In our previous article in January 2022, we discussed how APP (Authorised Push Payment) fraud occurs when someone is tricked into sending money to a fraudster posing as a genuine payee, and what changes were on the horizon. In the UK, we saw the introduction of the Contingent Reimbursement Model (‘CRM’) Code, which came into force in May 2019 and seeks to protect victims of fraud. The CRM Code is a voluntary scheme that sets standards and details when repayment should be made for those Payment Services Providers (‘PSPs’) who have signed up; the majority of high street banks are signatories. However, the CRM Code is not applied consistently by PSPs and there is a tendency to rely too heavily on the exceptions within the CRM Code to avoid repayment. Victims of fraud can often find themselves challenged by banks, which state that the customer received an effective warning or accuse the customer of gross negligence in being careless with their security details. Neither was the intention of the CRM Code.
The Payment Systems Regulator (‘PSR’) has identified that APP fraud continues to be a significant source of loss for consumers. In 2021, victims were defrauded of at least GBP 583 million as a result of APP scams. The PSR identified three measures that it believes could help to reduce APP scam losses and, on 11 February 2021, published a consultation paper detailing these measures.
These are:
Publication of fraud data by banks
Improvements in scam prevention
Mandatory reimbursement of victims
By introducing these measures, the PSR seeks to achieve improved outcomes for customers, as it estimated that the overall level of reimbursement was less than 50%, a figure that varies significantly depending on the PSP.
The first of these measures is the publication of data on performance relating to APP fraud. The PSR confirmed, on 23 March 2023, that they had directed 14 of the UK’s largest PSPs to collect and provide data on the proportion of victims of APP scams who do not get reimbursed and the rates of APP scams happening within the PSPs. The first report will be published in October 2023 and on a six-monthly basis thereafter. With this knowledge, customers will have greater transparency on which payment firms have not only the highest level of scams reported but also which payment firms have low levels of reimbursement. This will undoubtedly influence a customer’s decision as to whom they choose to bank with.
A crucial tool in scam prevention is the Confirmation of Payee (‘CoP’). The service is designed to prevent payments by checking the name of the account holder against the account number and sort code. On 11 October 2022, the PSR announced plans to see 400 more financial firms provide CoP. There are currently 59 institutions offering this service and, with greater reach, the number of APP scams will hopefully continue to fall.
In the face of growing harm from APP fraud, the Treasury Committee called, in November 2019, for the CRM Code to be made mandatory. Following up on that recommendation, in February 2022, the Treasury Committee’s Economic Crime report called for urgent legislation to make reimbursement mandatory. The Financial Services and Markets Bill currently making its way through Parliament will require the PSR to establish a system for mandatory reimbursement of APP fraud over the Faster Payments system.
The Treasury Committee has recommended that the system should be fully implemented by the end of 2023. In response, in September 2022, the PSR published a second consultation indicating that all PSPs would be required to reimburse APP scam victims, with only very limited exceptions, and that this reimbursement should be made as soon as possible, i.e., no more than 48 hours from the fraud being reported. There will of course be exceptions to this rule, such as where customers have acted with gross negligence. However, the PSR has indicated that this is a very high bar and will only apply in a small minority of cases. In addition to the above, the proposed changes include a minimum claim threshold of GBP 100, a GBP 35 fixed excess fee, and a time limit of 13 months to present a claim. Furthermore, the costs of reimbursement will be allocated equally between sending and receiving PSPs, with a default 50:50 split. However, PSPs can use a dispute management process to adjust the allocation to better reflect the steps each PSP took to prevent the scam. Requiring recipient PSPs to contribute to the compensation paid to victims is seen as a significant development.
At present, should a customer be reimbursed as the victim of an APP scam, the majority of the payment is picked up by their own bank. In fact, PSPs on the receiving side of transactions now account for a negligible share of reimbursement (less than 5%).
As a result, the receiving bank has very little incentive to increase its fraud protection measures for incoming payments. It is often the case that the payment provider receiving the payment would have an easier job of identifying the fraud due to the nature of the account and its use.
Either way, the mandatory reimbursement requirements are likely to lead to significant new costs for banks and other PSPs. However, with the introduction of the mandatory publication of data running alongside these changes, it would be somewhat of an own goal for PSPs to resist the changes.
PSPs need to take appropriate steps to ensure that they are able to implement the proposed changes. There will need to be internal education on when a customer should be reimbursed, but also changes to policies and procedures to ensure that both incoming and outgoing payments are flagged earlier and the fraud is prevented in the first instance.
From an outward-facing perspective, PSPs may wish to put more of an onus on the education of their customers to reduce exposure at the source. We are likely to see pop-up warnings continue to evolve so that effective warnings about the risk are just that: effective enough to cause customers to think twice before a transaction if they have any concerns.
The publication of fraud data will be very telling, as it will be immediately obvious to consumers which PSPs have taken the time to invest in and care for their customers and seek to protect them from fraud.
This editorial was initially published in the Financial Crime and Fraud Report 2023 which dives into the captivating world of fraud management, digital onboarding, and financial crime in the financial services industry.
Esther is an experienced litigator with expertise across a wide breadth of commercial litigation matters ranging from straightforward breach of contract claims to complex cross-border litigation.
Rebecca has 10 years of experience in trying cases and representing clients in high-stakes litigation and disputes, now specialising in fraud and financial crime compliance matters.
Tenet Compliance & Litigation is an award-winning boutique compliance and litigation law firm that helps organisations manage their financial crime regulatory obligations, investigate fraud, and provide advice on business disputes arising from business crime. Our expertise covers the spectrum of preventative action in the form of training and policy advice, through investigation and litigation advice. Our clients include banks, fintech financial services businesses, listed companies, not-for-profit organisations, and SMEs.