APP (authorised push payment) fraud occurs when someone is tricked into sending money to a fraudster posing as a genuine payee. There are many ways a fraudster will seek to do this, for example through intercepting emails, posing as a genuine business, sending links to fake websites via email or text message and cold calling.
According to UK Finance, APP fraud has, for the first time, surpassed card fraud with GBP 355 million in losses attributed to APP fraud in the first half of 2021. The COVID pandemic has exacerbated the problem given the increase in online transactions, greater opportunity for fraud linked to COVID (for example, fraudsters offering NHS vaccines) together with the squeeze on people’s personal finances resulting in a greater interest in ‘get rich quick’ schemes.
APP fraud can catch out even the savviest among us as a result of the sophisticated nature of the scams. People can lose their life savings in a matter of seconds and find themselves with serious financial, legal, and mental health issues as a result. One thing is certain; more needs to be done to reduce the occurrence and effects of APP fraud but deciding where the risk and responsibility should lie is not easy.
It is this conundrum that will increase time and resources upon banks as regulatory requirements evolve as appears to be the plan in the UK.
In the UK, we saw the introduction of the Contingent Reimbursement Model (‘CRM’) Code which came into force in May 2019. The CRM Code is a voluntary scheme that sets standards for those Payment Services Providers (‘PSPs’) who have signed up. Signatories to the Code commit to:
Protecting their customers with procedures to detect, prevent and respond to APP scams, with a greater level of protection for those deemed to be particularly vulnerable to this type of fraud;
Improved prevention of accounts being used to launder the proceeds of APP fraud, including procedures to prevent, detect and respond to the receipt of such funds;
Reimbursing customers who have fallen victim to APP fraud but who are not to blame for the success of a scam.
There are currently 9 signatories to the Code, however, despite the standards set out in the Code, there is still a huge disparity in the way victims are dealt with, even amongst those institutions that are signed up to the Code.
On 18 November 2021, the Payment Systems Regulator published a consultation paper on APP scams. The consultation paper focuses on three main proposals:
Publication of fraud data by banks – banks and building societies will be required to publish data detailing their performance relating to APP scams revealing reimbursement levels, volumes of APP scams and the number of accounts being used to receive fraudulent funds.
Improvements in scam prevention – greater investment in technology to detect fraudulent payments and improved intelligence sharing to enhance the detection and prevention of APP scams.
Mandatory reimbursement of victims – requiring a legislative change to remove the barriers to make reimbursement of funds lost to APP fraud mandatory.
The publication of data on performance relating to APP fraud will become an important brand management exercise, as consumers use the information to benchmark financial institutions. When choosing a bank, consumers will undoubtedly want to feel their money is safe and will therefore start to give ever-increasing weight to favour those banks and building societies that have adequate fraud detection procedures, are seen to be reducing incidents of fraud and that reimburse victims in full.
We are already seeing campaigns based around a bank’s reaction to fraud, for example, TSB now offers a fraud guarantee meaning that innocent victims of fraud are reimbursed even if they have clicked on a link they should not have or shared sensitive information without thinking. The intended publication of data will become a powerful tool in naming and shaming those institutions whose policies and procedures are not fit for purpose.
Most banks already have technologies in place to assist in the detection and prevention of fraudulent payments. This is going to become much more important and will be a necessary cost of providing payment services. Those banks already signed up to the CRM Code will have made progress in this regard, however, for others (particularly digital banks none of which have yet signed up to the Code) there will inevitably be a sprint to the finish line to have these systems and procedures in place before the changes come in.
To reduce exposure and keep up with regulation, banks will need to invest in the latest fraud detection technologies, develop policies and procedures for protecting customers and for dealing with customers who have fallen victim to fraud. They may require additional teams to investigate fraud claims, complaints teams to deal with the fallout when claims are rejected, and teams that will need to communicate with the Financial Ombudsman when matters cannot be resolved. Furthermore, banks will also require teams to deal with the collection and intended publication of data. All of this will require training, education and, in some cases, recruitment.
Finally, should the reimbursement model become compulsory, we will see banks increasingly educating their customers and promoting fraud awareness to take advantage of the exception to reimbursement i.e. where a customer has been grossly negligent. If a bank can show it has warned and educated a customer on how to spot particular types of APP fraud, then it has a greater chance of arguing against reimbursement.
Banks need to act now to be ready for the proposed changes. Investment in technology to monitor transactions and detect red flags will reduce exposure and therefore represents a sound investment when one considers the cost of compulsory reimbursement. Banks need to be proactive in reducing the occurrence and effects of fraud on their customers. If the PSR achieves its goal to enforce the publication of fraud performance data, there will soon be nowhere to hide.
This editorial was first published in our Financial Crime and Fraud Report 2022, which showcases the innovation and development of the best practices and instruments used by financial institutions in their fraud prevention activities, to improve the digital onboarding process of their customers while fighting against financial crime.
About Arun Chauhan
Arun Chauhan is the founder and director of Tenet Compliance & Litigation, a disputes and compliance law firm specialising in fraud and financial crime. Arun is a regular contributor as an expert for the BBC, a regular conference speaker, and trustee of the highly respected counter fraud charity the Fraud Advisory Panel.
About Tenet Compliance & Litigation
Tenet Compliance & Litigation is a compliance and litigation law firm helping organisations manage their financial crime regulatory obligations, investigate fraud, and provide advice on business disputes arising from business crime. Our expertise covers the spectrum of preventative action in the form of training and policy advice, through investigation and litigation advice. Our clients include banks, fintech financial services businesses, listed companies, not-for-profit organisations, and SMEs.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now