Subscribe
|
|
|
|
|
Voice of the Industry

New UK APP fraud rules: what PSPs need to know

Thursday 29 August 2024 09:48 CET | Editor: Oana Ifrim | Voice of the industry

Gavin Punia and Nassos Kalliris from Bird & Bird outline the key requirements for UK PSPs under the new APP fraud reimbursement rules starting October 7, 2024.


The Payment Systems Regulator (the PSR) in the UK is introducing a new mandatory reimbursement framework in relation to payment services providers (PSPs) dealing with customers that are victims of APP on 7 October 2024. Despite calls from certain sectors of the payments industry for the deadline for implementation to be pushed back, the PSR has re-iterated that the framework will be implemented as planned and without delay. We set out an overview of the key requirements applicable to relevant UK PSPs that are in scope and how the reimbursement framework is proposed to operate.

What are the high level requirements

The new reimbursement requirement will introduce, for the first time, consistent minimum standards to reimburse victims of APP fraud and essentially it will:

  • require sending PSPs to reimburse all-in scope customers who fall victim to APP fraud in most cases; 
  • involve the sharing of costs for reimbursing victims on a 50:50 ratio between sending and receiving PSPs; and 
  • provide additional protection for vulnerable customers.

The PSR have now published three legal instruments which give effect to the reimbursement requirement: (i) a specific requirement (SR1) imposed on Pay. UK to include the reimbursement requirement in the Faster Payments scheme rules; (ii) a specific direction (SD20) given to participants in Faster Payments, obliging them to comply with the reimbursement requirement and the reimbursement rules; and (iii) a specific direction (SD19) given to Pay.UK to create and implement an effective compliance monitoring regime for PSPs.

Who does the new reimbursement requirement apply to?

The new requirement for reimbursement for victims of APP fraud will apply to all participants in the Faster Payments Scheme that provide relevant accounts. For the purposes of the APP fraud reimbursement scheme, relevant accounts are accounts which are held in the UK and can send or receive payments using the Faster Payments Scheme.

The PSR have explained that they are increasing protections within Faster Payments because currently the majority of APP fraud is enacted within the Faster Payments scheme. It is noted that payments firms have urged government to look at expanding regulation to cover social media platforms but the PSRs have not included any bespoken rules for social media platforms as of the date of this article.

What are the key components of the reimbursement obligation?

The following are the three key components of the reimbursement obligation:

  1. Claim excess: Sending PSPs would have the option to apply a claim excess under the new reimbursement requirement up to a maximum of GBP 100 per claim.                                                                                                       
  2. Maximum level of reimbursement: There is a maximum level of reimbursement for APP fraud claims (by value) under the new reimbursement requirement and this is set at: GBP 415,000 per claim.  
  3. Minimum threshold: There is no separate minimum value threshold for APP fraud victims.

Are there any exceptions to the general reimbursement obligation?

The new rules will include two exceptions to the general reimbursement obligation where:

  • the consumer seeking reimbursement has acted fraudulently. This is known as the ‘first-party fraud’ exception; or
  • the consumer has, with gross negligence, not met one or more of the four standards set out by the PSR under the ‘consumer standard of caution’.

It is noted that the definition of ‘consumer’ for the purposes of the APP fraud reimbursement framework includes micro-enterprises, smaller charities, and individuals, and the PSR is not proposing to consider these groups differently in respect to the application of the new rules.

The consumer standard of caution is being disapplied for vulnerable consumers. Where a consumer is classed as “vulnerable”, PSPs would not generally be able to rely upon the consumer standard of caution exception to deny a customer’s reimbursement. This would be the case even in circumstances where the customer has, as a result of gross negligence, not complied with one or more of the four standards set out above under the consumer standard of caution exception.

Time limit for reimbursement

The sending PSP must reimburse any reimbursable APP scam payment to the victim within five business days of the victim making an APP claim to the sending PSP. However, the sending PSP may exercise a ‘stop the clock’ provision that enables it to pause the five business-day reimbursement timescale.

A PSP can stop the clock if it has asked for additional information to assess the claim and is still waiting for a response.
When a sending PSP exercises the ‘stop the clock’ provision, the five business-day reimbursement timescale is paused at the point where the sending PSP sends its request for information. 

An APP scam claim may be closed either by reimbursement of the consumer where appropriate or by rejection of the claim, with an explanation of the reasons. If a claim for reimbursement is denied, customers will still be able to make a claim via the Financial Ombudsman Service.

Allocation of reimbursement between sending and receiving PSPs

When an APP scam claim is reported to the sending PSP, it must tell the receiving PSP within the notification period, in order to maximise the opportunity for repatriating stolen funds - the notification period would be set by Pay.UK.

If requested by the sending PSP, the receiving PSP must pay the sending PSP 50% of the lower of:
  • the amount the sending PSP has paid to the victim; or
  • the required reimbursement amount, if different.

The sending PSP may only claim the ‘specified amount’ from the receiving PSP after the sending PSP has reimbursed the victim. The specified amount would need to be paid by the receiving PSP within a reasonable period of time (to be defined by Pay.UK).

If the sending PSP chooses not to apply the maximum claim access value (up to £100 per claim), then the receiving PSP may deduct 50% of the maximum claim excess amount (i.e., GBP 50) from the specified amount.

Notwithstanding the above, the receiving PSP is not liable to pay any amount in relation to:

  • any voluntary reimbursement falling outside the scope of the APP fraud reimbursement requirement;
  • any payment the sending PSP makes to its consumer after it has closed a claim, whether by reimbursement or rejection. This includes any payment made as a result of a court or ADR decision subsequent to the closing of a claim.

The deadline for compliance with the new APP fraud rules is coming down the track fast and payments firms need to ensure they understand the operational changes they need to make to their payment instruction process, liability framework with other PSPs and liability arrangements with their customers.

About Gavin Punia

Gavin is a financial services regulatory specialist with a particular focus on advising firms who are digitally transforming the way financial services are being delivered. Gavin has extensive regulatory experience in payments, blockchain, insurance distribution and investment services. Gavin has developed a diverse range of in-depth experience advising clients in the Fintech sector on regulatory matters, including advising firms in the payments, e-money and Web3 and blockchain space. He offers particular experience in the regulation of digital payment services and electronic money products, and provides regulatory advice to service providers across the payment chain, including issuers, merchant acquirers and ecommerce platforms, and payment infrastructure operators and technical service providers.

About Nassos Kalliris

Nassos Kalliris is an associate in the Finance & Financial Regulation group in London. With extensive experience advising clients across the UK and EMEA region, Nassos specialises in financial services regulation, particularly within the payments sector. His expertise encompasses a broad spectrum of regulatory and compliance matters, including the implementation of the Payments Package (PSD2 and Interchange Fee Regulation), the UK Payment Services Regulations, and the UK and EU Money Laundering Regulations. Nassos is also well-versed in advising on the UK and EU Wire Transfer Regulations, the EU Cross-Border Regulation, and the EU SEPA Regulation.

About Bird & Bird

Bird & Bird are a truly international firm, organised around our clients. With our full service offering and extensive tech expertise, we’ll help you unlock the potential of change to realise your ambitions. Everything is connected. With more than 1700+ lawyers and legal practitioners across a worldwide network of 31 offices, Bird & Bird delivers expertise across a full range of legal services. Our specialisms include advice on commercial, corporate, EU and competition, intellectual property, dispute resolution, employment, finance and real estate matters.



Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: APP fraud, regulation, payment fraud, scam, reimbursement, PSP
Categories: Banking & Fintech
Companies: Bird & Bird
Countries: United Kingdom
This article is part of category

Banking & Fintech

::: more

Bird & Bird

|
Discover all the Company news on Bird & Bird and other articles related to Bird & Bird in The Paypers News, Reports, and insights on the payments and fintech industry:





Industry Events

Free Headlines ::: subscribe now
RSS ::: follow ThePaypers via RSS ::: connect
LinkedIn ::: connect with ThePaypers on LinkedIn ::: connect
Twitter ::: follow ThePaypers on Twitter ::: follow
Facebook ::: like ThePaypers on Facebook ::: like