The APP fraud problem and its impact on the payments industry

Monday 22 July 2024 10:22 CET | Editor: Estera Sava | Voice of the industry

Mark Beresford, Director at Edgar, Dunn & Company (EDC), tackles authorised push payment (APP) fraud and its effect on the payments industry.

The Authorised Push Payment (APP) fraud problem

APP scams involve fraudsters pretending to be real companies, government agencies, or even loved ones. They trick victims into sending money urgently, often through impersonation emails, phone calls, or texts. Scammers employ social engineering techniques to manipulate the victim’s emotions, creating a sense of urgency or fear to pressure them into making the payment quickly. The victim, convinced they’re paying someone legitimate, transfers money to the scammer’s account.

The size of the APP fraud problem

UK Finance published its Annual Fraud Report in June 2024, which stated that just over GBP 1.17 billion was stolen by criminals in 2023, and APP fraud losses remained high, at GBP 459.7 million – showing little progress from GBP 485.2 million in 2022. APP fraud losses are mainly driven by the fraudulent activities of criminals who scam their victims through online platforms. Such activities include investment scams, romance scams committed via online dating platforms, and purchase scams through auction websites and ecommerce marketplaces.

The picture in Europe isn’t that different, as reported by the European Payments Council (EPC). Their report describes the overall payment fraud trends, including APP fraud, but does not provide specific figures for Europe as a whole. However, EDC believes that APP fraud losses across Europe could be as high as EUR 2.4 billion (an EDC estimate), increasing by 20% to 25% since 2022.

What is the solution to APP fraud?

To protect against APP fraud scams, it is crucial to verify any changes in payment details directly with the known supplier through a trusted contact method. This can be done either through a verified phone number or email address. Comparing the new details against existing records, rather than relying solely on information provided in unsolicited emails, can help identify potentially fraudulent activity.

The European Commission has recently published a draft PSD3 including a new Payment Services Regulation which would introduce limited liability on payment service providers (PSPs) for APP fraud. Part of the fight against fraud is using Confirmation of Payee (CoP) for instant payments – an IBAN/name-matching verification service. The PSP will be required to show the customer any non-match results before they proceed to complete the transaction. The EU’s revised Payment Services Directive (PSD2) proposes a Verification of Payee (VoP) scheme. The rule change is currently in consultation, with publication expected in September 2024 and potential implementation in late 2025.

Regardless of whether it is called CoP or VoP, it doesn’t really stop APP fraud. The key issue lies with lax onboarding. CoP/VoP only verifies known accounts, and it’s useless against fraudsters with new ones. The receiving bank, not the sender, should be liable for failing proper checks. CoP has been used in the UK since 2019, and it has not solved the APP fraud problem, nor is VoP expected to do so in Europe.

The UK took another step to help address APP fraud. In 2019, it introduced the APP voluntary code. It provides certain protections for customers of signatory PSPs – and aims to reimburse victims of APP fraud in any scenario where the customer has met the standards expected of them under the code. Over 90% of APP scams fell under the UK’s voluntary code, and GBP 256.5 million was returned to victims in 2023.

The latest development in the fight against APP fraud in the UK has been the proposal to implement a new regulation which will include a reimbursement requirement for eligible victims of this fraud type. The date currently set for implementation is 7 October 2024. Once the requirement comes into force, banks and PSPs will have to reimburse eligible victims of APP fraud. The reimbursement will be split fifty-fifty between sending and receiving banks. The maximum level of mandatory reimbursement will be GBP 415,000, applicable to all consumers.

PSPs must prove consumer gross negligence to reject reimbursement claims, and they’ll need robust systems to understand the cause and identify pressured behaviour. Behavioural biometrics can further aid this. As the responsible parties (banks, building societies, etc.), PSPs will need to adopt new technologies for scam detection in incoming payments.

Future expectations

It’s still too early to say definitively whether this will significantly address APP fraud in the UK. However, PSPs must use better detection technologies to be aware of the potential risks and take steps to protect their operations. This is something all the larger PSPs will have already done; the smaller fintech firms, however, may not have the necessary funds to invest in new detection technologies, and they could fall foul of the proposed reimbursement requirements, which could force a fintech company into bankruptcy.

Fintech companies have lobbied to reduce the GBP 415,000 reimbursement threshold. It will be interesting to further observe how regulation impacts fraud rates, security measures implemented by the banks, and the overall cost of APP fraud in the UK. Additionally, as lessons will be learnt from the UK’s regulatory measures, it remains to be seen how Europe addresses APP fraud head-on.

This editorial piece was first published in The Paypers' Unlocking the Potential of A2A Payments Report 2024 – Changing the Way We Pay and Get Paid, which taps into the fast, ever-expanding A2A payments industry, being the ultimate source of information for businesses looking to grow their consumer base.

About Mark Beresford

Mark Beresford is a Director at Edgar, Dunn & Company and has over 25 years of strategic consulting experience in the payments sector. He is responsible for the company’s retailer and merchant payments practice, working with omnichannel merchants and payment service providers across the globe.



About Edgar, Dunn & Company

Edgar, Dunn & Company (EDC) is an independent global payments consultancy. The company is widely regarded as a trusted adviser, providing a full range of strategy consulting services, expertise, and market insights. EDC’s expertise includes M&A due diligence, legal and regulatory support across the payment ecosystem, fintech, mobile payments, digitalisation of retail and corporate payments, and financial services.


Keywords: APP fraud, online fraud, financial crime, paytech, fintech, regtech, PSD3, scam, social engineering, online platform, romance scam, ecommerce, marketplace, PSR, PSP, Confirmation of Payee, instant payments, IBAN, PSD2, identity verification, fraud prevention, A2A payments, regulation
Categories: Fraud & Financial Crime
Companies: Edgar, Dunn & Company
Countries: World