Voice of the Industry

Adopting a comprehensive strategy for PSR compliance

Monday 13 November 2023 10:21 CET | Editor: Mirela Ciobanu | Voice of the industry

Nice Actimize payment experts explain how adopting a comprehensive strategy for PSR compliance enables FIs and PSPs to shield themselves from liability-shift losses, reputational damage, and financial repercussions.


PSR liability shift overview

On June 7, 2023, the UK Payment Systems Regulator (PSR) announced significant changes to the liability framework that affect all UK Financial Institutions (FIs) and Payment Service Providers (PSPs). These changes primarily target the growing issue of Authorised Push Payment (APP) scams. FIs and PSPs are required to reimburse ‘all in-scope customers’ who are victims of APP scams.

According to the PSR, sending and receiving FIs and PSPs will share the cost of reimbursing victims on a 50-50 basis, unless the customer has acted fraudulently (first-party fraud) or with gross negligence. There are also new stipulations for assessing APP scam victims’ vulnerability that must be factored in. This article explores the impacts of the PSR's liability shift mandate and its implications for fraud prevention and regulation across the globe.

 

APP scams on the rise

Fraudsters, just like consumers, have widely adopted Faster Payments and other real-time payment (RTP) rails in many different jurisdictions. PSD2 and Strong Customer Authentication legislation, alongside the adoption of risk intelligence tools such as behavioural biometrics and device intelligence, have helped in combating third-party fraud (such as account takeover). However, fraudsters have pivoted to using scams and social engineering tactics to manipulate customers into making fraudulent transactions for them. This used to be difficult for FIs to detect using traditional fraud monitoring solutions: the transactions may look normal, given that they’re made by customers using their own devices, etc., so they don’t generate any red flags. This dynamic landscape, where high-volume digital transactions are combined with RTP speed, allows fraudsters to work at scale and exploit consumers using wide-ranging methods.

Recognising this challenge, and the fact that the existing Contingent Reimbursement Model (CRM) Code is voluntary and doesn’t fully address tackling APP fraud across wider institutions, the PSR responded by consulting on a mandatory shared liability approach. That approach requires both sending and receiving institutions to share the cost of reimbursing victims on a 50-50 basis.

 

10 key principles of the reimbursement policy

The new reimbursement requirements are underpinned by 10 key principles, designed as a balanced package to set out the framework of the policy:

 

 

Compliance with PSR requirements

Based on previous publications, all PSPs and FIs are expected to start work now to implement the reimbursement requirements.

  • The proposed de-minimis level of GBP 35 for claims was removed and will be replaced by a new excess (details to be agreed on post-Q3 2023 consultation).

  • Victims of APP scams are expected to report the scam to the sending PSP no more than 13 months after the date on which their last payment in that APP scam was executed.

  • The sending PSP’s time to decide on paying or denying a claim has recently increased from 48 hours to five working days. There is also a provision to stop the clock if additional investigation time is required.

  • Guidance has been issued around the assessment of vulnerable customers as part of the reimbursement requirements.

 

Important considerations for FIs and PSPs

The scale of this undertaking becomes especially apparent when considering that GBP 485 million in APP fraud losses was reported in the UK alone in 2022. The scope of these changes, however, extends beyond the borders of the UK. As we have seen repeatedly, good policy in one major market is copied across others. It would be shocking if similar policies for APP fraud victim reimbursement were not proposed across the US, Brazil, Nordics, etc. in the years to come.

 

End-to-end APP fraud coverage

To effectively prepare for that eventuality and manage the rising threat of APP fraud, FIs and PSPs must act now, prioritising four key areas and achieving a real-time, holistic view of risk:

 

 

Data: Embrace an API-first data environment to securely transmit customer, transaction, and claim data (interoperability between investigating organisations is a requirement). Use third-party data sources, such as behavioural biometrics, for early detection and data visualisation tools to keep legible records of transactions and investigations.

Fraud Detection and Prediction: Employ advanced real-time prevention strategies, detection tools, and intelligence models to identify first-party fraud and mule activity promptly. This also means regularly enriching data with varied sources and standardising how data is sent, ingested, and used in transaction risk assessments.

Strategy Management: Apply Artificial Intelligence (AI)/Machine Learning (ML) models to create a comprehensive risk assessment framework to detect evolving and varied APP fraud attack methods. This includes adopting a typology-based approach for routing and orchestration of alerts.

Claims & Case Management: The forthcoming PSR mandates will have global, significant impacts on the mandatory reimbursement process. Prepare for the comprehensive overhaul by ensuring efficient processes are in place for: claim intake and capture; triage and investigation; consumer reimbursement; financial recovery; claim finalisation, tagging, and reporting.

 

Holistic approach to fraud for PSR compliance

Going forward, FIs and PSPs taking a holistic approach and enhancing internal controls can not only shield themselves from liability-shift losses, reputational damage, and financial repercussions but also comply with new PSR mandates on APP scams. Though new reimbursement requirements are not expected to be in effect until Fall of 2024 under current proposals, now is the time to update processes and technology. Implementing new controls now can mitigate risk while protecting customers from fraudsters who seek to circumvent an FI’s internal controls by using money mules and executing APP frauds.

 

About Nice Actimize

NICE Actimize is the largest provider of financial crime, risk, and compliance solutions for financial institutions. The company offers real-time, cross-channel fraud prevention, anti-money laundering detection, and trading surveillance products that address payment fraud, cybercrime, sanctions monitoring, market abuse, customer due diligence, and insider trading. Find us at www.niceactimize.com.




Keywords: APP fraud, risk management, compliance, machine learning, artificial intelligence, fraud detection, fraud management
Categories: Fraud & Financial Crime
Companies: Nice Actimize
Countries: World