The Payment Systems Regulator (PSR) has turned a keen eye to the payments industry’s ever-growing battle against the increasing problem of Authorised Push Payment (APP) fraud. With backing from the UK Government, the PSR has committed to ensuring that prevention and detection take place, along with better mechanisms for reimbursing victims of APP scams. This is a welcome approach for customers, particularly before and after the COVID-19 pandemic, as fraudsters become increasingly sophisticated in their methods of deception, but one which will place additional duties and burdens on payment service providers (PSPs).
The PSR’s efforts in fighting the existence of APP scams started in 2022 with its plan to ensure banks implement Confirmation of Payee (CoP) as a bank account name-checking tool to help identify fraudulent accounts and account owners. CoP also helps to stop payments that are accidentally misdirected, by checking the payee’s account details against those provided by the payer. From 01 June 2022, all PSPs are required to implement ‘Phase 2’, which starts the migration for financial firms to use CoP. The PSR has directed approximately 400 financial firms, in two groups, to start implementation, with the first group’s deadline set for 30 June 2023; the other group is required to have CoP in place by 30 June 2024.
On 10 May 2022, the Government published its approach and intention to encourage the PSR to use its existing regulatory powers under the Financial Services (Banking Reform) Act, which could inevitably mean Payment Service Providers (PSPs) may be obligated to reimburse victims in cases of APP scams.
What are Authorised Push Payment scams?
Authorised Push Payment scams occur when individuals and businesses are tricked into sending money to fraudsters, usually by digital means. We have all received one of “those” emails and/or phone calls from someone claiming to be from a reputable bank and requiring a domestic or international payment unknown to us. The fact that this activity is now recognised as a ‘scam’ identifies its real money-making potential for fraudsters and the substantial, disproportionate losses for the victim, worth thousands of pounds in some unfortunate cases.
The PSR has estimated that the number and cost of these scams are significant and increasing. In 2020, reported APP scam losses totalled £479m, with the actual figures likely to be higher.
Why has the Government recognised APP as a threat to the payments industry, and identified the need to do more to address it?
Amongst other factors, the Government considers that there is an inconsistent approach to the reimbursement of APP scam victims (i.e. customers). It considers that victims continue to suffer loss as the right action is not being taken by their payment providers. This may be due to PSPs not committing to managing the consequences of APP scams effectively or even efficiently, and those that have are not interpreting their obligations correctly. This means there is a lack of clarity on the right approach to take – and the PSR has sought to raise the ‘why and how’, starting with its initial CP21/3 Calls for Views on APP Scams. The recent outcome of this was supported by the Government in its CP 21/10 Consultation on Authorised Push Payments (APP) scams.
A key observation from the PSR’s CP21/3 implies responsibility on all PSPs and other institutions involved in the sending and receiving of payments in a transaction, to educate themselves and customers on the technological advancements used in APP scams:
“Of course, consumers need to exercise caution, and we recognise that increased consumer awareness through better education by PSPs may be needed in light of the increased sophistication of scams, including a rise in the use of social engineering to get around fraud prevention measures and warnings. Action is needed by many different stakeholders, not just sending PSPs”.
It looks like the relationship between Compliance and Information Security teams is needed more than ever. An interesting question here is whether, if a PSP hosts the account into which the proceeds of APP scams flow, this indicates a failure in that firm’s onboarding and/or transaction monitoring systems, and whether that ought to imply that they have the greater liability.
What legislative changes will impact on PSPs and Payment System Providers?
The pressing need for legislative action was outlined in the Queen’s speech earlier this month, where the proposed enactment of two parliamentary bills was announced to help the PSR fight APP activity. As you will see, the common theme here appears to be about calling all PSPs to enhance consumer protection:
- The Financial Services and Markets Bill will enable the PSR to use its power outright, without relying on the voluntary code, to require PSPs to reimburse APP victims for losses. Whether these are confined to just financial losses (as opposed to distress and inconvenience) cannot be determined at this stage.
- The Online Safety Bill will make those hosting social media activity (platforms, advertising channels, search engines etc.) responsible for i) identifying fraudulent advertisements and ii) implementing controls to prevent this.
PSPs will have a ‘duty of care’ assigned to them which could be interpreted to mean that they must ensure they actively check for any suspicious material or activity posted about their payment service offering, that could or does cause APP scams to occur. Any consequences of APP scams are likely to fall onto the PSP.
The FCA has further explored the principle of a ‘new’ Consumer Duty in its consultation CP21/36 (in December 2021) to address several harms, including problems caused by fraud or identity theft in the financial industry.
There has been a notable case addressed by Clyde & Co in its article of 05 April 2022 relating to the principle of ‘Quincecare Duty’, where it is reasonable to impose a duty on the financial institution to ensure appropriate protection for its customer against fraud (including APP) on the account. The outcome from the case was the challenge in striking the right balance between implementing realistic customer protection against all types of fraudulent schemes, be they simple or complex.
Furthermore, the Government intends to amend Regulation 90(1) of the Payment Services Regulations 2017. The regulatory provision places liability on PSPs for correctly executing payment orders with the unique identifier provided by the customer (e.g. account number and sort code). The liability will stretch further in terms of the transaction being ‘correct’, meaning the PSR can still use its regulatory powers under the Financial Services (Banking Reform) Act 2013 to review/investigate such matters which involve APP scams, with the aim of improving refunds and similar for customers.
Legislative changes will not take effect immediately. A 2-month ‘cushion’ is provided to the PSR to publish its draft regulatory requirements before being implemented; a 6-month period then follows before the provisions become mandatory for all PSPs, followed by the PSR’s consultation on its preferred reimbursement methods for APP scams in Autumn 2022.
What should payment firms do now?
It may be time for Faster Payments to start reviewing their scheme rules, and for PSPs accessing these services, either directly or indirectly, to review the adequacy of their fraud management controls. A good starter for ten is for these PSPs to consider and ask themselves:
- Is the fraudulent activity arising from APP scams being captured and mitigated in your REP018 risk assessments?
- Could your accounts be used to receive the proceeds of APP Scams? How good is your onboarding and transaction monitoring at spotting this?
- Are there any peaks and troughs in fraudulent activity experienced by the Firm, particularly since the pandemic? What is your Management Information telling you?
- The common typologies of fraudulent behaviour used to scam customers at the Firm, i.e. repeat fraudsters and transaction patterns, even locations where fraudulent events occur
- Be honest about how effective your fraud prevention systems are – if more investment is needed to improve this, treat it as a necessary investment. Better to volunteer than be pushed
- Be aware of the various types of technological and digital methods used by fraudsters – perhaps frequent insight from your Information Security team could help you keep updated on current regulatory developments, even a monthly Steering Group could help
- Think about whether there is sufficient and appropriate Senior Management oversight and decision-making around the entire fraud management process
- Are the complainants of APP scams getting the compensation they should receive?
- How effective is consumer protection? Are you really doing enough?
- Reach out to staff – is it time to improve training around fraud identification?
- Your financial pot – how much can you ‘afford’ to reimburse customers and can this be helped in any way?
- Review your financial promotions or any third parties promoting your services – does your contractual agreement with them say who is responsible? Do the advertisements look legitimate?
It is best not to be complacent nor to sit and wait to hear back further from the power houses. Fraud is right on the legislators’ and regulators’ radar – and we’d advise that it should be on yours. Let’s all work together and help tackle APP fraud for good.