The Financial Conduct Authority (FCA) has recently published details of its key findings from its multi-firm review of how the risks of Authorised Push Payment Fraud (‘APP Fraud’) and fraud attacks are mitigated across the financial industry. The publication has a focus on the payments industry, i.e. Payment Service Providers (‘PSPs’) including banks, building societies and other businesses that provide payment accounts such as Electronic Money Institutions (‘EMIs’).
The review involved the FCA’s own risk-based sampling of 12 current account providers, ‘challenger banks’ and payment firms. The FCA utilised data submitted by firms in its Payments Fraud Report which involved analysis of data on fraud volumes, value and type. Furthermore, the analysis extended to the FCA’s review of intelligence from the Financial Ombudsman Service. The FCA’s insights and case experience also provided an informative and rounded view to its findings.
The publication couldn’t be more timely, given the Payment Systems Regulator’s recent regulatory publications on the APP Fraud reimbursement model as its strategic approach to compensating victims of imposed fraud in recent years.
What were the findings of the review?
The findings of the review provide a pragmatic and useful summary of the dos and don’ts (which are often found discreetly fashioned in traditional FCA prose), of what implementing appropriate anti-fraud practices looks like. Alongside this is the integrated notion of Consumer Duty which touches on account freezing and complaint handling, as covered in the FCA’s Dear CEO Letter on Implementing the Consumer Duty in payment firms earlier this year.
There is also a real focus on the need for firms to identify and tackle APP Fraud in their compliance frameworks. By way of reminder, APP Fraud involves the exploitation of customers and customer accounts and occurs when a person is tricked into sending money to a fraudster posing as a genuine payee. We previously unpicked the impact of APP Fraud on the payments and e-money industry in our series of articles on the requirement and proposed reimbursement.
And so, with the cross-over of various regulatory requirements, the message couldn’t be clearer in that firms should start thinking about their fraud management frameworks and ask themselves:
- Are they prioritising customer needs and protection and delivering good outcomes for them?
- Is there appropriate information imparted to customers to help them understand what fraud is and to understand if they have experienced it?
- Are they clear on how to report fraud e.g. when, to whom?
- Are victims of fraud being treated fairly in all stages of fraud management?
- Is there a tailored service of fraud management and reporting embedded for vulnerable customers?
- Is complaints management fair and modernised to encompass recent fraud typologies, such as APP Fraud?
In general, the common themes in control frameworks which demand firms’ attention centre on: not evidencing good consumer duty outcomes; mis-focused management information that steers away from a consumer duty focus; poor customer service support and complaint handling for fraud victims, and delayed response times; non-transparent complaint handling communications; and a lack of evidence on the fair treatment of vulnerable customers with fraud claims and complaints.
What should firms do now?
The immediate priority is for firms to “sit up” and review their fraud systems and controls. The following five-point plan can act as a guide for firms to strengthen their systems and controls, so they are optimised to detect, prevent and manage fraud:
1. Governance, Oversight and Management Information (MI)
- Firms must evidence effective oversight and challenge by relevant senior management or board and other governance committees.
- Firms must move away from generating “commercially” driven data metrics. Instead, they should generate MI which has a clear link between customer-focused data and anti-fraud practices. In other words, firms must use their data to tell a narrative on bad customer outcomes and improved customer outcomes in response to their risk management practices to fight fraud. Where there’s a problem, there must be a solution imposed, hence the need for effective anti-fraud strategies.
2. Fraud systems and controls
- Firms are advised to implement proportionate and adequate systems and controls, in all forms of fraud, which includes the need for them to mitigate the risk of money mule activity which has been on the rise recently.
- Firms must commit to an overhaul of their prevention and detection techniques for identifying, managing and reporting fraud throughout the customer journey i.e. onboarding, transaction monitoring, ongoing customer monitoring and system review.
- Start at the source of the payment – the firm’s staff. Do they possess adequate fraud awareness knowledge?
3. Use of intelligence
- Firms must think about their use of data to work collaboratively with external agencies (e.g. NCA, Action Fraud, Police) to report incidents of fraud. Think about the source, reliability and impact of data received and used. Can it be used to actively prevent and detect fraud?
- When managing fraudulent matters internally, firms must think carefully about handling the matter appropriately. In particular, ‘receiving’ PSPs must act promptly under law and ensure good customer outcomes are delivered once they are notified of a fraudulent payment. Firms should already be thinking about the impact of the APP Fraud reimbursement obligations, if they are impacted by the proposed model.
- Firms should also review their account freezing procedures to ensure the time allocated for investigating fraudulent matters is reasonable, and whether they can justify any delays in the process.
4. Customer treatment and awareness
- Firms must review the promotional material on their websites and other literature material to ensure it is fair, clear and not misleading with regards to displaying customer contact information to enable them to report fraud, and to explain the action taken by the firm and customers outside of its standard hours.
- Review the firm’s complaint handling process including the speed of response, quality of advice and the management of delays in the process. Think about the complaint handler’s conduct and fraud awareness.
- Consider contingency arrangements for customers who are unable to access their funds whilst their matter is being investigated.
5. Treatment of Vulnerable Customers
- Firms must think conscientiously about their decision-making on managing fraudulent activity experienced by vulnerable customers. With Consumer Duty in mind, firms must evidence their obligation to treat vulnerable customers with appropriate levels of care in accordance with the characteristics of the customer. A “one-size-fits-all” approach to customer service will not work.
All in all, the message here is that if something goes wrong, the FCA can ask the firm what it did and did not do – so firms must justify the process that they have undertaken, otherwise the firm will be seen to not produce the right outcomes in its fraud management practices. If any support is required with planning or implementing your fraud management frameworks, please feel free to get in touch.