The Payment Systems Regulator (‘PSR’ or the ‘regulator’) has recently introduced its world-first reimbursement requirement (‘reimbursement’) for victims of Authorised Push Payment (APP) fraud, applying to E-money Institutions, Payment Institutions (together, ‘PSPs’) and banks, in its Policy Statement of 7 June 2023 (the ‘Consultation’).
It appears that fighting APP fraud and protecting consumers has been a mammoth task for the PSR, which has engaged with various regulators, governmental and industry bodies, and it has concluded that the reimbursement approach is the best way to recompense victims of APP fraud.
The Government has recognised the hardship caused to victims by APP fraud and instructed the PSR to introduce reimbursement through its Financial Services Market Bill. The new reimbursement right applies to consumers, microenterprises and charities (as defined by the regulator).
The new reimbursement requirement applies to payments sent and received by PSPs in the UK across the Faster Payments system (FPS), including payment initiation service (PIS) transactions that fall within the scope of Open Banking. For the avoidance of doubt, PSPs that do not operate the sending or receiving payment account are out of scope.
Approximately 80% of APP fraud originates from purchases made on social media, with social media companies rarely being involved in preventing fraud. The Online Safety Bill is a start in holding them accountable for identifying fraudulent advertisements and related fraudulent activity, but in our view it contains nothing specific on their involvement in reimbursement, which could increase the pressure on PSPs to ‘perform’ as the recompense saviour.
But the challenge is whether the reimbursement approach is proportionate enough and fair to all parties involved. Whilst the customer’s pockets become heavier, the Firm’s piggy bank will be a lot lighter. How will reimbursement work, and who will feel the least pain?
The ‘shields’ protecting our customers
The Contingent Reimbursement Model Code (the CRM Code) has been used since May 2019 to help recover consumers’ financial losses via repatriation (i.e. fund recovery) or reimbursement from the victim’s PSP. But this has only been applicable to PSPs who have signed up to the CRM Code. So it is a discretionary approach for Firms, not mandatory, with only 10 signatories, leaving a significant number of consumers feeling unprotected. It seems that any valued customer should be reassured that their chosen service provider has a blanket to cover them from any financial distress caused by external threats.
The PSR noted that in early 2021, less than 50% of APP losses assessed under the CRM Code resulted in the victim being reinstated. In 2022, the reimbursement success rate under the Code increased to 66%, which is indicative of a more conscientious culture within the payment industry to prioritise consumer protection.
Another possible, but rarely used, recourse for APP fraud relief (separate from the ‘claims excess’) could be for PSPs to increase their current insurance premium limits to accommodate reimbursement “pots”, but in reality it is challenging for insurers to ‘value’ the risk of unforeseen fraudulent activity.
Reimburse – in or out?
The reimbursement model aims to provide consistent standards for recompensing victims, meaning all PSPs are in scope of the requirement to reimburse victims, which includes high-street banks, building societies, E-money Institutions and Small Payment Institutions. There are ten key policies set out by the PSR which comprise the reimbursement framework. The requirement for PSPs under the reimbursement model is to:
- Reimburse all in-scope customers who fall victim to APP fraud in most cases, save for customers in civil disputes, payments which occur across other payment systems (notwithstanding CHAPS, which is currently within the scope of the Bank of England’s supervision to provide comparable protections, and the Bacs payment system, which is under review by the PSR), international payments and those made for unlawful purposes;
- Share the cost of reimbursing victims on a 50:50 basis between sending and receiving payment firms;
- Provide additional protections for vulnerable customers.
Remember, the impact of APP fraud applies, in principle, to victims of authorised card fraud too: even though it is not defined as ‘push payment’ fraud, it is seen as an entry point for fraudsters to scam, trick and manipulate users for illegitimate gain.
Consumer harm caused by cryptoasset activity is out of scope for the reimbursement requirement model, as cryptoassets are deemed not to operate within a regulated payment system. A recent PSR webinar tells us it would be in scope if the E-money was received through illegitimate gains and converted into cryptoassets as it moves into an exchange, amongst other scenarios of a similar nature.
PSPs will be relieved to know there are some transactions untouched by the reimbursement requirement if they can prove that the customer has:
- Acted fraudulently i.e. ‘first-party fraud’;
- Acted with gross negligence – the ‘standard of caution’ for APP fraud claims.
How does the PSP determine if the customer’s behaviour or actions were ‘fraudulent’? A Transaction Monitoring review of trends in payment history or unusual payments, or of inter-changing senders and beneficiaries, or just good, old-fashioned suspicion? Either way, some indicators on the types (and degree) of evidence which provide a basis for an APP fraud claim are needed, so that PSPs implement a consistent approach to protecting their customers and provide some guarantee that reimbursement will be provided.
Gross negligence is a high bar to reach in the FCA’s eyes, with the ‘burden of proof’ laid on the PSP that suspects the fraud.
Gross negligence is already an exception to PSP liability for unauthorised transactions under regulation 77(3) of the Payment Services Regulations 2017 and for reimbursements under the CRM Code.
This means there is a unanimous view from the PSR and FCA that, in the spirit of the PSD2 recitals, the customer needs to have shown ‘a very significant degree of carelessness’, with an exception for vulnerable customers (and quite rightly, too). Though this makes it even more challenging for firms in those cases where it is not so easy to determine whether a customer is vulnerable or not.
If we unpick the roles of the ‘Receiving’ PSP and ‘Sending’ PSP here, the bottom line is that the Receiving PSP is obligated to pay the Sending PSP 50% of the reimbursement that the Sending PSP paid to the customer.
Deciding on the allocation of liabilities was never going to satisfy all parties. A symmetrical share of the costing pie was probably seen as the least bad option for sending and receiving PSPs, but one could be burdened more than the other, particularly a PSP who invested in appropriate fraud prevention controls.
The reimbursement requirement appears to indicate that a lot of the “leg work” in the customer’s end-to-end journey will be undertaken by the Sending PSP, not forgetting of course that they will themselves be “reimbursed” for 50% of the total pay-out to the customer.
Though it has been argued that the ‘sharing liability’ here is proportionate, since both PSPs can freeze or block accounts on suspected fraud.
The disparity is the lack of a similar reimbursement for Receiving PSPs to strengthen controls on accounts as a defence against APP Fraud. The impact of PSD3 hints at APP Fraud prevention as a general requirement for all PSPs to deploy as a means of stopping fraudsters from accessing payment services at any point in the customer journey.
Interestingly the recent EU Commission publication on PSD3 has mentioned ‘conditional reversal of liability for authorised push payment fraud'. Could this mean there’s scope for Receiving PSPs to gain a bigger piece of the liability pie?
The reimbursement requirement will enable Sending PSPs to manage APP fraud reported to them by victims by applying for a ‘claims excess’ (or ‘reimbursement claim’) which, unlike an insurance claim, is focused more on managing a ‘moral hazard’ i.e. where one party (customer) gets involved in a risky event knowing that it is protected against the risk and the other party (Sending PSPs) will incur the costs. Does this sound familiar, Sending PSP?
Customers must be reimbursed within a 5 business-day timescale after deducting any optional excess but PSPs should be vigilant of customers who themselves may ‘abuse’ the opportunity for reimbursement. More details on the claim levels and its function are to be published in the regulator’s consultation in Q3 2023, with a final verdict on expectations for firms by end of Q4 2023.
‘Policing’ the claims process could mean that all PSPs would need to upskill their resource management to effectively investigate fraud by hiring more fraud specialist staff or re-training existing staff: an extended customer ‘service’, possibly, alongside re-training and more sophisticated systems for data management. The piggy bank is becoming lighter.
The regulator expects the reimbursement requirement to incentivise various outcomes across the payments industry, with firms expected to contribute to better data sharing, more transparency on risk indicators, effective data-driven intervention, risk-based decisions by firms in managing fraudulent activity and improved victim aftercare. So, where does one start with revamping one’s fraud prevention and management framework?
Knowledge is Power
Where fraudsters are increasingly creative in their scandalous ways of infiltrating the payment system, Sending and Receiving PSPs must gain more insight into ‘multi-step’ fraud scenarios to understand the various levels of victim manipulation. These relate to transactions within the FPS to an account controlled by a person other than the customer, where the customer has been deceived into granting authorisation for the payment. PSPs will need to understand how and where push payment fraud occurs to determine if the activity leading to the transaction falls within the scope of reimbursement.
‘Money muling’ has become the trendy way for fraudsters to gain access to funds internationally, with some persons being recruited, sometimes unwittingly, to aid criminals. The development of a ‘mule monitoring strategy’ is the way forward for firms.
Against the clock
Speed is of the essence here for Sending PSPs to extract the relevant data from the customer for the reimbursement claim. If the information is not received on time (after the final payment to the fraudster), it could impede the PSP’s decision to accept the claim where it falls outside of the 13-month time limit to submit the reimbursement claim.
Whether this is the case, or the Sending PSP has all the necessary data within the deadline and on review rejects the customer’s claim, the matter may fall into the hands of the Financial Ombudsman Service (FOS) to investigate customer dissatisfaction within a period of up to 6 years from the fraudulent incident occurring. For this reason, adequate record-keeping couldn’t be more critical for Sending PSPs.
Whilst waiting for more definitive external guidance to help firms reshape fraud and information security controls around the new reimbursement requirement, firms should conduct a “drains up” exercise in reimbursement readiness on their fraud identification, prevention and management systems:
- Unpick your Fraud and Information Security risk assessment and investigate the gaps;
- Review the effectiveness of your Strong Customer Authentication and Confirmation of Payee controls (if implemented);
- Think of your good old-fashioned Customer Due Diligence. Could the onboarding form benefit from a few more questions? Is your transaction monitoring up to scratch?
- Ensure senior management have a good handle on fraud-related management information. Is the data too basic, or informative enough for measuring APP fraud in particular?
- Staff are a preventative and detective asset to PSPs. Tap into your internal behavioural analytics and consider if the trends in fraud reporting reveal inadequate management of fraud incidents through complaints, “after care” and treatment of vulnerable customers within the same remit. Ensure staff are re-educated in the right way, otherwise you run the risk of your employees themselves being victimised by fraudsters;
- Fraud awareness and victim support set the right tone for PSPs in enhancing their risk management framework. It ticks a box for meeting Consumer Duty too. PSPs could introduce “warning sticker” communications on their websites about high-risk payments or on implementing account controls;
- A thematic review of the impact of reimbursement on firms’ financial forecasting and capital/liquidity risk would underpin the scope of any potential reimbursement or compensation provided to victims.
‘The Duty is upon us all’
Consumer Duty casts its wide net over APP Fraud identification and management. Firms need to demonstrate that they have considered the impact of APP fraud in their Consumer Duty framework with the risk of fraudulent activity being ‘peppered’ across the entire customer journey.
This has been markedly addressed by the FCA in its Dear CEO letter on Implementing Consumer Duty in Payment Firms of 21 February 2023. The message reinforced the need for PSPs to be visibly supportive of their fraud victims, so far as to necessitate the appropriate level of care.
Vulnerable customers fall outside of the scope of the ‘standard of caution’, and firms must assess them on a case-by-case basis.
The onus for compensating victims under the requirement does not extend to civil disputes, payments which take place across other payment systems (yet), international payments, or those made for unlawful purposes.
The responsibility falls on the Sending PSP processing an APP fraud claim to assess if the customer is vulnerable in line with the FCA guidance where, ‘Firms should consider consumers’ vulnerability and capacity to make decisions when deciding how to treat consumers who have been victims of scams or fraud’.
Fortunately there are protections for vulnerable customers, to whom the standard of caution (claim excess or gross negligence) cannot be applied by PSPs. Therefore, it is imperative that the Sending PSP can verify the vulnerability of its customer at the outset of the customer’s journey (i.e. at onboarding) if possible. Ongoing monitoring of customer behaviour and circumstances identifies whether vulnerability becomes apparent later.
The overlap of vulnerable customers and protected characteristics brings increased susceptibility to harm caused by social engineering in APP fraud attacks. The equality risk here further validates the fair approach of precluding vulnerable customers from the standard of caution and claims excess. Thankfully, Consumer Duty serves as an effective mitigant for identified equality risks, with Pay.UK, the FCA and the PSR monitoring all Consumer Duty outcomes on the fair treatment of customers.
What should firms do now?
The new reimbursement requirement will apply to firms in 2024, with the exact date to be confirmed by the PSR. In the interim, there will be consultation on draft legal instruments in early Q3 2023, with the reimbursement requirement coming into force in Q1 2024. Whilst firms should not panic, they must be alert to the regulator’s expectation that they start employing measures to implement the arrangements for offering reimbursement.
Firms should be wary that criminals are not selective, and their crimes in evolving and infiltrating payment systems are for the long term. Reimbursement has already marked its territory in the New Payments Architecture (NPA), set for migration into its infrastructure by 01 July 2026. There is no escape!
Amongst the distant deadlines, firms are not expected to ‘sit back and wait’ in the intervals, and so the regulator’s message is clear. Let’s not procrastinate, because fraudsters certainly aren’t.
As we publish this article, news emerges of Barclays’ successful appeal to the Supreme Court, relating to the extent of banks’ duties and obligations to protect customers from fraudsters. This may bring into question some of the policy statements from both the PSR and FCA in combating push payment fraud and, importantly, where liability (and reimbursement) truly lies.