FCA identifies UK industry failings in response to financial crime
Published on 16th Nov 2023
Firms reminded to improve risk mitigation and customer support against authorised push payment fraud attacks
The recent focus on the prevention of fraud and countering money laundering by the financial regulators in the UK has been definitive.
The Financial Services and Markets Act 2023 was finalised when it received Royal Assent on 29 June 2023, giving a mandate to the Payment Systems Regulator (PSR) to put in force a mandatory reimbursement scheme in favour of the victims of APP fraud. Since then, the PSR has issued no fewer than seven consultations, policy statements, and directions setting out its proposed approach, which represents a significant shift for the payments market as it looks to boost UK consumer protection against APP fraud.
In parallel, the Financial Conduct Authority (FCA) continues to keep the prevention, reduction and tackling of financial crime at the top of its priority list. The FCA's 2023/24 Business Plan reiterated its commitment to a number of financial crime-related aims including to invest in raising standards in authorised firms to improve their abilities to detect and prevent financial crime. Most recently, it expressed this in its 'Dear CEO letter' to wealth management and stockbroking firms, which sets out how the FCA intends to be robust in its supervision of firms in this area.
On 7 November, the FCA issued the findings of its "risk-based" review of a mixed sample of 12 current account holders, challenger banks and payment firms. The high-level evaluation, which focused on APP fraud, picked out anti-fraud controls, customer experience and complaint handling as key areas for improvement. Although the review recognised some good behaviours in the market, it also found "several common weaknesses in key areas of firms' fraud risk management frameworks and customer treatment", which put customers at risk of financial harm.
With comparatively little time until payment firms will be liable in many cases (absent, for example, fraud or gross negligence by the customer themselves) to reimburse customers for losses arising from APP fraud, the guidance from the FCA will no doubt be of significant interest to firms, not least as the FCA's focus on prevention may seem more attainable and perhaps fairer than the PSR's approach of after-the-event reimbursement.
- Inadequate management oversight. Firms are currently focused on reporting against commercial risk appetite and financial information. The FCA wants firms to apply more relevant customer-centric measures and demonstrate how those measures strengthen their compliance systems and controls as well as improving customer outcomes and service.
- Inadequate systems and controls. Some firms did not have appropriate fraud risk assessments in place to prevent and detect APP, while others did not have effective monitoring and reporting systems.
- Use of shared intelligence was generally good. Most firms actively engaged with various external bodies to discuss intelligence and horizon scan for future threats. However, some "receiving" payment service providers can be slow to freeze fraudulent funds. The FCA expects them to ensure good customer outcomes when notified of fraudulent payments.
- Customer treatment and complaints handling. The FCA was concerned that many firms did not have clear and effective communication channels with customers, and some did not provide clear information on how to report APP fraud or how complaints would be handled. This led to delays in resolving complaints and increased the risk of financial harm to customers.
- Training. The review found that some firms did not adequately train their staff on how to identify and respond to APP fraud. This led to missed opportunities to detect and prevent fraudulent activity, as well as delays in resolving complaints.
The FCA identified that most firms in the review had scope to build out further and strengthen their approach and, therefore, has made a number of recommendations to firms to address these weaknesses. These include strategies to identify fraud and act on information identified through the entire customer journey, the use of behavioural biometrics, and the use of manual intervention to create positive friction. Firms are expected to:
- Have effective governance arrangements and controls to detect, manage and reduce APP fraud and losses.
- Treat customers fairly, including when they complain, and to deliver consistently good outcomes to customers who are victims of fraud. The FCA specifically called out the new Consumer Duty as playing a key role in underpinning the FCA's expectations of firms in this area.
- Ensure they are doing enough to mitigate the risk of money mule accounts, with specific reference to the FCA's review of money mules.
Osborne Clarke comment
Although the FCA's review calls out some positive behaviours by firms, it largely identifies gaps which, if present within a relevant firm, may cause problems in due course. Although many firms may feel they are already operating best practice in these areas, this review may cause them to conduct their own review to ensure they are not caught out in future.
This is obviously a rapidly evolving area of the regulatory landscape and we expect that the pressure is going to mount for it to be recognised that there are other players at the table who will need to shoulder some of the burden.