UK boosts consumer protection against authorised push payment fraud
Published on 21st Jul 2023
New rules on reimbursing victims are likely to have significant industry impact
Authorised push payment (APP) fraud remains a significant issue across the financial services industry. APP fraud occurs when an individual is conned into making a bank transfer to a fraudster. This type of scam can be difficult to tackle as the transfer looks legitimate from the perspective of the individual's bank – it is, by definition, "authorised", using the individual's log-in details, passwords, and biometric or other two-factor authentication methods.
Huge scale of APP fraud
The scale of the problem in the UK alone is huge: in 2022, APP fraud losses topped £485 million, with unreported losses likely to significantly increase that number.
APP fraud has been facilitated by the growth of real-time or faster payments systems, such as Faster Payments in the UK and SEPA (Single Euro Payments Area) Instant in the EU. Faster payments systems were used for 97% of APP fraud payments in 2021. By being able to access transferred funds in real time, fraudsters have greater room to dissipate or move funds away from the payer and make them harder to trace and recover.
Under the current model, ten financial institutions are responsible for reimbursing their customers under a voluntary code: the Contingent Reimbursement Model (CRM) Code. However, this usually leads to only a proportion of victims being reimbursed: the proportion reached 66% in 2022, whereas in 2018 fewer than 25% of losses by value were reimbursed.
The Financial Ombudsman Service (FOS) now receives more complaints where the financial provider has not signed up to the CRM Code (according to its 2022/23 financial year data). The FOS considers this is likely because banks that have signed up to the code have better fraud prevention measures, as well as higher reimbursement rates for their customers.
The Payment Systems Regulator (PSR) has, for some time, been trying to put in place more expansive measures to ensure that victims are reimbursed for their losses. It has issued a number of consultations in recent years, but has lacked a good statutory basis to make any mandatory rules. However, the Financial Services and Markets Act 2023, which recently received Royal Assent, allows the PSR to impose reimbursement requirements on participants operating across Faster Payments.
What are the new rules?
The PSR published a policy statement in June 2023 setting out its new approach, which represents a significant change from the current approach under the CRM Code.
The reimbursement requirement is mandatory in all circumstances where an individual, microenterprise or small charity (a "customer") has been deceived into authorising a payment via Faster Payments; all types of APP fraud are to be included.
All payment service providers (PSPs), not just the institutions that are signed up to the voluntary CRM Code, are now required to reimburse: this increases the number of firms covered by the obligation to around 400.
The reimbursement requirement does not apply to:
- international payments;
- payments across different payment systems (for example, where funds are sent to a crypto-exchange and the fraudster is paid in digital assets); or
- civil disputes (for instance, where there was no fraud, merely a dispute about whether the goods and services paid for were delivered as agreed).
In a significant shift from the current mechanism (in which the payer's bank bears all of the cost), the cost of reimbursing victims is to be shared 50:50 between the sending and receiving PSPs. PSPs must reimburse customers within five business days (though PSPs can "stop the clock" to investigate the claim).
The sending PSP has an option to include a reimbursement "claims excess". A later consultation on this point will follow.
While there is no minimum value threshold, there will be a maximum value threshold – again, a later consultation on this point will follow.
Sending PSPs have an option not to reimburse claims submitted more than 13 months after the date of the final payment.
Perhaps the most significant change is the way in which customers can be excluded from the right to reimbursement based on their own conduct.
There is, of course, no right to reimbursement where there is evidence that customers have themselves acted fraudulently. However, beyond fraud, customers will only fall outside the regime when they have acted with "gross negligence". This is also referred to as the "customer standard of caution". It is explicitly a high bar, and the burden will be on the PSP to prove it.
There are enhanced protections for those categorised as "vulnerable customers" under Financial Conduct Authority guidance. Victims of APP fraud who fall under this definition will not be subject to the customer standard of caution or any claims excess, and the PSR will consult on whether vulnerable customers will be subject to the maximum value threshold for claims.
This represents a significant change from the current position under the CRM code where it is sufficient that the relevant bank gave a customer "effective warnings" and the customer ignored those warnings. There is currently no guidance on whether ignoring effective warnings would constitute gross negligence but – given the overall approach being taken by the PSR – PSPs would be well advised to take a cautious approach.
Later this year, the PSR will consult further on the appropriate levels for the maximum value of reimbursement, the maximum claim excess and the guidance as to the meaning of gross negligence under the customer standard of caution.
It will also prepare draft legal instruments to provide a basis for payments operator Pay.UK's role in implementing and overseeing the new regime.
While the new reimbursement requirement will come into force in 2024, the regulator expects industry to start work now to implement the new requirement.
Osborne Clarke comment
The policy intention behind this new reimbursement requirement is clear: it greatly increases the scope of APP fraud protection.
In doing so, the PSR has sought to balance the potential risk that, if customers are more confident of being reimbursed following APP fraud, they may take less care to ensure that a payee is not a fraudster. It seeks to address this concern with the introduction of the customer standard of caution. The guidance on this standard is yet to be agreed, but with the PSR seeing "no credible alternative" to a bar of gross negligence (a position that is supported by consumer groups) it is likely to require conduct that is exceptional.
The PSR has also sought to balance the roles of the sending and receiving PSPs, and with the introduction of the 50:50 split is clearly envisaging receiving PSPs taking a more active role in preventing APP fraud. That said, the requirement applies to all PSPs irrespective of size, so it will be interesting to see how different PSPs react to it, given differences in: regulatory status (banks versus EMIs (electronic money institutions) or APIs (authorised payment institutions)), customer profiles, payments profile (value and volume of payments, net sending or receiving, and so on), role (such as agency banks) and general sophistication (technology to support real-time analysis of fraud risk).
We look forward to watching how this reimbursement requirement evolves, and hope it achieves its policy objective of consumer protection without unintended consequences.
Adam Rutledge, a Trainee Solicitor with Osborne Clarke, contributed to this Insight.