
The Payment Systems Regulator introduces plans for mandatory reimbursement for APP fraud


In September 2022, the Payment Systems Regulator (PSR) published a consultation paper which developed its proposals for mandatory reimbursement and cost allocation for authorised push payment fraud. In this article, we examine the current requirements on payment service providers in relation to APP fraud, the PSR’s proposals and practical implications for affected firms.

What is authorised push payment fraud?

An authorised push payment (APP) is a payment where a payer, often an individual consumer, instructs their payment service provider (PSP) to send money from their account to another account. PSPs include banks, credit unions and electronic payment institutions. The payments are typically executed via CHAPS or Faster Payment System (FPS). APP fraud occurs when the payer is deceived into making an APP to an account controlled by a fraudster. The FCA Handbook contains a rather longer definition of authorised push payment fraud, but essentially the meaning is the same.

APP fraud is significant in scale and is the largest type of payment fraud in the UK. In 2021, UK Finance found that losses to APP frauds totalled £583.2 million, a 39 per cent increase on the previous year. UK Finance also noted that many cases go unreported, so the real figure could be much higher. Of these reported cases, currently only 46 per cent of total APP fraud losses are reimbursed to the victim.

What obligations do PSPs have at the moment?

APP fraud has been a cause for concern for some time, and the PSR began working on this type of fraud in 2016 following a super-complaint from Which?. In 2019 this led to the establishment of the Contingent Reimbursement Model (CRM) Code, which is overseen by the Lending Standards Board. Ten major PSPs (including the high street banks) have signed up to the voluntary CRM Code, which led to a significant increase in reimbursements to consumers. However, the PSR has highlighted the following issues:

  • the CRM Code is voluntary and many PSPs have not signed up to it, so consumers get different levels of protection against potentially life-changing APP scam losses depending on where they bank;

  • for those PSPs that are signatories, there is considerable variation in reimbursement rates between signatories;

  • the overall level of reimbursement under the CRM Code is still below 50 per cent;

  • given that not all PSPs are signatories to the CRM Code, this has led to fraudsters targeting non-Code signatory PSPs, for example, where those non-Code PSPs have less relevant warnings and support in place;

  • there is very limited liability attached to receiving PSPs, so their incentives to address fraudster-controlled accounts are weak.

Given the above issues and the continued growth of APP scams, the PSR believes that industry needs to do more to prevent APP fraud.

What position do the Court and the FOS take on APP fraud?

Consumers who find themselves victims of APP fraud can potentially seek to take their PSP to Court for an alleged breach of the Quincecare duty.

Under the Quincecare duty, where a PSP is on notice that a payment instruction may be a fraudulent attempt to obtain the account holder’s funds, it must refrain from making or executing the payment. If upheld, the fiscal consequences of the fraud would therefore be borne by the PSP and not the receiving (fraudster’s) Bank or the victim.

The scope of the Quincecare duty has been the subject of a number of important cases in recent years. The Court of Appeal’s decision in Philipp v Barclays Bank UK PLC [2022] confirmed that it was “arguable” that the duty would arise in the context of APP fraud. Previously it was thought to only apply to corporate customers acting via agents and so the Philipp case was not welcome news for PSPs. Sadly, Philipp is yet to be heard on its facts as the Court of Appeal were only asked to determine if the duty applied and whether the first instance summary judgment should be set aside. The claim will need to progress to trial to determine whether or not Barclays actually breached the Quincecare duty. As a result, little guidance has been provided as to how a PSP can avoid breaching its duty in this context, with the Court confirming that the correct question to be determined at trial is “what facts would put an ordinary prudent banker on inquiry in the first place, and what further inquiries and steps would that prudent banker have undertaken”.

The other potential route is the Financial Ombudsman Service (FOS), which is not bound by questions of law but what is “fair and reasonable in all of the circumstances”. The flexibility afforded to the FOS has resulted in a number of claims by APP fraud victims against PSPs being upheld with additional obligations and standards being imposed on the PSP as to what is expected of them. As a result, there are concerns that the decisions of the FOS are effectively creating “new law”. A number of FOS decisions were used as proof against the argument run in Philipp by Barclays that the Quincecare duty in the context of APP fraud would be too onerous an obligation on PSPs.

This lack of clarity on the scope of the Quincecare duty has left PSPs in a position of uncertainty and at risk of falling foul of a FOS decision even if their actions could be deemed compliant by the Court.

With litigation being an expensive and time-consuming process for PSPs, it is likely that this uncertainty has also motivated the regulators to seek to provide transparency on what is reasonably expected of PSPs in cases of APP fraud.

PSR initiatives to reduce APP fraud

Since the introduction of the CRM Code, the PSR has continued to work to reduce APP fraud. A key measure was the implementation of a Confirmation of Payee (CoP) protocol. This was designed to help stop fraud and accidental missed payments by checking the payee account name matches the name and account details provided by the payer.

Initially in 2019, the PSR required the UK’s six biggest banking groups to implement a CoP protocol. The PSR’s view is that the CoP successfully prevented some APP fraud and also reduced mistaken payments. The PSR therefore directed Pay.UK to extend the CoP protocol to 400 additional PSPs so that more consumers could benefit from this protection.

In addition, in November 2021, the PSR published a consultation paper, CP21/10, detailing further proposals to protect consumers from APP fraud. CP21/10 consulted on three main measures, summarised below.

PSR CP21/10 – key proposals

Measure 1

Publishing scam data

To improve transparency and to incentivise the reduction of APP fraud, the PSR proposed that the largest PSPs publish a scorecard of APP fraud data on a six-monthly basis, including APP fraud rates and their reimbursement rates.

The PSR proposed to publish this data as a comparison of performance across PSPs.

Measure 2

Intelligence sharing

The PSR proposed to require industry to improve intelligence sharing between PSPs.

Measure 3

Wider reimbursement

The PSR wants all consumers to benefit from reimbursement protection; however, in this CP the PSR highlighted that it needed further statutory powers to carry this out.

In July 2022, the Financial Services and Markets Bill was published, which set out a new proposed power for the PSR to require mandatory reimbursement of APP fraud victims by PSPs. With this additional statutory power, the PSR issued a further consultation paper, CP22/4, in September 2022.

Key points in the PSR Consultation Paper 22/4

Building on CP21/10, and following confirmation by the government that it will provide the necessary statutory powers to the PSR to require mandatory reimbursement to consumers for APP fraud, the PSR issued CP22/4, which focuses on its mandatory reimbursement proposals. The PSR believes that these measures will improve the level of protection for victims of APP fraud and further incentivise industry to prevent such fraud.

A summary of the proposals for mandatory reimbursement is set out in the box below.

Mandatory reimbursement of consumers for all types of APP fraud where payments are sent using Faster Payments, including by PSPs directly connected to Faster Payments and PSPs indirectly connected to Faster Payments via an indirect access provider (IAP)

Application to type of consumer

Individual consumers, charities, and micro-enterprises.

The PSR believes that larger business payers can be expected to protect themselves from such fraud.

Timing for reimbursement

Unless the sending PSP has evidence or reasonable grounds for suspicion of first party fraud or gross negligence, it must reimburse the consumer within 48 hours of the fraud being reported.

If there is evidence or reasonable grounds for suspicion of first party fraud or gross negligence, the sending PSP will have more time to investigate.

Thresholds and excess amounts

PSPs can set a fixed excess of up to £35, which they can withhold from the reimbursement.

PSPs can set a minimum threshold claim for reimbursement (of not more than £100).

Costs of reimbursement

Although the sending PSP would be responsible for reimbursing the victim of an APP scam, as a default, the PSR proposes that the sending and receiving PSPs share the cost of reimbursement 50:50.

It is proposed that PSPs may depart from the 50:50 default allocation by negotiation, mediation or dispute resolution based on a more tailored set of criteria for allocating reimbursement costs. The PSR proposes that these are developed and designated in the scheme rules.

Time limits

PSPs can apply a time limit of no less than 13 months from the date of payment.

Application to types of PSP

The rules will apply to both direct Faster Payments participants and indirect PSPs (which provide accounts through another PSP’s connection to Faster Payments).

The PSR is in discussions with the Bank of England to extend its proposals to CHAPS payments.

Exceptions

The PSR is proposing two exceptions to mandatory reimbursement: first party fraud and gross negligence. The first party fraud exception is where the consumer has acted fraudulently. The PSR does not intend to require PSPs to refund consumers who have been complicit in the APP fraud themselves.

In terms of the gross negligence exception, the PSR is proposing an exemption in line with FCA guidance for gross negligence. This provides an exception to mandatory reimbursement where the customer has shown a very significant degree of carelessness.

Vulnerable customers

In line with the CRM Code which exempts consumers who are vulnerable to APP frauds from its exceptions to reimbursement including its gross negligence exception, the PSR also intends to exempt vulnerable consumers from the proposed gross negligence exception to mandatory reimbursement.

Further PSR Measures

Alongside the mandatory reimbursement proposals in CP22/4, the PSR also confirmed in that CP that it intended to take forward proposed Measure 1 and Measure 2 from CP21/10.

In terms of Measure 1, the PSR ran a voluntary reporting trial during June 2022 with seven PSPs volunteering. The PSR notes that the trial together with stakeholder engagement will inform its guidance and data template. It intends to publish a policy statement containing the final guidance and data template before the end of 2022.

In terms of Measure 2, the PSR notes that progress has been made on a “proof of concept” for intelligence sharing in order to identify fraud payments. The PSR notes that UK Finance and Pay.UK are developing standards that would allow PSPs to share data on a real-time basis. Further testing by PSPs is currently being conducted.

How does the PSR intend to implement the CP22/4 proposals?

The PSR does not intend to implement these proposals directly. Instead, it intends to ask the payment system operator, Pay.UK, to implement these mandatory reimbursement proposals. The PSR believes that Pay.UK is the appropriate body to undertake this role as it has the operational oversight and the necessary expertise on what happens in practice. In the PSR’s view, Pay.UK’s rulebook is the most practical approach to addressing the harms from fraud in the payment system. However, the PSR does acknowledge that Pay.UK already has important projects to deliver, such as the transition from Faster Payments to the New Payments Architecture (NPA), which should itself help to reduce APP fraud.

While the PSR acknowledges that it could use its powers to direct PSPs to implement its requirements, it does not prefer this approach, although it may be necessary in the short term. CP22/4 asks for feedback from industry on implementation routes by the PSR.

In addition, in the short term, the PSR acknowledges there may be a case for considering alternative options for implementing some elements of the requirements for mandatory reimbursement on monitoring, on enforcement of compliance and on applying rules to indirect participants.

In terms of the timeline, the PSR has said it would like the core requirements in respect of mandatory reimbursement to be in place for consumers as soon as possible and no later than during 2024.

Practical considerations for PSPs

Mandatory reimbursement will of course increase costs for most if not all PSPs. This is a consequence intended by the PSR in order to incentivise PSPs to work to prevent APP fraud, although such measures will themselves come with additional costs.

Smaller PSPs in particular may find the reimbursement costs onerous and while the PSR’s view is that this should further encourage PSPs to have stronger anti-fraud measures, these measures will also result in higher compliance costs, which could have an impact on the number of smaller PSPs in the market. The PSR has noted that it is working with the FCA and the PRA to consider how risks to individual small PSPs can be monitored and managed.

The requirement that the reimbursement should be split 50:50 may cause issues for PSPs in terms of administration costs, and the proposal for a dispute resolution process to adjust this allocation to better reflect steps taken by each PSP to prevent the fraud is likely to increase the costs of business for PSPs.

While the minimum threshold of up to £100 and the maximum excess amount of £35 are likely to be useful and welcomed by PSPs, it is questionable whether such amounts are significant enough to encourage consumers to be careful and to thoroughly question whether there is a risk that their APP is subject to fraud. In any event, PSPs should thoroughly publicise their threshold and excess amounts as part of their financial education for consumers.

Ongoing consumer education about APP fraud will continue to be an important part of seeking to reduce this crime and the costs to PSPs.

Conclusion and next steps

The PSR is keen to hear from all stakeholders before CP22/4 closes on 25 November 2022 and intends to publish a policy statement on mandatory reimbursement early in 2023. Providing the relevant provisions of the Financial Services and Markets Bill come into force around spring 2023, the PSR would like to see its mandatory reimbursement requirements in place for consumers as soon as possible, and no later than during 2024.

The PSR is also continuing to work on Measure 1 and Measure 2 as set out in CP21/10, and PSPs can expect further policy statements from the PSR on APP fraud data reporting and intelligence sharing.

The PSR has also been working collaboratively with the FCA on an APP fraud tech sprint, which took place at the end of September 2022 and brought together financial services providers, regulators, technology providers and others to collaborate on APP fraud use cases, such as how might firms below real time APP fraud prevention. The outcome from the tech sprint will feed into the regulators’ work in this area, particularly the PSR’s work on Measures 1 and 2 as set out in CP21/10.

If you require further information about anything covered in this briefing, please contact Grania Baird, Kya Fear, Victoria Atkins, or your usual contact at the firm on +44 (0)20 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, November 2022

About the authors

Grania Baird

Partner

Grania leads the financial services regulatory and funds practice at Farrer & Co. She has over 20 years of experience acting for clients across the sector, including private banks, wealth managers, asset managers and, more recently, payment services firms and Fintech businesses.


Kya Fear

Senior Associate

Kya is a senior associate in our Banking and Financial Services team providing advice to financial services firms, including, asset managers, wealth managers, private banks, and charitable institutions on a broad range of legal and regulatory issues.  


Victoria Atkins

Senior Associate

Victoria is a senior associate in the dispute resolution team who advises both claimants and defendants in a variety of complex, high value contentious matters. 
