Authorised push payment fraud and mandatory reimbursement
Insight
The Authorised Push Payment Reimbursement Scheme came into force on 7 October 2024. It applies to eligible payments made by a consumer on or after 7 October 2024 where the payment is executed by a payment service provider (PSP) through either the Faster Payments scheme or CHAPS.
As part of the previous government’s wider fraud strategy[1], and the fight against authorised push payment fraud (APP fraud), the Payment Systems Regulator (PSR) and the Bank of England are introducing a mandatory reimbursement scheme for victims of APP fraud.
APP fraud occurs when a consumer is persuaded or tricked into authorising a payment to a fraudster, whether through being deceived as to the recipient of the payment, or as to the purpose for which they are transferring the funds.
The scheme is being implemented through:
- PSR Directions to Pay.UK, the independent operator of the Faster Payments scheme.
- PSR Directions to PSPs to comply with the Faster Payments and CHAPS rules regarding the reimbursement requirement.
- Amended Pay.UK rules for Faster Payments.
- Amended CHAPS rules.
Summary of new scheme:
- Mandatory reimbursement within five working days for consumers. Consumers in this context includes microenterprises and charities, provided they are below the thresholds set out in the APP fraud reimbursement rules.
- Cost to be split 50/50 between sending and receiving PSPs.
- Applies to eligible payments made on or after 7 October 2024.
- No claim minimum, maximum £85,000.
- Voluntary excess of £100.
- Both Faster Payments and retail CHAPS payments are within scope. However, payments where the sending and receiving PSP are the same firm are not covered.
It is hoped that the new scheme will further encourage and incentivise PSPs to develop better systems for identifying fraud and effective interventions to change consumer behaviour, including improving their onboarding processes. Such systems include considering appropriate transaction limits, improving "know your customer" controls, strengthening transaction-monitoring systems and stopping or freezing payments that PSPs consider to be suspicious so that the PSP can investigate them further before making the payment. The FCA reiterated in its October 2024 letter to firms (see below) that PSPs should be working to reduce APP fraud by improving their anti-fraud systems and controls.
The PSR is also aiming to increase transparency by continuing to publish APP fraud data.
The reimbursement requirement
The reimbursement requirement is underpinned by 10 key policies:
- Sending PSPs must reimburse all eligible customers who fall victim to APP fraud.
- Customers must be reimbursed within five business days (subject to a “stop the clock” provision if the sending PSP needs to obtain more information).
- There will be two exceptions:
- Where the customer has acted fraudulently, or
- Where the customer has acted with gross negligence, that is, outside the consumer standard of caution: see below for more details.
- There will be a voluntary claim excess of £100. PSPs may levy the full excess, a partial excess, or no excess at all. If PSPs reimburse in full and do not levy an excess, they will not be able to claim back any of the excess from the receiving PSP.
- There is no minimum threshold for claims (although some may fall below the excess).
- The maximum mandatory level of reimbursement is £85,000, for both Faster Payments and CHAPS.
- There will be a time limit for making claims of 13 months after the last related payment.
- Vulnerable consumers will be subject to the cap. However, they will be excepted from the consumer standard of caution and will not be subject to the excess.
- The receiving PSP must pay the sending PSP 50 per cent of the reimbursable contribution amount, within five business days of being notified by the sending PSP that the contribution is payable.
- “Multi-step” fraud cases that involve more than one payment will also be covered. The reimbursement requirement will apply to an account controlled by a person other than the customer, where the customer has been deceived into granting that authorisation as part of an APP fraud case.
Exception to the reimbursement requirement; the consumer standard of caution
There are two exceptions to the reimbursement requirement: the first is where the consumer has acted fraudulently, and the second is where the consumer has acted with gross negligence. The latter is referred to as “the consumer standard of caution”.
In order to address industry concerns that consumers will be less careful if they do not bear the consequences of being defrauded, consumers are subject to an express standard of care in relation to authorised push payments and the PSR has published guidance on this.
The guidance states that the standard of care includes four elements:
- The requirement to have regard to interventions. Customers should have regard to specific, directed interventions made either by the sending PSP or by a competent national authority. Any intervention should be bespoke. They must be consumer, scam and transaction-specific and should not consist of “boilerplate” written warnings. Where a consumer chooses to proceed with a transaction after an intervention by the PSP, they should not automatically be deemed to be grossly negligent. Rather, the PSP should conduct an assessment of the degree of negligence including, for example, the complexity of the scam to which the consumer has become victim.
- The prompt reporting requirement. As soon as possible, and no later than 13 months after the last payment was authorised.
- The information sharing requirement. Consumers will be required to respond to any reasonable and proportionate requests for information made by their PSP, which should allow providers to assess reimbursement claims and whether the consumer is vulnerable. Firms will need to consider carefully what is reasonable and proportionate, and appropriate action if a consumer does not respond.
- The police reporting requirement. Consumers should, after making a reimbursement claim, consent to the PSP sharing their details with a competent national authority.
The burden of proof falls on the PSP to show that the consumer has acted with “gross negligence”. The PSR considers this to be a higher standard than the general standard of negligence under common law and the consumer needs to have shown a very significant degree of carelessness to fall within the exception. PSPs should not place additional standards on consumers. For example, the guidance states that PSPs should not impose any terms and conditions on their consumers that purport to shift the burden of proof to the customer or require consumers to disprove that they were grossly negligent.
Ability to delay crediting an account
The Payment Services (Amendment) Regulations 2024 amend the Payment Services Regulations 2017 to allow a payment service provider to delay crediting a transaction to a payee’s PSP’s account in cases of APP fraud. These are specified as where:
- The PSP has established that there are reasonable grounds to suspect a payment order from a payer has been placed subsequent to fraud or dishonesty perpetrated by a person other than the payer, and
- Such grounds are established no later than the end of the business day following the time of receipt of the payment order.
The delay must not be any longer than necessary to achieve the purpose required, that is, investigating the payment, and cannot be longer than the end of the fourth business day after the time of receipt of the payment order.
Unless it is unlawful to do so, PSPs are required to inform the payer of the fact of the delay, the reasons for the delay and any information or action required by the payer to enable the payment service provider to decide whether to execute the order.
In September 2024 the FCA consulted on consequential changes to its Payment Services and Electronic Money Approach Document, in which it gives guidance on the risk-based approach firms should take when deciding whether to delay a payment. It takes a similar approach to defining “reasonable grounds” to suspect fraud or dishonesty as that taken in the Joint Money Laundering Steering Group Guidance on the Prevention of Money Laundering and Combatting Terrorist Financing.
The FCA is expecting to publish the updated approach document by the end of the year.
Consumer communications
Sending PSPs were required to inform their customers about their rights under the reimbursement requirement and reimbursement rules, before the scheme came into force, and must update their terms and conditions, if they have not already done so, by 9 April 2025.
In August 2024 the PSR published “Information on consumer communications for PSPs” to assist PSPs with communicating with their customers about the new scheme. It is not considered guidance, or intended to be prescriptive, but allows firms to decide how best to communicate with their customers, based on their business model and other requirements.
The PSR is aiming for the following outcomes:
- Consumers should be aware that they can be reimbursed by their PSP for APP fraud and should receive clear and consistent messaging about the scope of protections, including exclusions.
- Consumers should understand what to expect if they do fall victim to an APP fraud and make a claim for reimbursement.
- Consumers should be aware of the steps they can take to protect themselves from falling victim to an APP fraud and how their PSP can protect them.
The PSR reminds firms that they should also consider the requirements of the Consumer Duty when communicating with customers.
Guidance on supporting the identification of APP frauds and civil disputes
Following industry concerns that it may be difficult to distinguish between an APP fraud and a civil dispute, in September 2024 the PSR published PS 24/6 guidance on supporting the identification of APP frauds and civil disputes.
The PSR had already confirmed that claims which relate to a civil dispute would not be reimbursable under the new scheme. However, as civil disputes and scams might look very similar, the PSR has stated that PSPs should consider each case carefully on its facts. The PSR sets out key factors for the PSP to consider as part of its assessment, including, for example, the extent to which the alleged scammer deceived the consumer as to the purpose of the payment.
The PSR considers that if the consumer has paid an unintended recipient, there is no evidence of an error, and there is evidence of an intent to defraud, then it is likely that an APP fraud has taken place. On the other hand, civil disputes often involve instances where a consumer has paid a legitimate supplier for goods or services and has not received them, or has received them in a defective way, and there is no intention to defraud by the alleged scammer.
FCA “Dear CEO” letter to PSPs
In October 2024, the FCA published a “Dear CEO” letter to PSPs on its expectations for in-scope firms under the APP Fraud Reimbursement Scheme. As noted above, the FCA expects PSPs to be working to reduce APP fraud by improving their anti-fraud systems and controls. In November 2023 the FCA published examples of good practice for firms’ anti-fraud controls and complaint handling in firms, which included having effective governance arrangements, and appropriate customer due diligence controls at onboarding stage.
The FCA also stressed that the Consumer Duty applies to firms’ treatment of customers under the reimbursement scheme.
In particular, the FCA considers that the Consumer Duty applies to what they refer to as “on us” payments (where the same PSP is both the sending and receiving institution). As firms would not need to use Faster Payments or CHAPS to make such a transfer, they are not in scope of the reimbursement scheme. Nevertheless, the FCA has said that it expects firms to reimburse customers anyway, in line with their obligations under the Consumer Duty, and that if they chose not to do so they would need to contact the FCA and explain why.
Monitoring and compliance
In July 2024, the PSR published its finalised rules for in-scope PSPs relating to monitoring and compliance. Pay.UK is responsible for monitoring all directed PSPs’ compliance with the FPS reimbursement rules. Pay.UK published its final compliance monitoring regime in July 2024.
Pay.UK has made several changes to its rules which place obligations on PSPs to provide data in the manner and form it requires. Pay.UK has procured a single reimbursement claim management system (RCMS). PSPs will use the RCMS to manage FPS APP fraud claims, communicate between themselves and report data to Pay.UK.
The PSR is proposing phased reporting from the start of the regime coming into force, with the more comprehensive reporting standard starting on 1 May 2025.
There is no central system for PSPs using CHAPS. Instead, they will provide information bilaterally, including deciding the payment system to be used for the reimbursable contribution, and will report information directly to the Bank via email, using the published reporting standard.
The rules
The reimbursement requirement is being implemented via the following legal instruments:
- Specific Requirement 1 to Pay.UK to insert the reimbursement policies into the Faster Payment Scheme rules (including separate instruments mandating the value of the maximum level of reimbursement, the maximum excess and the Consumer Standard of Caution).
- Specific Direction 19 which imposes responsibilities on Pay.UK to monitor compliance with the reimbursement rules, to take steps to improve PSPs’ compliance and to gather data and report to the PSR.
- Specific Direction 20 which directs PSPs to reimburse APP scam payments and comply with the Faster Payments Rules.
- Specific Direction 21 to direct and indirect CHAPS participants to reimburse APP scam payments and comply with CHAPS rules.
- Amended Faster Payments Scheme rules.
- CHAPS Reimbursement Rules (New Annex A to the CHAPS Reference Manual).
Next steps
The FCA is due to publish its updated Payment Services and Electronic Money Approach Document by the end of 2024.
The maximum reimbursement level will be reviewed in Q4 2025.
The PSR has committed to publish a post-implementation review in 2026.
[1] Tackling fraud and rebuilding trust (publishing.service.gov.uk)
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2024