New Challenges for tackling Authorised Push Payment Fraud

The Payment Systems Regulator (PSR) has recently announced significant changes to the mandatory reimbursement regime for Authorised Push Payment (APP) fraud proposed for implementation by late 2024. The landmark reform will create significant challenges for financial institutions. This blog summarises recent developments, explores the difficulties and concludes with practical guidance and comments on the outlook.

Recent developments

The PSR consulted on the mandatory reimbursement scheme for APP fraud in 2022 and has recently published responses to the consultation, the draft legal instruments and further guidance. The proposals may be summarised as follows:

• Payment System Providers (PSPs) must provide “mandatory” reimbursement in “most cases” of a “payment scam” where a claim is made within 13 months of the final payment to the fraudster. There are two exceptions: first, where the PSP can show that customer has acted fraudulently; secondly, where the customer has acted with gross negligence (known as the “customer standard of caution”).
• A sending PSP must reimburse a victim within five business days, except where they 'stop the clock’ by investigating further; for example, by gathering additional information to assess the claim or where a claims management company submits a claim, verifying the company’s legitimacy.
• Pay.UK will oversee the scheme but the draft legal instruments are designed to allow the PSR to enforce the provisions where necessary.
• The cost of reimbursement will be shared 50/50 between the sending and receiving PSP.
• Additional care will be required for “vulnerable consumers,” which will be defined in accordance with the current Financial Conduct Authority (FCA) requirements for this category of customers.
• PSPs will have the option to apply a claim excess; the PSR is currently consulting on this issue, having identified three potential options (fixed excess; percentage excess and percentage excess with a cap). The PSR is also consulting on a proposed maximum level of reimbursement of £415,000 per claim.

The PSR will consider the feedback to the consultations with a view to publishing the final details in late 2023 and early 2024. The PSR and Pay.UK are also holding a series of workshops and presentations to engage with stakeholders.

The Challenges 

There are several challenges that PSPs face in the application of the new reimbursement requirement, including practical difficulties and managing obligations that intersect with the new requirements, as well as several areas of uncertainty.

Practical difficulties 

Practical difficulties arise in various areas, but an overarching concern is how to balance protecting consumers from fraud whilst not causing excessive friction in the processing of payments. As to the former, the PSR has indicated that PSPs should implement additional fraud prevention measures to combat fraud to act in accordance with the new scheme. The PSR has explained that it expects additional warnings to tackle fraud should not be the “boilerplate” alerts that are “routinely accompany most or all transactions of a similar type,” but instead should be customer specific and “tailored” to the different types of customers. However, insisting on bespoke wording overlooks the vast volume of low value transactions that cannot easily be identified into different categories of potential customers and/or types of fraud. The problem of taking further safeguards to combat fraud are illustrated by the UK Finance statistic that 31% of financial institutions are currently having difficulty measuring and understanding effective ways in combatting scams even prior to the new measures. The other side of the coin are the higher value claims that represent 25% of the value of all APP fraud; many of the customers within this category are ‘under the spell’ of a scam, who can become indifferent to persistent warnings from PSPs and law enforcement; instead, continuing to engage in scam activity despite safeguarding attempts.

Although, the ‘stop the clock’ provisions may allow sending PSPs to conduct further investigations by extending the five day period for a claim, this process is likely to result in significant delays and the PSR has indicated these provisions should only be used in a “proportionate” and “reasonable” manner without any guidance on this issue. Further, that failings by PSPs to ensure “timeliness of reimbursement” may result in enforcement action. The problems are greater for receiving PSPs that have no engagement with the sending customer but will still be liable for half the costs of reimbursement and appear not to be able to utilise the ‘stop the clock’ provisions to obtain further information.

There are also concerns with the introduction of additional information sharing requirements on PSPs to monitor implementation. The additional disclosure duties overlook the extensive existing data sharing burdens on PSPs and the limited legislative mechanisms to facilitate information sharing in the sector. The expected implementation date has been an ongoing concern because it is widely regarded unachievable.

Balancing other legal requirements

PSPs also need to grapple with the challenge of the interaction of the new scheme with other legal requirements; including FCA regulations and the Quincecare duty, as well as Anti-Money Laundering (AML) standards. This presents further layers of complexity.

In respect of FCA standards, the PSR guidance states that is will rely primarily on several the existing FCA expectations when judging several aspects of the scheme, including in respect of judging firms’ approach to gross negligence and vulnerable consumers. When assessing gross negligence, it is likely that the PSR will look to the new FCA Consumer Duty in delineating the scope of caution expected from customers. It is therefore essential that financial institutions ensure consistency with approaches in applying the PSR and FCA rules. In practice, this will be difficult, particularly where the FCA Consumer Duty envisages that firms should ensure customers are satisfied with the services offered, including speed and compliance with payment instructions, and not preventing access to funds that may pose financial hardship for customers. For example, the FCA has warned firms implementing the FCA Consumer Duty that they should not be creating excessive friction in processing payments, observing that some firms have chosen to “freeze a disproportionate number of accounts, for too long, and without adequate explanation” in response to potential fraud. The letter urges firms to take better care of their customers by freezing accounts less frequently, investigating possible fraud faster, communicating better with affected customers and supporting those “put in acute financial difficulty” after having their accounts frozen. These comments show that it can be challenging to balance adequate customer outcomes when processing payments and combatting financial crime.

PSPs are also required to execute payment instructions in accordance with existing common law obligations when outside the regulatory framework. This is typically for international transactions that are not covered by the scheme. In this arena, the Supreme Court has recently provided some clarity by confirming that a bank should generally be entitled to treat a customer's mandate at its face value save in extreme cases when a bank is placed “on inquiry” of fraud. Such extreme cases may include the bank knowing of, or shutting its eyes to, obvious dishonesty, and in the contemporary context, suspicion for the purpose of the statutory money laundering regime. The decision, in which UK Finance intervened, suggests a higher threshold for liability in respect of international payments that contrasts with the differentiated approach applied under the scheme. Even under the common law framework, there also remains uncertainty around the circumstances where a bank will be “on inquiry” and the adequate steps banks will be expected to follow to recover funds dissipated following fraud. The ambiguity on these points, considered only briefly in recent cases, necessitates ongoing monitoring of court proceedings assessing these issues for further guidance.

There is also a potential tension between the new requirements and existing AML obligations. The PSR has confirmed that where a PSP ‘knows’ or ‘suspects’ that a person is engaged in money laundering or dealing in criminal property, they must submit a Suspicious Activity Report (SAR). By way of illustration, a PSP may suspect that a customer is involved in money laundering, which triggers a requirement to submit a Suspicious Activity Report (SAR). If there is also a risk of dealing with criminal property in a way that may amount to a money laundering offence under Part 7 of Proceeds of Crime Act 2002 (POCA), PSPs should consider whether to request a defence against money laundering (DAML) from the National Crime Agency (NCA), setting out their suspicion, details of the transaction or arrangement and detail of the entities involved. The NCA will have seven days to respond. However, if a customer triggers a reimbursement claim, the five day time limit for reimbursement will commence and the PSP may also be required to request further information to investigate the claim to utilise the ‘stop the clock’ provision. This investigation process in this circumstance will be a delicate exercise because there may be risk of “tipping off” the customer, which is also prohibited under POCA. Firms have experienced several difficulties in this area prior to the reforms; as evident from a FCA Dear CEO letter to retail banks detailing control failings across AML frameworks. The FCA observed “instances where the process by which firms’ employees can raise internal SARs to the nominated officer is either unclear, not well documented, or not fully understood by staff. In one example, a customer may have been alerted to money laundering concerns due to investigators not being appropriately trained in how to investigate potential suspicious activity. An additional concern is that often firms are unable to adequately demonstrate to us their investigation, decision-making processes, and rationale for either reporting or not reporting SARs to the National Crime Agency.” The new reimbursement scheme will make the process of managing AML risk an even greater challenge for the financial services sector.

Uncertainty 

Based on the current proposals, there are several aspects of the new scheme that may prove inherently uncertain to apply in practice; such as the customer standard of caution, the extent to which PSPs will be permitted to “stop the clock” in a “proportionate” manner, and the definition of vulnerable consumers. The consultation on the claim excess also presents several competing options that will have vastly different outcomes for PSPs. There will not be clarity on this important aspect of the scheme until late 2023.         

The PSR has published additional guidance on the customer standard of caution (gross negligence) but there remains further areas of uncertainty. In summary, the guidance provides that the standard has three aspects:  

• A requirement for consumers to have regard to specific, directed warnings given by their bank. PSPs should assess the complexity of the APP scam, including any social engineering consumers may have faced.
• Consumers who are, or suspect they are, a victim of an APP scam should notify their bank promptly and, in any event, not more than 13 months after the last fraudulent payment.
• Consumers should respond to any “reasonable and proportionate requests for information made by their bank to help them assess a reimbursement claim, or to determine if a consumer is vulnerable.”

If it can be demonstrated that the consumer has been grossly negligent in not meeting one of more of these requirements, then they may not be reimbursed. However, the PSR has explained that “gross negligence is a very high bar which will critically depend on the individual circumstances of each case. The PSR only expects it to apply in a small minority of cases. Gross negligence will never apply where a victim’s vulnerability is a factor in them being defrauded.” Given this, it seems that consumers will only have to exercise limited care in processing payments, simply having regard to relevant warnings. The primary burden will consequently be on PSPs to implement warnings to tackle fraud and respond to information provided by the consumers. It therefore seems warnings will be crucial issue in assessing customer caution, but there is a degree of ambiguity on this issue. With the PSR explaining that it does “not propose to be prescriptive on the approach that PSPs should take in creating tailored, specific warnings. It will be up to providers to develop their own operational approaches and identify effective best practice.”

At the time of writing, it remains to be seen how the PSR will frame its final policy for implementation in 2024. Irrespective of any further clarity, it is likely the implementation of additional warnings and the information sharing requirements will result in significant additional friction in the processing of payments and has the potential to see vastly many more genuine payments stopped as a result. There may also be insufficient time before implementation to address any concerns with the current guidance. Moreover, the PSR has confirmed that they have no plans to provide any additional direction on the meaning of the “proportion” and “reasonable” use of stop the clock and vulnerable customer provisions, which renders the risk of enforcement or prosecution for misinterpretation of these pivotal parts of scheme.

Due to the vagueness around these and other points, the PSR has accepted that immediately following implementation there may be a degree of uncertainty in precisely how PSPs should follow the scheme rules, including in respect of the customer standard of caution, which could lead to disputes being brought to the FOS. As noted above, outside the regulatory standards, the common law will remain, where most cases do not reach the courts but follow the path of an internal review of a complaint, which is escalated to the FOS. Given this, it is likely that the FOS will be addressing most complaints arising from APP fraud during the forthcoming years. The nature and structure of the FOS system results in no remit for regulatory or judicial authority to provide precedent, consistency, or guidance in future cases. In short, there is no way to ensure the coherent application of regulatory standards by the FOS. Absent wider reform of this vehicle to resolve consumer redress, it is likely that we will see uncertainty in the application of the scheme for several years as it is embedded into the Faster Payments System.

Preparing for the proposals

Although changes to the proposals may be unlikely, it remains important that financial institutions engage with the PSR and Pay.UK during this critical time as the proposals are finalised. We suggest monitoring the PSR consultations and announcements closely.

The PSR may undertake enforcement action where PSPs fail to introduce the measures adequately and/or due to operational disruption that may occur during the implementation process. It expects Pay.UK to take initial steps to address failings, which if remain unresolved should be referred to the PSR. Examples where the PSR foresees that Pay.UK will refer a case include:

• A consistent failure by a PSP to abide by the new reimbursement requirement and underlying policies; such as, where a PSP has failed over a sustained period to improve timeliness of reimbursement.
• An extreme compliance failure by a PSP to abide by the new reimbursement requirement. For example, where a PSP refuses to implement the new reimbursement requirement.

In the past, the PSR has used its enforcement powers to issue directions, such as the specific direction against VISA due to failures to operational disruption in authorisations for a six hour period when 2.4 million worth of transactions failed. We have also seen fines against banks for overcharging customers due to the incorrect application of payment rules to consumer credit card customers, who were charged higher rates applied to commercial accounts. 

In the future, the PSR may look to hold senior managers increasingly accountable; particularly given that the PSR Regulatory Principles include a mandate that the regulator ensure “[t]he responsibilities of the senior management” for compliance with the exercise of PSR legislative powers, including the giving of general directions. It is therefore important that those overseeing the changes have adequate measures in place to ensure they have adequate understanding of the implementation process and can intervene where necessary.

PSPs will also need to take practical measures to prepare for the proposals, which may include the following steps:

• Introduce additional ways where possible to identify transactions with higher risk of APP fraud.
• Expand investigations into the threats to customers and align protection accordingly.
• Increase customer fraud awareness initiatives.
• Identify vulnerable consumers and contact this group with further information on how to protect against fraud.
• Train staff to prepare for the changes.
• Implement additional methods to freeze and recover fraudulently transferred funds.
• Use risk-based, tailored, and effective warnings to help combat fraud.
• Due to the piecemeal nature of the publication of all aspects of the scheme, firms should continually re-evaluate and return to previous plans to reflect ongoing developments.
• Prepare for increases in customer complaints and referrals to the FOS.
• Address data collection and provision tools to comply with new information requirements.
• Given the importance of coordination between PSPs under the terms of the reimbursement model, it will be necessary to engage with other PSPs to install the reimbursement scheme.

In short, the proposals necessitate a significant level of coordination, which can be achieved by aiming to implement a single framework across firms and affected third parties. Culturally, it is equally important to meet regulators’ expectations that firms will embed the principles of safety and soundness across the whole organisation.

Outlook

Based on the current proposals, there are several aspects of the new scheme that may prove inherently challenging to implement. Given the complex and emerging landscape, financial institutions will need to prepare for bespoke approaches for different categories of customers. In circumstances where firms cannot predict easily which regime will apply as part of a multi-tiered landscape, it will be a significant operation requiring careful coordination. With recent statistics indicating that tech companies account for over 85% of all scams, the finance sector must also keep pressing for the Government, PSR and FCA to undertake systemic reform to address the root cause of APP fraud. Policy recommendations may include ensuring greater coordination amongst Government agencies and increasing oversight of tech companies. Ultimately, in response to a universal threat of APP fraud, which seems ever-growing in a rapidly transforming banking and payments sector, a clear, coordinated, and consistent governmental and regulatory response is required.

Further guidance on the proposals are available in an article in the October edition of the Butterworths Journal of International Banking and Financial Law.