This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

Freshfields Risk & Compliance

| 5 minute read

Stop that payment! FCA guidance on delaying payments suspected to be APP fraud

On 9 September 2024, the FCA launched a Consultation in which it proposes changes to its guidance to payment service providers (PSPs). The changes are intended to reflect the Treasury’s draft statutory instrument (published in March 2024), which would amend the Payment Services Regulations 2017 (the PSRs 2017) to allow PSPs more time to delay processing payments if they have reasonable grounds to suspect fraud or dishonesty by someone other than the payer. 

The context

A series of high-profile litigation, including the seminal case of Philipp v Barclays (see our previous blog here), and the more recent decision in CCP v National Westminster Bank (see our previous blog here) drew sharp focus on the challenges and consequences of authorised push payment (APP) fraud (where someone is deceived into authorising a payment either (i) to an account they believe belongs to a legitimate payee but which is being controlled by a fraudster, or (ii) for something they believe is legitimate but is fraudulent). According to UK Finance’s data, APP fraud losses totalled over £450m last year, affecting both businesses and individuals. The proposed amendments to the FCA’s guidance are the latest in an ever-growing body of regulation, guidance and case law relating to the fight against APP fraud, with the Payment Systems Regulator’s requirement that PSPs reimburse victims of APP fraud within the Faster Payments System coming into effect next month.

Overview

The FCA proposes to amend its guidance to PSPs in its “Payment Services and Electronic Money – Our Approach” document (the Approach Document) to address:

  • when and how PSPs should consider whether to delay an outbound payment transaction, and when to notify customers of this;
  • how PSPs should treat potentially suspicious inbound payment transactions; and 
  • how the FCA will monitor and evaluate PSPs’ implementation of the payment delays legislation when enacted, and the information it expects PSPs to provide to the FCA. 

Key takeaways from the proposed amendments

Outbound payments 

Currently, once an outbound payment order is received, subject to certain exceptions, the payer’s PSP must ensure that the amount of the payment transaction is credited to the payee’s PSP’s account by the end of the business day following receipt of the payment order (regulation 86(1) of the PSRs 2017). Following industry feedback, HM Treasury accepted that PSPs may require additional time to conduct proper investigations into the legitimacy of a payment.  HM Treasury has therefore proposed amended legislation that would allow PSPs to delay processing a payment for up to four business days where the PSP has “reasonable grounds to suspect […] fraud or dishonesty perpetrated by a person other than the payer”. 

To meet this test, PSPs will need to demonstrate they took reasonable steps in the circumstances to understand the nature and rationale for the transaction, the amount involved, the intended destination of the funds and whether the payee appears to have any links with criminality. There are numerous factors which may indicate a payment is suspicious (with the proposed guidance giving examples including the transaction being to a new payee and not of the size, frequency or purpose that is consistent with their usual habits, or where the payee has a history of quickly forwarding on inbound payments without clear rationales). However, those examples are not exhaustive, and there is no “single decisive factor” for meeting the test, with the relevance and weight for each factor to be considered on a case-by-case basis.

While the amended legislation permits a longer period of delay, this should not be used “automatically”, but only where the PSP has suspicions by the end of the next business day and requires more time to contact the customer or third party (such as a law enforcement agency) to gather the necessary information and prevent fraud. The delay should still be no longer than needed, but in any event no longer than four business days.

The amended legislation, if enacted, will also generally require PSPs to notify the payer and provide information for the reason for the delay, and how to resolve it – even if the PSP is not making enquiries of the payer. The proposed guidance in the Approach Document indicates the payer should be notified with sufficient information to enable them to understand the risks identified as soon as possible (but no later than one business day after receipt of the payment order) and reminds PSPs of their obligations under the Consumer Duty (see our previous blog here), including regarding communications with customers. The payer’s PSP should also inform the payee’s PSP where the transaction has been delayed – to avoid the risk of duplicative investigations by both PSPs and additional delays. 

Where the payer is not a consumer , a micro-enterprise or a charity, the payer and the PSP may agree to contract out of the option to delay processing payments in connection with payment transactions under framework contracts and single payment transactions.

Inbound payments 

While the payment delays legislation only applies to outbound payments, the Consultation notes there is reported uncertainty regarding PSPs’ ability to delay inbound payments where they suspect fraud. As such, the FCA proposes to also update its guidance on this issue to clarify to how the force majeure provisions of the PSRs 2017 operate, and when they might be triggered. 

Currently, a payee’s PSP must ensure that the amount of the payment transaction is at the payee’s disposal immediately after that amount has been credited to that PSP’s account (regulation 89(3) of the PSRs 2017), with the current guidance indicating “immediately” means no longer than two hours in normal circumstances and, unless payment is received out of business hours, the same business day. 

The proposed guidance explains that the FCA’s view is that a payee’s PSP would not be liable for contravening the above requirement by virtue of the force majeure provisions under regulation 96(2) of the PSRs 2017, where (i) making the funds available would breach any of the provisions of Part 7 of the Proceeds of Crime Act 2002 (POCA) and/or Part 3 of the Terrorism Act 2000 (the Terrorism Act), or (ii) for reasons outside the PSP’s control, it is impossible for their nominated officer to determine if making the funds available would contravene Part 7 of the POCA and/or Part 3 of the Terrorism Act (e.g., if they require more time to get information to determine if there are suspicions of a breach). However, the FCA notes that triggering the force majeure provisions has a high threshold, and PSPs should take a “rigorous case-specific approach” to assess if the threshold is reached. Similar to outbound payments, the FCA expects the PSPs to consider their obligations under the Consumer Duty when delaying inbound payments.

In addition to the ongoing uncertainty as to how PSPs should balance their competing obligations, the courts have left open the possibility that banks have a “retrieval duty” to take reasonable steps to retrieve or recover sums paid out as a result of fraud, once that fraud comes to light (see our blog on the CPP decision referred to above), but rejected the suggestion that a PSP owes a duty of care (generally) to a third-party payer/victim when processing payments which transpire to be APP fraud (Larsson v Revolut Ltd [2024] EWHC 1287 (Ch)).

Next steps

The Consultation closes on 4 October 2024, and the FCA intends to publish revised guidance by the end of 2024. The Treasury is expected to lay the draft statutory instrument before Parliament in due course; however, there is no clear timeline in this regard. As a result, the Payment Systems Regulator’s reimbursement requirement may come into force before the proposed extension of time for PSPs to conduct investigations into suspicious payments.

Tags

fca, financial institutions, regulatory, uk, financial services, regulatory framework, the financial conduct authority