In its June 2023 Policy Statement on authorised push payment (APP) fraud (PS23/3), the Payment Systems Regulator (PSR) said that payment service providers (PSPs) would not be required to reimburse customers who had failed to exercise the ‘customer standard of caution’ (on which guidance is awaited) for APP fraud claims.  This makes sense and is consistent with the regulatory principle that ‘consumers should take responsibility for their decisions[1].

In principle, this exception to reimbursement would not apply in respect of vulnerable customers i.e. a vulnerable customer would not be expected to exercise the customer standard of caution – an exception to the exception.  However, the PSR seemed to be clear in PS23/3 that ‘This is not a blanket exception for all customers who exhibit any characteristics of vulnerability‘ and that a firm should determine whether the customer’s characteristics of vulnerability ‘led them to be defrauded[2].  In other words, vulnerability would not, of itself, require a PSP to default to making reimbursement.

This (important) nuance however seems to have got lost in implementation.  In Consultation Paper 23/4 on the new reimbursement requirement (CP23/4) issued in July 2023,  the PSR has published drafts of the legal documents required to implement the APP fraud reimbursement requirement.  Contrary to the indication in PS23/3, the relevant provision does appear to introduce a blanket approach:

‘PSPs will not be required to reimburse any APP scam payments where the consumer standard of care exception applies, unless the victim was a vulnerable consumer at the time the reimbursable APP scam payments were made.’

(In this case, ‘vulnerable consumer’ has the meaning used by the FCA in its Guidance for firms on the fair treatment of vulnerable customers, namely that a vulnerable consumer is someone who, due to their personal circumstances, is especially susceptible to harm – particularly when a firm is not acting with appropriate levels of care.)

So, as it stands, the PSR’s approach in CP23/4 does not appear to be consistent with PS23/3 or indeed with the current Contingent Reimbursement Model (CRM) Code for APP Scams which says: ‘A Customer is vulnerable to APP scams if it would not be reasonable to expect that Customer to have protected themselves, at the time of becoming victim of an APP scam, against that particular APP scam, to the extent of the impact they suffered.’

It may be that this apparent discrepancy is not intentional and/or that the discretion offered in PS23/3 is intended to be implicit in the drafting in CP23/4, but clarification on this point may help avoid costly disputes down the line.

The deadline for responses to CP23/4 is 25 August 2023.

[1] FSMA 2000, section 3B(d)

[2] PS23/3 at 2.13


Jenny Stainsby
Jenny Stainsby
Partner and Global Head of Financial Services Regulatory
+44 20 7466 2995