Among the UK regulators’ recent output relevant to Authorised Push Payment (APP) fraud, two items warrant particular consideration:

  • The Payment Systems Regulator’s (PSR’s) publication of the first set of APP fraud performance data.   This data includes percentages of reported APP fraud losses refunded by value and by volume, broken down by Payment Services Provider (PSP), as well as value and volume of APP fraud sent per £ million of transactions.
  • The FCA’s review of firms’ fraud controls and complaints handling with a particular focus on APP fraud.

The PSR’s APP fraud performance data

The PSR’s stated objectives in gathering and publishing this data is to achieve a reduction in APP fraud losses incurred by consumers by:

  • giving consumers and stakeholders information to help them choose or switch between PSPs; and
  • giving PSPs reputational incentives to improve their performance, through the interest taken by key stakeholders including journalists, consumer groups, government, and investors.

Surely however there is a real risk that consumers, if interested at all in this data, will use it as a way of identifying which PSP is more likely to pay out if they are a victim of fraud thereby increasing moral hazard, not reducing fraud.

It is unclear that the publication of this data will do anything to reduce APP fraud losses at all.  This ‘naming and shaming’ exercise is, like the PSR’s forthcoming reimbursement requirement, too focused on closing the barn door after the horse has bolted.

The FCA’s Review

The FCA’s publication this week, on the other hand, is largely about prevention.  In its review of firms’ fraud controls and complaints handling, the FCA notes good practice but also calls out areas in which firms could do more to strengthen their systems designed to detect and prevent fraud, including APP fraud.  For firms and their senior managers, it is worth noting that the FCA looked at governance and risk management, including how management information (MI) is reported and acted on.  Additionally, for those with an eye on how the Consumer Duty is being embedded in the regulator’s work, it is notable that the regulator looked at complaints handling as a way of assessing consumer experience and fairness of outcomes.

In line with the Financial Ombudsman flagging an increase in ‘hybrid’ scams and the need for firms’ fraud prevention measures to keep pace, the FCA also looked at systems and controls in the context of ‘evolving fraud attacks’.  The message is that firms’ approaches need to have a dynamic quality.

The pro-active steps the FCA recommends include:

  • helping customers understand what fraud is and how to identify it;
  • making it easy for customers to report fraud;
  • identifying and acting on information identified through customer onboarding, transaction monitoring, ongoing customer and account-level monitoring, device monitoring, and use of intelligence generally;
  • using behavioural biometrics to try to identify whether a customer is being socially engineered; and
  • introducing positive friction.

This review follows on from, and cross-refers to, the FCA’s review published last month on detecting and preventing money mules.

In conclusion

To be fair to the PSR, it is not wholly focused on reimbursement, and is also taking action on the prevention front – 31 October 2023 marked the deadline for the first group, beyond the largest banking groups, of (32) PSPs to have and use the name-checking service, Confirmation of Payee (CoP) (with the remainder to have followed in 12 months’ time). CoP is one of the measures credited for the reduction in APP fraud losses between 2021 and 2023.

The sad fact remains however that, even with the best will (and fraud prevention and detection systems) in the world, PSPs alone cannot solve the APP problem.  For so long as the FCA and industry’s call for a more balanced distribution of costs associated with compensation of fraud to customers, including an appropriate contribution from technology and social media platforms‘ goes unheard, the prospects of winning the fight against APP fraud remain low.

While not a panacea, the Monetary Authority of Singapore’s current consultation on a Shared Responsibility Framework for Phishing Scams, at least recognises the concept that others should share responsibility, including the consumer; and seeks to achieve clarity on respective duties.

 

Jenny Stainsby
Jenny Stainsby
Partner and Global Head of Financial Services Regulatory, London
+44 20 7466 2995

Disclaimer

Herbert Smith Freehills LLP has a Formal Law Alliance (FLA) with Singapore law firm Prolegis LLC, which provides clients with access to Singapore law advice from Prolegis. The FLA in the name of Herbert Smith Freehills Prolegis allows the two firms to deliver a complementary and seamless legal service.