At the end of 2023, the UK Payment Systems Regulator (PSR) published its final position on the authorised push payment (APP) fraud reimbursement requirement in Policy Statement 23/4 Fighting APP scams: Final decision (PS23/4).

Although other jurisdictions have started to look at less potentially morally hazardous approaches to the scourge that is APP fraud, it was inevitable, given how far down this path the PSR had come (and with the statutory underpinning in place), that there wasn’t going to be a last-minute radical change in the UK. PS23/4 holds no surprises. (Our summary of the requirement is set out below.)

The new requirement will require significant work to implement, in particular, but not only, for those firms who aren’t signatories to the existing voluntary code. Meeting the (revised) start date of 7 October 2024 will be tight. But critically, alongside that implementation work, much more is needed to stem the flow of APP fraud.

Where have we landed?

The basic principle of the reimbursement requirement remains that APP fraud victims will be reimbursed by the sending payment service provider (PSP) in most cases, with the cost of reimbursement split 50/50 between the sending and receiving PSP.

The PSR has confirmed that there will be a maximum mandatory reimbursement level of £415,000 per claim; this level will not automatically be indexed to inflation. The level aligns with the Financial Ombudsman Service’s (FOS) award limit, reflecting the PSR’s hope that this parity will avoid victims referring cases to FOS for resolution. PSPs can choose to reimburse above that level. Recognising the difficult trade-offs involved in setting a maximum, the PSR has said that it will monitor the incidence and impact of high value APP scams in the coming months and may consult on revising the level if there is ‘convincing evidence’ to do so before the October start date.

The sending PSP must reimburse the consumer within five business days of the consumer making their claim. The ‘clock may be stopped’ to gather information, but the PSP must reach an outcome by the end of the 35th business day following the claim being made.

PSPs may apply an excess of up to £100 to claims. Recent data suggests that this would impact up to 32% of cases (representing 1% of the total value of APP fraud cases).

This excess doesn’t apply to vulnerable consumers. Having failed to do so in its earlier drafts, the PSR at least now acknowledges that there should be a connection between a consumer’s vulnerability and the fraud. Describing vulnerable customers, the PSR states:

PSPs should evaluate each customer’s circumstances on a case-by-case basis to help determine the extent to which their characteristics of vulnerability, whether temporary or enduring, led them to be defrauded, and therefore whether they meet the definition of vulnerability.

The consumer standard of caution

To be reimbursed, consumers must exercise a standard of caution. If they do not, under an exception, the PSP may not have to reimburse them. In theory, this could have introduced sensible precautions for consumers to take to avoid being scammed – but sadly it does not. There are four specific elements to the consumer standard of caution:

  • The requirement to have regard to ‘interventions’. Here, there is a bit of a change from the August draft which talked about ‘warnings’. Nonetheless, the ‘intervention’ must offer: a clear assessment of the probability that an intended payment is an APP scam payment. In other words, generic warnings will not suffice. The ‘intervention’ may come from the consumer’s PSP or from a competent national authority, such as the police.
  • The prompt reporting requirement. ‘Prompt’ remains a somewhat controversial term in this regard as the long stop date for reporting the matter to the PSP remains at 13 months after the last relevant payment was authorised.
  • The information sharing requirement. The consumer should respond to reasonable and proportionate requests for information made by the PSP to help with assessment of their claim.
  • The police reporting requirement. In a change to the draft guidance, consumers may consent to the PSP reporting to the police on their behalf, rather than doing so themselves.

While there are some tweaks to these four elements since the PSR’s earlier draft, the bar remains very low for consumers – only the first of these is something they need to do pre-payment instruction – and very high for PSPs. The burden of proof is on the PSP to show not only that the consumer failed to meet one or more of the elements of the standard of caution, but also that they have done so with ‘gross negligence’.

The consumer standard of caution does not apply to vulnerable customers. Logically, this means that PSPs’ initial action on receiving a claim should be to assess vulnerability.

Where do we go from here?

A key criticism of the reimbursement requirement is that it is effectively just a compensation scheme – closing the door after the horse has bolted. It would have been possible to have placed more onus on consumers by clearly setting out some reasonable expectations – a ‘Green Cross Code’ for making payments. Or more could have been done to share responsibility for fraud across the ecosystem; this approach is currently under discussion in the EU. Both options place a greater emphasis on prevention.

In PS23/4, the PSR makes clear that the APP fraud fight is not one it is tackling alone and specifically notes Treasury’s commitment to legislate to provide clarity on the ability to make risk-based delays to payments to support PSPs’ fraud prevention efforts. In its review of firms’ fraud controls and complaints handling, the FCA has provided guidance on good practice and called out areas in which firms could do more to strengthen their systems designed to detect and prevent fraud, including APP fraud. And, of course, the Government’s Online Fraud Charter, published at the end of November, contains a number of commitments from the BigTech signatories including in relation to blocking and reporting fraudulent material. The Charter is a voluntary agreement between the Government and the technology sector to reduce fraud on their platforms and services, and forms part of the Government’s wider Fraud Strategy.

However, there is still more which could – and should – be done. For instance:

  • greater regulatory scrutiny on those PSPs known to have poor onboarding systems and controls;
  • regulators and authorities should collaborate on both policy and supervisory efforts to effectively hold the wider ecosystem to account; and
  • much more effort is needed to raise consumer awareness of the risk of fraud.

Such broader considerations are essential to achieving success in the fight against APP fraud.

With the PSR estimating incremental annual administrative costs of the reimbursement requirement for PSPs of between £17m and £38m (in addition to the amounts reimbursed to consumers), the need for careful monitoring and evaluation of the success of this scheme in terms of reducing APP fraud could not be clearer.

 

Jenny Stainsby
Partner and Global Head of Financial Services Regulatory, London
+44 20 7466 2995