What are you doing to protect your customers from authorised push payment (APP) scams? That is a question payment service providers (PSPs), including payment and e-money institutions, will have to answer following regulatory intervention in the UK to force the industry to tackle the problem following Which?’s supercomplaint in 2017.
So what is APP fraud? Well as the name suggests, APP fraud involves the customer being deceived into authorising a payment. This type of fraud can take two forms, either:
- the customer intends to transfer funds to person A, but is instead deceived into transferring them to person B; or
- the customer transfers funds to person A for what they believe are legitimate purposes, but which are in fact fraudulent.
While the Payment Services Regulations 2017 (PSRs 2017) make PSPs refund customers if an unauthorised payment is made from their account, no equivalent protection is in place for customers who have been deceived into authorising a payment.
To fill the gap, the industry itself, the Payment Systems Regulator (PSR) and the FCA have taken a series of coordinated actions aiming to force PSPs to protect customers from APP fraud.
We will look now at the industry voluntary code and further blog posts will follow on the PSR’s direction on confirmation of the payee and the FCA’s new rules on APP related complaints.
Voluntary Code
In May, the APP Scams Steering Group[1] published a voluntary code for PSPs. The code sets out standards for PSPs in preventing APP fraud.
Crucially, it also requires PSPs to reimburse customers who have fallen victim to APP fraud. A mechanism is set out to enable PSPs to allocate responsibility for the reimbursement.
Given that it is a voluntary code, you may have read the preceding paragraphs thinking that this is of no concern. However, so far, Barclays, HSBC, Lloyds, Metro Bank, Nationwide, RBS, Santander and Starling Bank have signed up to the code. This creates moral pressure for smaller PSPs, including payment and e-money institutions, to sign up to the code, particularly those banking with signed-up banks.
So what does the code entail? Let’s firstly look at the standards PSPs are required to adopt.
Standards
The code lays down various standards that PSPs must adopt in tackling APP fraud. A PSP’s compliance or non-compliance with the standards then impacts the proportion of liability they are allocated in reimbursing the customer.
Key standards include the following.
- Vulnerable Customers- PSPs must identify customers more vulnerable to APP fraud. For example, the elderly or those with a form of mental incapacity. PSPs must reduce the likelihood that vulnerable customers become victims of APP fraud.
- Transactional Data – PSPs should analyse transactional data and customer data, using fraud data and typologies to identify payments that are more likely associated with APP fraud. PSPs will have to ensure that their transaction monitoring software is tailored to detect APP fraud.
- Customer Awareness – Effective warnings should be provided to customers at various stages in the payment journey telling the customer of the risk of APP scams. The warnings should be clear, impactful (influencing the customer’s decision making), timely and specific (tailored to the type of customer and particular APP scam risk).
- Delay and Investigate – Where the PSP is concerned a payment relates to APP fraud, it should take all possible measures to delay payment while it investigates.
Reimbursement
The overarching principle of the code is that subject to certain exceptions, customers should be reimbursed for losses incurred by APP fraud.
There are just a few exceptions. For example, where the customer has ignored warnings provided by the firm. Or where the customer has no reasonable basis for believing either that the payee is the person they are intending to pay, or that the payment is for genuine goods or services.
However, even with these exceptions, the rules make clear that customers vulnerable to APP scams, to the extent that they cannot be expected to have protected themselves, should be reimbursed regardless of whether the exceptions would have applied.
The voluntary code opens up PSPs to potentially huge financial liabilities relating to APP fraud.[2] This is even more clear from the mechanism to allocate responsibility for reimbursement. Even where the customer has been grossly negligent, if one of the PSPs has breached the standards, they will still be responsible for partial reimbursement. Broadly speaking, the allocation mechanism leads to the following outcomes.
- Where both the sending and receiving PSP has breached the standards, but the customer has met their requisite level of care, each PSP is responsible for 50% of the reimbursement.
- Where one PSP has breached the standards, but the customer has met their requisite level of care, the PSP in breach is responsible for 100% of the reimbursement.
- Where both PSPs have breached the standards and the customer has also not met their requisite level of care, the customer will receive a 66% reimbursement, with each PSP contributing 33%.
- Where one PSP has breached the standards and the customer has not met their requisite level of care, the PSP in breach is responsible for reimbursing the customer 50% of his or her losses.
There is even coverage where no one is to blame apart from the fraudster. All but two of the eight banks signed up to the code[3] have established a “no blame fund” for this purpose. The funding for this is guaranteed until 31 December 2019, after which a longer-term funding mechanism has to be reached.
Impact
Those banks signed up to the code could create a competitive advantage by attracting customers away from PSPs with lesser protection, though it’s arguable as to how alert consumers are to these issues when choosing their PSP.
More likely, given the standards applied by the code, combined with the PSR direction to the main UK banks on confirmation of the payee, it will become harder for fraudsters to perpetrate APP fraud against customers of those banks, which will attract focus on PSPs not covered by the code.
Regardless of whether they sign up to the voluntary code now or be required to sign up to the code later, the trajectory is clearly in the direction of greater protection for all customers and particularly those who are vulnerable.
In my next blog on APP fraud, we will look at the PSR’s new direction on confirmation of the payee, and the impact it is likely to have on payment and e-money institutions.
[1] Established by the PSR and composed of industry representatives.
[2] The liability will not extend to corporate clients, as the code only applies to consumers, micro-enterprises and charities.
[3] The two non-contributing banks are Starling and Metro.
