Tackling APP fraud: A guide to the UK’s mandatory reimbursement regulations

As of October 7, 2024, new UK government regulations mandate that payment service providers reimburse victims of Authorized Push Payment (APP) fraud. This development follows an announcement made by the Payment Systems Regulator (PSR) on June 7, 2023. The new rules stipulate that all in-scope customers who fall victim to APP fraud must be reimbursed by their payment service providers, with only a few exceptions.

These regulations, implemented through directions by the PSR and modifications to the Faster Payments rules under Sections 54 and 55 of the Financial Services (Banking Reform) Act of 2013, superseded a voluntary code which was introduced in May 2019. The voluntary code - called the Contingent Repayment Model - had been adopted by 10 payment service providers but the shift to new mandatory requirements aims to provide broader and more consistent protection for consumers.

What is APP fraud?

APP fraud occurs when victims are tricked into sending money to fraudsters from their own bank accounts. It has been a growing problem in the payment services industry for years, and according to trade body UK Finance’s 2023 fraud report, APP fraud losses surpassed card fraud losses in 2021.

In 2022, there were 207,372 reported incidents of APP fraud in the UK. Most cases involved online fraud (78%), yet these accounted for only 36% of reported losses, while telecommunications fraud, which accounted for 18% of cases, was responsible for 44% of losses.

In fact, again as reported by UK Finance, Britons lost £460M to APP fraud last year, 70% of which involved ordered goods that never materialised.

The Contingent Repayment Model explained

In 2019, seven payment service providers in the UK established a voluntary code to reimburse customers for losses caused by APP fraud. This membership has since grown to 10 providers, representing 19 consumer brands and covering over 90% of APP transactions in the UK. Proposed by the PSR, the code applies to personal customers, charities with annual incomes under £1 million ($1.2 million) and micro-enterprises.

Key elements of the Voluntary Code include:

Standards of conduct:

  • Payment service providers are required to take reasonable steps to detect APP scams.

  • Providers must issue warnings to potential victims and offer advice on how to protect themselves.

Reimbursement obligations:

  • The code applies only to payments within the UK jurisdiction.

  • International payments are excluded.

Conditions for refusal of reimbursement:

  • The victim ignored a warning given under the code.

  • The victim ignored a clear negative confirmation of the payee result.

  • The victim made the payment without a reasonable basis to believe it was genuine.

  • The victim did not follow the provider's procedures.

  • The victim was guilty of gross negligence in connection with the payment.

Liability, reimbursement and fault distribution:

  • If only one provider is at fault, that provider covers the entire reimbursement.

  • If both providers and the customer are at fault, each party bears 33% responsibility, resulting in the customer receiving 66% of the loss.

  • If neither provider is at fault, reimbursement is paid from a pooling fund contributed by all code members.

  • If both the paying and recipient payment service providers are at fault, they each cover 50% of the reimbursement.

The key changes which will fall under the new mandatory regulations

The requirements under the new rules apply to the same types of customers as those falling within the scope of the voluntary code and, like that code, apply only to payments made within the jurisdiction. However, the new requirements differ from the voluntary code. Here's a detailed breakdown of these changes:

Mandatory compliance:

Previous code: Voluntary, opt-in for providers.

New rules: Mandatory for all payment service providers using the Faster Payments system.

Scope of application:

Previous code: Applied to multiple payment systems.

New rules: Exclusively applies to the Faster Payments system, which accounts for 97% of APP frauds as of 2021.

Reimbursement decisions:

Previous code: Decisions could involve both sending and recipient providers.

New rules: Reimbursement decisions are made solely by the sending payment service provider. The sending provider can claim back 50% of any reimbursement from the recipient provider.

Claim deadline:

Previous code: Not explicitly defined.

New rules: Claims must be made within 13 months, though providers can choose to reimburse claims made after this period voluntarily.

Reimbursement timing:

Previous code: Timelines varied.

New rules: Reimbursements must be given within five business days. However, providers can pause this process for investigations, up to a maximum of 35 days.

Claims excess and reimbursement cap:

Previous code: Not specified.

New rules: Providers can impose a claims excess of up to £100, with a maximum reimbursement limit of £415,000 ($525,028) per APP fraud case.

Consumer standard of caution:

New rules: Introduce a "consumer standard of caution," as outlined in the December 2023 policy statement by the Payment Systems Regulator (PSR).

Reimbursement refusal conditions:

Previous code: Conditions for refusal were less defined.

New rules: Reimbursement can only be refused if the customer fails to meet the consumer standard of caution through gross negligence, and only if the customer is not deemed vulnerable (with vulnerability having a material impact on the customer's ability to protect themselves from the scam).

These new requirements are designed to standardise and enforce more rigorous protection for customers against APP fraud, providing clear guidelines and timelines for reimbursement, while also introducing measures to ensure that customers are held accountable under the consumer standard of caution.

What payment providers should do now

It has been observed that this ruling could place an unfair and unsustainable burden on banks and payment providers as the new regulations become absorbed as part of everyday operations. Specifically, they will be required to seek out the right professionals to navigate the host of uncharted responsibilities around tackling APP fraud and reimbursing victims, which will inevitably abound when the new regulation comes into play.

Speaking about the situation, Andy Hodson, MERJE’s Principal Consultant in Financial Crime and Fraud, said:

“The onus is now very much on banks to ensure they have the right levels of staffing within fraud prevention - such as MRLOs - and also that they have APP expertise within their function. This is all with a view to keep up with the demands, rigours and challenges that this new legislation poses while mitigating passing on any financial risk or detriment to the wider business and their customers.”

However, the precise wording of the new Faster Payments rules is yet to be published by Pay.UK, although a provisional deadline was set for June 7 of this year. Payment service providers will need to review the details of their obligations once the new rules are finally published on October 7. This should have the benefit of offering providers some time to prepare for the full force of the regulations later this year, by sourcing the right talent. In short, firms need people who are primed and ready to operate any associated new systems, frameworks and processes.

Professionals in this arena also need to be aware that the new requirements create further incentives for payment service providers to strengthen their APP fraud detection systems, both at the know-your-client stage and in the processing of payment instructions.

Payment service providers then need to design appropriate systems to provide warnings to customers and to set interventions by which a customer’s compliance with the consumer standard of caution can be assessed. To comply with the requirements, these warnings and interventions will need to be developed flexibly, especially in the context of vulnerable customers.

Providers will also need to develop systems to deal with reimbursement claims under the requirements. This will require clear policies and procedures for assessing a claiming customer’s compliance with the consumer standard of caution, identifying vulnerable customers and analysing whether any vulnerabilities were the cause of a failure to comply with the standard.

While payment service providers will be able to create intuitive digital systems to assist in this process, appropriate hiring and training programs will need to be implemented for employees to successfully deal with a multitude of claims simultaneously.

Looking for additional skills in your team in response to the new regulations? Contact us today to discuss your recruitment options.
