The Payment Systems Regulator (the PSR) has published its policy statement: ‘Fighting authorised push payment fraud: a new reimbursement requirement’ (the Policy Statement). We have set out below a summary of the key points in the Policy Statement.

Background

On 29 September 2022, the PSR published its consultation (CP22/4: Authorised push payment (APP) scams: Requiring reimbursement) containing its proposals to give greater protection to consumers against Authorised Push Payment (APP) scams. In summary, it proposed that payment service providers (PSPs) will be required to reimburse all victims of APP fraud where payment is made over Faster Payments, subject to limited exceptions. The consultation was open until 25 November 2022 and the PSR received 71 responses.

Fighting authorised push payment fraud

The reimbursement requirement: The Policy Statement sets out the new reimbursement requirement that will “introduce consistent minimum standards to reimburse victims of APP fraud” within the Faster Payments system (as directed by the Financial Services and Markets Bill). The reimbursement requirement will apply to all Payment Service Providers (PSPs) within scope of the Policy Statement, including banks, building societies and smaller payment firms. The reimbursement requirement applies to consumers, microenterprises, and charities.

In summary the reimbursement requirement will:

1. Require PSPs to reimburse all in-scope customers who fall victim to APP fraud in most cases other than where there is first party fraud or gross negligence.

2. Share the cost of reimbursing victims 50:50 between sending and receiving payment firms.

3. Provide additional protections for vulnerable customers.

Key policies: The new reimbursement requirement is underpinned by ten key policies:

1. Reimbursement requirement for APP fraud within Faster Payments

2. The cost of reimbursing victims of APP fraud should be shared 50:50 between the sending and receiving PSPs (the sending PSP will be expected to notify the receiving PSP as soon as possible)

3. Exceptions to the reimbursement requirement for APP fraud claims include (a) where the customer has acted fraudulently or (b) where the customer has acted with gross negligence

4. Sending PSPs must reimburse customers within five business days

5. Sending PSPs have the option to apply a claim excess (there will be further consultation on this at a later date)

6. There is no minimum value threshold for APP fraud claims

7. There will be a maximum level of reimbursement for APP fraud claims (there will be further consultation on this)

8. Sending PSPs have the option to reject APP fraud claims submitted more than 13 months after the final payment to the fraudster

9. The customer standard of caution and claim excess must not be applied to vulnerable customers

10. The new reimbursement requirement applies to a Faster Payment made to an account controlled by a person other than the customer, where the customer has been deceived into authorising the payment as part of an APP fraud


Timing: The new reimbursement requirement will apply to Faster Payments authorised after the regulatory requirement comes into force in 2024, although the PSR says it expects the industry to start work now to implement the new reimbursement requirement. The PSR says it expects the new reimbursement requirement to lead firms "to innovate and develop effective, data-driven interventions to change customer behaviour".

Application: The reimbursement requirement will not apply to

(a) civil disputes

(b) payments which take place across other payment systems (e.g., if a customer sends funds to their account at a crypto exchange and then pays a fraudster via a cryptocurrency)

(c) international payments and

(d) payments made for unlawful purposes where the customer isn’t deceived.

It will therefore be important to work through each payment journey when considering a complaint to ensure the reimbursement requirement is being applied correctly (particularly if a complaint is referred to the FOS). Open banking payments and some multi-step fraud cases (the Policy Statement provides examples of what may and may not be covered) are in scope of the new reimbursement requirements. However, payments made by CHAPS and ‘on us’ payments are not covered under the Policy Statement. The PSR says the Bank of England, as the operator of the CHAPS system, is committed to achieving comparable outcomes of consumer protection for CHAPS transactions.

Legislation: The PSR wants Pay.UK, as the independent payment system operator, to run Faster Payments in a way that ensures customers are protected. The PSR’s five-year strategy explained that it wants Pay.UK to take “a stronger role to lead the development of protections for payment system users”. The PSR will direct Pay.UK to put the new reimbursement requirement into Faster Payments rules using its powers under Section 55 of the Financial Services (Banking Reform) Act 2013.

Wider aims: The PSR says reimbursement “will create a clear financial incentive for payment firms to do everything they can to limit a fraudster’s ability to access the UK banking system, and their ability to move money into their control”. The Policy Statement also says the new reimbursement requirement will deliver the PSR’s wider measures and it expects to see (1) less APP fraud (although it recognises reported claims may increase in the short to medium term as victims become aware of this new requirement), (2) improved protection for victims, (3) effective incentives for payment firms and (4) increased confidence in Faster Payments.

Other action: As part of its action against APP fraud, the Policy Statement sets out that the PSR is also

1. publishing a balanced scorecard of APP fraud data,

2. increasing intelligence sharing, and

3. expanding the rollout of Confirmation of Payee.


Vulnerable customers: PSPs will be expected to

1. assess a customer’s situation and any potential vulnerability in line with the FCA’s guidance for PSPs on the fair treatment of vulnerable customers and

2. be mindful of their obligations under the Consumer Duty.

If a customer is deemed to be vulnerable the sending PSP must not apply the customer standard of caution (i.e., gross negligence) or claim excess. The Policy Statement says all firms should consistently apply the FCA’s definition of vulnerability to identify customers vulnerable to APP fraud – “[A] vulnerable customer is someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care”. This will mean all firms are working to a single definition of vulnerability.


Gross negligence guidance: The industry generally argued that gross negligence was too high a bar for the customer standard of caution and in the Policy Statement the PSR says it sees “no credible alternative to gross negligence that would likely meet” its objectives. However, the PSR says it will develop and publish additional guidance on the customer standard of caution in Q4 2023.

Next steps: The PSR says it will engage in a series of workshops with interested parties in June and July 2023 to gather preliminary views and aid understanding. It will then consult on:

  • the allowable claim excess that Payment Service Providers can charge (August 2023)
  • the maximum cap on reimbursement (August 2023)
  • the production of guidance on how to interpret the customer standard of caution of ‘gross negligence’ (August 2023)
  • a timeline for the reimbursement requirement to come fully into effect
  • draft directions for Pay.UK (July 2023)
  • draft directions for Payment Service Providers (October 2023).

Comment

  • As set out in the Policy Statement, in 2022 there were around 207,000 reported APP fraud cases on personal accounts and losses totalled £485.2 million, although the real figures are likely to be higher. In 2022, 66% of APP fraud losses within scope of the CRM Code were reimbursed, which the PSR says forms part of a “positive cultural shift”, but more is needed.
  • The reimbursement requirement will be a world first and so the PSR acknowledges it will “evolve and be refined over time”. The ongoing consultations will form an important part of this work and additional guidance on factors including gross negligence will be key.
  • Alongside the measures, the PSR expects the industry to continue initiatives and adopt new, innovative approaches to prevent APP fraud. Key to this will be the use of AI to improve detection alongside ongoing customer education. Further, the FCA specifically highlights scams as an example of foreseeable harm and the Consumer Duty requires firms to act to deliver good outcomes for retail customers and increase consumer understanding (e.g., “account safety information and warnings that can be easily actioned”). Firms will already be considering how to incorporate the Consumer Duty as part of their fraud prevention and detection measures.
  • Whilst the Policy Statement highlights the PSR is engaging extensively with the FCA, the Treasury, the Home Office, Ofcom, the Department for Digital, Culture, Media and Sport, police forces and other public bodies to stop fraudsters operating in the UK, it is understood further lobbying for more change and involvement will be ongoing to ensure the burden of losses to consumers is more evenly spread across the industry.

If you would like to discuss the above in any further detail, please let us know.

Authors: Kaileigh Hunter, Alanna Tregear, Clare Stothard, Richard Hayllar

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2023. Specific advice should be sought for specific cases. For more information see our terms & conditions.


Date published

12 June 2023
