How will the incoming PSR APP fraud reimbursement requirement affect Payment Service Providers?

The new requirement is underpinned by 10 key policies, the key of which:

• Require payment firms, in most cases, to reimburse all in-scope customers who fall victim to APP fraud;
• Require sharing of the cost of reimbursing victims 50:50 between sending and receiving payment firms; and
• Provide additional protections for vulnerable customers.

The PSR will continue to consult throughout July and August 2023, and final guidance can be expected by the end of 2023 ahead of the requirement coming into force in 2024. The focus of the new measures will centre solely on Faster Payments method of payment, at least for the first iteration, given that it is Faster Payments that accounted for total losses of just under £500 million which was 97% of all APP fraud payments, as reported by the PSR,^[1] in 2022.^[2]

The prospect of reimbursing victims of fraud for their losses is, of course, not new. The Contingent Reimbursement Model (CRM) Code was introduced in 2019; however, that is a voluntary scheme and despite notable programs from Nationwide and TSB: Scam Checker Service^[3] and Fraud Refund Guarantee,^[4] respectively, a relatively small subset of banks are signatories This low participation and slow uptake across the banking industry has caused concern that the acceptance across the broader payments sphere would be low and slow which is arguably why we are now seeing this stricter measure put in place.

So how does the PSR classify fraud that is in or out of scope? The new requirement will apply to all payments where the PSP has received authorisation to transfer funds from its customer to an account controlled by an individual who is not the customer, through deceptive practices such as masking the identity of the recipient or masking the purpose of the transfer. APP fraud types can include impersonation, investment, romance, purchase, invoice and mandate, CEO fraud and advance fee according to UK Finance.^[5].Out of scope activity will include civil disputes, unlawful purposes, international payments and payments which take place across other payment systems.

Who will the requirement apply to?

All PSPs that operate the sending or receiving payment account will fall within scope. This will also include Open Baking payments or Payment Initiation Services (PIS) transactions, which includes high-street banks, building societies and smaller payments firms. For the purposes of the policy statement, the PSR use the collective term ‘Customers’ to refer to consumers, microenterprises and charities.

How will the requirement take in to account vulnerable customers?

All in scope firms should consistently apply the FCA’s definition of a vulnerable customer^[6] and Consumer Duty obligations when considering exceptions and not applying the customer standard of caution or claim excess. In perhaps an attempt to quell consumer fear around rising fraudulent activity, the PSR has released this policy yet remains open for consultation through Q3 2023. It is clear from the policy statement that the treatment and interaction with vulnerable customers will be pivotal to assessing how the requirement is adhered to by PSPs and an element that will certainly be scrutinised in future compliance monitoring programs.

What are some of the industry’s concerns?

Whilst it is clear from the publication of the consultation and associated Q&A from participating firms that more should be done to tackle fraud and protect customers, there are also several concerns that are shared across PSPs that will no doubt lead to some pushback from industry stakeholders. The £500m of losses due to APP fraud in 2022 are expected to increase once customers are aware of the reimbursement requirement simply through a rise in the number of cases reported. Initial concerns also include the likelihood of increased operating costs not only due to the reimbursement itself but through increased need for staff and management time as well as legal time to agree bilaterally how this is costs are allocated between the payment providers, potential market exits by smaller firms and reduced ability for innovation due to impact on discretionary spend.

Since the announcement of the policy statement, there has also been notable lobbying of the government by the banks to ensure that the technology companies that do not act when scams occur on their platforms will also be allocated some of the costs to pay the victims of APP fraud. However, as of the current consultation and statement there is no authority for Pay.UK to bring the tech companies into scope for repayment costs. This line of questioning has been apparent through the consultation period with questions being asked about how this new requirement addresses tackling fraud upstream and avoiding the potential of increased risk of moral hazard, whereby the customer takes less care in ensuring the payee is not fraudulent. Whilst this is a concern noted by many PSPs, there is currently no quantitative data to support this.

Lastly, there were questions raised around the possibility of reduction in services (or de-banking) for those customers deemed ‘higher risk’. This is something that will be closely watched in forthcoming compliance monitoring programs post implementation.

Who will be responsible for upholding the requirements?

Whilst the PSR expects that Pay.UK will ultimately become responsible for the total enforcement and evolvement of the reimbursement requirement as part of its operation of Faster Payments, it recognises that it is not currently in a position to do so fully at this point particularly as it progresses the delivery of the New Payments Architecture (NPA) and further evolution of other key innovations such as Confirmation of Payee. As such, the monitoring of requirements will be split across the PSR and Pay.UK for the foreseeable future.

However, as part of Pay.UK’s role, they will create and implement a compliance monitoring regime for all requirements for in-scope PSPs and provide a comprehensive summary of PSP performance against the reimbursement requirement to the PSR, highlighting specific PSPs that are performing poorly.

What is the takeaway?

Act now! Whilst there are still a number of areas that remain undefined throughout the policy statement, the PSR reiterates that they are encouraging all PSPs to adopt these changes early and not wait for ‘day 1’ in 2024. In fact, the expectation is that PSPs will understand the new reimbursement requirement by ‘day 1’ and meet several minimum conditions. It is strongly encouraged that firms begin allocating appropriate resources and mobilising a plan now to meet those conditions.

Each institution’s implementation plan is likely to look very different dependent on how closely firms are already aligned to the CRM Code; however, initiatives could include review of control frameworks to ensure high risk APP fraud scenarios and events are detected, rigorous governance and controls are in place, and modelling of potential costs. The financial services industry has experienced an uptick in the use of analytics around suspicious fraudulent behaviour, and using analytical tools and technology both to detect and predict fraudulent behaviour will likely be a common theme in implementation planning processes.

How can Protiviti help?

Please reach out to our Payments specialists: Christine Reisman, Bernadine Reese, Martin Douglas or Kristi Ausmees if you would like to discuss your approach to the new reimbursement requirement and how we can help tailor your response to your business.

 

[1] PSR, Fighting authorised push payment fraud: a new reimbursement requirement, June 2023

[2] UK Finance, Annual fraud report – The definitive overview of payment industry fraud in 2023 (May 2023)

[3] Nationwide, Scam Checker Service | Nationwide

[4] TSB, Fraud Refund Guarantee | TSB Bank

[5] UK Finance, Fraud The Facts 2021- FINAL.pdf (ukfinance.org.uk), March 2021

[6] FCA, FG21/1 Guidance for firms on the fair treatment of vulnerable customers (February 2021)