The introduction of changes to the fraud landscape in Autumn 2024.
UK Finance's Annual Fraud Report 2024 , released earlier in this year, showed that in 2023, cases of Authorised Push Payment ("APP") fraud were up 12%, although losses totalling £459.7 million were down by 5%. Additionally, the voluntary reimbursement of losses had increased, with a total of 62% of all APP losses being returned to victims, compared to 45% in 2020, when APP fraud cases were at a record high.
So, is enough being done to help safeguard victims of fraud? Recent changes have seen greater regulatory input to both protect and compensate the increasing numbers of people who fall victim to APP scams.
Reimbursement to Fraud Victims
The Contingent Reimbursement Model (the "CRM Code"); a voluntary code of practice introduced in 2019, saw the Payment Service Providers ("PSP"s) who were signatories to the Code, committing to reimbursing victims of APP fraud where certain standards were met. With 10 PSP signatories covering over 90% of the recorded APP frauds in 2023, one might wonder whether the Payment Systems Regulator's introduction of a mandatory reimbursement scheme was really necessary?
In short, the answer is yes. The CRM Code was the first step in a wider fraud prevention plan. The Payment Systems Regulator has stepped in to mandate the reimbursement of victims as part of its intention to create a consistent approach in responding to cases of APP fraud.
For payments made on or after 7 October 2024, the compulsory reimbursement scheme now applies. With all PSPs now in scope, individuals and certain SMEs and charities are protected and entitled to automatic reimbursement following an APP fraud using Faster Payments or CHAPS.
The value of any reimbursement is to be split equally between the sending PSP and receiving PSP, which will be managed by Pay UK via its Reimbursement Claims Management System.
Who or what is covered?
- To qualify:
- a company must have fewer than 10 employees and annual turnover not exceeding £2 million; and
- charities must have an annual income of less than £1 million.
- International payment transactions are currently excluded.
- An upper compulsory reimbursement level of £85,000 applies (although PSPs can choose to voluntarily reimburse above this amount).
- A PSP may be entitled to refuse a reimbursement request where:
- the customer is somehow involved in the fraud (which also covers dishonest reimbursement claims);
- the fraud is a result of the customer's gross negligence (i.e. where the PSP can evidence that the customer has acted with serious recklessness); and/or
- the Consumer Standard of Caution has not been met. This includes where a consumer has failed to take note of any warnings or interventions, failed to promptly report the scam and/or failed to comply with reasonable requests from the PSP to provide additional information or report the fraud to the police). The Consumer Standard of Caution does not, however, apply to vulnerable customers and reimbursements in these circumstances should always be made.
A PSP is entitled to apply an excess of up to £100 in successful reimbursement requests. Again, this does not apply to vulnerable customers.
Once a customer reports a case of APP fraud, PSPs are required to make the reimbursement payments within 5 business days. While on its face this is a very short turnaround, the new rules include a "Stop the Clock" provision, where a PSP can pause the reimbursement period if more time is needed; for example, to obtain further information on the scam, or assess a customer's vulnerability. A long-stop deadline of 35 business days is in place to ensure matters are dealt with without undue delay.
The reimbursement cap was reduced at the eleventh hour (from the originally proposed £415,000) following a consultation with industry. Whilst the reduction appears financially significant, the current £85,000 cap will still capture the majority of APP frauds and mirrors the level of reimbursement under the Financial Services Compensation Scheme (FSCS).
Delays to Payments where Fraud Suspected
The Payment Services (Amendment) Regulations 2024 (SI 2024/1013) ("PSRs 2024") were laid before Parliament on 9 October 2024, and will come into force on 30 October 2024.
These Regulations amend the previous Regulation 86 setting out the time limits for PSPs to execute a customer's payment instructions (which required payment to be credited to the receiver's account by the end of the business day following the payment order being made). This gave PSPs little to no time to be able to investigate any fraud risks and gave little scope to PSPs to prevent suspicious payments for fear of liability to the customer. Yet, in cases of APP frauds, once the money has been transferred to the fraudulent account it significantly reduces the likelihood of the customer recovering their money once the fraud is uncovered.
Under the PSRs 2024, a PSP is able to delay crediting the receiving PSP's account by up to 4 business days where there are reasonable grounds to suspect that the payment instruction has been procured by fraud perpetrated by a third party. The delay is intended to allow the PSP to contact the paying customer or other relevant third parties in order to make enquiries and establish whether the payment order should be executed.
The PSRs 2024 set out when and how the paying customer should be notified of the delay (Regulation 86 (2D)) as well as the liability they incur for charges or interest as a result of the PSP's delay (new Regulation 94A).
This follows a consultation by the FCA on amendments to its guidance document on how the new regulations should be applied (e.g. what amounts to reasonable grounds to suspect" and how PSPs should address suspicious payment requests whilst still processing payments promptly. The FCA is expected to publish the revised guidance by the end of the year.
Conclusion
In what appears to be positive steps in the never-ending battle against fraud, the recent changes in the APP fraud landscape put greater burdens on PSPs and financial institutions, both in terms of reimbursing customers who fall victim to fraud, but also in the implementation of fraud prevention measures to be able to detect suspicious transactions, prevent a fraud occurring, and therefore a need to reimburse. The changes introduced by the PSRs 2024 will likely be more onerous for fintechs who in their early stages, often prioritise volume of payments over detailed fraud risk management.
PSPs will need to pay more attention to data transaction monitoring to improve their ability to detect risks. The changes may also encourage greater information sharing between institutions which should increase the utility of the data.
Only time will tell on the impact these changes have had and no doubt data collected by UK Finance and other fraud surveys in relation to 2024 onwards, will be heavily scrutinised to understand whether cases of APP fraud have decreased, or whether the measures simply increase the rate of reporting.
