In July, the UK’s Payment Systems Regulator (PSR) issued its annual report outlining figures on scams and reimbursement in the UK, which we analysed in the first part of this latest blog series.
With just weeks to go until the new rules take effect, we now take another look at the parameters of the mandatory reimbursement and the immediate impact banks, consumers, and even fraudsters may face.
Mandatory reimbursement: The facts
As a reminder, here is a summary of the new rules (taken from our White Paper, Countdown to APP Reimbursement).
Despite the rapidly incoming enforcement of these parameters, there are still outstanding questions. Let’s explore some of these unknowns, and the impact they may have on financial institutions and consumers.
Reimbursement limit: The PSR issued a new consultation earlier this month to reduce the limit from £415k to £85k, which we covered in another blog post on our site. At such a late stage, this increases uncertainty for all involved.
• Bank/financial institution (FI) impact: Possible reduction in liability if they have not been able to detect and prevent their customers from falling victim to APP scams.
• Customer impact: Victims who lose more than £85k to APP scams could find themselves worse off than they are under current protections offered by the existing Contingent Reimbursement Model (CRM) Code methodology. For losses greater than £85k, there are still unknowns as to what methodology will be used.
Gross negligence: Banks/FIs must be specific, timely, and clear about risk with their customers. They must prove their customer failed to heed warnings and, therefore, acted in a grossly negligent manner. It’s unclear what behaviour or actions would satisfy this requirement under the Mandatory Reimbursement rules.
• Bank/FI impact: The obligation for banks/FIs in terms of actions they must take is unclear and open for interpretation. What we do know from previous rulings is that displaying warning messages is not enough.
• Customer impact: What constitutes gross negligence remains subjective under Mandatory Reimbursement, which perpetuates the risk of inconsistencies across banks/FIs and, therefore, unfair outcomes for victims of APP scams.
Vulnerability: Banks/FIs must consider the vulnerability of their customer. Vulnerable customers are afforded additional protection under APP Mandatory Reimbursement. Vulnerability is fluid and individual, and there are no clear guidelines on determining whether a customer should be considered vulnerable. Per the FCA guidance, “a vulnerable consumer is someone who, due to their personal circumstances, is especially susceptible to harm – particularly when a firm is not acting with appropriate levels of care.”[1]
• Bank/FI impact: Substantial effort needs to be made to understand how banks/FIs will identify their customers’ vulnerability to ensure their refund strategy is fair and consistent.
• Customer impact: With different interpretations of vulnerability, the risk of inconsistent outcomes for victims who are vulnerable is high, especially considering a person’s vulnerability might not always be immediately apparent to a bank.
Reporting: Banks/FIs have begun publishing scam losses and refunds as per the three metrics established. The PSR will publish these metrics on an already-agreed-upon schedule, enabling the direct comparison of PSPs. What needs to be understood is what is not included in that reporting (payments to crypto exchanges and the associated magnitude of losses, for example). This has been a massive challenge for banks/FIs, bringing the accuracy of these metrics into question.
• Bank/FI impact: The metrics reported could drive firms/banks to prioritize strategies that detect and prevent the APP types on which the PSR requires them to report, to protect their reputations. This might mean the true extent of losses and refunds to payments remains unknown, making the scale of APP reflected in PSR reports inaccurately high. With cryptocurrency scams increasing, this could skew results further.
• Customer impact: This allows customers to interpret how their bank compares against peers. This information could be misinterpreted as to which bank is the ‘safest’ to choose to do business with.
A slowdown of payments: In addition to the recent consultation by the PSR on the reduction of the reimbursement limit, the FCA has released its own consultation enabling a risk-based approach to payment processing.
• Bank/FI impact: This could be a very powerful tool if used correctly with the correct resources and a consistent approach. It could also, however, lead to an increased drain on operational resources to manage required manual reviews.
• Customer impact: Increased friction on genuine transactions seems likely to also impact genuine customers.
While we have evaluated the impact for banks/FIs and customers, we can also expect some level of impact on fraudsters. In general, we know the additional controls that will undoubtedly arise from PSR will make life more difficult for fraudsters, who will have to find ways to circumvent any new barriers. We also know finding ways to circumvent new barriers is what fraudsters do best.
Analysing the unknowns once again, we know that if payments are slowed down, this could lead fraudsters to migrate to other channels where these controls or measures are not implemented, e.g., telephony channels. Similarly, with the new reporting requirements not including crypto exchanges, we could see fraudsters double down on using crypto as their preferred method of withdrawing their illicit gains.
In the coming weeks before these new PSR rules go live, we’ll publish a third blog post on this subject, with our predictions for all of the potential impacts.
Stay tuned.