In a little under 90 days, the United Kingdom (UK) will become the venue for a unique experiment, one that will test the cognition and behaviour of around 99% of the population.
Conducted in the 'real world', this experiment is the latest stage in a sixteen-year journey that commenced when the UK embraced real-time payments in 2008. I am referring to the introduction of mandatory reimbursement for Authorised Push Payment (APP) scams.
The provisions within the Financial Services and Markets Act (FSMA) provide a legislative basis for transitioning from the somewhat limited voluntary arrangements that were put in place following the super-complaint from consumer advocacy group, Which?. The Contingent Reimbursement Model (introduced in 2019) has acted as a forerunner, recording losses of a little under £500M per annum whilst also exposing issues of consistency surrounding the reimbursement of losses. In 2023, 62% of scams were reimbursed under the voluntary code, according to UK Finance.
What is an authorized push payment (APP) scam?
An APP scam occurs when a person uses a fraudulent or dishonest act or course of conduct to manipulate, deceive, or persuade a consumer into transferring funds from the consumer’s relevant account to a relevant account not controlled by the consumer, where:
• the recipient is not who the consumer intended to pay, or
• the payment is not for the purpose the consumer intended.
Is friction bad?
In the world of e-commerce, the issue of friction is seen as a blocker, a perception that is often also applied to the world of digital banking. You don’t need to look far to find articles that call for friction to be addressed.
It is generally accepted that there is an inevitable tension between security and usability. The rapid growth in scams has put a focus on the issue of banking in the UK, with organisations such as Which? setting out to rank banks according to the efficacy of their approach to security.
Returning to the issue of APP, the specific provisions set out by the Payment System Regulator (PSR) appear likely to test how Payment Service Providers (PSPs) can best address risk whilst also maintaining customer experience (CX).
When thinking about friction in payments, context is king. To address this dilemma, we should differentiate between friction that frustrates and friction that safeguards. This means ensuring that customers have access to a banking experience that is efficient but also secure, with low-risk events subject to little or no friction.
Consumer Standard of Caution
Back to the lab: one element of the UK's unique experiment that will likely prove significant in determining how PSPs can protect their customers is the Consumer Standard of Caution. Whilst there are four elements to the standard, it is the first that is most relevant to the provision of risk-based friction. Consumers are required to “Have regard to any intervention made by their sending PSP and/or by a competent national authority (CNA).”
In operational terms, this requires a PSP to provide the consumer with an intervention that offers “a clear assessment of the probability that an intended payment is an APP scam payment.”
The million-dollar question is how best to deliver an intervention that is scam and transaction-specific, supporting a consumer to make the right decision.
The quest for context
Payment Services Directive 2 (PSD2) introduced the concept of Strong Customer Authentication (SCA), which called for PSPs to authenticate customers based on knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is).
SCA itself isn’t relevant to APP scams: the customer can authenticate, and the real issue is whether they are making the payment because of external influence. However, the concepts behind SCA provide a useful parallel. I'd like to suggest that APP interventions should be driven by intent (the purpose of the payment), behaviour (deviations in user activity, both session and transactional) and intelligence (evaluated information on the recipient).
The challenge presented to PSPs is how to best combine these factors to meet the expectations of the customer and regulators.
Putting theory into practice
An early example of this approach being put into practice is provided by Santander UK, which deployed new APP scam prevention measures in December 2023 to combat purchase scams. Online purchase APP scams are a particular challenge for PSPs. High in volume, yet low in value, they result in significant operational costs on top of the costs associated with reimbursement. Before the new measures, Santander UK customers lost nearly £6.5 million in 2023 to Facebook Marketplace scams, an increase of almost 50% over the last year.
So how do the scam prevention measures work?
When customers indicate their payment is associated with a purchase on Facebook Marketplace, they are shown a tailored scam warning and asked if they have seen the item in person.
Any customer answering ‘no’ will not have their bank transfer authorised and will instead be advised to make further checks on the item, including seeing the item in person and using a more secure payment method.
Any customer who confirms they have seen a photo or video of the item, but have not viewed the item in person, will also be unable to make the bank transfer.
The screenshots below show examples of how these prompts appear within the customer journey.
Between December 2023 and May 2024, among 45,427 Santander UK customers who attempted to make a bank transfer to purchase an item through Facebook Marketplace:
• 35,588 customers said they had seen the item in person, meaning the payment was made.
• 1,899 customers were prevented from making the payment after admitting to not having seen the item in person, and the payment was not subsequently made.
• 7,950 customers were initially prevented from making a payment, but then subsequently confirmed that they had seen the item in person, meaning the payment was made. Of this group, 240 customers then went on to report that they had fallen victim to a purchase scam.
In all, 439 people fell victim to a scam on Facebook Marketplace, losing a total of £284,000, an average of £647 per person. Of the 439 customers who fell victim to a scam, 263 were customers who changed their answers.
Although less than one percent of customers still fell victim, it shows that scammers only need a small win rate to cash in. Chris Ainsley, Head of Fraud Risk Management at Santander, said: “Fraudsters can be incredibly manipulative. The fact that in just a few months hundreds of customers felt the need to attempt to sidestep our fraud prevention measures by changing their answer so they could proceed with the purchase, goes to show the level of pressure that these criminals are placing on unsuspecting victims.”
Conclusion
Regardless of your stance on that point, the regulatory environment in the UK is providing PSPs around the globe with an opportunity to better understand how they can balance customer experience and security. Assertions that consumers don’t value measures to safeguard them will surely be tested by the UK’s real-world experiment in how best to address APP scams.
The focus is often on customer reimbursement, but it is only one of a series of measures that incentivise PSPs to change their stance on risk. The primary objective must be to demonetise scams, and only time will tell if the UK's measures will result in lower overall losses.
Learn More
Friction does not always need to be a risk and can actually present new opportunities. The growth in social engineering scams globally has opened the door to conversations around introducing “good” friction into the online banking process. Discover how some organizations have resolved the conflict between customer safety and user experience through the use of technology and innovative strategies in the white paper, “Mastering Friction, Security, and Efficiency: A Behavioral Approach to Online Banking.”