The date that will change the scam landscape in the UK is now upon us. As of Oct. 7, the Payment System Regulator’s (PSR) mandatory reimbursement rules have taken effect.
These measures seek to protect scam victims and encourage payment service providers (PSPs) to do more to block criminal cash flow.
On the surface, mandatory reimbursement promises increased customer protection and accountability within the banking sector. The ripple effects – both positive and negative – of this latest regulation, however, remain unknown.
Understanding the challenges the banking industry will face and how it responds to them will be crucial in anticipating shifts in fraudster behaviour and, ultimately, keeping pace with criminal innovation, which in turn will allow banks to proactively navigate threats as they arise and evolve.
The chameleon in a jungle: Fraudsters adapting to their new environment
Fraudsters are opportunists by nature. They thrive in changing environments. New defences deployed in response to the PSR’s new mandates are unlikely to deter these criminal innovators. History shows fraudsters tend to shift strategies rather than giving up and disappearing.
As banks strengthened their account takeover controls, for example, we saw fraudsters move towards more sophisticated and underhanded techniques, including the many social engineering MOs and deep fakes that influenced the creation of PSR’s mandatory reimbursement requirement.
Data available through UK Finance’s annual reports shows a continued rise in APP fraud volumes, as shown below:
As financial institutions implement additional controls, particularly on digital channels, fraudsters may direct their efforts elsewhere, targeting alternate channels – phone banking, branch banking, cards, etc. – with the same fraud types.
It seems unlikely we’ll see fraudsters targeting the UK specifically because of the PSR’s new reimbursement requirement. According to TSB, the deployment of the bank's Financial Reimbursement Guarantee (FRG) resulted in no significant increase in attempted APP fraud. With this in mind, it seems fair to assume we won’t see a significant increase in UK scam volumes in the weeks and months after 7th October.
Whatever happens, it is important for banks to react quickly to any changes in the fraud and scam landscape. If financial institutions don’t present a united front and collaborate, fraudsters may exploit the weaknesses of individual entities, distorting reality for the rest.
Stuck in the current: The impact of unintended consumer consequences
One of the more common concerns during the consultation period centred on potential changes in customer behaviour, particularly around the sense of security and caution with which users bank online. Critics believe that if consumers know their funds are protected in the event of a scam, they might behave more recklessly. TSB’s aforementioned letter to Parliament refuted this theory.
Yet, this change may also lead to more reporting. Sadly, we know many scam victims do not come forward and report their experience, whether because they feel embarrassed or pessimistic their reporting will have any impact. The new reimbursement rules could change this, and we could finally begin to see the real volume and value of APP fraud. This is another impact TSB reported as an unexpected benefit of their FRG, which saw scam reports to law enforcement increase by 1,338%.
TSB was also very vocal about FRG and the positive impact it would have on those customers whose fell victim to a scam. Right now, there’s nothing in the PSR mandate that dictates how banks should educate their customers on the new rules. Those in the industry are knowledgeable, but what about the general public?
One big unknown discussed within the industry is the application of the £100 excess. How, if at all, will this be enforced by banks? Or will banks forego imposing it to keep customer satisfaction levels high? The uncertainty in this regard will only be resolved over time, but the potential disparity across banks will lead to an inconsistent treatment of consumers, depending on their PSP.
While we have data that shines a light on the impact of reducing the maximum reimbursement limit from £415k to £85k (just 0.27% of all cases are reportedly between £85k and £415k), we don’t yet know how the £100 excess – if enforced – will impact victims.
Additionally, by shifting liability to payment service providers, consumers could see slower transaction processing times and face more stringent verification procedures, as per the recent FCA consultation. This impact to consumer experience feels like a step backwards, challenging whether PSPs have sufficient frictionless tools.
The one-armed juggler: The impact on PSP’s currently strained resources
Banks have a huge responsibility to protect their consumers from fraud and scams while ensuring the level and quality of the service they provide is streamlined and user-friendly. They also have limited resources to pull this off.
The 50/50 liability change, although it has its advantages, will come with additional costs, as banks will have to pay more attention to inbound payments – something that may be a new area of focus for some PSPs.
Moreover, with increased bank liability, it’s natural to assume banks will deploy additional controls on outbound payments.
Maintaining a seamless user experience while keeping pace with fraudsters and meeting ever-evolving regulatory requirements is no easy task. If bad actors migrate to new channels or payment methods, we should expect this drain on fraud team resources to only intensify, perhaps forcing some banks to make difficult decisions as to which areas they prioritize and which they leave less protected.
The challenges are also compounded by the lack of transparency on how to consistently deal with gross negligence and vulnerability as explained in greater detail in an earlier instalment of this blog series.
Preparing for a new era: Proactive steps to combat future challenges
It is inevitable that new controls implemented by banks will change fraudster behaviour and lead to unintended and unexpected consequences. There are several proactive steps the industry could take to mitigate risk:
1.) Improving infrastructure and payment information: Banks and payment bodies should invest in infrastructure that supports fraud prevention prior to the point of payment. Furthermore, increasing the availability of information and data-sharing across banks can serve as a line of defence, providing a network view which can be leveraged by machine learning models and aid in investigations.
2.) Understanding user behaviour: While the focus of fraud prevention has traditionally been on outbound transactions, there is a growing need to monitor inbound payments as well as the general conduct and behaviour of existing accounts to get a better idea of bad actors are operating within banks. More needs to be done to impede fraudsters’ ability to exit stolen funds from the financial system to fund illicit criminal activity.
3.) Intelligence sharing: Improving communication and collaboration between FI/banks, regulators, and law enforcement is essential. By sharing real-time data on fraud patterns, the industry can anticipate trends and respond faster to emerging threats.
The introduction of mandatory reimbursement by the PSR is set to change the payments landscape significantly. While it offers essential protections for consumers, it will inadvertently encourage fraudsters to evolve and adapt to counteract the changes made by FI/Banks and consumers.
We must be prepared for these shifts by improving security, embracing new technologies, and fostering transparent collaboration. Through improved data intelligence and infrastructure, coupled with transaction monitoring balanced across all payment mediums, we can proactively create a safer, more resilient payment ecosystem.
This is the third installment in a three-part series from McKenzie and Peacock. You can find the first two chapters here: New UK liability-sharing rules: Unpacking the PSR’s latest report and A closer look at the impact of the UK’s new reimbursement requirements
