The UK’s Payment Systems Regulator (PSR) has released a 72-page Policy Statement explaining how reimbursement for Authorized Push Payment (APP) scams will work. Importantly, the very first sentence of the document confirms that fraud and scams are greater than any other crime in the UK. In 2022, losses from APP scams alone were £485 million. It goes on to state, “Once a victim realizes they have been scammed, it’s often too late to stop it and it can have a devastating impact on their life or business.” This sensitivity for the victims of APP scams and the large amount of scam losses has helped drive the PSR to create this document with a real goal of preventing these scams from occurring in the first place.
There are three primary goals of this document:
- Incentivize the payment industry to deploy better and stronger controls.
- Reimburse victims of APP scams (including holiday scams, romance scams, impersonation scams, investment scams, invoice and CEO fraud, and purchase scams). The victim must have been deceived into granting the authorization to make the payment “executed over the (UK) Faster Payments Scheme.” There is no minimum value threshold for payment reimbursement. The PSR is still determining what the maximum value of reimbursement will be. The plan is to increase reimbursement from 66% in 2022 to 100% in 2024. The reimbursement plan covers consumers, micro-enterprises, and charities. The consumer’s vulnerability and capacity should be considered when evaluating a reimbursement claim. There are three major exceptions to reimbursement: 1) first-party fraud, 2) customer gross negligence (the PSR is working with the Financial Conduct Authority and the Financial Ombudsman Service to provide guidance on the definition of gross negligence), and 3) excessive claims (with specifics to be provided in Q4).
- Work with Pay.UK to improve the rules governing the Faster Payments System to prevent fraud/scams.
The third point is important as 97% of APP scams occur on the UK Faster Payment rails. According to the PSR, these scams were less than 0.1% of total Faster Payments in 2021.
In addition, the PSR is putting focus on three areas:
- More reporting of APP fraud data. The PSR has initially requested 14 top Payment Services Providers (PSPs) to report on how effectively firms are handling APP fraud. This will include the associated receiving PSPs (showing disbursal of payments among PSPs) with the first report to be published in the fall.
- Requiring Confirmation of Payee (Name Match) controls for another 400 PSPs (out of a total of over 1500 PSPs).
- Promoting intelligence sharing within the payment industry by developing a data tool to support data sharing, including sharing of risk indicators, to change customer behavior and to help hold/stop scam transactions by the sending and receiving PSPs. This will involve the use of the UK Finance’s Enhanced Fraud Data (EFD) solution, with Pay.UK involvement. The plan is for an early phased rollout in late 2023. Also, the PSR wants PSPs to start tracking the source of scams (e.g., robocall, smishing, online advert, etc.).
Components of Reimbursement
There are some new components for reimbursement:
- Reimbursement will be split 50-50 between the sending and receiving PSP. The purpose of the split is for both sides of the transaction to have strong controls to prevent these scams from occurring. The PSR also wants both sides of the transaction to adopt a risk-based approach to determine “when to intervene and hold or stop a payment.” The PSR is looking to see if legislation might be needed to support these delays. In the spirit of faster payments equals faster fraud, the PSR is saying slow down when the alerts warrant it—and help protect the customer from a loss.
- The new reimbursement requirement will apply to all sending and receiving PSPs (over 1,500) using the UK’s Faster Payments Scheme. Open Banking Payment Initiation Service (PIS) transactions are in scope for reimbursement. CHAPS transactions, Bacs transactions, international payments, and payments sent to a crypto exchange are excluded.
- “On Us” transactions (where the sending and receiving entity are the same) are currently excluded in the Policy Statement as the PSR does not have control over these transactions as they are not transferred via a payment system. The PSR is ‘recommending’ that PSPs treat these as Faster Payment transactions and provide reimbursement as defined in this Policy Statement, as the impact to the customer is the same.
- The target implementation deadline for the new reimbursement program is Q1 2024. Reimbursement will be implemented through a combination of Faster Payments rules (from Pay.UK) and PSR directions.
Expected Outcomes from APP Reimbursement Policy
The PSR has four expected outcomes from this new policy:
- Less APP fraud
- Improved protection for victims
- Effective incentives for payment firms to have proper controls to reduce APP scams
- Increased confidence in the UK’s Faster Payments System
It is important to note that ten PSPs (representing over 90% of authorized push payments) already started this journey to reimbursement a few years ago by signing up to the Contingent Reimbursement Model (CRM) Code. Interestingly, the CRM Code covers Faster Payments, CHAPS and “On-Us” transactions. The latter two transaction types, as discussed above, are excluded in this new PSR Policy Statement.
Also, on July 31, 2023, the Financial Conduct Authority’s (FCA) Consumer Duty comes into effect which introduces a cross-cutting rule that requires firms to avoid causing “foreseeable harm.” So, the new PSR Policy weaves closely with the Consumer Duty requirement. Weak controls around Faster Payments could be a violation of this new Consumer Duty.
The PSR is still working out the details of implementation with Pay.UK, the payment systems operator. The PSR plans to have Pay.UK manage the reimbursement process, including the defined reporting on PSP performance on reimbursement. Pay.UK will add Faster Payment rules to reflect the new PSR Policy Statement. The PSR will monitor the new Pay.UK responsibilities.
Summary
In summary, the PSR has put together a very detailed and complete document. It is clear what is included in the Policy Statement and, just as important, what is excluded. The PSR really wants to see innovation from the PSPs and Pay.UK. One of the best quotes from the document is, “We want payment firms to take responsibility for protecting their customers at the point a payment is made. In doing so, we expect the new reimbursement requirement to lead firms to innovate and develop effective, data-driven interventions to change customer behavior.”
Partnerships between PSPs and more agile fraud solution providers can mean more data points passed, by push API as an example, to aid the sending and receiving PSPs in asking relevant questions along the payment journey (e.g., is the customer on an active call during a live banking session, or should risk data be sent to the receiving bank to warn of a possible issue).
For a more complete solution, the UK Government 2023 Fraud Strategy is important in addressing the origination of these scams, which often start with telecom provider calls and messages, along with social media dialogue and internet platform advertisements. A good example of this is the voluntary agreement between the FCA and Google which involves “Google to change their advertising policies to only allow financial services adverts from FCA-authorized firms.” Perhaps the 2023 Fraud Strategy can incorporate telecom providers and Internet platforms into a future APP reimbursement solution, as their products often contain the starting point of the scam (up to 80% of scams start on a social media site).
Also, it is important to remember that with money going to crypto exchanges, an out-of-scope transaction for this Policy Statement, the burden is on the sending PSPs to build controls, as some PSPs have already done, to control the growing fraud in this area. Think of the intense pain the customers go through in many of these scams and ask, “What can I do better to prevent these scams?”