In a typical payment scam, a victim is tricked or groomed into sending money to a fraudster under some false pretense. The fraudster will usually provide the victim with very specific instructions on how to get the funds to them, and they will often provide the victims with stories to tell their bank if anyone at the bank should question the transaction or try to persuade the victim that they are being scammed. However the scheme works, the important point here is that the victim is authorizing the transaction. These are not unauthorized transactions, such as in an account takeover scheme or if a thief has obtained unauthorized access to the victim’s account and conducted a transaction without the victim’s authority.

As a general rule, financial institutions in the United States are not liable to customers who lose money due to scams if the customer authorized the payment to the fraudster. This may seem unfair in some respects because the victim has lost funds that were in the custody of the bank. In some cases, there may have been red flags that would have enabled the bank to identify a possible scam. For example, the bank would have information showing that an elderly victim who has never sent an international wire transfer is wiring funds to Asia or has withdrawn a large amount of cash. Even where such red flags might exist, banks have generally been held not to be liable if the victim authorized the transactions.

The UK experiment: An overview of the PSR reimbursement rules

Some jurisdictions have started to take steps that would require financial institutions to compensate victims when they have lost money as the result of a scam. For example, as of October 7, 2024, rules in the United Kingdom (UK) require UK payment providers to reimburse all in-scope customers who fall victim to Authorized Push Payment (APP) scams, subject to limited exceptions, up to a limit of £85,000. Banks are required to refund fraud victims within five days.

The UK’s rationale for implementing this measure was stated by the Payment Systems Regulator (PSR) in its June 2024 Policy Statement:

“We want payment firms to take responsibility for protecting their customers at the point a payment is made. In doing so, we expect the new reimbursement requirement to lead firms to innovate and develop effective, data-driven interventions to change customer behaviour. This includes adopting a risk-based approach to payments with firms making better decisions on when to intervene and hold or stop a payment.”

The PSR defines APP fraud as fraud that occurs when a consumer is persuaded or tricked into authorising a payment to a fraudster, whether through being deceived as to the recipient of the payment, or as to the purpose for which they are transferring the funds.

When the new regime went into effect, it established a reimbursement limit of £85,000. This limit was reduced at the last minute from an initial proposed limit of £415,000. In addition to the limit, there are numerous rules and procedures governing the reimbursement process.

Consumers should, on learning or suspecting that they have fallen victim to an APP scam, report this promptly to their PSP, and in any event not more than 13 months after the last relevant payment was authorised.

The information sharing requirement. Consumers should respond to any reasonable and proportionate requests for information made by their PSP to help assess a reimbursement claim.

The police reporting requirement. Consumers should, after making a reimbursement claim, and upon request by their PSP, consent to the PSP reporting to the police on the consumer’s behalf. The PSP can alternatively ask the consumer to report the details of the APP scam to a competent national authority directly.

The PSP must reimburse the consumer within five working days. The term “consumers” in this context includes microenterprises and charities, provided they are below the thresholds set out in the APP fraud reimbursement rules.

The cost of the reimbursement must be split 50/50 between sending and receiving PSPs.

The sending PSP must notify the receiving PSP within two business hours of an APP fraud claim, and the receiving PSP should provide any relevant information to the sending PSP within three business days.

The receiving PSP must pay the sending PSP 50% of the reimbursable contribution amount, within five business days of being notified by the sending PSP that the contribution is payable.

Sending PSPs can ‘stop the clock’ to gather additional information or, where relevant, verify that a claims management company is submitting a legitimate claim. Receiving PSPs must respond to any requests for additional information within 25 business days. Sending PSPs may stop the clock as many times as necessary to complete their assessment, provided they complete their assessment and close the claim within 35 business days.

The reimbursement requirement will apply to an account controlled by a person other than the customer, where the customer has been deceived into granting that authorisation as part of an APP fraud case.

PSPs will be allowed to withhold up to £100 from the reimbursement to cover their expenses.

There would be exceptions to this general reimbursement obligation:

Where the consumer seeking reimbursement has acted fraudulently.
Where the consumer has acted with gross negligence.
However, vulnerable victims will be excepted from the consumer standard of caution and will not be subject to the excess.

Consumer standard of caution.

The rules require firms to reimburse all in-scope APP fraud victims, except where the consumer seeking reimbursement has (1) acted fraudulently, or (2) where the consumer has acted with gross negligence, as set forth in the December 2023 Guidelines.

The consumer standard of caution will not apply to vulnerable customers.

The burden of proof falls exclusively upon the PSP to demonstrate that a consumer has acted with gross negligence.

Where a consumer chooses to proceed with a transaction after an intervention by their PSP, and that transaction turns out to be a scam, the consumer should not automatically be deemed to have been grossly negligent. In section 1.13, the PSR provides several factors that should be assessed in order to determine whether the consumer’s conduct was grossly negligent.

Each reimbursement claim made by a consumer will need to be assessed on its individual merits to ascertain whether the consumer is eligible for reimbursement or has acted with gross negligence in not meeting the consumer standard of care.

When simple meets reality: The hidden complexities of scam reimbursement

As can be seen from this overview of the rules and procedures covering the PSR reimbursement process, what seems to be a relatively simple idea can become very complex when put into practice. For example, there is the process whereby the sending and receiving PSPs must each pay 50% of the claim – which will require coordination between the PSPs. Also, there is the issue of assessing and determining “gross negligence” by the consumer, including cases where the consumer was warned of the fraud by the PSP.

Since these new rules have only been in effect for a few months, I have yet to see any anecdotal or empirical evidence with respect to how the new process has been working. However, one commentator has reported that he has seen this new policy spur increased investment in fraud technology and fraud personnel at his institution.

I expect that we will be receiving additional information about developments in this area as institutions begin to file required reports on reimbursements. The first report of data required was due on January 6, 2025, which will be followed by monthly reporting from January 31, 2025.

While the UK policy on reimbursement is clearly well intentioned and may, in fact, drive institutions to increase investments in counter-fraud technologies and personnel, it is not clear in my mind that this policy will actually reduce losses resulting from scams. This new regime is a complex system that will require resources to administer and oversee the program.

First, this fraud-reimbursement process will result in PSPs having to set up a whole new internal framework to implement the program: people to process the claims; people to evaluate the claims; people to interact with the PSP on the receiving end of the transaction; people to consider whether the consumer was grossly negligent in the transaction; people to argue gross negligence; auditors to review and assess the program, etc. In addition, there will have to be government oversight to promote and evaluate compliance by PSPs with the program. PSPs will be expected to spend funds to implement the program as well as to enact new counter-fraud programs. In my view, it would be more productive if these resources were spent to actually detect and prevent fraud.

Further, while counter-fraud measures to protect customers may allow PSPs to protect themselves from claims by establishing gross negligence by their customer, the burden of proof falls exclusively upon the PSP to demonstrate that a consumer has acted with gross negligence. So, even if the PSP has implemented a program to protect their customers, they will still be required to expend funds to establish gross negligence by their customer if the customer seeks reimbursement. Thus, it is interesting to compare the situations of three different hypothetical responses by institutions to this new regime:

1. The first PSP has taken virtually no steps to protect their customers. This PSP would have to reimburse all of their customers for losses up to the maximum.

2. The second PSP has taken some measures to protect their customers from scams but has not implemented a program to actually intervene with customers who are being scammed. This PSP would have spent funds to implement their program but would probably not be in a position to establish gross negligence by their customers so they would be required to reimburse their customers in most cases.

3. The third PSP has implemented a good program, identified the scam, and reached out to their customers to warn them about the scam when possible. This program would require substantial expenditures and should result in some customers being prevented from being scammed. So, the increased expenditures should result in some savings. However, in cases where a customer proceeded with the transaction despite the warning, the burden would still be on the PSP to establish gross negligence.

Every PSP will have to decide what level of protective measures it will take to try to protect its customers and avoid having to reimburse claims. But only PSP #3 will be in the best position to contest claims under the gross negligence provisions. And even then, it is still not assured of prevailing in every case. So, every PSP will have to calculate how it will address this situation. In this day of limited resources, it will not be an easy decision. Since there are no standards for an effective anti-fraud program, it will not be easy for PSPs to determine what kind of program they should implement.

Moral hazard

As we have discussed, prior to this new regime, the general rule has been (and still is in the United States) that financial institutions are not responsible for customer losses due to scams because the customer has authorized the transaction. This puts the responsibility for due diligence and care on the customer. However, if the system shifts to one where the customer is no longer responsible for such losses, this reduces the incentive on the customer to exercise due care. This scenario brings up the principle of “moral hazard.”

Moral hazard can exist when a party to a contract can take risks without having to suffer consequences. While I understand that no one wants to be the victim of a scam and the fraudsters are very good at deceiving victims, nonetheless, do we really want to take away an incentive to be alert for scams? Financial institutions in the United States are implementing new measures to identify, deter, and prevent scams, and some have made significant investments in customer education programs. Ongoing media coverage and public service announcements are regularly released to raise awareness and alert potential victims about scams. So, this would cause some to argue whether at least part of the burden should be on the victims to be alert to scams.

Collusion between scammers and victims

Everyone reading this article is probably aware of how creative and adaptive scammers are. Thus, if a regime to reimburse victims of scams is implemented, scammers will undoubtedly seek to take advantage of the new regime by colluding with customers so that they can both take the money from the purported scam and seek reimbursement as well – thereby profiting twice from the same scam. While this collusion would probably not be widespread, can anyone doubt this kind of collusion will occur at some level?

What about other responsible parties in the fraud environment?

One other concern about requiring PSPs to reimburse customers for losses due to scams is that this new regime places all of the burden on the PSPs and ignores the role that social media companies and telecoms play in the fraud chain. As I argued in a previous blog, in most cases, the initial contacts in these scams are primarily made on social media platforms where fraudsters (who are often themselves victims of human trafficking) reach out to potential victims to engage them in conversations. PSPs are only the last point in the fraud transaction – once the victim has been contacted, groomed, and convinced to send money to a person they have never met. Since social media and telecoms are an essential part of the scam ecosystem, it is only right that they should be involved in the reimbursement process as well.

A better approach?

I certainly understand why some people believe that PSPs should be required to compensate customers for funds that they lose to scammers. No one likes to see an innocent victim lose their life savings because they were taken in by a scammer. There are arguments in favor of the UK approach. However, I am concerned about the complexity of the UK approach, the amount of money that would be spent on implementing and operating such a reimbursement regime, the issue of moral hazard, the possibility of collusion between victims and scammers, and the responsibility that social media and telecom companies bear.

In light of these concerns, in my view, the better solution would be to establish guidelines or standards for PSPs and social media and telecom companies to follow in order to reduce fraud, provide some sort of regulatory incentives for financial institutions to encourage them to implement stronger anti-scam measures (as of now, banks get no credit from regulators for implementing such measures), and develop a strategic approach to fighting fraud that would include law enforcement, the federal regulators, and the private sector so that the efforts of all of these groups could be coordinated in a meaningful manner. I provided a blueprint for such a coordinated approach in a prior blog. The focus on a coordinated approach would be more productive in fighting fraud and scams than simply making banks reimburse victims for losses.
