This blog is being published in two parts. Part 1 summarizes the final UK regulations for mandatory APP scam reimbursement. Part 2 discusses what non-UK FIs should take away from what is happening in the UK around APP scams.
In December 2023, the UK Payment Systems Regulator (PSR) released the final details of the new APP scam reimbursement requirements ahead of the October 2024 implementation date. Several documents related to the reimbursement regulations were released (refer to Additional Resources below for the full list).
The key points outlined by the PSR include:
- Most APP scams (impersonation, romance and investment scams) that occur on the UK faster payments system rails (“Faster Payments System”) will be reimbursed by the Excluded transactions are international payments, payments made across other payment systems (including funds sent to crypto exchanges) and On-Us transactions (intrabank transfers). The PSR is asking FIs to voluntarily include On-Us transactions for reimbursement. Also excluded from the reimbursement policies are credit unions, municipal banks and national savings banks, as well as first-party fraud payments. Separately, the Bank of England is working on including CHAPS payments for reimbursement at a later date.
- The reimbursement is a 50-50 split between the sending and receiving bank (technically the sending and receiving Payment Service Provider, or PSP).
- The maximum reimbursement amount is £415,000 per customer claim. The definition of a customer claim is: “one or more FPS APP scam payments made as part of an APP scam.” This amount was chosen to match the Financial Ombudsman Service's current award limit for a single complaint of £415,000. There is no exception for vulnerable customers. A PSP can voluntarily reimburse over the maximum amount at its own discretion. The PSR estimates this maximum amount “covers 95.5% of losses by value.”
- PSPs can exclude up to the first £100 of scam loss from reimbursement per customer claim (exclusion not applicable to vulnerable individuals where customer vulnerability led the customer to be defrauded). By excluding £100, the PSR document states “up to 32% of the cases would receive no reimbursement,” but this will represent “less than 1% of the total value of APP fraud cases.”
- Vulnerable customers must be treated differently (e.g. no minimum amount for reimbursement). PSPs are required to determine if a customer vulnerability led the customer to be defrauded. According to the Financial Conduct Authority, vulnerable customers could include up to 25% of UK adults.
- PSPs must have clear and specific transaction warning signs (not boilerplate) on known risky transactions that appear to be a possible scam.
- PSPs can pause, or even reject, a transaction when it appears to be a scam.
- If a customer is grossly negligent, there is no reimbursement. The document limits the consideration of gross negligence to “four specific circumstances, including the requirement to have regard to interventions (e.g. online alerts or branch staff/police scam discussions about the transaction in question), prompt notification (of the loss), responding to requests for information and police reporting.” Customers must listen to bank staff and police, but failure to listen by itself is not sufficient to deny reimbursement. The vulnerability status of the customer must also be considered to determine if customer gross negligence can be considered by the PSP. A customer repeatedly falling victim to APP scams may itself be indicative of their vulnerability.
- If a customer is denied reimbursement, they can appeal to the Financial Ombudsman Service (FOS). A customer’s appeal to FOS can include concerns that the PSPs involved caused the loss by their acts or omissions. If the loss involves several payments, the customer can file a complaint for each. According to the PSR, “It follows that victims who have lost very large sums are already entitled to seek redress of more than £415,000 by bringing multiple complaints to the Financial Ombudsman Service and they will continue to have that right after the reimbursement rules are introduced.” FOS has a maximum limit of £415,000 per complaint.
- If the sending PSP decides not to reimburse and it is overturned by the FOS or the courts, then the sending PSP will be liable for the full reimbursement determined by FOS or the courts.
- The sending PSP must reimburse the customer within five business days of a claim being submitted, unless the sending PSP needs more information to assess the customer claim. In that case, the sending PSP can have up to 35 business days from the date of the claim to decide whether to reimburse.
- This reimbursement policy starts on October 7, 2024. Any scam payments made prior to this date are not covered. The current voluntary reimbursement Code will stay in effect until this date.
- The PSR requires Pay.UK, the manager of the Faster Payments System, to report on claims vs reimbursements to ensure PSPs are acting responsibly. The frequency of the report is TBD.
Observations on Scam Reimbursement Requirements
Here are some of my observations on these new rules for reimbursement:
Since the maximum amount is £415,000 per claim, if a customer made three APP payments for £200,000 each (e.g. romance scam), this is considered one claim according to the PSR, and a maximum of £415,000 will be reimbursed. But if the customer is not satisfied with the reimbursement received from the sending PSP, they can go to the FOS and file one complaint per scam payment and conceivably receive £600,000 in reimbursement (£200,000 per claim). FOS allows for this possibility, depending on the FOS determination.
The sending PSP is the one responsible for determining if the scam claim is valid or not. If they decide it is not valid, and the customer goes to FOS or the courts and either FOS or the courts agree that it is valid, then the sending PSP alone must pay the client 100% of what FOS or the courts determined. As a result, the sending PSP must carefully assess the customer claim for first party fraud, gross negligence and whether any vulnerabilities the customer had at the time of the scam caused the customer to be defrauded. I think this will help scam victims get reimbursement where they have been psychologically impaired by the scammer to execute the transactions.
Investment scams where the customer sends a payment from the sending bank to a cryptocurrency exchange are definitely not covered by the PSR regulations (not a Faster Payment). In fact, according to a Reuters article last year, several UK banks limit transfers or block money from being sent to cryptocurrency exchanges. In addition, if the scammer convinces the customer to withdraw cash from their bank for whatever purpose, this is also not covered by the PSR regulations (not a Faster Payment).
The PSR and the Financial Conduct Authority (FCA) will be looking to see that bank customers are treated fairly, and the reporting on scam claims and reimbursement by PSPs will help assess the effectiveness of this reimbursement program. With the new UK Consumer Duty law, the FCA will specifically be looking at how customers are treated (e.g. assessing vulnerabilities, how complaints are handled, etc.) and what controls are in place to prevent fraud and scams.
The UK regulators are also placing strong requirements on PSPs to implement effective controls to reduce scams before they cause losses. The PSR states: “We want payment firms to take responsibility for protecting their customers at the point that a payment is made. In doing so, we expect the new reimbursement requirement to lead firms to innovate and develop effective, data-driven interventions to change customer behavior.” The FCA report, Proceeds of fraud - Detecting and preventing money mules, published in October 2023, states: “Firms should have proportionate and adequate systems and controls to mitigate the risk of money mules. We will use our full regulatory tools, including appropriate enforcement, should we identify a firm failing to maintain proportionate and adequate controls.”
Industry Response on Scam Reimbursement Requirements
Here is some key feedback from the UK on the final reimbursement requirements:
- Which?, the consumer advocacy group, responded, “It is very positive that the Payment Systems Regulator is progressing with its plans for implementing mandatory reimbursement. This will make the UK the first country in the world to implement consistent standards to reimburse victims of APP fraud.”
- The UK Payments Association’s Director General, Tony Craddock, provided a response on LinkedIn on December 19. A condensed version of his full commentary follows:
“The Payment Systems Regulator has published its final policy decisions on #appfraud. And despite extensive expressions of concern from the #payments industry, the policies are unchanged from the drafts published two months ago, with one exception.”
“The first thing to do is take a deep breath and work with the PSR team to facilitate the implementation of these new regulations. We have to make the best of a difficult situation. We have to do everything in our power to deploy systems and processes that prevent any sort of reimbursement being required in the first place, whatever its size; in other words, to prevent scams from happening.”
Additional Resources
- Document 1: Fighting authorised push payment scams: final decisions
- Document 2: Specific Requirement 1: The Consumer Standard of Caution Exception
- Document 3: The Consumer Standard of Caution Exception Guidance
- Document 4: Specific Requirement 1: Maximum excess - Notice of Value
- Document 5: Specific Requirement 1 on the Faster Payments Scheme operator to insert APP scam reimbursement rules into the Faster Payments Scheme rules
- Document 6: Specific Direction 20 to PSPs participating in the Faster Payments Scheme that provide relevant accounts, to reimburse FPS APP scam payments and comply with the reimbursement rules
- Document 7: Specific Direction 19 imposing certain responsibilities on the Faster Payments Scheme operator in respect of the Faster Payments Scheme APP scam reimbursement rules