Sunday, 25 June 2023

The Payments Industry Required To Cover 'Push Payment' Scams

The UK’s Payment Systems Regulator (PSR) has announced it will impose a new reimbursement requirement for ‘authorised push payment fraud’ (APP fraud) involving the Faster Payments system from 2024, with a further review in 2026. APP fraud occurs where a fraudster tricks someone into sending a payment to a payment account controlled by the fraudster (or a ‘mule’). I've summarised the requirements below for information purposes, but if you need advice on the scope or application of the new requirements, please let me know.

What is APP fraud?

APP fraud involves payments where the victim is deceived into allowing or authorising a payment from their account with a bank or other payment service provider (PSP), including where they intend to transfer the funds to someone else but are deceived into transferring the funds to the fraudster instead (or the fraudster's associate or ‘mule’), or where the victim is deceived as to the purpose of transferring the funds to the account outside their control. 

Examples of APP fraud include impersonation, investment, romance, purchase, invoice and mandate, CEO and advance fee scams.

How much APP fraud is there?

According to UK Finance, there were approximately 207,000 reported cases on personal accounts in 2022 (up 6%) worth £485m, but “many cases” go unreported. Most (97%) involve the Faster Payments system (though APP fraud payments make up only 0.1% of all Faster Payments).

Mandatory reimbursement will be on top of the voluntary Contingent Reimbursement Model (CRM) Code launched in 2019, which covered 66% of APP fraud losses within its scope in 2022; and some other initiatives by individual firms. 

What about other payment methods?

The Bank of England is also committed to achieving similar reimbursement for consumers making larger 'CHAPS' transactions. 

The PSR will also consider whether the new reimbursement requirement should apply to other payment systems in due course, but it will apply to the New Payments Architecture (NPA) that will replace existing inter-bank payment systems by 1 July 2026. 

Which customers are covered?

The new reimbursement requirement applies to consumers, microenterprises and small charities (all of which are treated as ‘consumers’ under the Payment Services Regulations; this is the same coverage as the CRM Code).

The sending PSP processing an APP fraud claim should assess the customer’s situation and any potential vulnerability in line with the FCA’s guidance for PSPs on the fair treatment of vulnerable customers.

A vulnerable customer is someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care. 

If a customer is deemed vulnerable for a specific APP fraud, the sending PSP must not apply the customer standard of caution (gross negligence) or claim excess. 

Which firms are liable for a reimbursement?

The new requirement will mean payment firms must reimburse all in-scope customers who fall victim to APP fraud, sharing the cost of reimbursing victims 50:50 between sending and receiving payment firms, with extra protections for vulnerable customers. PSPs must reimburse customers within 5 business days. There will also be a deadline for firms reimbursing each other, where one pays the customer first. 

The regulator will consult later this year on a potential maximum limit for reimbursements, and claims must be made within 13 months after the final payment to the fraudster.

Only the PSP that operates the sending payment account and the PSP that operates the receiving payment account for a qualifying transaction are required to provide reimbursements. This means that a ‘payment initiation service provider’ will not need to provide reimbursements unless it is also acting as the receiving PSP.

Which payments are covered?

The requirement covers only payments made using Faster Payments where the victim is deceived into allowing or authorising a payment from their account with a PSP to another account outside the victim's control at another PSP.

Where a fraudster persuades the victim to go through several steps (‘multi-step APP fraud’), first transferring their money from the sending account at one PSP to another account that the victim has at a different PSP, and then transferring the funds to an account outside the victim’s control at another PSP, the reimbursement requirement only applies to the Faster Payment made from the victim's last sending account to the receiving account outside the victim’s control.

Which payments are not covered?

The reimbursement requirement does not apply to: 

  • civil disputes, such as those relating to the quality of goods/services which are mainly covered by consumer rights legislation; 
  • payments which take place across other payment systems; 
  • international payments; or 
  • payments made for unlawful purposes.  

There will also be no reimbursement where the customer has acted fraudulently (‘first-party fraud’) or with gross negligence, which the PSP must prove. 

The PSR has no regulatory power to require reimbursements for ‘on us’ payments, where the fraudster uses a receiving account with the same PSP where the victim holds the sending account. However, the regulator is seeking to persuade the FCA that this must be the case. The PSR also suggests the same result should apply for users of Bacs and payment cards. 

How will the PSR enforce the requirements?

The regulator will direct Pay.UK to put the new reimbursement requirement into the Faster Payments rules, and will give a general direction creating a regulatory obligation on in-scope PSPs to comply with the requirement in those rules. The regulator will also issue guidance on what constitutes ‘gross negligence’ by customers.

This post does not constitute legal advice. If you need advice on the scope or application of the new requirements, please let me know.

