Written by Rob Tharle, Head of Product  

I’ve written a lot recently about the increasing regulatory response in the UK to fraud and scams, particularly Authorised Push Payment Fraud (APP) fraud. Not everyone agrees with the details, but all agree we need to act. How to respond is an area of focus that continues to evolve and is useful to understand how the different regulations and laws fit together.  

In a recent speech Chris Hemsley, the head of the UKs Payments Services Regulator (PSR), talked about the need for collaboration across the private and public sectors and action on multiple fronts. The areas he singled out were – the origin of frauds, enforcing against the criminals, repatriating funds, and that data sharing is key to helping with all of these.  

Across these fronts there are four areas to tackle that were raised: 

• Collecting data and publishing on the sources of fraud 
• Risk management by payment firms  
• Informing and empowering customers  
• Taking effective law enforcement actions  

Chris also made the key point that there needs to be alignment of incentives on participants in the wider ecosystem to act to bring about a reduction in APP frauds. The PSR are looking at using both financial and reputational incentives, by increasing and reassigning liability and publishing data on firms who receive lots of APP scams. 

CYBERA was founded in order to join up the sectors to help disrupt financial cybercrime, so we’re supportive of all these points.  

But on the other side of the fence, we have the new Duty of Care regulations coming in later 2023 and highlighted in a recent Dear CEO letter. These rules apply to many crypto firms too, where they are used for payments as they are part of the e-money regulations. 

Here we see an opposing viewpoint, where there is a need to ensure customers of financial services firms get the outcomes they deserve. The Financial Conduct Authority (FCA) mentioned a number of areas where firms need to concentrate.  

1. Ensuring access to Strong Customer Authentication (SCA), that is not just by using a mobile phone in some way. 

2. Improving the process around freezing take centre stage. This is no surprise given the Lending Standards Board (LSB) and PSR are requiring an increase in mule prevention and stopping funds moving through multiple generations. Specifically, they mention:  

• Fewer accounts frozen by reducing mule accounts onboarded and improved transaction monitoring to lower false positive rates 
• Faster investigation of cases, reaching a conclusion quicker 
• Better communication within the confines of tipping off 

• Improved support for the account holders, including financial hardship cases 

3. The need to support customers in alleged cases of fraud, especially APP fraud.  

Looking at these in turn, what does this mean for firms? 

For SCA this means firms need to look at offering a range of PSD2 compliant ways to access services digitally. Looking at how this area is evolving, this should really encompass Passkeys and the ability to utilise FIDO2 Security keys. 

In addition, they should be allowing customers to select that they mandate SCA/MFA for login, and/or all transactions, even if there are PSD2 exemptions or the bank feels the risk is low. This is because fraudsters do utilise even view only access to aid their scams, especially when impersonating banks. 

Regarding account freezing, these points all add additional emphasis for the need for further investments by firms in order to improve how they manage frauds and stop the movement of funds to organised crime groups (OCGs). 

On customer support, this can be read as covering two categories: 

• True victims of fraud, whether authorised or unauthorised 

• Those who have been tricked into being a money mule 

On the first category, this fits with the CRM and PSR consultation to do more to protect the true victims, as well as reducing the incidents where possible. On the second, this might mean improving detection at the earliest stage to help prevent customers becoming unwitting mules, although being a money mule, even by mistake, is illegal in the UK. 

Overall, then this helps lays out the difficult challenges for firms, as there are potentially conflicting laws and regulations here such as PSD2, MLRs 2017 and GDPR to name a few. Walking the tightrope between offering easy and open payment systems, preventing fraud and ML and customer care is not easy. 

This means firms must invest further as part of a holistic and multi-layered fraud and financial crime strategy as outlined in my previous blogs here and here.  

Take a look at how CYBERA can help across these areas here.