Written by Rob Tharle, Head of Product

I’ve written extensively on the UK’s evolving regulatory landscape relation to authorised push payment (APP) fraud and scams covering the FCAs Consumer Duty of Care regs, the Lending Standards Board (LSB) changes to the Contingent Reimbursement Model (CRM) and the Payment Services Regulators (PSR) September consultation. Following writing about the PSRs consultation back in November, this week we’ve seen the results. The response is very comprehensive and as well as the changes to the reimbursement model, also covers elements including the Governments wider fraud strategy and recognising the need for policy responses outside the FI arena.  

What are the key points? 

• Sending Bank refunds customer¹ 100% within 5 days (some exceptions) 
• Receiving Bank Refunds sending Bank 50% 
• Comes into force in 2024 date TBC, but likely Q2, CRM in place until then 
• New rules apply to FPS only and includes Payment Initiation Service (PIS) payments 

• All 1500 PSPs operating in the UK will be in scope 

What are the key changes from the consultation? 

It was proposed to have both a £100 minimum limit to allow a claim and for an excess of £35 to be applied. The minimum amount has been removed and the value of the excess is to be determined following further consultation. This makes a lot of sense for operational and fairness grounds. 

However, a new maximum limit will also come into effect, again with the value to be determined following further consultation. This may impact on a small number of larger value cases. 

48 hours was the proposed time to refund, but this has been extended to 5 working days to allow for proper operational processes to be undertaken. A new ‘Stop the Clock’ ruleset has also been introduced for certain situations: 

• Awaiting evidence from the victim 

• Assessing victim vulnerability 
• Validating a claims management company has authority 
• FPF suspected get more evidence and liaising with law enforcement including SARs & DAML SARs 
• More evidence for multi-step frauds  

This may see some cases take longer than 5 days. 

The scope has also been more clearly defined. PIS open banking payments are in scope. A PISP will only have liability if the hold the funds at any time. Agent only processing will not confer lability. CHAPs is not covered as the PSR cannot regulated it, however the Bank of England will provide Comparable cover. Similarly, ‘On Us’ those where the same PSP has both sides of the transaction will not be covered but the FCA will look to ensure equivalence. 

When will PSP’s not be liable? 

There has also been additional clarity on exceptions reimbursement and rules for liability. A summary of these exclusions, which seems much longer now, are: 

• Non- FPS Payments including BACs and International 
• Civil disputes 

• Payments for unlawful purposes 
• Only the payment from the victims account to a fraudster/mule is covered 
• First Party Fraud 
• Gross Negligence – Guidance on a Customer standard of Caution is to be provided  
• Over 13 months from last fraudulent payment to report by the victim 

• Frauds prior to the new rules coming into force 
• The customer doesn’t provide reasonable evidence to support the claim 
• Firms that voluntarily refunds customers outside the scope of these rules will not be entitled to 50% from the beneficiary bank (50% for any in-scope amounts) 

What does this mean for financial institutions? 

As expected, there will be an increase in liability for financial institutions (FIs) and some more than others. This provides the incentive to invest in additional prevention & detection capabilities. Some will also need to invest in greater operational capabilities to manage the workload. 

These investments should cover the following areas: 

• Utilizing lists of known fraudulent details within the KYC process to reduce onboarding of mules, in addition to identity checking.  
• Enrich fraud and financial crime transaction monitoring with details of known mule accounts, beneficiary names and account aliases to improve network analysis and further aid detection.  
• Undertake real time inbound payment profiling to prevent onward transmission of funds. 
• Ensure victims can quickly and easily report any frauds and scams. 
• Share data on mules for use in prevention and intelligence for law enforcement. 

• Work alerts received externally, quickly, freezing funds where appropriate and repatriating where possible. 
• Help customers, particularly the vulnerable report these frauds to the police 
• Automation to free up resources 

These will help reduce the level of frauds, increase recoveries and reduce liability for PSPs. 

What might be contentious areas? 

As ever as the details become clearer, there are some areas that could cause contention. 

Will some Advance Fee Frauds, for example helping ex dictators move their funds be classed as payments for unlawful purposes and be out of scope? Where is the line between a purchase scam and a dispute? Most will be clear cut, but there will be some grey areas seeing some refunded and some not. Customers of larger frauds, including some investment frauds, will not be made whole either. 

Multi-stage frauds and frauds involving Crypto will be hot topics. Two examples can illustrate this: 

• If the fraudster convinces the victim to send funds to their friend, who then sends it to the fraudster, the original sender doesn’t have a claim, only the friend. Does he then give him the money back? 
• Sending funds to your own crypto account and then sending crypto to the fraudsters is also not covered. 

It is likely we will see much discussion about how the Stop the Clock rules work in practice. Are they being used as a delay and of course what is reasonable evidence to support the claim. And the biggest will likely be how the Gross Negligence and proposed Customer Standard of Caution guidance will work.  

This is the most significant piece of regulation globally in combating authorised fraud and scams. The impacts on FIs will be significant in terms of liability and the cost of investments required to meet these challenges and keep liability down. This will be particularly hard on those firms that have been net recipients of fraudulent transfers, but this should incentivise to improve their controls frameworks.   

It will be interesting to see where the excess and max refund limit values get set over coming months and how it works in practice next year. 

Overall, this a positive step forward that should help reduce APP frauds in the UK over the medium term. Other regulators around the world will be watching closely how this plays out. Its is  likely to see further movement in policy responses globally, just like the recent Australian announcements. 

  1 It will apply to retail consumers, micro enterprises of less than 10 people and EUR2M turnover or balance sheet and charities with income under £1m. 

About CYBERA 

At CYBERA we’re on a mission to stop money laundering and help protect customers from scams and other financial cybercrime. We close gaps that allow cyber criminals to thrive by sharing crime data in real-time with financial institutions, fintech, and crypto exchanges, and coordinating a global response to support customers who have become victims of financial cybercrime.   

CYBERCRIME WATCHLIST™ helps support firms to reduce fraud and money laundering and meet the requirements of the CRM as part of a holistic fraud and financial crime strategy.  

CYBERCRIME VSR™ lets victims report fraud and scams to increase chances of recovery.