Rob Tharle, Head of Product
At the end of September, the UK's Payment Systems Regulator (PSR) put forward a consultation on mandatory refunding of Authorised Push Payment (APP) frauds and scams for all Payment Service Providers (PSPs) using two key payment rails. This follows from the Financial Services and Markets Bill, published in the summer and currently working its way through Parliament. I drew attention to this at the time, but it has been overshadowed by recent events in the UK. It is clear, however, that this is another step change in fraud regulation in the UK.
This consultation and its rollout will be watched closely by other regulators around the world, who are also grappling with authorised frauds and scams. Many countries are only just rolling out real-time or instant payments, with the EU looking to mandate them in 2023. If the experience of the UK, US and other countries is anything to go by, this will increase losses further, as I have mentioned previously.
It will make the UK the safest country in which to be a victim of fraud and scams. However, that brings its own issues, for example first-party abuse and moral hazard, and these are key parts of the consultation.
What’s the detail in the consultation?
There are two key points to this change:
- Ensure the majority (very high %) of retail customers are refunded in full.
- Provide financial incentives for banks and PSPs to invest in additional tools to prevent more of these frauds at source along with improving recovery mechanisms.
It will apply to all PSPs connected to the Faster Payments Service (FPS), the UK's real-time payments system, and to CHAPS, the UK's RTGS (real-time gross settlement) high-value payments system. It will cover retail consumers, micro-enterprises with fewer than 10 employees and turnover or balance sheet under EUR 2m, and charities with income under £1m.
The current proposal is that the paying PSP will refund the victim 100% of the APP fraud within 48 hours, with no upper limit on the amount refunded. The beneficiary firm will then be liable for 50% of this by default. Firms will be able to agree different splits between themselves, through a mechanism yet to be agreed.
The only grounds on which a firm can decline to refund are that the customer was involved in the fraud, that the customer was grossly negligent, or that the claim is more than 13 months old. In addition there is a very low minimum threshold excluding claims under £100, along with an excess of £35. Vulnerable customers will be refunded even where they are deemed grossly negligent, and may be excluded from the minimum threshold too.
What are going to be the key areas of discussion?
Firstly, there will be lots of discussion around whether this will result in a lack of care by customers or an increase in first-party abuse.
Whilst it is likely that some people will attempt false claims, in practice it may be difficult for opportunists to get away with (legally at least). For organised criminals, however, it is possible to imagine them setting up both the "victim" and the mule accounts, collecting the stolen funds and then the refund for a double bite of the cherry.
The gross negligence element will provoke many animated opinions, mainly because there is no definition, only that it needs to be a high bar. Based on how the APP discussions have evolved over the last 5-10 years, and on the sophistication of current scams, it would seem that many actions on the part of victims are unlikely to be treated as gross negligence. Which actions fall on either side of the line is where it gets interesting, and this is likely to be decided case by case. Where might the following fall, for example?
- Responding to a phishing email
- Providing a one-time passcode (OTP) to the scammer
- Moving funds to a "safe account" at the scammer's request
- Going ahead with a payment despite a Confirmation of Payee (COP) result that is not an exact match
- Ignoring clear warnings from the PSP that this is likely a scam
Vulnerable customers will also be a talking point, mainly around how to fund their refunds, given they will be refunded 100% despite any level of negligence.
Since gross negligence will not apply to vulnerable customers, there will be pressure on many financial institutions to reduce the risk of loss to these customers when the changes come into force, and so pressure to de-risk. Whilst this is unlikely to result in the mass closure of vulnerable customers' accounts, it is likely to bring restrictions on functionality and payment limits, for example. It may also mean pushing these customers towards Power of Attorney (POA) arrangements and other controls to limit the loss.
All of these form a backdrop to the main element: the increased liability on both paying and receiving banks. It will have a particularly big impact on beneficiary banks, which will now be picking up significant increases in liability. Based on UK Finance's 2021 fraud figures, approximately £300m of losses currently sit with victims and will now shift to banks' P&L, so the majority of the £583m total (over £500m) would be shared between paying and beneficiary banks.
For firms with a mix of paying and receiving flows the liability may well even out, and for some it may even reduce. However, as we have seen from the introduction of Confirmation of Payee (COP), some institutions have a high mule-to-victim ratio, and these may experience very large increases in operational losses. As the PSR points out, this creates the potential for prudential issues and even closure for some firms, as it may make their business models unsustainable. This is key, however, as it will start to align institutions' incentives towards prevention throughout the customer lifecycle.
The proposed 50/50 split between the PSPs will come in for much discussion, as will the ability to agree different splits. Implementing a low-effort process for the parties to agree a different split on the merits of the case will be key, perhaps similar to the old Other Bank Giro Credit (OBGC) rules.
This will need to be based on the sophistication of the controls in place for both banks/PSPs as well as the individual victim circumstances.
Many beneficiary banks will be keen to reduce their share on the basis that they did all they could. For example:
- KYC was completed correctly with no forged documents
- CDD was undertaken regularly, and the transaction history was consistent with it
- Account behaviour did not look like a mule until it received the payment in question
- Real-time inbound payment profiling was in place
It is very likely that real-time inbound payment profiling and better data sharing will be key to minimising liability and loss here.
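As an illustration of what real-time inbound payment profiling at the beneficiary PSP can look like, here is an added example (not code from the author, the PSR or any bank). It scores a new inbound payment against the receiving account's own history using a handful of assumed heuristics: a payer never seen before, an amount far above the account's typical receipts, dormancy, and the classic mule pattern of earlier receipts being forwarded out within a couple of hours. The thresholds, the scoring weights and the two sample accounts are all constructed assumptions chosen to show the technique, not anything the consultation prescribes.

```python
"""Illustrative real-time inbound payment profiling for a beneficiary PSP.
Added example; rules, weights and sample data are assumptions, not a
prescribed or production model."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass
class Txn:
    when: datetime
    direction: str      # "in" or "out"
    amount: float       # GBP
    counterparty: str   # pseudonymised payer/payee identifier


def forwarded_out_quickly(history, inbound, window=timedelta(hours=2), ratio=0.8):
    """True if at least `ratio` of `inbound` left the account within `window`."""
    out = sum(t.amount for t in history
              if t.direction == "out" and inbound.when < t.when <= inbound.when + window)
    return out >= ratio * inbound.amount


def profile_inbound(history, payment):
    """Score a new inbound payment against the account's prior behaviour.

    Returns (score, reasons). Higher means the receipt looks less like the
    account's normal pattern and more like a mule collecting scam proceeds.
    """
    history = sorted(history, key=lambda t: t.when)
    prior_in = [t for t in history if t.direction == "in" and t.when < payment.when]
    reasons, score = [], 0

    # 1. Payer never seen on this account before.
    if payment.counterparty not in {t.counterparty for t in prior_in}:
        score += 2
        reasons.append("new payer")

    # 2. Amount far above the account's usual receipts (assumed 5x median).
    if prior_in:
        typical = median([t.amount for t in prior_in])
        if payment.amount > 5 * typical:
            score += 3
            reasons.append(f"amount {payment.amount:.0f} > 5x median receipt {typical:.0f}")
    else:
        score += 1
        reasons.append("no receipt history")

    # 3. Account dormant for 30+ days before this payment.
    recent = [t for t in history
              if payment.when - timedelta(days=30) <= t.when < payment.when]
    if history and not recent:
        score += 2
        reasons.append("dormant 30+ days")

    # 4. Earlier receipts were forwarded out almost immediately (mule pattern).
    quick = [t for t in prior_in if forwarded_out_quickly(history, t)]
    if prior_in and len(quick) / len(prior_in) >= 0.5:
        score += 3
        reasons.append(f"{len(quick)}/{len(prior_in)} prior receipts forwarded within 2h")

    return score, reasons


def decide(score, hold_at=5):
    """Map a score to an action: 'hold' funds for review or 'release' them."""
    return "hold" if score >= hold_at else "release"


def sample_cases():
    """Constructed sample accounts (not real data) for the two patterns."""
    d = datetime
    salary_account = [
        Txn(d(2022, 7, 25, 9), "in", 2000, "EMPLOYER-LTD"),
        Txn(d(2022, 8, 1, 8), "out", 800, "LANDLORD"),
        Txn(d(2022, 8, 25, 9), "in", 2000, "EMPLOYER-LTD"),
        Txn(d(2022, 9, 1, 8), "out", 800, "LANDLORD"),
        Txn(d(2022, 9, 14, 18), "out", 65, "SUPERMARKET"),
    ]
    salary_payment = Txn(d(2022, 9, 25, 9), "in", 2000, "EMPLOYER-LTD")

    mule_account = [
        Txn(d(2022, 9, 3, 10), "in", 1500, "PAYER-1"),
        Txn(d(2022, 9, 3, 11), "out", 1450, "CRYPTO-EXCHANGE"),
        Txn(d(2022, 9, 10, 14), "in", 2000, "PAYER-2"),
        Txn(d(2022, 9, 10, 15), "out", 1900, "CRYPTO-EXCHANGE"),
    ]
    mule_payment = Txn(d(2022, 9, 28, 12), "in", 9800, "VICTIM-PAYER")
    return {"salary": (salary_account, salary_payment),
            "mule": (mule_account, mule_payment)}


if __name__ == "__main__":
    for name, (history, payment) in sample_cases().items():
        score, reasons = profile_inbound(history, payment)
        print(f"{name}: score={score} action={decide(score)} reasons={reasons}")
```

The point of a model like this is that the decision is made before the funds can be moved on: a "hold" on the mule account buys the beneficiary PSP the time to contact the paying PSP and recover the money, which is exactly the evidence a receiving firm would want when arguing for a smaller share of the liability. The salary account scores zero and is released untouched, which matters because the friction a false positive causes to genuine customers is the other side of this trade-off.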
It is key to point out, however, that this only applies to UK FPS and CHAPS. That covers the majority of current APP losses, but as every fraud manager knows (we like playing whack-a-mole), it will push fraudsters towards other payment methods. Expect to see increases in frauds directed to crypto and international (SWIFT) payments, which are outside the scope.
This also means that genuine customers will start to see even more impact on their banking and payments, in two main ways:
- More friction in the journey for new beneficiaries and other non-regular payments
- Increased closure of accounts, both simply to avoid cost and risk, and where there are real signs of potential mule behaviour.
Further, with the current economic headwinds, especially in the UK, we will see more people becoming money mules, both wittingly and unwittingly. Anecdotally, we are already seeing "mules" who were themselves victims of account takeover (ATO), or who have had their friends or family abuse their accounts.
As with all these things there will be false positives, and therefore some people will have their accounts closed when they should not.
I think it is fair to say this is a very important piece of regulatory change, right up there with PSD2 SCA and open APIs in significance. It will be watched closely around the world and will set the direction of travel over the next few years.