Add a bookmark to get started

Man holding a smartphone
18 April 20249 minute read

PSR Policy Statement on changes to APP fraud reimbursement

Payment fraud and APP webinar recording.

Payment fraud is rife, and Authorised Push Payment (APP) fraud is currently a prominent issue. In February, Leontia McArdle, Philip Williams, David Cook, and Ben Fellows hosted a webinar addressing ongoing trends, the forthcoming reimbursement regime starting October 2024, and effective incident response strategies. 

Introduction

On 19 December 2023, the Payment Systems Regulator (PSR) published a Policy Statement PS23/4 regarding authorised push payment (APP) fraud reimbursement. This Policy sets out the changes to how Payment Service Providers (PSPs) should reimburse victims of APP fraud within the Faster Payments Scheme (FPS), with the new requirements taking effect from 7 October 2024. The new Policy replaces the existing voluntary reimbursement code from 2018.

This note provides an overview of the Policy requirements, together with a consideration of the role played by Claims Management Companies (CMCs) in pursuing complaints and the Financial Ombudsman Service (FOS) in determining whether reimbursement is required and in what amount. Finally, there is a review of how the scheme compares to those in other jurisdictions.

 

Overview of the Policy Statement

The key points in the Policy Statement can be summarised as follows :

  • The reimbursement will be available for consumers, microenterprises and charities.
  • The maximum level of reimbursement per claim will be set at GBP415,000. This is in line with the maximum award the FOS can make when considering complaints. The customer excess will be GBP100.
  • The reimbursement is to be paid by a 50-50 split between the sending and receiving bank.
  • The PSR recognises that this maximum level will limit recovery for some customers. As a result, it will monitor the incidence and impact of high value APP scams before the reimbursement requirement start date of 7 October 2024. It may consult on revising the level before October 2024 if there is convincing evidence to do so.
  • The PSR sets out the circumstances when a bank might reasonably consider that a person has not been sufficiently careful, called the ‘consumer standard of caution exception’, although this exception does not apply to vulnerable customers.
  • If a customer is considered to have acted in a way that is grossly negligent (see further below), then the reimbursement requirement will not apply. The threshold to be considered grossly negligent is exceptionally high and the burden shall rest with the PSP.
  • A PSP will be able to deny reimbursement if 13 months has elapsed since the final APP payment.

 

What is the likely impact of the Policy Statement?

The PSR recognise that these changes will have an impact upon PSPs, both financially and on resources. Whilst recognising these concerns, the PSR makes it clear that they expect PSPs to take a pro-active approach to these changes and improve their risk management and fraud prevention regarding APP fraud (paragraph 2.6 of the Policy Statement).

Moreover, the PSR recognise that APP fraud is not a new phenomenon and PSPs should already be developing technologies to manage this risk (paragraph 4.34 of the Policy Statement).

One of the key ways to reduce risk, is to utilise early warning systems to give the customer time to reconsider making the payment in the first instance and to highlight the high prospects of fraud. To that effect, the UK Government has recently introduced proposals to give all PSPs a further 72 hours to stall payments if it suspects a transaction is likely due to authorised push payment fraud. This timescale is intended to give PSPs prior opportunity to investigate a prospective payment if fraud is suspected. The extension of time will only be appropriate if:

  • there is/ are reasonable rounds to suspect a payment request has been placed pursuant to fraud or dishonesty;
  • these “reasonable” grounds must be identified end of the next business day after the payment request was placed;
  • the extra time is needed to contact the customer to (i) inform the customer of the delay and (ii) obtain further information.

The PSR make it clear that the GBP415,000 limit is not solely designed to protect consumers. Instead, it seeks to strike a balance between protecting consumers and incentivising PSPs to develop new risk management strategies and prevention systems in response to APP fraud.

If they haven’t already, PSPs should seek to innovate and improve their APP fraud detection programmes to reduce risk.

 

Implications for CMCs

Paragraph 5.28 of the Policy Statement makes a direct reference to the operation of CMCs in APP fraud reimbursement scenarios.

Consumers who have been a victim of APP fraud still have to meet a standard of care (reporting promptly, responding to requests to any reasonable and proportionate requests for information etc) even when they have instructed a CMC as an intermediary. If the customer fails to respond to those requests, or does so, to such a degree that could be “grossly negligent”, then the customer will become ineligible for reimbursement.

The problem for PSPs is that if a CMC is acting as an intermediary, then the PSP would be hard-pressed to accuse the customer, or the CMC, of gross negligence in this regard for the following reasons:

  • The customer could say it has merely responded to and acted upon the advice of its legal representative;
  • The CMC could argue that the PSP’s information requests are excessive, and that, it is the PSP who holds more information about the circumstances of the fraud, than the customer;
  • The CMC is still going to be operating on a relatively “template” and mass-complaints scenario, so expect generic responses;
  • In response to a request for information from the PSP, the CMC may simply issue a Data Subject Access Request for the PSP to answer and essentially return no further information than is already held by the PSP – in effect, reversing the burden of proof and placing further administrative obligations upon the PSP.

 

Role of the Financial Ombudsman Service

Despite the GBP415,000 reimbursement limit, consumers will retain an alternative route to claim through FOS.

Whilst on the face of it the FOS reimbursement limit is the same as that detailed in the Policy Statement, the FOS level is “per single complaint”. The FOS is also not obliged to examine a customer complaint based upon the standard of care set out in the Policy. The remit of the FOS is to examine what is “fair and reasonable” to the customer.

Therefore, if the APP scam has meant that the victim has made a sequence of payments, they could make separate complaints to FOS for each instance of payment. The Policy seems to accept/approve that a customer could resort to such tactics “in the rare instance of a very high value fraud”, and seems to hold the belief such a circumstance would be rare.

For consumers who make multiple payments and/or payments beyond the reimbursement limit, the FOS remains a key option for recovering those monies. Accordingly, the FOS is anticipating that it will be inundated with extra claims from alleged victims of authorised push payment fraud once the compulsory reimbursement scheme is implemented. Given this expected trend, FOS have said that it is taking steps to prepare for the extra volume, its trying to introduce new efficiencies and improve the speed of its investigation and determination.

If FOS can successfully implement these proposed efficient case handling initiatives, these proposals may potentially also increase the attractiveness of FOS as a dispute resolution service, and lead to an increased volume of complaint referrals (to the extent that the original complaint is not upheld by the PSP or the value of redress was not accepted by the customer).

 

How is APP fraud dealt with in other jurisdictions?

Australia:

  • Currently there is no regulatory framework governing the approach to APP fraud claims against banks in Australia.
  • ASIC and the ABA have introduced a suite of anti-scam measures, however, these are minimal in their impact and do not come close to the willingness of the UK regulator to impose mandatory reimbursement regarding instances of APP fraud.
  • Whilst the decision in Philipp (Respondent) v Barclays Bank UK PLC (Appellant) [2023] UKSC 25 [see our earlier publication] is not binding in Australia, it does have an influential effect.
  • It is likely to support the resistant attitude of the Australian courts to claims made against banks in regard to APP fraud.
  • Nevertheless, the Policy Statement set out by the UK regulator may provoke the Australian regulator to take a similar approach to APP fraud, especially in the absence of any legislative guidance.

Europe:

  • European Union member states are subject to the requirements of Directive 2015/2366/EU on payment services (or PSD2).
  • It provides reimbursement protection for victims of unauthorised transfers where the payer has not consented to a payment.
  • It does not provide reimbursement protection for victims of authorised push payment fraud.
  • This is a topic of debate and the EU may look to follow the UK regulator in providing some reimbursement scheme for authorised push payment fraud.

 

Beyond Faster Payments?

Whilst the reimbursement requirement is limited to payments sent via Faster Payments, the Bank of England have announced its intention that a similar model should be applied to CHAPS payments. Indeed, the PSR has indicated that the scope of the APP fraud reimbursement scheme lies beyond Faster Payments.

It has been indicated that where possible, the model for CHAPS payments would mirror the direction on Faster Payments, save for technical nuances and characteristics of the payment systems.

 

Next Steps

The Policy Statement by the PSR is one of a number of efforts being proposed by the UK Government to tackle fraud and financial crime. APP fraud is reported as being at an unacceptable high level, and those alarming statistics may not reveal the full extent of the issue  if customers have previously failed to report because of embarrassment or low expectations of a positive outcome. Whilst prevention is always better than post-transaction rectification, it remains to be seen whether the Policy will help to improve customer understanding and/ or reduce the level of fraudulent transactions, or simply, encourage more complaints to be directed to the PSR and/ or FOS in the expectation of a pay-out. At the very least, the Policy should help to re-address the imbalanced financial and investigatory burden between the transacting and receiving PSRs.

Print