By John Goodale, Executive Director and Head of Europe, Ubiquity
As fraudsters continue to prey on UK consumers, posing as staff of their banks or other trusted organisations to convince them to send large sums of money through authorised push payments (APPs), the United Kingdom’s Payment Systems Regulator (PSR) is taking action that could have serious implications for fintechs (financial-technology firms) and banks.
APP-fraud losses totalled around £500 million in 2022. Although the amount of money lost declined by 17 percent in 2022, the figures represent a 6-percent increase in the number of victims. In 2022, 207,372 incidents of APP fraud were reported, with individuals and businesses falling victim to scams and transferring funds to accounts controlled by fraudsters pretending to be their banks or financial-services brands. Even the most tech-savvy, financially aware consumer is not immune to this type of fraud.
While we all agree that consumers need more education and protection from fraudsters, what the PSR is proposing could inadvertently trigger a multitude of unintended consequences that could hurt financial-inclusion efforts as firms face escalating costs.
Under the PSR’s new APP-fraud requirements, which are due to come into force at the end of 2023 or the start of 2024, banks and payment providers that directly use the Faster Payments Service (FPS)—and indirect payment service providers (PSPs) connecting to it—will need to reimburse victims of online APP fraud within five days. Customers will not be reimbursed if they are found to have acted fraudulently or with gross negligence or if their transactions involved cryptocurrencies or international payments.
Fears over reimbursement costs may stifle business growth.
Unsurprisingly, industry resistance to the requirements has emerged, driven by genuine concerns that APP-fraud losses are about to go through the roof.
There is also a power imbalance under the new proposals, whereby the cost of APP-fraud reimbursement will be shared 50:50 between the sending and receiving banks/PSPs. A customer will claim a full refund from his or her PSP, with the PSP then claiming 50 percent back from the receiving PSP.
A sizable contingent within the industry argues that greater reimbursement responsibility should rest on the receiving bank/PSP. Under the new requirements, a sending bank/PSP may do nothing wrong in acting on its customer’s instructions and still be punished. That could lead to extra friction in payment processes as sending banks/PSPs seek to mitigate their losses. Some in the industry go further by maintaining that the payee’s bank should be responsible for covering the entire reimbursement, as it enabled the APP fraud when, through either poor due diligence or inadequate risk monitoring, it opened an account for the payee who perpetrated the fraud.
At the same time, without clearly defined reimbursement parameters, who decides whether a customer has acted with gross negligence, and how does this differ from naivety? Many in the payment industry are concerned that malicious players will pretend to be vulnerable and thus be automatically entitled to reimbursement, even when acting intentionally and with gross negligence.
Compounding that problem is that companies will have only five days to investigate and determine a consumer’s fraud or gross negligence. These claims typically involve several institutions and layers of bureaucracy, so deciding who to reimburse will be difficult enough for large entities but even more burdensome for smaller industry players. How will the starting point of any claim be decided? And who will be responsible for identifying the fraud and initiating the process on behalf of the customer?
Smaller PSPs and industry associations argue that reimbursing scam victims may lead to a “honeypot” effect. This would encourage criminals to target consumers more often or incentivise customers to deceive their banks by pretending to be vulnerable customers, increasing their chances of qualifying for reimbursement.
Some banks support the new reimbursement model, defending it as good business sense to protect customers and an incentive for payment players to stop fraud if they are responsible for directly bearing the costs. This is easier for the big players. While they likely will not be able to recover any money from fraudsters, larger banks and payment players have deeper pockets and resources to draw from to reimburse victims.
The financial and logistical impacts of the new reimbursement model will particularly hit banks/PSPs that aren’t signatories to the Contingent Reimbursement Model Code (CRM Code), an initiative led by the Lending Standards Board (LSB) that aims to protect consumers who have authorised a payment to a fraudulent payee. A voluntary CRM was introduced in 2019, which resulted in banks paying back about 66 percent of losses to scam victims in 2022.
Given that large banks and PSPs are signatories to the CRM Code, they will already have processes and systems in place to monitor payments and reimburse when obligated to do so. But smaller players outside the CRM face significant costs in making the necessary system changes to protect customers from authorising high-risk payments and preparing for claims investigations.
The financial risks for smaller PSPs are clear—with less capital, they may struggle to reimburse customers. The PSR proposes a maximum reimbursement level of £415,000 per claim, a level within which, it states, around 99.98 percent of APP fraud falls. Fears over higher costs could force some firms to stop offering services that expose them to APP fraud—or leave the United Kingdom altogether.
Unintended consequences may stifle consumer experiences.
APP-fraud reimbursement is a mixed blessing for consumers, too. With customers demanding smooth and secure omnichannel payment experiences, banks and payment providers strive to make them as speedy and seamless as possible. Although consumers will benefit from more protections under the APP requirements, they’ll also suffer more friction in their payment processes, as smaller PSPs are likely to seek to mitigate fraud risks by adding more authentication measures, particularly for payments flagged as higher risk.
Friction in any payment process means more frustration for customers, especially when making urgent, high-value payments. Examples include a consumer making a bank transfer to buy a car at a dealership or paying a deposit when buying a home. Not having their payments authorised in legitimate scenarios such as these results in humiliated and angry customers—and worse still, potentially lost deals.
Smaller PSPs may seek to mitigate fraud risks further by capping the amounts transacted through the Faster Payments Service. This potentially throws the entire business model of Faster Payments out of the window. Why would banks and fintechs offer Faster Payments if they bear the risks of APP fraud at the end of the process?
APP-fraud countermeasures can work, but more collaboration is needed.
Measures to stop the spread of APP fraud are having some success, such as Confirmation of Payee (CoP), the payee-checking service designed to help prevent APP scams and misdirected payments. With CoP, consumers setting up a new payee (or changing the details of an existing one) can prevent payments from going to the wrong account. CoP is a great example of how collaborations between banks, financial-services players and others are improving intelligence sharing and helping to promote customer awareness and education.
But deeper collaboration with other industry sectors, including telecommunications and social-media operators, will be required. UK Finance data shows that 78 percent of APP scams start online and 18 percent via telecommunications, including texts and calls. Social-media platforms account for the greatest number of online fraud cases—around three-quarters of online fraud starts on social media.
No matter how the new APP-fraud requirements play out, they still don’t solve the underlying issue of stopping APP fraud at the source. According to the PSR, an APP fraud can only be successful if facilitated via a payment. But banks and fintechs are often downstream from abuses of mobile networks and social-media platforms via phishing, smishing and other methods used to perpetrate APP fraud, with no line of sight on what happens upstream before their customers come under attack.
And as long as banks and fintechs bear the costs, other industries have little incentive to collaborate or share intelligence that could stem the flow of fraud. While some PSPs are working to capture data on fraud sources, the wider fraud ecosystem requires more action across industries to stop fraud wherever it originates.
What can fintechs do now to prepare, and how can outside experts help?
At a time when fintech funding and investment are in flux, it’s understandable that many businesses feel stifled by what they see as too-strict regulations that could produce unintended consequences—such as increases in first-party or “friendly” fraud. Concerns over fraud-investigation costs (including the need to hire specialist staff) and reimbursement costs could result in firms being more cautious about opening accounts for people classified as vulnerable, such as the disabled, elderly and low-income groups. Damaging financial inclusion could be yet another unintended consequence of APP-fraud reimbursement-rule changes.
Striking a balance between applying measures to verify and protect vulnerable customers and not excluding them from financial access will be top of mind for industry players, especially with the introduction of the Consumer Duty rules. Preparatory action should include identifying customers or transactions with higher risks of APP fraud while evaluating current due-diligence standards, revising complaints-management processes and updating reimbursement policies and risk-governance frameworks.
Specialist partners can help supply the right technologies and people (from customer-dispute agents to senior-level compliance advisers) to ensure that fintechs’ investigations and resolution processes fully comply with all relevant regulatory controls. This will enable fintechs to focus on their customers and hand off the burdens of fraud management, dispute resolution and staff recruitment and training to expert third parties.
We have yet to see how many of the scenarios outlined above will play out on a mass scale or what impacts the direct costs of reimbursements and the indirect costs of managing investigations will have. While having a good outsourcing partner will not prevent a business’s customers from suffering from APP fraud, it can certainly help mitigate losses.