• Peter Harmston, Partner |
  • Ignatius Adjei, Partner |
  • Kennedy Masterton-Smith, Partner |
7 min read

Fraud accounts for over 40% of all reported crime committed in England and Wales. Authorised push payment (“APP”) fraud arises when a victim is tricked into making a payment to an account controlled by a criminal. According to UK Finance’s Fraud Report 2022 losses due to APP fraud amounted to GBP£485.2m, split between personal (£408.2m) and non-personal or business (£77m). As many cases go unreported, and these figures cover only a subset of payment firms, the real figures are likely to be higher. As such, tackling fraud (including reimbursing more victims of fraud) is one of Government’s (Home Office) strategies, aiming to reduce fraud by 10% on 2019 levels by December 2024.

Example of an APP fraud journey: 

On 7 June 2023 the Payment Systems Regulator (“PSR”) published a policy statement creating a new reimbursement requirement for APP fraud. It will apply to all types of APP fraud where payment orders are executed over Faster Payment System subsequent to fraud or dishonesty.

The table below sets out the types of APP fraud that will be subject to the reimbursement requirements:

In scope ✔

Out of scope ✖

All types of APP fraud executed over Faster Payments including where:

  • the payer intends to transfer the funds to a person other than the recipient, but is deceived into transferring the funds to the recipient
  • the payer intends to transfer the funds to the recipient but is deceived as to the purposes for which they are transferring the funds

Fraud relating to:

  • civil disputes
  • payments which take place across other payment systems
  • international payments
  • payments made for unlawful purpose

 

What Payment Service Providers are subject to the new requirement?

Mandatory reimbursement requirements will apply to all Payment Service Providers (“PSPs”) sending and receiving payments over Faster Payments, irrespective of whether they are direct Faster Payments participants or indirect PSPs connecting to Faster Payments via the indirect access provider. This includes high-street banks and building societies but also smaller payment firms. Payment Initiation Service transactions are also within the scope.

Mandatory reimbursement requirements are specifically aimed at transactions executed over Faster Payments, because currently most of the APP fraud is enacted through Faster Payments. However, further work is currently being done by the PSR, Financial Conduct Authority (“FCA”) and the Bank of England to create comparable protections for consumers executing payments over CHAPS or “on-us” payments (where the Sending PSP and Receiving PSP are a part of the same group). Further, once the New Payment Architecture (“NPA”) is fully operational, the mandatory reimbursement requirement will carry over into it.

Sharing the cost of reimbursement

Sending PSPs will have to reimburse the victim of an APP fraud. Sending PSPs will then seek contribution for the costs of reimbursement from the Receiving PSP. The costs of reimbursement will then be allocated equally between the Sending PSP and the Receiving PSP, with a default 50:50 split. Where stolen funds are recovered by the Receiving PSP, 50% of these funds must be repatriated to the sending PSP.

In the past, according the data published in the PSR’s September 2022 consultation paper, Sending PSPs would pick up over 95% of the costs of reimbursement. The current voluntary Contingent Reimbursement Model (“CRM”) Code was updated on 8 February 2023 to include more incentives on the Receiving PSPs to put in place measures to stop APP fraud. Under the CRM Code, Sending and Receiving PSPs should agree on the allocation of the costs of reimbursement, with actions of PSPs and the victims considered when reimbursement costs are allocated. Full reimbursement costs fall on the Sending PSPs where both PSPs complied with the relevant standards applicable to them under the CRM Code and none of the reimbursement exceptions apply to victims. Currently 10 PSPs are signatories to the CRM Code. The new mandatory requirement will apply to over 1,500 PSPs.

Who must be reimbursed:

  • consumers (individuals who are acting for purposes other than a trade, business or profession);
  • micro-enterprises (enterprises that employ fewer than 10 people and whose annual turnover and/or annual balance sheet total does not exceed £2m); and
  • charities (as defined in the relevant legislation and with annual income of less than £1m).

Exceptions: where the victims are involved in the fraud themselves (“first-party fraud”), or where they have acted with gross negligence, reimbursement will not apply. A further PSR consultation will be conducted to provide guidance on the customer standard of caution (gross negligence) and is expected for Q3 2023.

Vulnerable consumers: additional protections will apply (e.g., gross negligence exception and claim excess will not apply to them). PSPs are also expected to comply with the FCA’s guidance on vulnerability and be mindful of their obligations under the Consumer Duty requirements.

When to reimburse: within five business days from the fraud being reported, unless the Sending PSP has evidence or reasonable grounds for suspicion of either first party fraud or gross negligence. Sending PSPs may also “stop the clock” in certain situations, such as when gathering additional information from victims to assess the claim, assess vulnerability, or where first party fraud is suspected.

PSPs will have an option to:

  • implement a maximum level of reimbursement – subject to consultation in Q3 2023 and publication of guidance in Q4 2023
  • apply claim “excess” – subject to consultation in Q3 2023 and publication of guidance in Q4 2023
  • set a time limit for claims of no less than 13 months. This does not impact customers’ right to pursue a claim via the Financial Ombudsman Service up to six years from an APP fraud taking place or even longer in certain circumstances. 

How will these changes be implemented?

PSR’s long term vision is for Pay.UK as a payment systems operator to maintain, monitor and enforce these requirements. However, given this role represents a significant change to Pay.UK’s current role and other limiting factors, in the immediate future reimbursement requirements will be implemented though a combination of Faster Payment rules (PSR will direct Pay.UK to put new reimbursement requirements into Faster Payments rules) and PSR’s general direction, placing on all in-scope PSPs a regulatory obligation to comply with the relevant Faster Payment rules. Pay.UK will also be directed to create and implement effective monitoring of compliance with this requirement and reporting to the PSR, who may then take enforcement action against non-compliant PSPs.

Timelines

The new reimbursement requirement will come into force in 2024. The PSR will consult on a specific start date in early Q3 2023. The PSR expects the industry to start work now to implement the new reimbursement requirement.

What should you do next?

Failure to adhere to mandatory reimbursement requirements may lead to enforcement action by the PSR, with financial penalties or public censure being available. Reputational damage is a large risk, especially due to the requirement on 14 of the largest PSPs to collect APP fraud data and provide it to the regulator who will then publish it.

Preparatory action should include:

1) Detect and prevent

  •  Implement capability to identify customers and transactions with higher risk of APP fraud.
  • Develop detailed descriptions of the threats targeting customers, and use this to drive your processes around what you deploy to protect which customers and how.
  • Align and schedule customer awareness initiatives to the threats and most appropriate timings.
  • Apply expanded recipient account and off-book profiling for mule targeting.
  • Implement Confirmation of Payee (if not already done).
  • Apply additional measures to protect vulnerable customers.
  • Review current standard of customer due diligence.
  • Use currently available shared intelligence sources and industry fraud databases.
  • Implement appropriate policies and processes to manage higher risk accounts.

2) Reimburse

  • Implement appropriate governance, policies, processes, and controls for:  
  • effective risk management to ensure PSP’s adherence to reimbursement requirements,
  • amended complaints management process,
  • training staff responsible for assessing reimbursement request cases (including training on identifying vulnerable customers),
  • workflow/case management implemented with integration to customer record to ensure a single source of the truth,
  • suitable and comprehensive customer communications.

3) APP fraud aftermath:

  • Implement robust mechanisms for identifying and freezing funds received as a result of an APP fraud and, where appropriate, repatriate them.

How can KPMG Law help?

KPMG can draw on specialists from our legal, payments consulting, technology, and data analytics teams to help you design and implement the necessary framework to meet the APP fraud requirements. This could include:

  • optimisation of detection strategies (inbound and outbound),
  • mule monitoring strategy,
  • conducting gap analysis,
  • developing customer awareness strategy,
  • enhancing current standard of customer due diligence,
  • reviewing governance, policies, processes, management information and controls,
  • designing reimbursement framework and necessary interaction with third parties,
  • providing training to management and customer facing staff.

If you would like to discuss any of the topics covered in this guide or how KPMG Law can support your organisation with them, please get in touch. 

* Some or all of the services described herein may not be permissible for KPMG audited entities and their affiliates or related entities

Tags: