Fraud accounts for over 40% of all reported crime committed in England and Wales. Authorised push payment (“APP”) fraud arises when a victim is tricked into making a payment to an account controlled by a criminal. According to UK Finance’s Fraud Report 2022 losses due to APP fraud amounted to GBP£485.2m, split between personal (£408.2m) and non-personal or business (£77m). As many cases go unreported, and these figures cover only a subset of payment firms, the real figures are likely to be higher. As such, tackling fraud (including reimbursing more victims of fraud) is one of Government’s (Home Office) strategies, aiming to reduce fraud by 10% on 2019 levels by December 2024.
Example of an APP fraud journey:
On 7 June 2023 the Payment Systems Regulator (“PSR”) published a policy statement creating a new reimbursement requirement for APP fraud. It will apply to all types of APP fraud where payment orders are executed over Faster Payment System subsequent to fraud or dishonesty.
The table below sets out the types of APP fraud that will be subject to the reimbursement requirements:
In scope ✔
Out of scope ✖
All types of APP fraud executed over Faster Payments including where:
Fraud relating to:
What Payment Service Providers are subject to the new requirement?
Mandatory reimbursement requirements will apply to all Payment Service Providers (“PSPs”) sending and receiving payments over Faster Payments, irrespective of whether they are direct Faster Payments participants or indirect PSPs connecting to Faster Payments via the indirect access provider. This includes high-street banks and building societies but also smaller payment firms. Payment Initiation Service transactions are also within the scope.
Mandatory reimbursement requirements are specifically aimed at transactions executed over Faster Payments, because currently most of the APP fraud is enacted through Faster Payments. However, further work is currently being done by the PSR, Financial Conduct Authority (“FCA”) and the Bank of England to create comparable protections for consumers executing payments over CHAPS or “on-us” payments (where the Sending PSP and Receiving PSP are a part of the same group). Further, once the New Payment Architecture (“NPA”) is fully operational, the mandatory reimbursement requirement will carry over into it.
Sharing the cost of reimbursement
Sending PSPs will have to reimburse the victim of an APP fraud. Sending PSPs will then seek contribution for the costs of reimbursement from the Receiving PSP. The costs of reimbursement will then be allocated equally between the Sending PSP and the Receiving PSP, with a default 50:50 split. Where stolen funds are recovered by the Receiving PSP, 50% of these funds must be repatriated to the sending PSP.
In the past, according the data published in the PSR’s September 2022 consultation paper, Sending PSPs would pick up over 95% of the costs of reimbursement. The current voluntary Contingent Reimbursement Model (“CRM”) Code was updated on 8 February 2023 to include more incentives on the Receiving PSPs to put in place measures to stop APP fraud. Under the CRM Code, Sending and Receiving PSPs should agree on the allocation of the costs of reimbursement, with actions of PSPs and the victims considered when reimbursement costs are allocated. Full reimbursement costs fall on the Sending PSPs where both PSPs complied with the relevant standards applicable to them under the CRM Code and none of the reimbursement exceptions apply to victims. Currently 10 PSPs are signatories to the CRM Code. The new mandatory requirement will apply to over 1,500 PSPs.
Who must be reimbursed:
- consumers (individuals who are acting for purposes other than a trade, business or profession);
- micro-enterprises (enterprises that employ fewer than 10 people and whose annual turnover and/or annual balance sheet total does not exceed £2m); and
- charities (as defined in the relevant legislation and with annual income of less than £1m).
Exceptions: where the victims are involved in the fraud themselves (“first-party fraud”), or where they have acted with gross negligence, reimbursement will not apply. A further PSR consultation will be conducted to provide guidance on the customer standard of caution (gross negligence) and is expected for Q3 2023.
Vulnerable consumers: additional protections will apply (e.g., gross negligence exception and claim excess will not apply to them). PSPs are also expected to comply with the FCA’s guidance on vulnerability and be mindful of their obligations under the Consumer Duty requirements.
When to reimburse: within five business days from the fraud being reported, unless the Sending PSP has evidence or reasonable grounds for suspicion of either first party fraud or gross negligence. Sending PSPs may also “stop the clock” in certain situations, such as when gathering additional information from victims to assess the claim, assess vulnerability, or where first party fraud is suspected.
PSPs will have an option to:
- implement a maximum level of reimbursement – subject to consultation in Q3 2023 and publication of guidance in Q4 2023
- apply claim “excess” – subject to consultation in Q3 2023 and publication of guidance in Q4 2023
- set a time limit for claims of no less than 13 months. This does not impact customers’ right to pursue a claim via the Financial Ombudsman Service up to six years from an APP fraud taking place or even longer in certain circumstances.