In an article last year, I looked at the Payment Systems Regulator’s consultation in relation to its stated aims of increasing reimbursement to APP fraud victims and therefore fighting payment scams. The intention being that PSPs are incentivised to prevent payment scams to stop their costs from increasing. The added incentive was that APP fraud was going to be reported and thus increase media attention and customer awareness of which banks appeared safer and better at prevention.
The publication of the consultation last year coincided with the Techsprint organised by the Financial Conduct Authority and PSR that aimed to find and develop new ways to tackle APP Fraud in the UK. At the time, this enabled focus to be on prevention rather than refunding and reporting. With policy being firmed up and dates of implementation being discussed, hopefully efforts are maintained or even renewed to focus on detection and prevention rather than introducing a large distraction that is a potentially complicated reimbursement process with a lot of money movement needed to settle split liability cases.
The policy document covers different viewpoints and moments in time and should be appreciated for taking that wider view. There is clarification of reimbursement while also looking forward to potential improvements in prevention both inside and outside of banks. This document doesn’t have all the answers and consultation will continue and may even grow to include some of the wider discussion points called out here.
Before jumping into the wider discussion, here are the key points from the policy.
No specific implementation date yet – it will come into force in 2024
Many PSPs will have been looking to improve APP fraud detection for years and have even been working on fraud detection on inbound payments as well, but the consultation last year potentially triggered firming up of plans and putting in plans for some. The policy publication probably doesn’t change this but may open the door for some breathing space where a deadline of the end of this year had been assumed.
50% of the cost of reimbursement to be paid by receiving PSP
The liability split was probably the most contentious element of the consultation last year. The debate of whether it is fair for the receiving bank to pay 50% of refund will continue, but one big step forward in my opinion is that the 50% is fixed and the debate won’t be had for every claim. The longer-term view of whether it is fixed or where the split is, will be held off for a period of time until there is data to argue for a change.
No mandated controls – PSPs have freedom to tackle the fraud how they want to
Unlike the Contingent Reimbursement Model, there aren’t any specific mandated controls such as “profiling for inbound payments to allow firms to prevent the onward movement of funds”. This could mean that PSPs looking to reduce their inbound fraud liability could do this through application and account profiling rather than real time payment review, although this is likely to be much less effective as the data available is limited and would miss trends such as older people allowing their accounts to be used in scams.
Time taken to reimburse increased to 5 days
A large area of debate from the initial consultation was how long PSPs had to refund a victim. The PSR was keen to keep this short so that victims weren’t out of pocket and stress they suffered was minimised. 48 hours was felt to be too short, particularly if some of that time was used up waiting for information from the victim. Sensible changes have been made to allow the “clock to be stopped” when waiting for the victim and also where PSPs are able to show the case isn’t simple and there may be first party fraud suspicion.
For limits and excesses, consultation continues
One change that was suggested by Featurespace and others in the consultation was the removal of the proposed minimum threshold. This has now been removed and will reduce the potential harmful and unfair impact on low-income victims, but this risk still needs to be considered when looking at vulnerability and claim excess. Claim excess and gross negligence are both areas that the PSR is going to continue consulting on and aims to clarify in Q3 this year. Although slightly more complex, changing excess to be a percentage could balance the desire for customer caution and the need for fairness across claim values. A 5% excess would mean a small claim would have an excess of £5 to £10 and create some caution, and an average claim of £1,731 would have a larger excess and greater caution but still be less than £100.
Other areas need further clarification or precedent setting
The policy has some clear statements regarding civil disputes and makes it clear that these are not defined as APP fraud. The challenge is how to determine whether the claim is a civil dispute? Will this relate to whether there is evidence the supplier is legitimate and how this would be done? Entities registered on Companies House and/or FCA registered could help, but there will be smaller suppliers that are legitimate that aren’t registered and also scammers that have registered to appear legitimate and improve the success rate of their scam. Other approaches could be to request the sender and receiver to provide evidence of goods or services, but with high quality scams this will be challenging and time consuming.
Wider action to fight fraud
While the points above cover the specifics of the policy and may be the immediate focus for many, we need to deliver it as quickly and efficiently as possible so that fraud professionals can focus on what they do best, innovation to fight fraud. The 10 PSPs signed up to the Contingent Reimbursement Model Code (covering 90% of Faster Payments) are already heading towards early compliance as the CRM Code has a December deadline for shared sending and receiving liability and even goes further than the PSR policy by stating “Firms should have in place profiling for inbound payments”. Hopefully the remaining circa 1,500 PSPs can move quickly to compliance and in parallel be thinking about how to improve their detection and prevention capabilities.
As seen at the Techsprint last year, the two best bets to detect and prevent more scams are:
- machine learning enabled fraud detection that optimises to find and prevent the most fraud, and
- data sharing to improve the breadth and depth of data the machine learning uses.
The PSR reinforces the view on data sharing with its measure to increase intelligence sharing and cites the UK Finance POC for Enhanced Fraud Data that “can significantly improve fraud detection”. There is also mention of capturing and then hopefully acting on where fraud starts, such as social media and telecommunications, with specific reference to the Home Office’s Online Safety Bill to hold tech companies accountable and the Economic Crime and Corporate Transparency Bill for unlocking information sharing.
Information sharing is historically a challenging area to move forward, but with UK Finance proving value, Government pushing for it and Featurespace developing solutions with them, then the future looks promising and starts to build the bigger picture of where the PSR hopes it and the Government can push the PSPs and wider ecosystem to get to.
FCA’s Consumer Duty specifically called out for consideration
For the avoidance of any doubt, the PSR cites the FCA’s new Consumer Duty and how it will require PSPs to act to deliver good outcomes for customers and aligns with the PSR reimbursement policy as it will include fraud and APP scams related outcomes. There is specific mention of safety information with advice and warnings that can be easily and clearly actioned, as well as support and victim aftercare. The Duty also introduces a rule to avoid foreseeable harm while highlighting a scam related example of having inadequate systems or inadequate testing and monitoring of warnings. The Consumer Duty should mean PSPs can’t just adhere to the letter of the law in the PSR policy and must embrace the spirit of it as well.
One area that is an opportunity to improve consumer outcomes is utilizing data to identify victims that haven’t made a claim. If funds can be returned by recovery or refund, either way is a great outcome for the victim who may have been unaware they could claim or too stressed or embarrassed to.
Scam response, repatriation, and deterrent impact
The final part of the scam lifecycle and the element that gets least consideration in the policy and within PSPs, is the response to the scam. Here are some challenges we can look to tackle together:
- Can the money be followed quickly enough to freeze it and return it?
- Can developing longer term investigations utilise the 400 police officers in the new national fraud squad with the expectation of seizing funds and prosecuting scammers?
- Can both be done and is there a need to develop new tools to enable this?
The Home Office Fraud Strategy doesn’t directly reference these challenges and puts a lot of expectation into a new system for reporting fraud that it says will be developed and hopefully the solution’s focus is on supporting victims, repatriation of funds, building investigations and successful prosecutions and doesn’t end up as an additional way to track the growing fraud challenge in the UK.
Hopefully this article has highlighted areas for focus and raised interesting questions to think about. To discuss further and see how Featurespace can partner with you now and in the future to tackle scams, please reach out to us.