Mandatory reimbursement proposed for APP scams

The Payment Systems Regulator (PSR) yesterday published a consultation paper on measures that it proposes to address authorised push payment (APP) scams in the UK. This follows the PSR’s February 2021 “Call for Views” on the same subject and its October 2021 Response Paper which commented on the measures that the PSR was considering. The consultation proposes two particularly significant measures. First, the mandatory reimbursement of APP scam victims by PSPs. Second, the mandatory publication by the 12 largest payment service providers (PSPs) of comparative data on their performance in relation to APP scams, reimbursement and which PSP’s their fraud payments have been sent to. The former measure would require legislative change in order to be implemented. However, on the same date as publication of the consultation, the Economic Secretary to the Treasury announced that the Government will legislate to address any such barriers to regulatory action at the earliest opportunity.

Authorised Push Payment Fraud

APP fraud is a significant, and growing, problem in the UK. A total of £355.3m was lost to APP scams in the first half of 2021 alone – an increase of 71% compared to the same period in 2020. Moreover, since the payments in question are authorised by the victim, there is no automatic right to reimbursement. As a result, victims frequently bear the loss, especially as the perpetrators are commonly located outside the UK. The UK has a code which provides for reimbursement of scam victims (the CRM Code), but it is voluntary and is considered to result in inconsistent treatment for victims due to differing interpretations of it.

Proposal for mandatory compensation

The PSR believes that reimbursement of scam victims should be made mandatory and has proposed two mechanisms by which this could be achieved:

• requiring Pay.UK to change Faster Payments scheme rules to require reimbursement for all APP scam victims who have exercised sufficient caution; or
• requiring Pay.UK to incorporate into scheme rules a requirement for PSPs to sign up to a PSR-approved code.

This first mechanism could require reimbursement for all victims subject to exceptions such as firstparty fraud and other circumstances where the customer did not act appropriately. The Financial Ombudsman would still adjudicate on appeals from victims in individual cases and compliance with the rule would be enforced by Pay.UK, as the system operator. The PSR anticipates that this mechanism would have to have a much tighter definition of liability than that currently in the CRM Code, which would mean more liability for APP scams falling on PSPs.

The second mechanism would involve formalising the CRM Code by requiring Pay.UK to incorporate into scheme rules a requirement for PSPs to sign up to the Code. If a PSP did not sign up to the Code or is unable to demonstrate a high level of compliance, the default would be a requirement that they reimburse all victims of APP scams, subject only to very limited exceptions. The CRM Code would likely be administered and enforced by the Lending Standards Board.

Proposal for mandatory publication of APP data

The PSR believes that publishing a balanced scorecard comparing data on PSPs’ performance on APP scams will provide reputational incentives for PSPs to prevent APP scams and protect and reimburse victims. This would apply to the 12 largest PSPs in the UK (representing 95% of all Faster Payments sent). The specific data that those PSPs would be required to report would be:

• The proportion of APP scammed customers who are left – fully or partially – out of pocket.
• Sending PSPs’ APP scam rates.
• Receiving PSPs’ APP scam rates, net of repatriation. Those comparisons will also include the wider set of receiving PSPs to whom the directed PSPs send payments (ie not just the 12 largest PSPs in the UK).

In the PSR’s view, the data in C above is particularly relevant to a PSP’s wider reputation – showing how far a receiving PSP is playing its part in preventing scams, protecting customers of other PSPs and limiting flows of funds to criminals, and could also contribute to some consumers’ choice of PSP.

Comment

If implemented, the proposed measures would have a significant impact on PSPs, both in terms of their liability to reimburse victims and their public image. There are also a number of practical considerations that will have to be worked through before the measures are implemented if they are to operate effectively and avoid unintended outcomes.

The consultation is open until 14 January 2022 and the PSR expects to publish a resulting Policy Statement in the first half of 2022.