Delve into how financial institutions are gearing up for the reimbursement obligations in the wake of new regulations on authorised push payment (APP) fraud.
The Payment Systems Regulator (PSR) has new authority to order Payment Services Providers (PSPs) using Faster Payments to fully reimburse victims of authorised push payment (APP) fraud following the Financial Services and Markets Bill’s royal assent on June 29, 2023. The reimbursement requirement will go into effect the following year.
The head of financial crime at Currencycloud, a company that offers international payment solutions, Tommaso Scarpa, investigates if financial institutions are aware of the implications of the recent, significant change in regulations pertaining to APP fraud and if they are ready for it.
The act of tricking payers into sending money to criminals is known as authorised push payment fraud. In this especially nasty scenario, a first-time home buyer discovers that their solicitor has misappropriated their deposit and has instead forwarded it to a scammer after the solicitor’s email was compromised.
The victim of APP fraud suffers severe financial and psychological consequences, while the fraudster benefits handsomely from it. It’s also not uncommon: in the UK alone, APP fraud stole about half a billion pounds in 2022.
Since many incidents go unreported and include more difficult-to-track cross-border transactions, the true number is probably far higher.
One reason so much goes unreported is that victims rarely get their money back. Financial institutions (FIs) are not required to compensate APP scam victims, and few do. The victim gave the FI a valid payment order, according to the argument. It’s their account, so they send the money.
The PSR disagrees, and starting in 2024, all PSPs must reimburse APP fraud victims through the Faster Payments Scheme. FI must reimburse victims within five days of the incident. APP fraud is handled differently in the UK. Are FIs—especially non-banks—aware of the consequences and able to satisfy the PSR’s tight deadlines?
The possibility of unforeseen outcomes
The regulation’s goal is to encourage financial institutions (FIs) to use improved controls to thwart APP fraud. However, configuring those controls is costly, time-consuming, and skill-dependent. Financial institutions must guarantee that they have a substantial amount of cash on hand to recompense victims in light of the necessity for prompt reimbursement.
The staff, the information, and the bottom line are probably already in the large banks’ possession. However, it might be far more difficult for the smaller non-bank FIs, many of which have already been negatively impacted by the fintech slowdown of the past year.
De-risking on a large scale could be the immediate solution. There is now a one million pound plan limit for a single transaction on FPS, but there is no lower restriction, so many financial institutions could choose to reduce it to £250,000 or even less. They may be cautious until they have complete confidence in their controls, and reducing transaction limits can be a simple approach to achieve that. Naturally, this defeats the purpose of the laws and will not assist the public.
The fact that many non-banks rely on another PSP that is a direct participant in the FPS programme rather than being direct participants themselves exacerbates the issue. In light of this additional credit risk, the direct participant may likely reconsider its willingness to continue providing that service if it is found to be accountable for the APP fraud of its indirect PSP. Not only that, but both direct and indirect participants have the option to grant other FIs—including non-UK ones—embedded FPS access. If applicable, these may find it challenging to enforce payment based only on a contract, particularly when doing so across international borders.
The price of change
The revisions may potentially result in higher expenses for consumers. When compared to alternative payment rails, FPS is supposed to be the quickest and least expensive choice, with money arriving almost instantly. This is probably going to change, as FIs will be halting and looking into a lot more payments. Theoretically, this will lessen the likelihood of fraud for consumers, but it can also cause problems and increase expenses for them by delaying or even blocking legitimate payments. It will take some time to get the balance right, and there may be a desire to use other payment rails when reimbursement is not yet required.
Financial institutions that attempt to prevent APP fraud by implementing their already-expenditured time and resources—AML transaction monitoring controls—are likely to discover that these measures are ineffective. Higher-value transactions are the focus of controls because of the established risk-based approach to AML.
On the other hand, fraud is typically high volume/low value, so that manually investigating transactions involves a lot more work. Retrospective monitoring won’t be very helpful either because the scam will already have occurred. It will cost money and take time to install and maintain the appropriate controls.
Injuring PSPs?
The PSR will argue that since APP fraud is not new, these safeguards ought to be in place already, or at least well on their way there. But it’s also feasible that the new rules will increase the likelihood of some frauds, especially the ones for which the controls are still in their infancy.
For instance, there’s a good chance that first-party fraud, in which the sender and the recipient are con artists working together, may rise sharply. In first-party fraud, all you need to do is persuade the financial institution that you have been scammed, rather than relying on the victim to transfer you money. The victim is then tricked into paying back a fraudster who never really lost any money, and becomes the FI.
Sending PSPs will now have to reimburse victims in full within five days of the new legislation taking effect, and they will also have to recover 50% from the receiving PSP. After the fraud has occurred, the sender PSP is therefore powerless over the controls of the receiving PSP and must rely on them to act quickly enough to block the fraudster’s accounts before the monies were used. FIs may become especially watchful of serial offenders and keep a careful eye on which PSPs pose a high risk of fraud. This implies that PSPs that are the target of fraudsters may swiftly have their access to other FIs restricted, leaving them unable to take action.
FIs need to take immediate action
There is no doubt that the PSR is headed in the right path because there is still work to be done to safeguard consumers against APP fraud. As always, though, the real test will be how the regulations are put into practise. If the industry is not prepared, the unintended consequence may be de-risking rather than upskilling, which ultimately does not benefit the consumer.
To mitigate the “day 1” prudential risk that financial institutions (FIs) will be taking, gradually increasing the maximum reimbursement value could be a reasonable strategy. This will lessen the FIs’ desire to de-risk.
In any case, this is the moment for all FPS members to strengthen fraud-specific controls, with a particular emphasis on transaction risk rating that is dynamic, data exchange with other financial institutions and law enforcement, and even the use of “AI” technologies to detect fraud.
