FCA Expectations on APP Fraud Reimbursement Requirement

On 7 October 2024 the Financial Conduct Authority ("FCA") published a letter to firms setting out its expectations in relation to (1) the introduction of the new authorised push payment ("APP") fraud reimbursement rules; (2) the role of the Consumer Duty in this space; and (3) what to expect from the FCA through a data-led approach to monitoring progress.

APP fraud occurs when a customer of a bank is deceived into instructing their bank to transfer money into an account controlled by a fraudster. Pursuant to the new reimbursement rules introduced on 7 October 2024, banks and other payment services providers ("PSPs") are now required to reimburse eligible customers who fall victim to APP fraud via FPS and CHAPS (subject to certain exclusions).

It is against this landscape that HM Treasury has also published its final draft of the Payment Services (Amendment) Regulations 2024 ("PSRs 2024"), proposing amendments to the Payment Services Regulations 2017. Once approved, the new legislation will allow PSPs to slow down the processing of outbound payments when there are reasonable grounds to suspect fraud or dishonesty.

In this Dear CEO letter, the FCA confirms its expectation that PSPs should be working to reduce APP fraud by improving their anti-fraud systems and controls (noting that this is also the best way for PSPs to limit their own potential liability). The FCA highlights that such systems and controls, including at onboarding and through ongoing transaction monitoring, help to (i) prevent customers from falling victim to APP fraud, and (ii) identify fraudsters and prevent them from receiving payments. With reference to its good practice publication, the FCA notes that PSPs should:

  • have effective governance arrangements, controls and data to detect, manage and prevent fraud;
  • regularly review their fraud prevention systems and controls to ensure that these are effective; and
  • maintain appropriate customer due diligence controls at onboarding stage and on an ongoing basis to identify and prevent accounts being used to receive proceeds of fraud or financial crime.

In its letter the FCA emphasises that firms will be in breach of the Consumer Duty to avoid causing foreseeable harm where a consumer falls victim to APP fraud because of inadequate systems to detect and prevent scams, or where a firm has inadequate processes to design, test, tailor and monitor the effectiveness of scam warning messages presented to customers. Where a firm identifies that it has caused harm, it must take appropriate action to rectify the situation.

Further, the FCA reminds PSPs of their obligation under the Payment Services Regulations 2017 to provide information about the availability of alternative dispute resolution procedures for payment service users and how to access them as part of their pre-contractual information (which includes informing eligible customers about the availability of the Financial Ombudsman Service).

The new reimbursement rules apply only to payments routed through FPS and CHAPS, meaning that ‘on us’ payments (i.e. payments where both the sending and receiving accounts are held with the same PSP or group) may fall outside of their scope (for example, where payment is executed via an internal channel). In its letter the FCA sets out its expectation that, where a PSP intends to apply lower levels of protection to ‘on us’ payments versus payments made via FPS and CHAPS, the PSP should contact the FCA and explain the steps it has taken to ensure that its obligations under the Consumer Duty have nevertheless been complied with.

Finally, the FCA sets out that it will be working with the Payment Systems Regulator to monitor for conduct breaches and inadequate systems and controls. In the light of the proposed PSRs 2024, it also intends in due course to gather data from PSPs on payment execution timings.

What's next?

PSPs should already be familiar with their obligations under the reimbursement rules and have appropriate policies and procedures to manage reimbursement claims in place. The test that will now be faced is applying those policies and procedures in the correct way to avoid any contravention of the reimbursement requirement, or indeed any breach of the wider Consumer Duty.

The extent to which the introduction of the reimbursement rules widens the Consumer Duty by placing an increased expectation on PSPs to prevent and protect customers from fraud, including APP fraud, also remains to be seen. Last year, the Supreme Court confirmed that the so-called Quincecare Duty (i.e. the duty to refrain from executing a payment instruction where there are reasonable grounds to suspect fraud) is limited to circumstances where an agent is acting on a customer's behalf. Is it possible, however, that regardless of the Supreme Court's ruling, ongoing compliance with the Consumer Duty now requires PSPs to refrain from executing a transaction even where a customer is acting on its own behalf? As proposed, the PSRs 2024 certainly make it easier for PSPs to delay executing payments, but to what extent will they be considered liable to the customer (or for regulatory enforcement) if they do not exercise a right to delay and a customer falls victim to fraud as a result?

If you would like to discuss the new reimbursement rules, or the impact of the PSRs 2024, in more detail please do get in touch with a member of the team below.