New reimbursement requirement for Authorised Push Payment fraud

This month, the Payment Services Regulator (PSR) has published a policy paper announcing the introduction of a new reimbursement requirement for Authorised Push Payment (APP) fraud.

APP fraud occurs when a customer of a bank is deceived into instructing their bank to transfer money into an account controlled by a fraudster.

The new requirement, which is due to come into force next year, will introduce consistent minimum standards to reimburse victims of APP fraud within the faster payments system, providing significantly wider coverage in comparison to the Contingent Reimbursement Model Code (the CRM Code).

The CRM Code is a voluntary industry code which was launched in 2019 as good industry practice to prevent APP fraud.

 The new reimbursement requirement will:

• Require payment firms to reimburse all in-scope customers who fall victim to APP fraud in most cases.
• Share the cost of reimbursing victims 50:50 between sending and receiving payment firms.
• Provide additional protections for vulnerable customers.

There are a number of payments which the requirement will not apply, including civil disputes, payments taking place across other payment systems (eg. CHAPS), international payments and payments made for unlawful purposes.

The new requirement will apply to all payment service providers (PSPs) who operate the sending or receiving payment account, including those with indirect access to a payment system.

Exceptions

The only proposed exceptions to the new reimbursement requirement are where a customer has themselves acted fraudulently, or where a customer has acted with gross negligence (ie. the customer standard of caution). This is a high bar and, where suspected, the burden of proof is on the PSP.

The PSR is expected to publish guidance on the customer standard of caution later this year (with a consultation to take place before that time), though reference is made to current Financial Conduct Authority (FCA) guidance. This provides that, to fall short of the standard, the customer needs to have shown a significant degree of carelessness.

Vulnerable customers

The customer standard of caution will not apply to vulnerable customers. PSPs will be required to assess customer vulnerability on a case-by-case basis in line with the FCA's Guidance for firms on the fair treatment of vulnerable customers, and consistently apply the FCA's definition of vulnerable customer. The FCA defines a vulnerable customer as someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care.

Impact

The introduction of the new reimbursement requirement marks a significant step towards the improved protection of victims of APP fraud in the UK. According to data published by UK Finance in their recent annual report, APP fraud resulted in losses of over £480 million last year alone, so the sums for which banks could find themselves liable to reimburse are significant.

In light of the introduction of this new requirement, and the scale of APP fraud in the UK, all in-scope PSPs should review their existing fraud detection and prevention processes and consider whether the policy proposal requires that any operational changes be implemented.

PSPs may also which to consider whether the impact of the new requirement on their business merits a response to the consultation taking place later this year. The PSR will consult on the maximum claim excess, the maximum level of reimbursement, the customer standard of caution (i.e. gross negligence), and the draft legal instruments through which the requirement is to be introduced.

Conclusion

The introduction of the new reimbursement requirement is consistent with the introduction of other proposed legislative changes designed to clamp down on fraud in the UK, including the Financial Services and Markets Bill, and the Economic Crime and Corporate Transparency Bill (currently at Report Stage in the House of Lords).

Whilst it is clear that increased efforts in the UK are being made to tackle fraud, this is a quickly evolving landscape, and the fight against fraud won't come without its difficulties. Those PSPs who fall within the scope of the new reimbursement requirement, for example, will be keen to ensure that the exercise of any discretion used in applying the customer standard of caution, or identifying vulnerable customers, is done correctly, and additional guidance in this regard is likely to be welcomed.

If you would like to discuss any of the issues explored in this article in more detail, please contact a member of our Fraud team below.