PSR publishes APP scams Reimbursement Policy Statement

24 Jan 2024 | 6 minute read

The Payment Services Regulator (PSR) announced last year the introduction of a new reimbursement requirement for Authorised Push Payment (APP) fraud.

The new requirement, which is due to come into force on 7 October 2024, will introduce consistent minimum standards to reimburse victims of APP fraud within the faster payments system, providing significantly wider coverage in comparison to the Contingent Reimbursement Model Code. See our previous article for further consideration of the impact of the new reimbursement requirement.

Implementation

In its June policy paper the PSR noted its intention to implement the new reimbursement requirement through a combination of Faster Payment rules and PSR directions. The PSR has now completed its consultations on the three proposed legal instruments to be used to implement the new requirement, and on 19 December 2023 published its final policy statement (the Policy Statement).

The Policy Statement confirms, amongst other things, that the following legal instruments will be used to implement the new reimbursement requirement:

A specific requirement on the Faster Payments operator to put the new reimbursement requirement into Faster Payments rules.
A specific direction was given to Faster Payments participants (PSPs) obliging them to comply with the reimbursement requirement and the reimbursement rules.
A specific direction on Pay.UK to create and implement effective monitoring of payment service providers.

Specific requirement on the Faster Payments operator to put the new reimbursement requirement into Faster Payments rules

It is incumbent on to create the reimbursement rules, though they are required to ensure that these include the following:

A requirement on sending PSPs to reimburse APP scam victims (except for those claims made outside of the relevant time limits, or those falling within the consumer standard of caution exception).
A requirement on sending PSPs to notify receiving PSPs of an APP scam report within a specified time limit.
A requirement that sending and receiving PSPs share the cost of reimbursing the APP scam victim.
The ability for the sending PSP to deduct a claim excess from the amount reimbursed the APP scam victim.
A maximum reimbursement level of £415,000 per claim.
A time limit of 13 months after the last authorised payment to make a claim.

Specific direction was given to Faster Payments participants (PSPs) obliging them to comply with the reimbursement requirement and the reimbursement rules

From 7 October 2024, all in-scope PSPs will be required to comply with the reimbursement rules, including the reimbursement requirement. From 31 March 2024, all indirect access providers will also be required to send the PSR an annual list of all indirect PSPs to whom they supply Faster Payments.

Specific direction on Pay.UK to create and implement effective monitoring of payment service providers

This direction includes a requirement on to:

Develop and implement arrangements for the monitoring of compliance by PSPs with the reimbursement rules.
Monitor the nature, extent and effectiveness of such compliance.
Take steps to improve compliance.
Gather data and information from PSPs to monitor compliance.
Report to the PSR on its findings.

Consumer standard of caution: gross negligence

The Policy Statement also gives further guidance on the consumer standard of caution (gross negligence). Where a consumer has themselves acted fraudulently, or where a consumer has acted with gross negligence, there will be no requirement on a PSP to reimburse funds.

The Policy Statement narrows the consideration of gross negligence to four specific circumstances, consisting of the following:

A requirement on consumers to have regard to interventions made by their sending PSP or by a competent national authority, such as the police.
A prompt reporting requirement, requiring consumers to report an APP scam to their PSP promptly upon learning or suspecting that they have fallen victim to an APP scam.
An information sharing requirement, requiring consumers to respond to reasonable and proportionate requests for information made by their PSP.
A police reporting requirement, requiring consumers, upon request by their PSP, to consent to the PSP reporting to the police on the consumer's behalf (or alternatively, reporting to a competent national authority themselves).

The consumer standard of caution will not apply to vulnerable customers. PSPs will be required to assess consumer vulnerability on a case-by-case basis in line with the FCA's Guidance for firms on the fair treatment of vulnerable customers, to understand whether the consumer's vulnerability led to them being defrauded. The FCA defines a vulnerable customer as someone who, due to their circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care.

Maximum reimbursement level

The PSR has announced a maximum reimbursement level of £415,000 per claim, applicable to all in-scope consumers. This limit is said to cover the majority of APP fraud cases and be sufficient to incentivise PSPs to implement effective anti-fraud measures. So whilst PSP's may reimburse amounts above this limit if they wish, there is no requirement on them to do so.

No exemption to the limit is being introduced for vulnerable consumers. The PSR states that this is so as to ensure levels of consistency, and so as to avoid vulnerable consumers being targeted specifically by fraudsters as a result of falling within an exemption.

Excess

The Policy Statement confirms that sending PSP's will be allowed to levy an excess of up to £100 per claim, though vulnerable consumers will be exempt from paying this excess (provided that the consumer's vulnerability was a contributing factor which led to them being defrauded). The PSR states that setting an excess of £100 is an effective way to encourage consumer caution.

Industry concern

Whilst the PSR's Policy Statement provides long awaited guidance to PSPs on how the new reimbursement requirement and applicable rules will operate in practice, there are likely to remain a number of concerns amongst PSPs and industry bodies which aren't tackled by the finalised directions.

UK Finance, for example, has previously expressed concern that the new requirement places all liability (and responsibility) for APP scams on PSPs, ignoring other firms whose platforms may be used by fraudsters. In this regard, whilst a requirement for PSPs to share the cost of reimbursing APP scam victims has been generally supported, such a requirement does not take into account circumstances in which the funds are received by a cryptocurrency platform, for example.

There are also concerns that the consumer standard of caution is too low and does not encourage improved consumer behaviours. Whilst the PSR states that the introduction of the excess payment is an effective way to ensure consumer caution, under the finalised directions PSPs can choose to not apply this excess. Further, the standard of caution does not include an obligation on consumers to be honest with their banks (for example, when asked to lie to their bank by a fraudster), adding to concerns that the introduction of the new reimbursement requirement will lead to an increase in first party fraud.

Additionally, it is noted that the Policy Statement does not provide any significant further guidance around the assessment of consumer vulnerability. Currently, PSPs will be required to assess consumer vulnerability on a case-by-case basis in line with the FCA's own definition (as set out above). This however is very broad, giving rise to concern that the rules will lead to inconsistent outcomes for consumers.

Conclusion

Only time will tell whether the new reimbursement requirement is effective in tackling the unacceptable levels of APP fraud in the UK. Whilst there are likely to remain some concerns amongst industry regarding the operation of the new requirement, in-scope PSPs must nevertheless begin to take steps so as to ensure that they are prepared for its introduction come October 2024. PSPs should also ensure that any policies, systems and processes which are put in place align with Pay.UK's compliance monitoring regime, which is due to be published by 7 June 2024.

If you would like to discuss the issues discussed in this article, or the consequences of the introduction of the new mandatory reimbursement requirement, in more detail please contact a member of our Fraud team.

James Gliddon

Partner

Head of Banking & Lender Disputes | Dispute Resolution | Banking & Finance

01179154641

Email James Gliddon

View Profile

Gena Ritchie

Solicitor

Fraud

01174038964

Email Gena Ritchie

Find out more

Cookie	Duration	Description
CookieControl	7 years 8 months 1 day	This cookie is set by the Civic UK Cookie Control and is used to remember a user’s choice of cookies on the website.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_8FBMLQP5H9	2 years	This cookie is installed by Google Analytics.
_gat_myTracker	1 minute	A Google Analytics tracking cookie that sets a unique visitor ID, the date and time of the first visit, the start time of the active visit and the number of visits made by a visitor to the site.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_hjTLDTest	session	To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
cusid	30 minutes	ClickDimensions sets this cookie to establish and continue a user session with the site.
cuvid	2 years	This cookie, set by ClickDimensions, is written to the browser upon the first visit to the site from that web browser.
cuvon	30 minutes	ClickDimensions sets this cookie to store the last time a visitor viewed a page.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
_hjSession_1667891	30 minutes	No description
_hjSessionUser_1667891	1 year	No description
AnalyticsSyncHistory	1 month	No description
JoP_SGM-bYTR	1 day	No description
jUspEKvx	1 day	No description
li_gc	2 years	No description
VK-bxnJ	1 day	No description
zkxqriGyJLZ	1 day	No description

Charities

Developer

Energy & Infrastructure

Islamic Finance

Private Equity

Private Wealth

Retail & Consumer

Banking & Finance

Commercial, Tech & Data

Corporate

Dispute Resolution

Employment

General Counsel Services

Intellectual Property

International

Private Clients

Real Estate

Regulated Financial Services

Risk Advisory