February 6, 2024 | Mark Taylor
Estimated reading time: 6 minutes
New rules for bank payment fraud reimbursement to enter force in late 2024
The UK’s Payment Systems Regulator (PSR) and the Bank of England (BoE) have announced the go-live date of a mandatory reimbursement scheme for victims of authorised push payment fraud (APP fraud).
The new reimbursement scheme is intended to come into force on 7 October 2024 and will apply to payments made after that date.
Firms can decide voluntarily to reimburse consumers before this date.
APP fraud typically involves a fraudster tricking a consumer into authorising a payment, whether deceiving as to the recipient of the payment or the purpose for which they are sending the funds.
APP fraud is rampant, with more incidents than any other crime type in the UK, accounting for more than 40% of fraud losses annually.
In the UK Finance 2023 annual fraud report, more than 200,000 APP fraud cases were reported on personal accounts, with losses topping £485m.
Previous efforts to address the problem have included strong customer authentication requirements and the Lending Standards Board’s Contingent Reimbursement Code.
The update should also reduce manual errors and innocent attempts to send money to the wrong accounts.
In a recent interview, actor Tom Hollander gave an interview in which he said he’d accidentally received a “seven-figure sum” intended for Avengers star Tom Holland following a payroll error.
Experts mused how the actors could have been mixed up by accounting departments – and how Confirmation of Payee rules could have avoided the mistake.
What should firms know about the new payment rules
In 2022 the PSR expanded Confirmation of Payee to 400 new Payment Service Providers (PSP), some of which had to comply by 31 October 2023 (Group 1) and the rest by 31 October 2024.
The UK government has said the measures do not go far enough, and as part of its wider fraud strategy has legislated to allow a requirement for mandatory reimbursement (through the Financial Services and Markets Act 2023).
Ministers updated the Payment Services Regulations (PSRs 2017) to clarify that regulation 90, under which a PSP is not liable for the defective execution of a payment that is executed in accordance with a unique identifier, “does not affect the liability of a PSP where the PSR has exercised its regulatory powers concerning APP scams”, said Grania Baird, partner and payments expert at Farrer & Co law firm.
In June 2023, the PSR published a policy statement on bolstering consumer protection from APP fraud in Faster Payments. This followed previous consultations and a call for input in 2021 and 2022.
The mandatory reimbursement scheme will be implemented through the PSR giving directions to Pay.UK, the independent operator of the Faster Payments scheme.
A similar rule for UK retail Clearing House Automated Payments System (CHAPS) payments is being developed by the BoE.
Regulators have said they want to increase transparency by publishing APP fraud data and have asked banks to develop a data and intelligence sharing tool.
It is hoped the moves will encourage and incentivise PSPs to develop stronger systems for identifying fraud and effective interventions to alter consumer behaviour.
The regulator noted the October 2024 go-live date “will still be a challenging target for some PSPs”, describing it as “ambitious but feasible”.
Where firms indicate they cannot deliver comprehensive reimbursement management systems (RMSs) by October, the regulator said it will collaborate to develop the minimum RMSs that it considers necessary to abide by the rule changes.
The maximum mandatory reimbursement level, applicable to all in-scope consumers, has also been confirmed as £415,000 for each single APP scam case, which is identical to the Financial Ombudsman Scheme’s (FOS) current award limit for a single complaint.
Given the “particularly high level” of industry response to the proposals, the regulator said it will monitor the incidence and impact of high-value APP scams over the next ten months before the start date and may revise the level ahead of October if there is evidence to do so.
What is the reimbursement requirement?
The reimbursement requirement consists of 10 key policies:
- Sending PSPs must reimburse all customers who are victims of APP fraud.
- The receiving PSP must pay the sending PSP 50% of the reimbursement, within a time period to be set by Pay UK.
- The two exceptions are where the customer has acted fraudulently, or when the customer has acted with “gross negligence”.
- Customers must be reimbursed within five business days.
- There will be a claim excess, which was finalised at £100.
- There is no minimum threshold for claims.
- There will be a maximum level of reimbursement of £415,000 and a 13-month time limit for making claims after the last payment.
- The customer standard of caution and claim excess will not apply to vulnerable consumers, and
- ‘Multi-step’ fraud cases that involve more than one payment will also be covered.
- The reimbursement requirement will apply to an account controlled by a person other than the customer, where the customer has been deceived into granting that authorisation as part of an APP fraud case.
Who is in scope?
The reimbursement requirement applies to payments made by consumers, microenterprises, and charities, Baird noted.
“PSPs that operate the sending or receiving payment account for a qualifying transaction are in scope, including direct and indirect Faster Payments participants,” she said. “It is expected that this will be similar for CHAPS participants, taking into account its unique characteristics.”
The regulator is unable to mandate reimbursement for a payment made to a recipient hosted by the same PSP, as it is not made via a payment system, Baird said. However, it expects PSPs to reimburse such victims of APP fraud anyway.
What happens next?
With the publication of the final position on the consumer standard of caution, the excess, maximum level of reimbursement, and legal instruments, PSPs can now move forward with the design and/or alteration of the necessary end-to-end processes and systems, said Roger Tym, partner at Hogan Lovells law firm.
Cross-industry collaboration is essential “to successfully implementing the new reimbursement requirement by day one”, the regulator said. The PSR will set up a clarification process in Q1 2024 to encourage a consistent approach to implementation across the industry.
Whilst HM Treasury has said it will amend the Payment Services Regulations 2017 to allow PSPs to delay the processing of a payment when there is a reasonable suspicion that the payment is fraudulent, no legislation has yet appeared.
The UK’s payment sector should brace for major changes to compliance processes as regulators attempt to stem the enormous tide of APP fraud.
All payment service providers (PSPs) using Faster Payments (the payment system across which the vast majority of APP fraud currently takes place) will have to meet minimum standards for reimbursement.
This will eventually apply to over 1,500 PSPs – a significant leap from the 10 banks and building societies currently signed up to the voluntary CRM Code.
The new rules mean both sending and receiving firms will have cause to take action to prevent fraud where customers do fall victim to fraud.
Details are still to be thrashed out by both regulators and the government, however, it is expected that the legislative changes, along with wider reforms, will redraw the regulatory landscape for payment services.
Firms should do all they can to ensure they are fully abreast of what is on the horizon.
For fast-moving payments firms entering a new era of compliance, CUBE’s industry-leading proprietary automated regulatory intelligence platform can help guide compliance teams through the complex challenges that lie ahead.