The UK Payment Systems Regulator: Consultation published on Authorised Push Payment Fraud (APP) and Reimbursement

Introduction

On 29 September 2022 the Payment Systems Regulator (PSR) published an industry consultation on Authorised Push Payment (APP) scams reimbursement, the proposed measures aim to improve the level of protection for victims of authorised push payment fraud by mandatory reimbursement for victims in all but exceptional cases.

This consultation follows recent effort by the PSR to gather industry feedback in 2021 through a call for views on Authorised push payment scams, and an initial consultation paper on Authorised push payment (APP) scams.

The UK government intends to legislate in the Financial Services and Markets Bill (Bill) to allow regulatory action to be taken by the PSR to require banks and other payment service providers to reimburse APP scam losses. The new Bill is currently in passage through the House of Commons.

Who does the consultation apply to?

The requirement for reimbursement for victims of APP fraud will apply to all participants in Faster Payments, including indirect Payment Service Providers (PSPs) as well as PSPs connected indirectly through indirect access providers (IAPs).

What is the discussion about?

Authorised push payment has increased in recent years however reimbursement remains inconsistent across PSPs. Although some PSPs offer reimbursement, there is currently no regulatory requirement for it and as such little incentive to address customer protection in relation to fraudulent activity.

To date 10 PSPs have signed up to the voluntary Contingency Reimbursement Model (CRM Code). The code has been successful in reimbursement from 19% in the first half of 2019 to 41% by Code signatories in 2020.

The effect of the Financial Service and Markets bill places a standalone duty on the PSR to draft regulatory requirement for reimbursement in ‘qualifying cases’. The definition of a ‘qualifying case’ is provided by the Financial Services and Markets Bill s.62(2) ‘(a) the case relates to a payment order executed over the Faster Payments Scheme, and (b) the payment order was executed subsequent to fraud or dishonesty’.

The PSR are consulting on two initial regulatory requirements.

1. Mandatory reimbursement of victims of APP scams in all but exceptional cases.
2. Shared liability between sending and receiving PSPs.

More specifically the consultation seeks views on reimbursement and shared liability between PSPs  on the following:

• “an APP scam victim’s PSP (the sending PSP) must reimburse them, except in cases of first party fraud or gross negligence (unless the victim is a vulnerable consumer)
• the sending PSP must reimburse the victim within 48 hours of the fraud being reported, unless the sending PSP has evidence or reasonable grounds for suspicion of either first party fraud or gross negligence (it will then have more time to investigate)
• PSPs can set a fixed ‘excess’ of up to £35, and a minimum threshold claim for reimbursement of up to £100
• the costs of reimbursement (as well as any repatriated funds) are shared equally between sending and receiving PSPs by default; PSPs can use a dispute resolution process to refine the allocation of reimbursement costs to better reflect the steps each PSP took to prevent the scam
• PSPs can apply a time limit on claims of no less than 13 months from the date of the payment
• both direct Faster Payments participants and indirect PSPs will be covered by the requirements”

Exceptions

To provide customers with appropriate incentives to exercise caution, the consultation provides for limited exceptions to mandatory reimbursement and aims to ensure that the requirements are proportionate.

Exceptions include scams where the consumer has been complicit to the fraud, or where they have acted with gross negligence. Gross negligence is already an exception to PSP liability for unauthorised frauds under section 77(3) of the Payment Service Regulations 2017.

Vulnerable customers will be exempt from the exception of gross negligence. The definition of a vulnerable customer follows the FCA definition; ‘A vulnerable customer is someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care[1]'.

Faster Payment scheme rules

As the Payment System Operator, the PSR envision it would be sensible for PAY.UK to be responsible for a comprehensive set of scheme rules on the monitoring and enforcement of reimbursement by PSPs, at a minimum the PSR propose these include:

• “when a consumer must be reimbursed by its sending PSP
• a default 50:50 allocation of reimbursement costs (and of any repatriated funds) between the sending and receiving PSP, and any arrangements needed to enable sending and receiving PSPs to transfer funds between them
• designated arrangements to enable PSPs to choose to depart from default allocation by negotiation, mediation or dispute resolution based on more tailored allocation criteria"

Enforcement in the short term

The PSR have highlighted that in the short term they will need to provide Pay.UK with support in undertaking the role of enforcement effectively, immediately after the requirements take effect. The new framework on mandatory reimbursement must provide delineation between the roles of PSR and PAY.UK on enforcement.

The PSR are therefore consulting on a short-term plan to support Pay.UK with enforcement arrangements and consider three main options:

1. “Pay.UK develops and improves its own enforcement regime in the short-term.
2. The PSR directs any PSP that has failed to comply with scheme rules on reimbursement to comply within a timescale, following which we would use our own enforcement regime for any further breaches.
3. Pay.UK applies its own enforcement regime, but with escalation to the PSR explicitly included as one of the steps in that regime. If escalated to us, we would follow the process in option b”.

Next steps

The consultation will remain open until 25 November 2022. Following the deadline, the PSR will publish a policy statement on mandatory reimbursement early in the new year.

The PSR will publish draft regulatory requirements for consultation in-line with the expected statutory deadline of two months following the relevant legislative provisions coming into force.

The relevant provisions of the Finance and Markets Bill are expected to come into force around spring 2023. By then Pay.UK would be expected to begin the process of implementation for the new requirements on reimbursement.

If you would like to receive our regular Payments alerts in your inbox, click here.

If you would like to read Bird & Bird’s previous alerts, please check out our Payments webpage here.