PSR consultations on APP fraud reimbursement limit and consumer standard of caution

On 15 August 2023, the Payment Systems Regulator (PSR) published two consultations (CP23/6 and CP23/7) in relation to its new reimbursement requirements which aim to improve the level of protection for victims of authorised push payment (APP) fraud.

The consultations are centred around the reimbursement requirement claim excess, the maximum reimbursement limit and the required consumer standard of caution.

Background

In our article back in September (available here), we discussed the PSR’s industry consultation on APP scams reimbursement and the proposed measures around mandatory reimbursement for victims in all but exceptional cases.

In June 2023, the PSR published its resulting policy statement (PS23/2) outlining the new APP fraud reimbursement requirement which will:

• Require payment firms to reimburse all in-scope customers who fall victim to APP fraud in most cases
• Share the cost of reimbursing victims 50:50 between sending and receiving payment firms
• Provide additional protections for vulnerable customers that will see mandatory reimbursement awards to be given to vulnerable customers within five days.

It also stated its final policy position in relation to three key components of the reimbursement obligation:

• Claim excess: Sending payment service providers (PSPs) may apply a claim excess under the new reimbursement requirement. This cannot be applied to vulnerable customers.
  
• Minimum threshold: There is no separate minimum value threshold for APP fraud claims.
  
• Maximum level of reimbursement: There is a maximum level of reimbursement for APP fraud claims (by value) under the new reimbursement requirement.

The PSR also stated that there would be two exceptions to the general reimbursement obligation: (a) where the consumer seeking reimbursement has acted fraudulently (first-party fraud); and (b) where the consumer has acted with gross negligence (the consumer standard of caution), albeit the consumer standard of caution would not apply to consumers who are identified as being vulnerable to a particular APP scam.

In line with its policy statement in June, the PSR is now consulting on the values of the claim excess and maximum reimbursement limit, as well as on the consumer standard of caution.

Who do the consultations apply to?

The requirement for reimbursement for victims of APP fraud will apply to all participants in Faster Payments, including indirect PSPs as well as PSPs connected indirectly through indirect access providers (IAPs). The PSR is also asking questions on the topic of a maximum reimbursement level for CHAPS on behalf of the Bank of England (in relation to its intention to create comparable protections for retail CHAPS payments), and therefore CP23/6 is also relevant to CHAPS participants that have retail customers.

What are the PSRs current proposals?

The PSR is seeking views on the most appropriate way of structuring a claim excess. This includes whether an excess should be a fixed amount (similar to an insurance claim excess) or a percentage of the reimbursement claim amount.

The PSR has proposed that the maximum reimbursement level should be in line with the prevailing Financial Ombudsman Service limit of £415,000 per claim - which is what around 98% of APP fraud falls within. The regulator is also consulting on whether the maximum level will apply to vulnerable consumers.

In relation to the consumer standard of caution, the PSR’s high level proposal is that consumers should be expected to meet an express standard of care when executing APPs consisting of three core elements:

• A requirement to have regard to warnings: Consumers should have regard to specific, directed warnings raised by their PSP. These must occur before an APP is executed and make clear that the intended recipient of the payment is likely to be a fraudster.
• A prompt reporting requirement: Consumers who learn or suspect that they have fallen victim to an APP scam should report the matter promptly to their PSP. In any event, they should report it no more than 13 months after the last relevant fraudulent payment was authorised.
  
• An information sharing requirement: Consumers should respond to any reasonable and proportionate requests for information made by their PSP. This is to help them assess a reimbursement claim and whether the consumer is vulnerable.

Next Steps

Both consultations close on 12 September 2023. The PSR aims to publish its final policy position on the excess and maximum reimbursement level, as well as on the consumer standard of caution by the end of 2023. The PSR will also publish its final guidance document on the consumer standard of caution by the end of the year.

The new reimbursement requirement will come into force in 2024.

Commentary

Given the current rates of fraud, with 207,372 incidents of APP fraud reported in the UK in 2022 (CP23/6) and the ever-evolving tactics of fraudsters, the new rules on reimbursing victims are likely to have significant industry impact. Particularly since under the current model only ten financial institutions are currently signatories to the voluntary Contingent Reimbursement Model (CRM) Code which sets out certain standards for signatory PSPs and is designed to give people the confidence that, if they fall victim to an APP scam and have acted appropriately, they will be reimbursed.

The Financial Services and Markets Act 2023, which recently received Royal Assent, now allows the PSR to impose mandatory reimbursement requirements on PSP participants in Faster Payments.

During previous consultations, several respondents had raised concerns that the new reimbursement requirement could lead customers to exercise less caution when making payments, safe in the knowledge that they are more likely to be reimbursed. Given the breadth of PSPs caught by the PSRs new requirements, this is likely to be a particular concern for smaller market participants from both an operational and financial perspective. The PSR has accepted that this a valid risk which will need to be managed as the new requirements are rolled out, albeit it has noted that both PSPs and customers have a role to play in managing APP fraud risk.

It will be interesting to see how the reimbursement requirement takes shape following these current consultations.

If you would like to read Bird & Bird’s previous alerts, please check out our FinTech webpage here.