Out-Law News 3 min. read
14 Jun 2023, 3:43 pm
UK payment firms have been urged to begin work to implement new reimbursement requirements designed to help protect victims of authorised push payment (APP) fraud made over the UK’s near-instant retail payment system.
APP fraud occurs where the victim is tricked into making a payment to an account controlled by a fraudster, such as to purchase something they will never receive or due to invoice or impersonation scams. Fraudsters often use social engineering and impersonation to manipulate and gain the trust of their victims. APP fraud losses totalled nearly £500 million in the last year, according to the UK Payment Systems Regulator (PSR).
Under the proposed new rules, payment firms will have to reimburse most APP fraud victims within five business days and additional protections will be put in place for vulnerable customers. The PSR said the Financial Services and Markets (FSM) Bill, currently making its way through parliament, would remove barriers and allow it to direct firms to reimburse customers.
The new rules will apply to the Faster Payments system – the payment system across which the vast majority of APP fraud currently takes place. The PSR said that all payment firms will be incentivised to take action, with both sending and receiving firms splitting the costs of reimbursing victims equally.
Retail banking expert Andrew Barber of Pinsent Masons welcomed the reforms. “’Sending payment’ firms already signed up to the voluntary contingent reimbursement model (CRM) code will undoubtedly welcome ‘receiving payment’ firms paying a portion of the costs of reimbursement.”
“This cost to receiving payment firms will give them a significant financial incentive to take stronger action to identify, block and ultimately close the accounts of fraudsters. After all, removing a fraudsters ability to receive payments is probably the biggest single action that could be taken to stop APP fraud. However, there is the risk that the cost of reimbursement may be a significant financial burden for smaller payment firms,” Barber said.
In July, the PSR will consult on the draft legal instruments to put reimbursement requirements in place, before consulting on the maximum level of reimbursement, claim excess and customer standard of caution. Then, in October, the PSR plans to give the final legal instruments to Pay.UK, which operates the Faster Payments system, and will consult further with payment firms. The PSR said it expects the regime to come into force in 2024 following the publication of the claim excess, maximum reimbursement level, guidance on the customer standard of caution and the legal instruments by the end of this year.
Josie Day of Pinsent Masons said the process and its timing hinges on the FSM Bill becoming law. “The current version of the FSM Bill, as amended in Grand Committee on 23 March 2023, provides that from the date the relevant section in it comes into force, which is two months after Royal Assent, then the PSR will have two months to publish a draft reimbursement requirement for qualifying cases of Faster Payments resulting from fraud, and six months to impose the requirement.”
“The draft section also contains the necessary amendments to the Payment Services Regulations 2017. The high-level timeline in the PSR’s policy statement refers to an assumed date of ‘Q3 2023’ for Royal Assent of the FSM Bill – but it is worth emphasising that is an assumption. In terms of its actual progress through the parliamentary process, the Bill has now moved to third reading in the House of Lords,” Day said.
“Assuming the relevant section comes into force as it is in the Grand Committee version of the FSM Bill, once these time periods for the PSR to meet start running, the payments industry will not have the luxury of time, as the PSR has already made clear in its policy statement it expects payments firms to start work now to implement the new reimbursement requirement,” she added.
Angus McFadyen of Pinsent Masons said the reforms would extend APP fraud protection to a large number of customers. “Some banks are already part of the voluntary code that achieves similar outcomes. For those banks, this is an evolution of that code, bringing more clarity in a number of areas and, importantly, providing for reallocation of liability between sending and receiving banks.”
“For those banks that are not part of the voluntary code, this is a much larger change. New technology and processes will be required across the industry to deliver upon the requirements,” he added.
Alongside reimbursement, the regulator plans to publish data on how well firms are protecting customers from fraud and will promote intelligence-sharing to spot and prevent fraudulent transactions. The PSR will also expand the roll-out of the name-checking service Confirmation of Payee.