After the Financial Services and Markets Bill received royal assent on 29 June 2023, the Payment Systems Regulator (PSR) obtained new powers to direct Payment Services Providers (PSPs) using Faster Payments to fully reimburse victims of authorised push payment (APP) fraud, with the reimbursement requirement coming into force next year.
Tommaso Scarpa, head of financial crime at Currencycloud, the international payment solution provider, explores whether financial institutions fully understand and are prepared for the impact of the new drastic change in regulation surrounding APP fraud.
Authorised push payment fraud involves deceiving payers into sending payments to criminals. Here’s a particularly vicious example: a first-time house buyer goes to transfer their deposit to their solicitor to complete the deal, only to find out the solicitor’s email has been hacked and they’ve sent their deposit to a fraudster.
APP fraud is financially and psychologically devastating for the victim and lucrative for the fraudster. And it’s common: in 2022, close to half a billion pounds was stolen through APP fraud in the UK alone.
The true figure is likely to be much higher as many cases go unreported and involve harder-to-track cross-border transactions.
Part of the reason so much goes unreported is that victims are unlikely to get any money back. Financial institutions (FIs) are currently not legally required to refund victims of APP fraud, and few do. The thinking goes that the FI is legitimately instructed to make the payment by the victim. It’s their account, their money, and they choose to send it.
The PSR disagrees, and from 2024 all PSPs using the Faster Payments Scheme (FPS) will be legally obligated to reimburse victims of APP fraud. Moreover, victims will need to be paid back by the FI no more than five days after the incident. It’s a radical change in the UK’s approach to APP fraud. But do FIs, especially non-banks, understand the implications and can they meet the PSR’s ambitious timelines?
The risk of unintended consequences
The objective of the regulation is to incentivise FIs to prevent APP fraud through better controls. But setting up those controls takes time, is expensive and requires know-how. Given the requirement for quick reimbursement, FIs also need to ensure they have a sizeable chunk of cash on hand to pay back victims.
The big banks are likely to already have the personnel, the data and the bottom line. But the smaller non-bank FIs, many of which have already suffered in the fintech downturn of the last year, may find it much harder.
The short-term response may be widespread de-risking. The scheme limit for a single transaction on FPS is currently one million pounds, but there is no lower boundary, meaning many FIs could opt to lower it to £250,000, or perhaps even less. Until they are very confident in their controls they will tread carefully, and lowering transaction limits may be an easy way of doing that. Of course, this isn’t the point of the regulations and won’t help consumers.
Exacerbating the problem is the fact that many non-banks are not direct participants in the FPS scheme but instead rely on another PSP which is. If the direct participant finds itself liable for the APP fraud of its indirect PSP, it may well rethink its appetite to provide that service considering this new form of credit risk. And it doesn’t stop there: both direct participants and indirect participants can offer embedded FPS access to other FIs, including non-UK ones. If in scope, these might find that enforcing reimbursement based on a contract alone is difficult, especially across international borders.
The cost of reform
Consumers could also face additional costs because of the reforms. FPS is meant to be the fastest and cheapest option, with payments landing in near real-time compared to other payment rails. That is likely to change, with FIs stopping and investigating significantly more payments. In theory, this will help protect customers at risk of fraud, but it could also add friction and cost to the customer experience, with legitimate payments delayed and maybe even blocked. Getting the balance right will be tricky and take time, and the temptation to use different payment rails, where reimbursement is not yet mandatory, may start to creep in.
FIs that try to combat APP fraud by porting across existing AML transaction monitoring controls, on which they’ve already spent lots of time and money, are likely to find these are not effective. The established risk-based approach to AML means controls are geared towards higher-value transactions.
By contrast, fraud tends to be high volume/low value, requiring much more effort to investigate transactions manually. And retrospective monitoring won’t help much since the fraud will have already happened. Getting the right controls in place and working properly will be expensive and time-consuming.
The PSR will say these controls should already be in place, or at least well on their way, as APP fraud is nothing new. However, it is possible the new regulations will also make certain types of fraud even more likely, particularly those for which controls are not yet mature.
For example, it’s very likely that first-party fraud (where both the sender and the receiver are fraudsters working together) will significantly increase. With first-party fraud you no longer have to convince a victim to send you funds; you just have to convince the FI you’ve been defrauded. The victim then becomes the FI, duped into reimbursing a fraudster who never actually lost any money.
Under the new regulations, sending PSPs will need to fully reimburse victims within five days, and then recoup 50 per cent from the receiving PSP. So once the fraud has happened, the sending PSP is at the mercy of the receiving PSP’s controls and will hope they were quick enough to block the fraudster’s accounts before the funds were used. FIs could become particularly sensitive to repeat offenders, monitoring closely which PSPs present high levels of fraud risk. This means receiving PSPs targeted by fraudsters may find themselves blocked by other FIs very quickly, and unable to do much about it.
FIs must act now
The direction of travel of the PSR is undoubtedly the right one, as more needs to be done to protect consumers from APP fraud. As always, however, the implementation of the regulations will be key, because if it catches the industry unawares the unintended result could be de-risking instead of upskilling, which ultimately does not help the consumer.
Gradually ramping up the maximum reimbursement value may be a sensible approach to manage the ‘day 1’ prudential risk FIs will suddenly be taking, thus reducing their temptation to de-risk.
Either way, now is the time for all FPS participants to shore up fraud-specific controls, focusing on the dynamic risk rating of transactions, data sharing with other FIs and law enforcement, and even ‘AI’ solutions for fraud detection.