Mandatory reimbursement for UK authorised push payment fraud: the countdown is on
Published on 6th Sep 2024
With the 7 October deadline approaching, firms grapple with a raft of rules and guidance from the payments regulator
Authorised push payment (APP) fraud occurs when someone is tricked into sending money from their account to a fraudster, believing it to be a legitimate transaction. What sets this apart from other forms of fraud is that the transfer looks legitimate from the perspective of the payer's bank, since it is "authorised" using the payer's log-in credentials.
In 2023, APP fraud losses in the UK alone amounted to £459.7 million across almost a quarter of a million cases. Just over 60% of this amount was reimbursed to the victim under the current voluntary Contingent Reimbursement Model Code, to which 10 financial institutions have signed up.
In June last year, the UK Payment Systems Regulator (PSR) published a policy statement on new mandatory reimbursement requirements for all payment service providers (PSPs), where APP fraud takes place via the Faster Payment System affecting an individual, microenterprise or small charity.
Developments since the policy statement
The PSR has issued Specific Direction 20 (amended July 2024), which contains the Faster Payments APP scam reimbursement requirement and directs in-scope PSPs to comply with the reimbursement rules. The regulator has also published a list of Faster Payments participants potentially in scope of Specific Direction 20.
Following further PSR consultations on aspects of the new regime, additional detail has emerged on how it will work in practice.
Maximum level of reimbursement
A maximum level of reimbursement of £415,000 per claim has been included in the rules for all in-scope customers, including vulnerable customers. This amount was based on the then current Financial Ombudsman Service (FOS) award limit for a single complaint – however, while the FOS limit has since increased to £430,000, the mandatory reimbursement cap will not increase automatically over time, as laid out in the PSR's December 2023 policy statement.
However, after concerns were raised regarding the £415,000 maximum and the impact it could have for some smaller firms in the market, the PSR undertook a review of the value of historic APP fraud scams. As a result of the review, on 4 September 2024 the PSR published a consultation on setting the maximum amount of compensation at a reduced level of £85,000 – this is in line with the maximum level of compensation under the Financial Services Compensation Scheme for individual depositors if their banking institution were to become insolvent. Among other things, the PSR's review found that 99.8% of all APP scam cases would fall below a new proposed limit of £85,000 and around 90% of the total APP scams value would be below the new proposed maximum limit.
Maximum claim excess
The sending PSP may apply an optional excess of up to £100 per claim. The regulator acknowledges that this will affect overall reimbursement rates – UK Finance data indicates that up to 32% of cases would receive no reimbursement – but considers this is balanced by the encouragement to customers to remain vigilant when making payments.
No claim excess can be applied for vulnerable customers, with the PSR's December 2023 policy statement giving further details of the regulator's approach.
Consumer standard of caution
The rules require firms to reimburse all in-scope APP fraud victims, except where the victim has acted fraudulently or with gross negligence. The consumer standard of caution will not apply to vulnerable customers.
Following consultation, the PSR's final approach to the consumer standard of caution exception will consist of:
- The requirement to have regard to interventions. Consumers should have regard to interventions made either by their sending PSP or by a competent national authority, such as the police. That intervention must offer a clear assessment of the probability that an intended payment is an APP scam payment.
- The prompt reporting requirement. Consumers should, on learning or suspecting that they have fallen victim to an APP scam, report this promptly to their PSP, and in any event not more than 13 months after the last relevant payment was authorised.
- The information sharing requirement. Consumers should respond to any reasonable and proportionate requests for information made by their PSP to help assess a reimbursement claim.
- The police reporting requirement. Consumers should, after making a reimbursement claim, and upon request by their PSP, consent to the PSP reporting to the police on the consumer’s behalf. The PSP can alternatively ask the consumer to report the details of the APP scam to a competent national authority directly.
Where a non-vulnerable consumer has, as a result of gross negligence, not met one or more of these standards, their PSP would not be required to reimburse them.
The PSR interprets "gross negligence" to be a higher standard than the standard of negligence under common law – the consumer needs to have shown a significant degree of carelessness. The onus will be on the PSP to prove a consumer has behaved with gross negligence. The PSP will, therefore, have to look at the reason why the consumer did not meet the above requirements.
The PSR's December 2023 policy statement gives more details on the approach. The regulator also published guidance on the consumer standard of caution in December 2023.
Compliance and monitoring
As the operator of the Faster Payments system, Pay.UK is responsible for monitoring in-scope PSPs’ compliance with the Faster Payments reimbursement rules, which includes:
- Collecting data from PSPs and monitoring the compliance of all in-scope PSPs with the rules.
- Acting appropriately on breaches of the reimbursement rules by PSPs, in line with the agreed compliance monitoring process.
- Reporting data to the PSR to allow it to enforce the rules.
Reporting standard A will come into effect on 7 October 2024 – the PSR will consult on the effective date for a potential reporting standard B in late 2024. The PSR's July 2024 policy statement on compliance and monitoring sets out further details.
The regulator also expects in-scope PSPs to publish APP fraud data, and has published guidance explaining the content, format, and timescales.
Implementation date
This is set as 7 October 2024, the later of the two possible start dates originally consulted on.
Firms were required to register with Pay.UK by 20 August in order to use the reimbursement claim management system, which will also support communication between firms, and report data to Pay.UK.
Application to CHAPS
The Clearing House Automated Payment System (CHAPS) is a payment system that is used to settle same-day high-value payments and time-critical low-value payments, such as buying or paying a deposit on a property. The Bank of England is committed to reaching comparable outcomes of consumer protection for retail CHAPS payments, with the same effective date of 7 October 2024, while reflecting the nature of CHAPS as a wholesale payment system. This will be achieved through a combination of directions from the PSR to CHAPS participants, and changes to the CHAPS rulebook.
In May this year, the PSR consulted on the CHAPS APP scam reimbursement requirement – its approach to CHAPS is as similar as possible to the approach to Faster Payments. In August, the Bank of England released the latest proposed CHAPS reimbursement rules. The PSR is expected to release its specific direction for CHAPS in September.
Reporting for CHAPS will initially be via email to the Bank directly, rather than via Pay.UK’s system. Reporting will initially be based on reporting standard A only.
What next?
There are a number of upcoming deadlines for PSPs to be aware of:
Sending PSPs must submit the first report, covering the period 7 October to 30 November, to Pay.UK under reporting standard A by 6 January 2025. All subsequent reports must be submitted monthly and cover claims closed in the previous calendar month.
The reporting deadline for CHAPS remains to be confirmed but is likely to align with the deadline for Faster Payments reporting.
As required by Specific Direction 20, in-scope PSPs must amend the terms and conditions of their relevant contracts to provide that they will reimburse their consumers as and when required by the Faster Payments reimbursement requirement and rules. They should do so at the earliest practicable opportunity, and in any event by the 9 April 2025 deadline.
Osborne Clarke comment
The PSR is aiming to balance its policy objectives of enhancing consumer protection and building confidence in payment systems with the risk that customers may take less care making payments if they assume they will be reimbursed following APP fraud.
The new rules will no doubt have a significant impact on PSPs, particularly those who may have fewer resources at their disposal to ensure compliance and invest more heavily in fraud prevention. We have seen a backlash to the new regime across the industry, with fears voiced such as the deadline being too tight, and the £415,000 maximum compensation limit being too high with the potential to encourage rather than deter fraud, so the PSR's consultation to reduce the maximum limit will be welcomed by many in the industry. There is also concern that the tech and social media firms which often feature in the lifecycle of APP fraud are not on the hook for any reimbursement costs.
So far, the PSR seems to be pressing ahead with its plans, meaning firms will need to ensure they are ready to comply by the 7 October deadline.
Sophie Mullarkey, a Trainee Solicitor with Osborne Clarke, co-authored this Insight.