Payments regulator pushes forward with UK consumer protection against fraud
Published on 26th Oct 2022
Proposed measures include mandatory compensation for fraud and extended powers to crypto-exchanges
The Payment Systems Regulator (PSR) is consulting on how to exercise its new mandate to protect customers from fraud. Under the Financial Services and Markets Bill (FSMB), published in July 2022, the PSR is required to publish draft rules on the liability of payment service providers (PSPs) for losses to consumers arising from fraudulent transactions. The PSR is pushing forward with its proposals, even before the FSMB becomes legislation.
APP fraud
The new proposals are focussed on compensating the victims of authorised push payment (APP) fraud. An APP fraud arises where a fraudster tricks a payer into making a payment from their account to an account controlled by the fraudster. However, when the instruction is given to the customer's payment service provider (PSP) to effect the payment, from the PSP's perspective, the payment looks "legitimate" as it was authorised by the customer. In reality, it is a fraud: the purpose of the transaction was to scam the customer.
APP fraud is a huge problem in the UK. The losses from APP scams totalled £583.2m in 2021, which was up nearly 40% from 2020.
It is also an area where there has historically been very limited legislation. There is currently a voluntary code to compensate victims of APP fraud in place – the Contingent Reimbursement Model (CRM) Code – but only 10 PSP groups are signatories, and there are now over 400 PSPs in the market.
Although reimbursement rose significantly after the introduction of the CRM Code in May 2019 (when only 19% of victims received any compensation), less than half (46%) of victims were reimbursed in 2021.
The PSR has concluded the voluntary, industry-led approach is not sufficient and that it needs to intervene.
The new proposals
The PSR is proposing that reimbursement of APP fraud losses should be mandatory for all PSPs who send payments over the UK's Faster Payments system: these are received almost immediately by the scammer, giving the customer no time to realise they've been scammed and cancel the payment.
Under the PSR's proposals, the only exception will be where the customer was themselves involved in the fraud and/or they acted with "gross negligence". This is a higher standard than that under the voluntary code and should see a higher proportion of victims compensated.
The PSR's aim is to:
- Improve the level of protection for APP scam victims;
- Incentivise PSPs to prevent APP scams; and
- Increase confidence in the Faster Payment system.
Reimbursement would be required within no more than 48 hours from the fraud being reported.
The PSR is proposing that there be:
- A minimum threshold for claims (of no more than £100);
- A right to withhold an "excess" (of no more than £35); and
- A time limit to bring claims (of no more than 13 months).
Perhaps controversially, the PSR is also suggesting that the cost of the reimbursement should be borne equally between the PSP responsible for sending the payment and the PSP responsible for the account to which the monies are sent. This is a new proposal that could impose liability on receiving PSPs even where they have no power to prevent the transaction from occurring. The PSR has indicated that the "default" 50:50 sharing of responsibility can be amended by contractual agreement between PSPs, but in a market of over 400 operators, and where the overwhelming majority of transaction "initiations" will be carried out by just a handful of major retail banks, negotiating a change from the default may be difficult in practice.
Further, it appears that the PSR is intending to increase its regulatory perimeter to capture crypto-exchanges. The PSR's proposals note that the "end to end" journey of some APP scams involves more than one payment, not all of which will involve the Faster Payments system. The PSR specifically refers to crypto-wallets and crypto-based payment systems as an example and is inviting views on how rules could be implemented to include the wallet-providers with the obligation to partially reimburse victims.
Osborne Clarke comment
The PSR has clearly been moving in this direction for some time given the approach taken in its previous consultations on this issue. While the need to prevent the scale of fraud being seen – over half a billion pounds a year – is clear, the extension of a mandatory reimbursement scheme to the whole PSP-market is clearly going to drive up compliance costs.
The implementation of the "50:50" split between initiating and receiving PSPs is likely to be administratively difficult (particularly given the 48-hour limit to pay any compensation) but perhaps reflects feelings within the industry that a liability split should incentivise PSPs to carry out increasingly thorough customer due diligence and similar checks at onboarding. However, the proposal for a minimum threshold and "excess" may help reduce the administrative (and insurance) costs. The proposal may also reduce referrals to the Financial Ombudsman Service (FOS) (which incur a £750 FOS case fee with each complaint, regardless of outcome).
That said, the proposals are likely to present specific challenges to fintechs because cumbersome anti-fraud checks could get in the way of the speed and automation that sets their user experience apart from traditional banks.
However, as we have commented previously, the extension of the mandatory duty is likely to have a significant impact on the legal duties that PSPs owe to their customers – and not just the consumers and small and medium-sized enterprises protected under these proposals.
Historically, prior to the implementation of the CRM Code, customers had to rely on the so-called Quincecare duty to recover lost sums from their bank. The Quincecare duty is, essentially, a common law liability on banks that effect fraudulent APPs where they had reasonable grounds to believe the APP instruction arose from a fraud.
The scope of the Quincecare duty has been increasing over recent years as more businesses switch from traditional banks to digital services and fintech providers. One of the remaining limits on the scope of that duty was the fact that there was no mandatory industry code; for example, Judge Russen QC in Philipp v Barclays Bank did not accept that the Quincecare duty could be properly used to impose a higher standard at common law than was required under the rules of an industry code.
Now that industry code requires compensation in all but the most egregious cases of customer negligence, it will be interesting to see how the law follows.