New Rules To Tackle Authorised Push Payment Fraud

Skadden Publication / The Capital Ratio

Robert A. Chaplin Azad Ali William Adams

Background and Scope

Authorised push payment (APP) fraud in the UK is the largest type of payment fraud, both in number of scams and value of losses. It involves a fraudster convincing someone to send a payment to a bank account that the fraudster controls. This type of fraud exploits the speed of direct electronic payments, with victims often believing they are making payments for legitimate reasons. In response to the increasing incidence of APP fraud, UK regulators and industry stakeholders have been seeking ways to better protect consumers and ensure that victims have a clearer path to reimbursement. Consultations on how to tackle APP fraud have focused on several key areas, including introducing more rigorous identity checks, improving the speed and efficiency of fraud reporting and response by banks, and establishing a more consistent approach to the reimbursement of victims.

In the UK, the Payment Systems Regulator (PSR) is the body tasked with overseeing payment systems, including payment rails such as the Faster Payment System (Faster Payments) and the Clearing House Automated Payment System (CHAPS) as well as card schemes such as Mastercard and Visa. In September 2022, the PSR published a consultation paper (CP22/4, the Consultation) proposing a mandatory reimbursement requirement on payment service providers (PSPs) for victims of APP fraud. In response to the Consultation, the PSR published policy statements in June 2023 (PS23/2) and December 2023 (PS23/4) that set out the finalised parameters of the reimbursement requirement and associated rules (the Reimbursement Rules). These are supported by proposed amendments to the Payment Services Regulations 2017 (PSR 2017), discussed further below.

Faster Payments was used for 97% of APP fraud payments in 2021.1 As a result, the Reimbursement Rules will apply to PSPs that are direct or indirect participants in Faster Payments, or that provide a relevant account in the UK to their service users that can send or receive Faster Payments. Credit unions, municipal banks and national savings banks are excluded. The Bank of England is currently working towards creating a similar set of rules for CHAPS participants.2

To implement the new rules, the PSR will issue:

  • a specific requirement imposed on Pay.UK3 to change the Faster Payments scheme rules to include the Reimbursement Rules no later than 7 June 2024;
  • a specific direction given to Pay.UK to create and implement an effective compliance monitoring regime for PSPs in line with the Reimbursement Rules by 7 June 2024; and
  • a specific direction given to Faster Payments participants obliging them to comply with the Reimbursement Rules.

We examine the key aspects of the Reimbursement Rules below.

Mandatory Reimbursement

From 7 October 2024, the Reimbursement Rules will require all PSPs, save for credit unions, municipal banks and national savings banks, sending payments over Faster Payments to fully reimburse all their consumers, including microenterprises and charities, that are victims of APP fraud. For “multi-step fraud” cases, which may involve a number of different payments to different accounts, the payment that is covered will be the Faster Payment made to an account controlled by a person other than the customer, where the customer has been deceived into granting authorisation for the payment.

The requirement to reimburse is subject to a maximum amount of £415,000 and does not apply to:

  • civil disputes;
  • payments that take place across other payment systems;
  • international payments; or
  • payments made for unlawful purposes.

Sending PSPs must reimburse the victim within five business days but can “stop the clock” under certain circumstances, such as in order to gather additional information from the victim, the receiving PSP or law enforcement (particularly where multi-step fraud is suspected), or to verify that the claim is legitimate. There is no limit to how many times a sending PSP can stop the clock, but it must arrive at an outcome after 35 business days, irrespective of the amount of time for which the clock has been stopped.

Receiving PSPs are obligated to respond to a sending PSP’s requests for further information in connection with an APP fraud claim and must pay the sending PSP 50% of the reimbursement that the sending PSP has paid the customer.

If a claim for reimbursement is denied, either because of a missed time limit or as a result of one of the applicable exceptions (see below), customers will still be able to make a claim via the Financial Ombudsman Service in the usual way.

Time Limit To Report APP Fraud

As is the case for claims for refunds of unauthorised payments under the PSR 2017, sending PSPs have the option to deny APP fraud claims that are submitted more than 13 months after the final payment was made to the fraudster.

The assessment outcome by the sending PSP is final, so any subsequent differing outcome — by a court or the Financial Ombudsman Service, for example — will not be treated as a reimbursement under the Reimbursement Rules. Therefore, unless otherwise specified in the dispute decision, the sending PSP will be liable for the reimbursement amount if they decided not to reimburse the customer and a decision is made in favour of the customer.

Claim Excess

Sending PSPs will be able to apply a claim excess up to £100 in order to encourage customer vigilance, but they are not obligated to. However, the 50-50 liability split between the sending PSP and the receiving PSP is always calculated on the assumption that a £100 claim excess has been applied. Thus, if a sending PSP chooses not to apply an excess, it cannot claim the amount not applied from the receiving PSP. A claim excess cannot be applied if the customer is a vulnerable customer (defined further below).

Exceptions to Reimbursement

The Reimbursement Rules provide two exceptions to the mandatory requirement to reimburse:

  • where the customer has acted fraudulently (“first-party fraud exception”); or
  • where the customer has acted with gross negligence, unless the customer is vulnerable (the “consumer standard of caution exception”).

The burden of proof is on the sending PSP to prove gross negligence, which the PSR has clarified requires the customer to have shown a significant degree of carelessness. In August 2023, the PSR consulted separately on the consumer standard of caution exception (CP23/7) to specify a standard of care that consumers are expected to meet, which includes the following requirements:

  • to have regard to specific, direct warnings or interventions raised by their PSP or a competent national authority that a potential payment is likely to be an APP fraud payment;
  • to promptly notify and report to their PSP, and in any event within the 13-month time limit;
  • to respond to any reasonable and proportionate requests for information made by their PSP, including those under the “stop the clock” rules; and
  • to consent to a request from their PSP to (i) report to the police on their behalf or (ii) that the consumer report directly to a competent national authority, after making a reimbursement claim.

A customer failing to meet one of the requirements is not, in isolation, a sufficient reason for reimbursement to be refused. It must be shown that the customer did not meet one of the requirements due to gross negligence.

Vulnerable Customers

The Reimbursement Rules adopt the Financial Conduct Authority’s (FCA) guidance for PSPs on the fair treatment of vulnerable customers (FG21/1), which defines a vulnerable customer as “someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care”. PSPs are required to evaluate each customer on a case-by-case basis to determine whether or not they are considered vulnerable, and to implement measures that appropriately protect such customers.

Certain types of vulnerable customers may be more susceptible to the social engineering techniques deployed in APP fraud if their decision-making has been impaired. Therefore, if a PSP determines that a customer meets the FCA’s definition of vulnerability for a specific APP fraud, such a customer will be exempt from the consumer standard of caution and a claim excess may not be applied.

Further, any PSP will need to consider its obligations to vulnerable customers under the FCA’s consumer duty when complying with the Reimbursement Rules. In practice, PSPs face an increasingly delicate balancing act in considering their obligations to vulnerable customers whilst at the same time considering customers’ reasonable expectations and their own commercial interests.

PSR Expectations of PSPs on Implementation

By the 7 October implementation date, the PSR expects that PSPs will have in place policies and systems to:

  • log, process and settle claims and reimburse victims that goes beyond reliance on the Pay.UK system; and
  • share information between the sending and receiving PSP.

PSPs will need appropriate governance and controls in place to ensure compliance with the Reimbursement Rules and must communicate transparently with their consumers.

Amendments to the PSR 2017

Last month, the UK Treasury published two near-final draft statutory instruments that amend the PSR 2017. The first, the Payment Services Amendment Regulations 2024, amends Regulation 86 of the PSR 2017 to give PSPs the ability to delay the execution of certain payment orders if the PSP has reasonable grounds to suspect the order has been executed as a result of fraud by a third party. The delay is to allow the PSP to determine whether the order should be executed and cannot exceed the end of the fourth business day following the time of receipt of the payment order. If a PSP delays a payment order in this way, it must notify the payer by the end of the business day following the receipt of the order of:

  • the fact that there will be a delay in execution of the payment;
  • the reasons for the delay; and
  • any information or action required of the payer to enable the PSP to decide whether to execute the order.

The second, the Payment Services and Payment Accounts (Contract Terminations) (Amendment) Regulations 2024, increases the minimum termination notice period for PSPs terminating payment service framework contracts from two months to 90 days. PSPs will also be required to give the reasons for the termination so a user can understand why the contract was terminated. Exceptions to these new rules include:

  • where PSPs are required to cease transactions under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 because they are unable to carry out customer due diligence measures;
  • where PSPs reasonably believe a payment service provided under the framework contract is, or is likely to be, used in connection with serious crime; and
  • where a PSP is required to terminate a framework contract by the FCA, HM Treasury or the Secretary of State.

Conclusion

The Reimbursement Rules are a significant step by the PSR to tackle the growing number of APP fraud cases. However, they may result in PSPs incurring significant costs, particularly smaller firms that sit outside the existing Contingent Reimbursement Model Code (CRM Code)4 that will need to make a number of changes to their existing systems and controls to ensure compliance. Smaller firms with less capital may also struggle to reimburse customers, which may prompt some to stop offering Faster Payments services.

_______________

1 The Faster Payment System in the UK is a payment system which enables near-instantaneous bank-to-bank transfers, operating 24/7 to support a wide range of transactions. Its membership spans a broad spectrum of financial institutions, from major traditional banks like Barclays and HSBC to modern digital-first entities such as Monzo and Starling Bank.

2 The Clearing House Automated Payment System (CHAPS) is a payment system that facilitates real-time, high-value, same-day payments from PSPs to their customers that are settled over the Bank of England’s Real-Time Gross Settlement system, operating from 6 a.m. to 6 p.m. each working day. CHAPS direct participants comprise banks that have several thousands of other financial institutions making payments through CHAPS indirectly through one of the direct participants.

3 Pay.UK is the recognised operator and standards body for the UK’s national retail interbank payment systems, including Faster Payments, the BACS Payment System (the system for high-volume, regular interbank retail payments) and the Image Clearing System (the system enabling images of cheques to be exchanged for clearing and payment). It provides the digital payments networks used by the UK’s PSPs.

4 The Contingent Reimbursement Model Code is a UK payments industry initiative led by the Lending Standards Board that was launched in 2019 to help reimburse victims of APP fraud, in response to criticisms of the banking industry’s lack of a consistent mechanism for reimbursement. It is a voluntary code that covers most of the major UK banks but not smaller financial institutions.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.

BACK TO TOP