UK and European Authorised Push Payment (APP) fraud remains to be a big issue

In Europe the European Payments Council (EPC) discussed the overall payment fraud trends, including APP fraud, but it does not provide specific figures for Europe as a whole. (See link). EDC believes that APP fraud losses across Europe could be as high as €2.4 billion (an EDC estimate), increasing by 20 to 25 percent yearly. It isn’t a surprise that APP fraud in the UK is measured in the millions whereas in Europe it is measured in the billions. According to Banque de France, APP fraud in France corresponds to 59% of total fraud in value terms. The European Commission has recently published a draft PSD3 which includes new Payment Services Regulation which would introduce limited liability on PSPs for APP fraud. Part of the fight against fraud is the use of Confirmation of Payee (CoP) for instant payments. This is effectively an IBAN/name matching verification service. The PSP will be required to show the customer any non-match results before they proceed to complete the transaction. CoP already exists in the UK since 2019. The EU the revised Payment Services Directive (PSD2) proposes a Verification of Payee (VoP) scheme. The rule is currently in consultation and its publication is expected in September 2024 and potential implementation by September 2025. Regardless of whether it is called CoP or VoP it doesn’t really stop APP fraud.  

UK Finance published its Annual Fraud Report in June 2024, which detailed the amount of money, as reported by UK Finance members, that was stolen by criminals through financial fraud during 2023. It reported that over £1.17 billion was stolen by criminals through authorised and unauthorised fraud in 2023, equivalent to approximately £2,226 every minute of the year – which was not much of an improvement to the reported figures in 2022 which was approximately £2,300 every minute (see link). Unauthorised fraud is where the account holder itself does not provide authorisation and the transaction is carried out by a criminal (for example, the victim’s card details are used without their knowledge or consent).

Authorised Push Payment (APP) related fraud losses reached £485.2 million in 2022 in the UK, which was down 17% compared to 2021.  It is now £459.7 million in 2023 as reported in the latest report and that is only down around 5%. APP fraud losses are mainly driven by the fraudulent activities of criminals scamming their victims through online platforms. Examples are investment scams, romance scams committed via online dating platforms or purchase scams through auction websites and marketplaces.

APP fraud may be slightly down, as reported by UK Finance; however, it remains a huge problem. It is a problem that is persistent, and it has not yet been solved. The APP voluntary code was introduced in May 2019, following work between the industry, consumer groups, and the regulator has made some improvements. It provides protection for customers of signatory payment service providers (PSPs) and delivers a significant commitment from all signatory firms to reimburse victims of APP fraud in any scenario where the customer has met the standards expected of them under the code. There are ten Payment Service Providers (PSPs), representing over 90 percent of authorised push payments, that have signed up to the UK’s voluntary code. In 2023, £256.5 millions of losses were returned to victims under this APP voluntary code.

This is a step in the right direction, but the Payment Systems Regulator (PSR) will be implementing a new regulation which will include a reimbursement requirement for eligible victims of APP fraud. The date for implementation of this new regulation is now set for 7th October 2024. Once the requirement comes into force, Payment Service Providers (PSPs) will have to reimburse eligible victims of APP fraud. The reimbursement will be split 50:50 between sending and receiving PSPs.

Sending PSPs may charge an excess of up to a maximum of £100 per claim. The excess does not apply to claims made by vulnerable consumers. The maximum level of mandatory reimbursement is £415,000, applicable to all consumers. Sending PSPs may reimburse more than the maximum reimbursement level but cannot claim amounts above the maximum from receiving PSPs.

The proposed new regime will place the onus on the PSPs to prove that a consumer has behaved with gross negligence if they wish to reject a reimbursement claim. PSPs need to have the systems and capabilities to understand the reason why the consumer did not meet the requirement to determine whether the consumer was grossly negligent. The adoption of behavioural biometrics can help firms to identify customers acting under duress or pressure. The PSPs, which include banks, building societies, and other financial institutions that handle money and facilitate payments, are responsible for implementing the reimbursement scheme. They will need to consider new technology to conduct inbound payment screening to identify potential scam receipts.

The concern is that the reimbursement threshold of £415,000 is too high and could encourage the scammers to step up their game. Fraudsters might focus on scams exceeding £415,000 knowing that their victims will have a higher chance of recovering some losses from the banks. The PSR and financial institutions are expected to launch public awareness campaigns across the UK to educate people about APP fraud and how to avoid falling victim.

It's still too early to say definitively whether the threshold will significantly increase APP fraud. However, PSPs must use better detection technologies to be aware of the potential risks and take steps to protect their operations. This is something all the larger PSPs will have already conducted; however, the smaller Fintech firms may not have the necessary funds to invest in new detection technologies and could fall foul of the proposed reimbursement requirements that could force Fintechs into bankruptcy.  

Just as all this change in compliance is being proposed, after a four-year stint, Chris Hemsley, the PSR’s managing director, is stepping down from his role and will be replaced by an interim MD - David Geale.

Changing management and regulation at the same time is never a good idea. The 50:50 split for the reimbursement to the victim seems to favour the larger PSP. The real challenge that is not being addressed is the need to implement exhaustive legal customer onboarding due diligence processes and make sure that fraudsters don’t open bank accounts to receive authorised bank transfers. The receiving bank of the scammed money should be conducting proper checks, and the liability is with them for allowing the fraudster to receive and “squirrel away” the funds. The sending bank is sending the money based on their customer’s request (i.e., the victim). Therefore, why should the sending PSP be liable for 50% of the scam?

Sharing the cost burden incentivises both sending and receiving PSPs to invest in stronger fraud prevention measures. However, the sending banks might argue they have less control over the receiving account and shouldn't be held equally responsible. The fear of incurring significant costs could discourage sending banks from innovating and offering new payment methods. Knowing that they will share the cost, the receiving PSP might be less inclined to thoroughly investigate claims, potentially leading to more claims being reimbursed.

In summary, the 50:50 split is a complex issue with valid arguments on both sides. The new regulation has not been implemented; therefore, its effectiveness remains to be seen. A change in the PSR’s MD and an UK election could mean the 7th October 2024 implementation date may be delayed. As to whether the threshold of £415,000 for reimbursement is to be reduced, there has been a lot of lobbying from different industry bodies representing the smaller Fintech firms and neo-banks. It will be interesting to observe how regulation impacts fraud rates, security measures implemented by PSPs, and the overall cost of APP fraud in the UK. Edgar, Dunn & Company will continue to keep a close eye on this topic in the UK and how APP fraud in Europe will be regulated.

‍

The content of this article does not reflect the official opinion of Edgar, Dunn & Company.

The information and views expressed in this publication belong solely to the author(s).