A recently published policy statement by the UK Payment Services Regulator (PSR) has set out how it envisions the fight against authorised push payment (APP) fraud and introduces new mandatory reimbursement requirements.
The policy statement introduces changes to the landscape of online Faster Payments, with the reimbursement requirements it lists expected to be in force by early 2024. However, the PSR has set the expectation that those in the industry should begin to work now to implement the requirement.
The fight against APP fraud focuses on encouraging payment services providers (PSPs) to share information and have systems in place to analyse and identify payments with high fraud risk.
In the short term, the costs and impact of these changes will be most significantly felt by PSPs that are not signatories to the Contingent Reimbursement Model (CRM) Code, which are responsible for processing 10% of the APPs in the UK.
Currently, 10 PSP groups representing more than 90% of APPs are reimbursing victims of APP fraud, having voluntarily signed up to the CRM Code, an initiative led by the Lending Standards Board that aims to protect consumers who have authorised a payment to a fraudulent payee.
Frustration with [a slow] process could drive customers away from small PSPs
As part of this commitment, such PSPs have additional systems in place to detect, prevent and respond to APP scams, and reimburse customers who fall victim to fraudulent activity.
Under the incoming rules, the sending PSP will be required to reimburse customers within five business days for payments made in the UK via Faster Payments where they have “been deceived into granting that authorisation as part of an APP fraud case”.
The cost of the reimbursement will be shared equally between the sending and receiving PSP, with the obligation to promptly reimburse the customer being on the sending PSP.
Risks for small PSPs
Given that large PSPs are signatories to the CRM Code, they will already have the systems in place to monitor payments more closely and are willing to reimburse where required. They are therefore less likely to need to make significant changes to their current operations.
But PSPs not currently offering reimbursements under the CRM Code will now have to budget for significant changes to their systems to deter customers from making payments with a high risk of fraud.
An option for small PSPs to mitigate this financial risk is to limit the amounts transacted through Faster Payments, particularly if the transaction is considered to be at high risk of fraud – a throwback to the early days of Faster Payments, where banks would place transaction limits below the level of which the system was capable.
Though the PSR will set a maximum reimbursement amount later this year, the reimbursement requirement presents a significant business risk to small PSPs. If the risk materialises, small PSPs obligated to reimburse the maximum amount may struggle to compensate their customers within the five-business-day period, and repeated instances could lead to insolvency.
The Financial Conduct Authority (FCA) does not yet appear to have considered how the reimbursement requirement may affect the capital requirements of small PSPs, and we may yet see action from the FCA on this front.
Read more on APP fraud
From the customer perspective, the changes appear very positive. Their payments will be offered more protection and they are less likely to lose a devastating amount of money due to fraud. However, in practice, these protections may result in added friction to the payments experience.
The PSR’s policy statement – PS23/2 – even acknowledges that changes may be required to the Payment Services Regulations to allow transactions to be processed outside the current time limits where it is necessary to manage significant risk of an APP fraud.
Small PSPs may resort to putting in place additional authentication processes and hoops through which customers will have to jump to authorise payments flagged as a high fraud risk. Frustration with such a process could drive customers away from small PSPs if it becomes more difficult to make what could be a genuine and time-sensitive payment.
Increased intelligence and data sharing
One of the focuses of the PSR’s policy statement is intelligence sharing. By increasing the flow of information across the payment sector and wider ecosystem, the opportunity to stop potential fraud before it happens is greater.
Pay.UK, supported by UK Finance, is leading an initiative to build an application programme interface (API) solution to address the sharing of information, expected to be partly implemented by the end of this year.
Small PSPs may actually benefit from the vast amounts of data collected by the bigger players in the market, helping the former to develop systems that spot fraudulent payments more accurately, in turn reducing the need to reimburse customers.
In the long term this is likely to be a positive change, as it will allow for more data-led fraud prevention and increased protection.
The incoming rules are likely to play out in a number of ways. Most noticeable for customers, however, is likely to be an increase in fraud-spotting as a result of data sharing and a smoother process for reimbursement if things do go wrong. But this will be tempered with an increase in friction when making payments that have the hallmarks of fraud.
Andrew Barber is a partner and Farah Al-Amad is an associate at law firm Pinsent Masons.
