Fuelled by the Covid-19 pandemic and digital transformation in many industries, online fraud and scams are a growing problem throughout the world. In 2022, the UK alone reported that more than £1.2bn had been lost to fraud, while the banking and finance industry prevented a further £1.2bn getting into the hands of criminals.
Fraudsters are using increasingly sophisticated methods, including investment scams, online shopping scams, online dating scams and payment direction scams (where the perpetrator impersonates a business and requests money to be sent to a fraudulent account). Of the £1.2bn lost to fraud, £485.2m was attributed to authorised push payment (APP) fraud, the most prevalent being purchase scams and investment scams.
As governments, regulators and industry seek newer, more effective ways of dealing with scams, different jurisdictions are taking different approaches.
UK
In the UK, the Payment Services Regulator is pressing ahead with the introduction of a new reimbursement requirement in respect of APP fraud, due to come into effect in 2024. Under this requirement, sending payment service providers must reimburse all in-scope customers who fall victim to APP fraud. The cost of reimbursement will be split 50/50 between sending and receiving firms.
The exceptions to the reimbursement requirement include international payments, first-party fraud, and where a customer has acted with gross negligence. Firms will have five business days to reimburse a customer although they may ‘stop the clock’ to investigate. There will be a claim excess and a maximum level of reimbursement, yet to be determined. The time limit for claims will be 13 months from the date of payment.
EU
In the EU, the European Commission has recently published a draft new Payment Services Regulation which would introduce limited liability on payment services providers for APP fraud, specifically limiting liability to impersonation fraud (where the fraudster has impersonated the payment service provider).
Like the UK requirement, there is no liability where the customer has acted fraudulently or with gross negligence. In addition, there is an obligation on the customer to report the fraud to the police, without delay.
Asia
In Asia, the Monetary Authority of Singapore (MAS) is preparing a framework for equitable sharing of losses from scams and is expected to issue a consultation paper in October 2023. MAS is currently studying the type of scams that should be covered by this shared framework, which is likely to address the duties and actions expected of banks and telcos, as well as defining the responsibilities of customers.
The proportion of losses each party bears will depend on whether — and how — the party has fallen short of its obligations.
The Hong Kong Monetary Authority (HKMA) has collaborated with the banking industry and law enforcement to launch the Financial Intelligence Evaluation Sharing Tool (FINEST). FINEST is a bank-to-bank information-sharing platform which helps enhance banks’ ability to share information for detecting and disrupting fraud and mule account networks.
The HKMA also recognises the importance of raising public awareness and has launched the Anti-Scam Consumer Protection Charter to enhance awareness of safeguarding credit card and personal information.
It has also issued a circular outlining the principles that should be applied by banks in handling unauthorised payment card transactions. These include that banks should send regular reminders to cardholders to safeguard their cards and authentication information and provide them with information on the latest large-scale card scam methods and advice on precautionary measures.
Australia
The UK regulatory position may influence the direction in Australia and has already prompted calls by consumer groups for a similar mandatory reimbursement scheme. However, it is not clear that the Australian government would support such a regime. In late 2022, the financial services minister suggested that placing liability on banks would stoke the problem, creating a “honey pot for scammers”.
The Australian Competition and Consumer Commission has established a National Anti-Scam Centre to co-ordinate government, law enforcement and the private sector to combat scams. Its initiatives include awareness raising to help Australians spot scams, building data-sharing capability and technology over the next three years to centralise intelligence on scams and distribute relevant data, and a ‘fusion cell’ to combat the growing problem of investment scams.
Meanwhile, the Australian Securities and Investments Commission (ASIC) has called on banks to take steps to bolster their prevention, detection and response activities, having found the four major Australian banks’ approach to scams strategy and governance was highly variable and less mature than the regulator expected. ASIC also expressed concern banks were taking overly narrow and inconsistent approaches to determining whether to reimburse customers for scam losses.
Global
Across the globe, the focus is now turning to the broader ecosystem and the role that companies other than banks can play, such as telcos, website providers, social media platforms and online dating providers.
For example, in the UK, the Online Safety Bill is making its way through the legislative process. When enacted, it will require tech and social media companies to remove scam adverts from their platforms. The UK government is also developing an online fraud charter with the technology sector, aimed at encouraging tech firms to take action to block scams, report frauds and remove fraudulent content.
Stakeholders will look to jurisdictions where the trend appears to be reversing (for example, overall fraud losses in the UK fell 8% from 2021 to 2022) and draw their own conclusions on whether the regulatory approach in those jurisdictions has contributed to that trend.
In Australia, by contrast, losses to scams have been reported as increasing by 80% between 2021 and 2022. It seems inevitable that regulators and governments will continue to closely follow what is occurring in other jurisdictions and seek to adopt perceived best practice.
Jenny Stainsby is a partner and global head of financial services regulatory in London, UK and Andrew Eastwood is a partner in Australia.
