New Reimbursement Requirements for APP Fraud

On 7 June, the UK’s Payment Systems Regulator (PSR) published a policy statement outlining new requirements for reimbursing victims of authorised push payment (APP) fraud within the Faster Payments System.

What are the new requirements for APP fraud?

Once the regulations come into effect, currently slated for 2024, all payment service providers (PSPs) will be required to fully reimburse victims of APP fraud within five business days. There are exceptions for fraud or gross negligence by the payer, as well as an excess (value to be decided). The costs of reimbursement will be allocated equally between the sending and receiving PSPs, with a default 50:50 split. 

Why is this happening?

The need for a jolt to the system is clear; APP fraud has quickly become one of the most significant types of payment fraud globally. The PSR reports that in 2022, there were around 207,000 reported cases on personal accounts with total losses of £485m (but notes this is likely an underestimate).

The authorities’ proposed solution as set out in this statement is also clear - shifting the onus for tackling APP fraud onto financial institutions and giving them a clear financial incentive to prevent it happening in the first place. The PSR says that by adopting an outcome-based approach, it is giving the industry “the space to innovate and to choose how best to deliver the new reimbursement requirement” - i.e. moving away from tick-box compliance to focus on effectiveness.

What does this mean for PSPs?

The implications for financial services firms are huge. For some, if they are not able to get their houses in order, the estimated costs could pose an existential threat large enough to put them out of business. We have spoken with industry contacts who have told us that some institutions and EMI agents are unlikely to survive under the new regime without significant changes, given how vulnerable they are to APP fraud. We know of estimated liability figures that are significant multiples above current fraud losses. Firms need to take meaningful, decisive action to protect themselves and their customers, significantly improving both how they identify inbound APP fraud-related payments on their own books and how they identify and protect their customers as victims.

What does the PSR expect?

The PSR says it expects industry to start working “now” to implement the new requirements, beginning by allocating appropriate resources and understanding how they can meet the conditions. Specifically, firms should move towards adopting a stronger risk-based approach to payments, and make better decisions on when to intervene and hold or stop a payment. The PSR believes the requirements will lead firms to “innovate and develop effective, data-driven interventions to change customer behaviour” - a message that is music to FINTRAIL’s ears!

What can PSPs do?

So where should payment firms start? There are numerous parts of an anti-financial crime framework which play a role in reducing APP fraud exposure - all of which need to be assessed and enhanced:

  • Customer due diligence, including identity verification

  • Customers as victims; assessing vulnerability and improving awareness

  • Customer risk assessments, considering payment sending and receiving exposure

  • Ongoing monitoring, including transaction and other activity monitoring

  • Operational enhancements to process monitoring interventions and reimbursement claims

  • Responsiveness to peer institutions and law enforcement

  • Use of internal data and financial intelligence

  • Robust assurance of fraud controls

  • Staff training

How can we help?

FINTRAIL is here to help PSPs adapt to the new requirements. Over the last five years we have worked with a range of institutions to successfully reduce their APP fraud exposure. With our proven track record we can offer a range of innovative, data-driven services to improve the effectiveness of your fraud controls and enable better identification of fraud risks.

For firms considering where to start, we can conduct a thorough, data-driven risk assessment to identify current weaknesses in frameworks and controls and recommend practical enhancements that will reduce your potential liability exposure. This may include product and feature changes/enhancements, customer vulnerability assessments, new transaction monitoring scenarios, or enhancements to your customer risk assessment model. We can also conduct targeted audits of existing controls, or provide assurance and validation of programme changes being introduced to meet the new reimbursement requirements.

Speak to our team to find out more