The PSR publishes APP fraud performance data

As UK fraud watchers will be well aware, the UK’s Payment Systems Regulator (PSR) has embarked on a multi-pronged approach to reduce authorised push payment (APP) fraud within the Faster Payments System. As well as new mandatory reimbursement requirements due to come into effect in 2024, the PSR hopes to motivate regulated firms to improve their fraud controls by publishing performance data. This will show how much money connected to APP fraud is sent and received by each payment firm, and how firms perform when it comes to reimbursing victims.

The PSR has published the first ‘league tables’ today, showing data for 2022. The stats cover the UK’s 14 largest banking groups (‘directed firms’, which are obliged to report APP fraud data), plus nine other smaller firms that were among the top 20 highest receivers of fraud.

The performance tables will give firms that are successfully reducing APP fraud losses a competitive advantage, as they will enable customers to see how well individual banks perform in reducing fraud and how well they treat victims.

Recap: what is authorised push payment fraud?

APP fraud is a scam where fraudsters trick victims into sending them money. The account holder authorises the transaction, sending their money willingly but under false pretences.

Examples

Impersonation scams involve the fraudster pretending to be a trusted party like a bank employee or government official, for instance convincing the victim that their bank account is compromised and urging them to move their funds to a ‘trusted’ bank account which is actually under the fraudster’s control.

Romance scams involve a fraudster building an online relationship with a victim and requesting money for various reasons, such as bogus medical expenses or travel costs, supposedly to meet the victim.

Invoice scams involve victims being tricked into paying an invoice that seems to be sent by a legitimate supplier, normally via email. The invoice might be entirely fake, or fraudsters may have intercepted a real invoice and altered the bank details or changed the payment link.

Other examples of APP fraud include employment scams, rental scams, and charity donation scams — where money is sent under false pretences to secure employment, a rental apartment, or donate to a charitable cause respectively.

Key takeaways

1. There are inconsistent outcomes for customers reporting APP fraud. Some firms automatically reimburse victims nearly all of the time, others only make partial reimbursements, and others only consider claims in very narrow circumstances. This inconsistency should reduce with the introduction of mandatory reimbursement for all PSPs in 2024.

In terms of value reimbursed, the figures range from 91% (TSB) to 10% (Allied Irish Bank GB). In terms of volume, they range from 94% fully reimbursed plus 4% partially reimbursed (TSB), to 6% fully reimbursed plus 8% partially reimbursed (Monzo) and 12% fully reimbursed (Allied Irish Bank GB).

NB: PSPs are not currently required to reimburse victims of APP fraud. However, as of 2019, participants in the APP Contingent Reimbursement Model Voluntary Code (‘CRM Code’) have voluntarily agreed to reimburse fraud losses. To date there are nine firms signed up, representing the UK’s major banks with over 90% of the market in payment volumes. These firms would therefore be expected to have much higher reimbursement figures.

2. The data on which firms receive the most money generated by APP fraud show a massive degree of variation, indicating that fraudsters have identified which firms have weak controls and are actively exploiting them. Newer and smaller PSPs typically have disproportionately higher rates of fraud than larger, more established firms. The PSR notes these firms are in the much earlier stages of preventing fraud than major banks, and are not part of the voluntary CRM Code.

For non-directed PSPs (i.e. smaller firms), the rates of fraud-related funds received range from £10,355 per £1m received (Clear Junction) down to £334 (JP Morgan/Chase). The figures for directed PSPs also varied widely, though over a smaller range, from £696 per £1m received (Metro Bank) to just £44 (Santander).

Reasons for some firms having high rates of receiving fraud could include fewer, poor or delayed onboarding checks which would allow fraudsters to open and close accounts before being caught, or weaknesses in inbound transaction monitoring which prevent incoming fraudulent funds being identified and held.

NB: The PSR notes that some firms provide payment accounts to customers but do not manage the customer relationship themselves (e.g. banking-as-a-service providers). The PSR states that irrespective of whether the firms manage the customer relationships themselves, they retain the regulatory responsibility and are expected to ensure their partners manage the risk of onboarding new customers, conducting identity checks, and monitoring transactions effectively.

3. Firms have started to address control gaps, and the PSR believes the situation may have improved over 2023 given greater levels of awareness and industry initiatives, but more still remains to be done.

Outcomes

While these figures date back to 2022, they conclusively show that there is a huge gulf in levels of exposure to APP fraud across the UK payment industry.  Many firms need to radically up their game to prevent themselves being used by fraudsters, and there is a clear imperative to do so given the incoming mandatory reimbursement requirements.  Put simply, unless the most exposed firms are able to reduce the value of fraudulent funds they receive, the resultant reimbursements could put them out of business.

The PSR has said it expects firms to start working “now” to implement the new requirements, beginning by allocating appropriate resources, moving towards adopting a stronger risk-based approach to payments, and making better decisions on when to intervene and hold or stop a payment. 

There are numerous anti-financial crime controls which play a role in reducing APP fraud exposure:

  • Customer due diligence, including identity verification

  • Customer risk assessments, covering customers both as fraudsters (receiving funds) and as victims (sending funds)

  • Ongoing monitoring, including transaction and other activity monitoring

  • Information sharing mechanisms and responsiveness to peer institutions and law enforcement

  • Use of internal data and financial intelligence

  • Robust assurance of fraud controls

  • Staff training

How we can help

FINTRAIL is here to help PSPs adapt to the new requirements. Over the last five years we have worked with a range of institutions to successfully reduce their APP fraud exposure.

We offer a range of innovative, data-driven services to improve the effectiveness of your fraud controls and enable better identification of fraud risks. For firms considering where to start, we can conduct a thorough, data-driven risk assessment to identify current weaknesses in frameworks and controls and recommend practical enhancements that will reduce your potential liability exposure. This may include product and feature changes/enhancements, customer vulnerability assessments, new transaction monitoring scenarios, or enhancements to your customer risk assessment model. We can also conduct targeted audits of existing controls, or provide assurance and validation of programme changes being introduced to meet the new reimbursement requirements.

Get in touch with our team to learn more.