Global menu

Our global pages

Close

The PSR’s APP scam consultation paper – a plan to stop APP scams?

  • United Kingdom
  • Financial services disputes and investigations

25-11-2021

The Payment Services Regulator’s APP scam consultation paper signals an intention to place reimbursement protection on a mandatory footing. Responses are sought by 14 January 2022. The paper is supported by a Government statement that it intends to legislate to provide for mandatory reimbursement for scam victims. We consider the proposals and their implications below.

Background

  • The Contingent Reimbursement Model code (the “CRM Code”), introduced in May 2019, is a voluntary code which provides for customers of the signatory payment service providers (“PSPs”) (comprising nine financial institutions across 20 brands) to be refunded in certain circumstances where they have been the victim of an authorised push payment (“APP”) scam. APP scams involve customers authorising payments to third parties which they believe to be for legitimate purposes, but which subsequently turn out to be fraudulent
  • recent press coverage has highlighted inconsistent application of the CRM Code amongst signatory PSPs, with reimbursement levels lower for some than others
  • overall, just under 50% of customers were reimbursed in 2020 under the CRM Code. Although that improves on the 19% figure from pre-CRM Code, the PSR states that it is still too low
  • £355m was lost in over 100,000 separate APP scams in the first half of 2021, representing a c.70% increase (in both value and number of scams) compared to the first half of 2020

Planned Changes

  • on 18 November 2021, the Payment Services Regulator (the “PSR”) issued a 74 page consultation paper which addresses the responses to its call for views from February 2021 and summarises its proposed next steps (the “PSR Consultation”)[1]. It is accompanied by a press release[2]
  • although the PSR recognises that significant improvements have been made since its work in this area started in 2015, it suggests that more must be done
  • The Government has given a simultaneous indication that legislative changes are planned to achieve mandatory protection for APP scam victims
  • the main areas covered by the PSR Consultation are:

1.    Publication of fraud data by banks – to include reimbursement levels and details of which PSPs’ accounts are being used for fraudulent purposes

2.    Improvements in scam protection – including data sharing amongst PSPs

3.    Mandatory reimbursement – how best to achieve this once legislation is introduced

  • The PSR confirms that, in addition to improving reimbursement rates, the proposed changes are intended to prevent APP scams from occurring in the first place. The changes will apply only to Faster Payments which cover the majority of relevant transactions

Mandatory reimbursement

  • The PSR intends to create a mandatory reimbursement scheme. This would represent the most significant change to the handling of APP scam complaints. It outlines two options:

1.    Amendments to Faster Payment scheme rules – to require reimbursement for APP scam victims who have exercised ‘sufficient caution’

2.    Requiring PSPs to sign up to a PSR approved reimbursement code – PSPs that did not sign up or demonstrate a high level of compliance would be required to reimburse scam victims in all but very limited circumstances (e.g. first-party fraud)

  • The PSR recognises that until legislation comes into force mandatory reimbursement cannot be introduced. However, noting the Government's intention to introduce statutory protection, it wishes to identify what it would do when empowered to act
  • a mandatory reimbursement rule would apply to all payments made by Faster Payments (not just those made from or to CRM Code signatory PSPs). This will ensure the same standards apply regardless of a customer’s PSP. The PSR also notes that non-CRM Code PSPs are currently favoured for their receiving accounts

Fraud data publication

  • The PSR proposes a ‘balanced scorecard’ approach, with comparative data being published by the PSR and prominently on PSPs’ own websites. The data to be published will include:

1.    Proportional analysis of scam victims left partially or fully out of pocket – by value and by number of scams
2.    Sending bank scam rates – again by value and number of scams
3.    Receiving bank scam rates – the value of APP scam funds received, less repatriated sums

  • this will enable customers to compare reimbursement rates amongst PSPs and identify which PSPs most commonly receive fraudulent payments. The PSR believes this will incentivise PSPs to prevent APP scams. However, it also recognises that consumers infrequently change banking providers
  • The PSR intends to direct the 12 largest PSP groups (rather than individual brands) to publish the proposed data. This includes all CRM Code signatories and some non-signatories
  • data will be published half-yearly, six months after the end of the period. The six month delay between the end of the reporting period and publication will allow PSPs to address any weaknesses revealed by the data to be published

Data sharing

  • the main objective of data sharing is to improve detection and prevention of potential APP scams. It is envisaged that there will be an industry agreement as to the ‘standardised risk data’ to be shared
  • an industry Joint Working Group (“JWG”) has been set up by PSPs, UK Finance and Pay.UK. It is considering:

1.    The data that it would be beneficial to share amongst PSPs; and

2.    The best way to share data (i.e. how and when to share data)

  • The PSR is content with the work already being carried out, and will seek updates from the JWG with a view to putting concrete rules and standards in place
  • it is envisaged that ‘high level’ proposals will be made by the end of H1 2022, with Pay.UK to then incorporate the requirements within the Faster Payments rules

Analysis

  • even with the introduction of mandatory reimbursement rules, in whatever form they may take, questions will remain as to the determination of liability. What amounts to ‘sufficient caution’ on the part of customers is inherently subjective and is likely to remain a key area of contention
  • data publication may go some way to incentivising action on the part of PSPs, and the intelligence provided by effective data sharing will help PSPs to identify and tackle emerging APP scam trends. However, if adopted, the proposals contained in the PSR Consultation are unlikely to significantly reduce the growing number of APP scams that occur. In respect of data sharing, the proposals appear to simply follow an existing industry initiative. Further, some of the data publication requirements could be rendered irrelevant by the introduction of mandatory reimbursement
  • The PSR Consultation states on three occasions that better education of customers by PSPs may be needed in light of the increased sophistication of scams. Although mandatory reimbursement may encourage PSPs to continue to better educate their customers, the PSR Consultation has nothing to say on what ‘better education’ might entail
  • The PSR Consultation recognises that social media platforms, telecoms companies and internet providers also need to do more to stop APP scams. However, the PSR cannot force such organisations to act. PSPs will hope that the Government will appreciate this when it comes to legislate, particularly with the Online Safety Bill currently being considered by a Parliamentary Select Committee
  • one other point of note is the indication that there should be more focus on the balance of liability between sending and receiving banks. This is supplemented by the third part of the fraud data publication proposal, which will effectively ‘name and shame’ receiving banks which are seen to facilitate fraud by allowing fraudsters to open accounts, or allow established accounts to be used as mule accounts
  • The PSR’s press release is  headed “PSR announces plans to stop APP scams”. Even if legislation brings about a mandatory reimbursement scheme (and there is notably no timeframe for legislation to be brought forward), it is difficult to imagine the proposals in the PSR Consultation will achieve the PSR’s goal of stopping APP scams entirely



[1]   https://www.psr.org.uk/publications/consultations/cp21-10-authorised-push-payment-app-scams-consultation-paper/

[2]   https://www.psr.org.uk/news-updates/latest-news/news/psr-announces-plans-to-stop-app-scams/