Payment Systems Regulator finalises policy positions on Authorised Push Payments Fraud - What does this mean for Payment Service Providers?

What is APP fraud?

Authorised push payment (APP) fraud happens when a fraudster tricks someone into sending Money to the fraudster’s account. According to the PSR, there are more incidents of fraud than any other crime type in the UK, with APP fraud accounting for 40% of fraud losses in 2022. The UK is seeking to become the first country in the world to introduce a mandatory reimbursement requirement, where a sending payment service provider (PSP) should reimburse APP scam victims subject to certain exceptions.

What does the Reimbursement Scheme require?

The APP Fraud Reimbursement Scheme requires in-scope PSPs sending payments to reimburse their customers if they are the victim of an APP scam, subject to certain exceptions. Broadly, the cost of reimbursement will be shared equally between the sending and receiving PSPs.

Which PSPs and payments are in scope of the requirements?

An in-scope payment order is one which:

• is authorised by a victim who holds the UK payment account as a consumer, micro-enterprise, or small charity; and
• is settled through the UK Faster Payment System (FPS) to a receiving payment account located in the UK, which is not controlled by the victim and which was identified in the victim’s payment order as a result of dishonesty or a fraud perpetrated.

Sending and receiving PSPs which are indirect FPS participants, as well as direct participants are within scope of the new requirements.

Which payments and claims are not in scope of the requirements?

The new reimbursement requirements do not apply to:

• payments which take place across other payment systems; 
• international payments;
• payments made for unlawful purposes; or
• payments which are the subject of a civil dispute, such as where a customer has paid a legitimate supplier for goods but has not received them or is otherwise dissatisfied with the supply.

The sending PSP is required to assess each APP fraud claim and determine whether it is valid and in-scope. A claim is not reimbursable if the sending PSP determines that:

• the customer claiming to be a victim is in fact party to the fraud (i.e. “first-party fraud”);
• the victim (1) is not a “vulnerable customer”; and (2) through gross negligence, fails to satisfy the “consumer standard of caution”. Please see further details below as to the concepts of vulnerable customer and the consumer standard of caution;
• the customer is claiming for an amount which is already the subject of a civil dispute or other civil legal action; or
• the customer is claiming for an amount which they paid for an unlawful purpose.

Summary of December Policy Statement

• Policy start date: 7 October 2024.  
• Consumer standard of caution exception: The standard encompasses four threshold levels of caution that a customer must meet. The exception to reimbursement does not apply to vulnerable customers. 
• Excess: Sending PSPs will be allowed to apply an excess of up to GBP100 to an APP fraud claim, except for claims made by vulnerable customers. 
• Level of mandatory reimbursement: The maximum level of mandatory reimbursement will be GBP415,000, which applies to all customers (there is no exception for vulnerable customers).
• Legal Instruments: Issuance of final package of legal instruments and key changes.

How will the reimbursement requirement operate between the sending and receiving PSPs?

If a customer becomes aware that they are a victim of APP fraud, they must notify their sending PSP without delay, and in any event within 13 months of making their relevant payment.

The sending PSP must reimburse the victim within five business days. The sending PSP can ‘stop the clock’ if they need to investigate further (including to gather evidence from the receiving PSP), but the sending PSP must arrive at an outcome within 35 business days, regardless of how many times and for how long they ‘stop the clock’.

Having reimbursed the customer, the sending PSP is entitled to compensation from the receiving PSP for 50% of the amount paid to the customer.

However, the receiving PSP does not have to contribute to the reimbursement to the extent that the sending PSP chooses:

• not to apply the claim excess, or to pay more than the maximum level – see further details below;
• to reimburse a claim submitted after the 13-month limit; or
• to reimburse a claim that is a first-party fraud or where a non-vulnerable customer acting with gross negligence failed to satisfy the consumer standard of caution.

When does the Reimbursement Scheme come into effect?

Any in-scope payments that take place on or after 7 October 2024 will be covered by the reimbursement requirement. Where the claim relates to a series of payments, any payments made prior to 7 October 2024 will not be in-scope.

What is the consumer standard of caution?

The consumer standard of caution is a set of requirements which all customers are expected to meet, and if any component is not met due to the customer's gross negligence, their PSP is entitled to reject their reimbursement claim.

’Gross negligence’ is a higher standard than the standard of negligence under common law – the PSRs says that a customer needs to have shown a ‘significant degree of carelessness’ in failing to meet an element of the consumer standard of caution. The onus will fall on the PSP to prove that a customer has behaved with gross negligence.

A PSP cannot, however, reject a claim due to gross negligence if the victim is a vulnerable customer.

The December Policy Statement sets out the four elements of the consumer standard of caution as follows: 

1. A requirement to have regard to interventions: customers should have regard to specific, directed interventions, such as warnings, made by their sending PSP or a competent national authority, such as the police. The intervention must offer a clear assessment of the probability that an intended payment is an APP scam payment.
2. Prompt notification: upon learning/suspecting that they have fallen victim to an APP scam, customers should report the matter to their PSP promptly and, in any event, within 13 months after the last relevant payment was authorised. Any delays due to the customer reporting directly to the police will not be considered to be evidence of grossly negligent behaviour.
3. Information sharing: a customer should respond to any reasonable and proportionate requests for information from their PSP to help it assess a reimbursement claim, including requests under ‘stop the clock’ rules. If a customer, through gross negligence, fails to respond to such requests, they are ineligible for reimbursement.
4. Police reporting: customers should, after making a reimbursement claim, and upon their PSP’s request, consent to one of two options for reporting the APP scam to the police. The PSP can either request that a customer agrees to have the details of their claim shared with the police, or request that the customer reports the details of the APP scam directly to the police. Where a customer, acting with gross negligence, rejects either option, will the PSP be able to refuse a reimbursement claim.

If a customer is vulnerable, their failure to adhere to any element of the consumer standard of caution cannot be used by the PSP to deny reimbursement:

• A vulnerable customer is a ‘natural person’ (which has a wider then usual meaning) “who, due to their personal circumstances, is especially susceptible to harm – particularly when a firm is not acting with appropriate levels of care”, according to FCA guidance.
• The PSR expects PSPs to evaluate each customer’s circumstances on a case-by-case basis to help determine the extent to which their characteristics of vulnerability led them to be defrauded, and therefore whether they meet the definition of vulnerability for the purposes of the particular APP scam payment.

Alongside the December Policy Statement, the PSR has also published a ‘Consumer standard of caution exception notice’ and associated ‘Consumer standard of caution exception guidance’ which should be read together.

What will the claim excess be?

The sending PSP can apply a claim excess of up to GBP100. The PSR confirmed in the December Policy Statement that ‘a maximum claim excess of GBP100 is an effective way of encouraging customer caution. A fixed excess, communicated well, will encourage customers to remain vigilant when making a payment and therefore mitigate the risk of moral hazard.’

The sending PSP can decide whether to apply the excess at the maximum value, a lower excess, or not at all. If a sending PSP chooses not to apply an excess, or to apply an excess below the maximum of GBP100, it cannot claim the amount not levied from the receiving PSP as part of the 50:50 liability split between sending and receiving PSPs.

Vulnerable customers will be exempt from any excess.

What will the maximum reimbursement level be?

A maximum claim value of GBP415,000 will apply to all claims, including those by vulnerable customers. This aligns with the Financial Ombudsman Service’s award limit. The PSR takes the view that a GBP415,000 limit strikes a balance between protecting and reimbursing nearly all customers and incentivising PSPs to improve fraud protections, while providing certainty to PSPs of their maximum liability.

The PSR acknowledges the views from PSPs, particularly smaller firms , that a maximum limit as high as GBP415,000 will raise concerns  about solvency and potential market impacts. However, based on evidence, they have assessed the prudential risks to PSPs from rare high-value claims as being low. The PSR states that it will monitor high-value scams ahead of implementation and may consult on revising the level ahead of October 2024 if there is convincing evidence to do so.

Legal Instruments

Alongside the December Policy Statement, the PSR has published its final package of legal instruments to give effect to its reimbursement policy and place legal obligations on industry to comply with it. These are:

• a specific requirement (SR1) imposed on Pay.UK to change the Faster Payments rules to include the reimbursement requirement and associated reimbursement rules;
• a specific direction (SD19) given to Pay.UK to create and implement an effective compliance monitoring regime for PSPs, in line with the reimbursement rules and our specific direction on industry; and
• a specific direction (SD20) given to Faster Payments participants obliging them to comply with the reimbursement requirement and the reimbursement rules.

What practical steps can a PSP take?

Our September 2023 seminar explored some practical steps that PSPs can take to mitigate the risk of APP Fraud and protect customers, ahead of the go-live date of the Reimbursement Scheme.

PSPs should aim to develop an end-to-end strategy which protects and informs their customers and where possible reduces their risk of being subject to APP fraud compensation claims arising from FPS payments. In the months leading up to the start date, there are a number of steps that PSPs can take including, for example: 

• Updating your customer T&Cs: there will be a need to update customer T&Cs to reflect a customer’s right to reimbursement for in-scope APP scam payments, how to make a claim, handling of a claim and the consumer standard of caution. Subject to legal constraints, there are a number of further changes which PSPs could consider making to customer T&Cs, such as updating provisions for declining/delaying execution of transactions, suspending or terminating accounts, and setting off compensation payments against customer funds.
• Enhancing ‘know your customer’ controls and due diligence: to help, for example, identify whether a customer is at a higher risk of being a fraudster.
• Enhancing transaction monitoring systems: PSPs’ systems may need updating to identify transactions with APP fraud indicators so as to, for example, provide specific warnings to Payers or flag/funds recovered by payees.
• Additional information sharing capability: for example, PSPs may need to develop systems to enable them to communicate claims and share information with other PSPs. 
• Training and awareness: for example, implementing customer awareness initiatives to educate on the risks of fraud and internal staff training on identification and management of APP fraud and key indicators of fraudulent behaviour.
• Data sharing initiatives: participation and cross-industry efforts to prevent fraud.

If you have any queries on the above, please contact Ben, Nikki, Rory, Rhiannon.

Acknowledgments to Jade Low, trainee with A&O's Financial Services Regulatory team in London, for her contribution to this post.