STAYING IN CONTROL

PLAY SAFE – How scam-proof are you in the new world of mandatory reimbursement for APP fraud?

18/01/2024

Imagine this – a customer submits a payment instruction directing that all their life savings are transferred to a third-party account for the purposes of an investment. What do you do? While the scenario may appear innocuous, with the new mandatory reimbursement regime for Authorised Push Payment (APP) fraud about to come into force, it may prove a nightmare for payment services providers (PSPs) operating in the UK. The intention behind the new mandatory reimbursement regime is indisputably good – fraud now accounts for 40% of all crime reported in the UK. However, it is likely to have far-reaching and challenging consequences for the banking sector, both from a regulatory and operational perspective.

APP fraud continues to increase, with 22% more cases reported in the first half of 2023 than in the same period in the previous year. However, the National Crime Agency estimates that most cases remain unreported, so the number is likely far higher.

Contingent Reimbursement Model Code v Mandatory reimbursement

The predecessor to the new mandatory reimbursement regime is the Contingent Reimbursement Model (CRM) Code, a voluntary code that has been in place since May 2019 and has only ten signatories (albeit representing much of the UK retail banking sector). The CRM Code requires signatory firms to reimburse customers who fall victim to APP fraud, subject to certain exceptions. Most commonly these exceptions relate to the customer ignoring effective warnings or making payments without a reasonable basis for believing that the payee was the person the customer was expecting to pay. These exceptions were disapplied where the customer was deemed vulnerable. The CRM Code allowed discretion to decide whether the claim merited full, partial or no reimbursement.

In many ways, the new mandatory reimbursement regime reflects the approach under the CRM Code where the starting assumption was that the signatory would refund the customer unless one of the exceptions applied. However, pursuant to mandatory reimbursement, there is reduced scope for PSPs to challenge the customer’s claim, even where it would currently be refused under the CRM Code. For example, there may be circumstances where the customer is ‘coached’ by the fraudster to alleviate any concerns that their bank may have about a particular transaction. In such circumstances, it may be that nothing the bank might say would prevent the customer from making the instruction.

The time required to determine a claim means that many PSPs may opt to compensate instead of investigate. The new mandatory reimbursement regime will require a difficult balancing exercise between overzealous protection resulting in many genuine payments being stopped and the customers’ ability to enjoy unimpeded access to payment services.

The FCA perspective

There is also a potential tension with the new FCA Consumer Duty, which requires firms to ensure that fraud prevention measures (such as freezing the account) are applied less frequently and are less protracted. See our Duty Bound article for more in relation to the Consumer Duty.

Banks will also need to fraud-proof their internal policies and procedures. These will require regular updates to adapt to the ever-increasing sophistication of fraudsters. Client-facing staff will also need to be trained to spot red flags, assisted by ever-evolving technology capable of identifying suspicious or unusual transactions. This is an area in which we know the FCA has a particular interest. Financial crime remains a hot regulatory topic. We predict that APP fraud systems and controls will come under increasing scrutiny in the coming year, both in the context of the Consumer Duty and in terms of general compliance with FCA Principle 3, which requires regulated firms to take reasonable care to organise and control their affairs responsibly and effectively.

In its 2023/24 Business Plan, the FCA committed to slowing the growth of APP fraud. While it is estimated that most losses from APP fraud average £3,000, there are some instances where customers have lost their life savings amounting to hundreds of thousands of pounds. While the latter examples are less frequent and the current proposal is for mandatory reimbursement to be capped at £415,000, PSPs should consider whether they need to increase their reserves to ensure that they remain operationally resilient if they were to face multiple concurrent high-value claims. This is particularly important given the obligation to reimburse customers within 5 business days from a claim being made (subject to the ‘stop clock’ provision).

It should also be noted that many of the scams that PSPs are expected to prevent originate on social platforms which, until recently, have not been considered the natural defenders against APP fraud. It therefore remains to be seen whether the new Online Safety Act and the Online Fraud Charter translate into fewer banking customers reaching the point in their APP fraud journey when their bank is expected to intervene. For more on the intersection between financial services and online safety, please see our Social Action article.

The role of the Financial Ombudsman Service

Similarly, the role of the Financial Ombudsman Service (FOS) must not be underestimated. Under the new regime, where the PSP refuses a claim – which we emphasise is only possible where the customer is implicated in the fraud or acted with gross negligence – the customer can pursue the claim further via the FOS. The FOS will make its decision based on what is fair and reasonable in the particular circumstances of the case, taking into account the relevant law and regulation that applied at the time, any industry codes of conduct or other relevant guidance. The FOS’ decisions are likely to be particularly important in informing the market’s understanding of the customer standard of caution exception to mandatory reimbursement, in particular in determining what behaviours amount to gross negligence.

It is also important to remember that mandatory reimbursement will not always apply. Our own experience, as well as some of the high-profile cases that have been ventilated before the courts in recent months, suggests that a lot of the scams include the victim being told to transfer their funds into an overseas account. In such circumstances, mandatory reimbursement will not apply. However, there is a question whether equivalent protection should ‘voluntarily’ be extended to these payments in the spirit of the new Consumer Duty. Where mandatory reimbursement is disapplied, firms will remain liable where they were on notice of a potential fraud and failed to stop the transaction.

CONCLUSION

There are many open questions regarding how the new mandatory reimbursement requirement will operate in practice. The success of the new regime will depend on cooperation between the numerous PSPs in the market, effective data sharing, and consistent application of the new framework, both by industry and the regulators. All of these will need to be supported by increased investment in human resources and technology to ensure that the financial institutions themselves are fraud-proof so they can help their customers protect themselves from falling victim to fraud.

MEET THE AUTHORS

Andrew Tuson

Partner, London

Joseph Ninan

Senior Associate, London

Joanna Munro

Associate, London