PSR details mandatory reimbursement for APP fraud plans

The Payment Systems Regulator (PSR) said it intends to press ahead with plans it initially floated last year to impose a new regulatory framework for mandatory reimbursement of APP fraud.

The PSR has set out how it intends to implement mandatory reimbursement (85-page / 935KB PDF) in a new consultation paper. Its central proposal is that mandatory reimbursement obligations should apply to all APP fraud cases above a minimum threshold of £100 at most – PSPs would be able to apply a lower threshold if they wish – except for cases where customers are involved in the APP fraud themselves or have acted with gross negligence.

The PSR said: “The exception for gross negligence is a high bar, which we expect will apply in only a small minority of cases. It would not apply where a consumer was vulnerable.”

PSPs would also be able to charge an excess of up to £35 for processing reimbursement claims. They would face a 13-month backstop deadline for resolving claims, starting from the date of payment.

The right to reimbursement would exist for consumers, micro-enterprises and charities.

The PSR’s proposals are open to consultation until 25 November 2022. It said it would obtain the regulatory powers necessary to require PSPs to reimburse APP scam victims from the Financial Services and Markets Bill, which was introduced into the UK parliament in July. The PSR has said it will publish a policy statement on mandatory reimbursement in early 2023 and use its new powers within two months of the legislation coming into force.

Payments law expert Andrew Barber of Pinsent Masons said the PSR’s proposals for a “near compulsory reimbursement model” would be welcomed by consumers but would also “necessarily see a change in the approach payment firms take to action customer payments”.

“PSPs will scrutinise payments more heavily and customers may find, at least initially, more friction in the payment transactions they make,” Barber said. “This will particularly be the case where the payment amounts are large. Until technology and payment firms’ fraud prevention tools catch up, near instant payments, particularly for larger amounts, may no longer be possible.”

Under the proposals, PSPs that send payments to APP fraudsters would generally have 48 hours to reimburse the victim after the fraud is reported, though PSPs would have more time to investigate if they have evidence or reasonable grounds to suspect the customer has been involved in the fraud or acted with gross negligence.

The costs of reimbursement, as well as any repatriated funds, would be shared equally between sending and receiving PSPs by default, and PSPs can use a dispute resolution process to refine the allocation of reimbursement costs to better reflect the steps each PSP took to prevent the scam. However, the PSR has stated that there needs to be a coordinated set of arrangements, so that all PSPs have the option to choose, and must cooperate with, dispute resolution arrangements based on an appropriate set of allocation criteria.

Mila Pencheva, also of Pinsent Masons, said: “The proposed reimbursement model will likely result in more significant cost implications for smaller PSPs and new entrants on the market, potentially impacting competition. There is some acknowledgement from the PSR of this risk, but it has said that PSPs should respond by putting in place more effective fraud controls. Such advanced controls would, of course, also come at a cost. To avoid serious disruption to their operations, smaller PSPs and new entrants should already start considering how this proposed model might affect them and what improvements they can make to their systems.”

On the proposed use of dispute resolution process to refine the allocation of reimbursement, Pencheva said: “Care should be taken when developing these and the allocation criteria to take into account the resource constraints that small PSPs might have to engage in an additional dispute resolution process.”

Currently, 10 PSPs in the UK have signed up to the contingent reimbursement model (CRM) code, a voluntary code that is concerned with reimbursing customers who fall victim to APP fraud.

The UK’s six largest banking groups are also subject to a regulatory direction from the PSR requiring them to send and respond to ‘confirmation of payee’ requests, which essentially involves checking the name on the account of the person or organisation to be paid and either confirm the details are correct, asking the payee to check the details are correct if the name provided is similar, or advising the customer that the details are wrong. Some other PSPs have also adopted the confirmation of payee protocols, but the PSR consulted earlier this summer on extending the confirmation of payee duties to other PSPs.

The PSR said it plans to require some PSPs to begin submitting data on APP scams and reimbursement rates under the CRM code in spring 2023, with a view to the regulator publishing the first set of data in the summer next year. Further regulatory intervention to promote better data sharing within industry on APP fraud is also possible, it said.