UK Payment Systems Regulator consults on APP fraud reimbursement overhaul

APP fraud occurs where the victim is tricked into making a payment to an account controlled by a fraudster, such as to purchase something they will never receive or due to invoice or impersonation scams. Fraudsters may use social engineering and impersonation to manipulate and gain the trust of their victims. According to figures from UK Finance, APP fraud losses came to nearly £500 million in the UK last year.

In June, the PSR set out its final position on tackling APP fraud when using the Faster Payments Service. This will require banks, building societies and other payment firms to reimburse in-scope customers after deducting any optional excess, within five business days of their customer reporting being the victim of a scam. The reimbursement timeline can be extended if the ‘stop-the-clock’ provision applies.

The PSR intends for the proposed framework to not only to incentivise payments firms to prevent APP fraud from happening in the first place, but also to encourage and reinforce the importance of consumers remaining cautious when making payments. Before the new reimbursement requirements come into force next year, the PSR said it would seek views on the maximum level of reimbursement and claim excess for customers who fall victim to APP fraud (33 pages / 347KB PDF) as well as views on the consumer standard of caution guidance (22 pages / 242KB PDF) and gross negligence.  

In June, the PSR confirmed that sending banks and other payment service providers (PSPs) will have the option to apply a claim excess under the new reimbursement requirement, except in cases where the consumer is “vulnerable”. The regulator stipulated there will be no minimum threshold for claims, but there will be a maximum limit. The PSR is now seeking views on the most appropriate way of structuring a claim excess. This includes whether an excess should be a fixed amount similar to an insurance claim excess, or a percentage of the reimbursement claim amount.  

The PSR also proposes that the maximum reimbursement level should be in line with the prevailing Financial Ombudsman Service (FOS) limit of £415,000 – which around 99.98% of APP fraud fell within, according to UK Finance data for eight PSPs in 2022 which the PSR cited. In this consultation, the regulator is also consulting on whether the maximum level will apply to vulnerable consumers. The maximum level of reimbursement would not, however, prevent PSPs voluntarily reimbursing customers above this limit. The consultation also contains questions on the maximum reimbursement level for the Clearing House Automated Payment System (CHAPS) on behalf of the Bank of England.

Financial regulation expert Andrew Barber of Pinsent Masons said: “The consultation points out the benefits of aligning the cap with the current FOS limit of £415,000. It will be interesting to see if industry agrees with an aligned cap and its views on increasing the cap in future. The PSR is looking for a workable level for the cap that makes sense compared to other caps in the industry and balances meaningful consumer protection with a real incentive for PSPs to introduce and maintain strong anti-fraud systems, while also seeking to protect firms from very large claims.”

“Even so, for smaller firms particularly, the amount proposed could be a significant potential hit to their balance sheets, especially if there were multiple, substantial claims. It will be interesting to see what view the FCA takes on the level of capital both small and authorised payment institutions need to hold to guard against the risks of multiple, significant payouts. Regardless of the ultimate level of the cap, it will be important for both firms and customers to guard against fraud, with firms in particular needing to calibrate additional checks and increasing precautions with the payment size,” Barber added.

In its other consultation, the PSR outlined its proposed approach to the consumer standard of caution that would require consumers have regard to warnings, notify their sending PSP promptly of any scam of which they are the victim and share information with the firm. According to the proposals, before making an APP, consumers should have regard to specific, directed warnings given by their bank, which make clear the intended recipient is likely to be a fraudster. However, a customer who nevertheless proceeds with the payment will not then automatically be grossly negligent.

To assess the degree of the consumer’s negligence, PSPs will need to take into consideration the nature of the warning, the complexity of the APP scam, the consumer’s claims history including “propensity” to fall for such scams and whether the PSP can “reasonably be expected” to have either paused or prevented the payment. If a consumer is subjected to scams of a similar type, firms should consider if this indicates vulnerability rather than gross negligence.

Josie Day of Pinsent Masons said: “Although, under current proposals, consumers are expected to consider the warnings the sending PSP raises prior to making an APP, PSPs would need to ensure these are tailored and specific – firms should be aware that generic warnings will not suffice.”

The proposed standard also contains a prompt reporting requirement for consumers who are, or suspect they are, a victim of an APP scam. Under the current proposals this is to notify their PSP promptly – and no later than 13 months after the last fraudulent payment was made. 

The PSR is also consulting on the possibility of including an information sharing requirement, under which consumers should respond to any reasonable and proportionate requests for information made by their payment firm to help the firm assess a reimbursement claim, or to determine if a consumer is vulnerable. Doing so may mean the firm can stop-the-clock running in respect of the five business-day timeframe within which they are otherwise expected to make reimbursement.

If the PSP can demonstrate that the consumer has been grossly negligent in not meeting one or more of these requirements then the consumer may not be reimbursed, though it will depend on the individual circumstances of each case. Gross negligence will never apply where a victim's vulnerability is a factor in them being defrauded. There is also an exception where the consumer seeking reimbursement has acted fraudulently, known as ‘first-party fraud’.

Day said: “The gross negligence exception is just that, an exception. It is described by the PSR in the consultation as a higher standard than for common law negligence with the PSR saying that a consumer’s standard of behaviour will need to show an extreme degree of carelessness for a firm to demonstrate the exception applies.”

She added: “It will be for the firm to demonstrate its customer fell short of the expected standard of care in respect of any of the proposed requirements and was grossly negligent. Firms must not include wording in their contracts adding further requirements to the three limbs currently proposed, or requiring customers to show they were in fact not grossly negligent, as it is for the firm to prove that they were.”

In October, the PSR intends to consult on the general directions it will give to payment firms requiring compliance with APP scam reimbursement requirements in respect of Faster Payments and CHAPS. By the end of 2023, the PSR said it will publish the claim excess and maximum level of reimbursement, its final guidance on the consumer standard of caution and all legal instruments. The new reimbursement requirement will then come into force in 2024, with the PSR expecting to confirm the implementation date when it consults in October. 

Both the latest consultations are open for comment until 12 September 2023.