New rules on the mandatory reimbursement of victims of APP fraud
This article reflects Fire’s views on the state and implications of the PSR’s Mandatory Reimbursement Directive for victims of APP fraud, which comes into effect on 7th October 2024, and does not account for any modifications or amendments made after this date.
Understanding the new regulations and implications for businesses
Authorised Push Payment or APP scams happen when a scammer tricks someone into sending a payment to an account outside of their control. While the term ‘APP scam’ may not be widely known, the types of fraud it covers are all too familiar.
APP fraud is a blanket term used to cover a wide variety of some of the most prevalent fraud types, across Ireland and the UK, such as imposter scams, phishing scams, investment scams and romance scams.
The latest figures available put losses due to Authorised Push Payment fraud in the UK at £341m in 2023 from 252,600 cases. This equates to a 12% decrease from 2022 but a 12% increase in volume, with 252,600 cases reported in 2023 compared to 224,603 in 2022.
With a significant rise in the number of scams reported and subsequent losses for victims since the pandemic, regulators across the EU and the UK have set their sights on tackling APP scams with the Payment Systems Regulator (PSR) in the UK introducing the APP Mandatory Reimbursement Directive and the EU focusing on consumer protections in PSD3. But are they targeting the right area?
In this blog post, we’ll focus on the UK’s approach, specifically the PSR’s new rules on mandatory reimbursement for victims of APP fraud.
Evaluating the Mandatory Reimbursement Directive
The Mandatory Reimbursement Directive will introduce shared liability for APP scam payments between the sending PSP (the victim’s account provider) and the receiving PSP (the scammer’s account provider), with both being liable for 50% of the total payment value per APP scam case, up to a maximum of £85,000. The directive will be applicable to Faster Payment Scheme (FPS) and GBP payments.
The directive will come into force from 7th October 2024 meaning that all APP scam payments processed after this date are in scope for reimbursement. First introduced by the PSR in June 2023, the directive aims to mandate financial institutions to adopt stronger measures for reimbursing APP scam victims and enhance fraud prevention measures utilised by PSPs.
While we believe that victims of scams require enhanced protections and strive to ensure our customers and their funds are kept safe, we feel that the approach taken as part of this directive is flawed for several reasons.
Customer Experience
Faster Payments’ appeal lies in their speed and ease, but we believe this directive will harm the brand and weaken its position as a global leader in instant payments. The directive will likely negatively impact the customer experience for most Faster Payments processed across the UK that aren’t related to APP scams.
PSPs will introduce increasing barriers for customers attempting to make payments. We believe the friction this will create for new payment methods like Open Banking contradicts the PSR’s stated goal of growing Open Banking as a challenger to the Visa and MasterCard duopoly in the retail payment space.
In terms of reimbursements, while the chargeback models used by card schemes are not without flaws, valuable lessons could have been applied to create a functional, fair, and frictionless model for managing disputes and scam reimbursements in Faster Payments. However, by embedding the new mandatory reimbursement model directly into the Faster Payment scheme rather than introducing it in the outer layers of the ecosystem, we believe the potential for iteration and innovation will be severely restricted.
In our view, this model should have been implemented in a payment arrangement layered over the scheme rather than being integrated into the core of the Faster Payment scheme.
Prevention vs Reimbursement
We believe that focusing resources on mandating reimbursement and shared liability between the sending and receiving PSPs is like closing the stable door after the horse has bolted.
Our view is that prevention is better than cure, and that prioritising industry-wide solutions to tackle fraud before a victim suffers a loss or a scammer makes a gain should be the focus for regulators and financial institutions alike.
While the reimbursement of losses to the victim is welcome, there is no deterrent to the scammer as part of this directive. If the payment has already been made by the victim to the scammer, the scammer will have achieved their goal and will move on to their next victim.
We believe that solutions such as Enhanced Fraud Data, Fraud Overlay and Confirmation of Payee should be prioritised to enable firms and our customers to identify fraudulent payments before they are sent ensuring that the victim is never at a loss and a scammer never makes a gain.
Small PSPs vs Large PSPs
At Fire, we feel that this directive was created with a focus on large banks without considering the impact it could have on competition and innovation in the payments industry.
Small payment and eMoney institutions are the cornerstone of the payments industry in the UK, where the fintech sector is comprised of over 1,600 firms, a number that is projected to double by 2030.
The sector contributes an estimated £11 billion and over 76,000 jobs to the UK economy. Introducing high liability thresholds will create a barrier to entry for new businesses in this sector and hinder investment in existing firms, putting the sector’s growth at risk.
The directive and its requirements also put small PSPs at a disadvantage when compared to larger PSPs in areas such as resourcing, accessibility to data and capacity to absorb losses due to claims. It is important to note that Payment Institutions and eMoney Institutions are not allowed to provide credit services based off customer balances, a key revenue generator for banks and credit institutions.
Most of these smaller PSPs operate on a pay-per-click model, which cannot sustain liability that could reach tens of thousands of pounds for a single case, especially when payments are processed for just pennies.
We believe a full market impact assessment should be done to evaluate the effect of the directive on the fintech market as soon as possible so that safeguards can be put in place to protect not just consumers but the industry as a whole so it can continue to provide for the economy.
The role of social media in APP scams
One of the primary aims of the PSR’s APP Reimbursement Directive is to incentivise payment service providers (PSPs) to invest more in fraud prevention by introducing shared liability across the sending and receiving PSPs.
However, due to its very nature, APP fraud can be difficult to identify and even more difficult to stop, particularly in cases where the scammer has the victim under their “spell”. PSPs cannot block payments indefinitely without due cause. Even in cases where a potential scam payment has been identified and queried with a victim, if they insist on the payment being sent there is nothing the PSP can do.
Financial institutions have and will continue to invest heavily in fraud prevention tools and systems to protect their customers regardless of the reimbursement liability introduced by this directive.
At Fire, we believe that this directive is aimed at the wrong sector. While PSPs facilitate the movement of money from a victim to the fraudster and play a role in tackling fraud, they are not the platforms where the fraud originates. In 2023, 77% of all APP scams began on social media.
It is our firm belief that social media companies must play their part in helping to curb the rise of APP scams, not just in the UK but globally. Without enforcing incentives, such as liability, on social media companies, fraudsters will continue to use these platforms to target victims en masse with limited risk.
We believe that introducing reimbursement liability on PSPs without implementing preventative measures for social media companies will ultimately benefit scammers by offering them new ways to build trust and further manipulate their victims.
This creates a moral hazard, leading victims to believe that even if something seems too good to be true, they won’t suffer a loss: “You can trust me; send the payment, and in the worst-case scenario, you’ll get your money back from your account provider.”
Conclusion
In conclusion, while the introduction of the PSR’s APP Mandatory Reimbursement Directive is a positive step toward protecting victims of fraud, it may not address the root causes of the issue.
The directive’s focus on reimbursing victims after the damage is done, without addressing the source of scams – particularly social media platforms – may leave the door open for fraudsters to continue exploiting vulnerable individuals. The financial burden placed on PSPs, particularly smaller institutions, could also hinder innovation and growth in the fintech sector, potentially creating market imbalances.
Preventative measures, such as enhanced fraud detection tools and stronger collaboration between PSPs and social media companies should be a priority. This would ensure that scams are intercepted before any money is lost, offering more robust protection to both consumers and the industry as a whole.
In the long term, holding social media platforms accountable and encouraging their active participation in fraud prevention is essential for a comprehensive solution to the growing threat of APP scams.
We welcome your thoughts on the PSR’s Mandatory Reimbursement Directive and its implications for APP fraud. If you have questions or would like to discuss this topic further, please reach out to our team. Our experts are available to provide insights and assistance.