The UK Payment Systems Regulator (PSR) is pressing ahead with measures to improve reimbursement rights for consumers who fall victim to "authorised push payment" (APP) frauds, in which they are tricked by a fraudster into transferring money from their bank account to another account. This will be a major departure from the current position, where victims of these frauds are only compensated by payment service providers (PSPs) (normally being banks) on a goodwill basis.
In a report issued last Wednesday, the PSR confirmed plans for a "contingent reimbursement model" (CRM) under which PSPs will compensate eligible victims of this ever-growing type of fraud, now reportedly the second most prevalent in the UK (after card fraud). The plans closely mirror initial proposals made by the PSR in its November 2017 consultation paper.
The PSR's work follows a "super complaint" by Which? in September 2016 about the lack of effective protections for the tens of thousands of APP fraud victims each year and the inconsistency between the treatment of these frauds and those perpetrated in other ways such as via card systems. Multiple organisations, including banks, have responded to the PSR's consultation.
There has been significant, although not unequivocal, support for the idea of a CRM, reflecting widespread recognition of the importance of maintaining trust in the UK retail banking market, particularly given the recent launch of Open Banking. A design phase will now begin, during which a steering group will develop a detailed industry code setting out the rules and circumstances under which PSPs will (on the proposals' current scope) compensate consumer, micro-enterprise and charity victims of APP frauds involving payments between UK accounts. The rules are to be consistent with core principles set out by the PSR, which include incentivising preventative action and delivering consistent outcomes for victims.
Much work lies ahead for the steering group, and the timescales are demanding: the PSR expects an interim code to be in place by September 2018, from which time the Financial Ombudsman Service (FOS) will consider it when dealing with complaints about APP scams, with a final code to be developed by early 2019. Important questions remain about the shape of the code, such as the circumstances in which victims will be compensated. For example, if a victim has met a certain level of care, and a bank has been at fault, that bank will provide compensation. However, a major outstanding issue is whether PSPs will be liable in a "no blame" scenario where neither they nor the victims have breached the requisite standard. The steering group will also need to agree the standards of care expected of PSPs and customers under the scheme. It is also unclear whether individual payouts will be capped at a maximum amount (given that the FOS jurisdiction is limited in any event to £150,000).
The ambitious timescales should not, however, allow a number of broader issues and other initiatives relating to APP and other payment frauds to be overlooked.
For example, for consumers who do not meet the reimbursement criteria, and for the many businesses who also fall victim to APP frauds but are outside the scope of the planned CRM, effective pursuit of civil methods of recovering monies will remain critical. This can, however, be hampered by the existing system. Six responses to the PSR's consultation, including several from PSPs, expressed the view that potential legal and regulatory issues around responding to (and preventing) APP frauds should be addressed before developing a CRM, including in relation to information sharing, freezing accounts and the recovery of funds.
One problem frequently encountered is that enforcement agencies are insufficiently resourced to deal with the rapid proliferation of these frauds, but victims are often not advised of this or of civil recovery methods of pursuing lost assets. This causes delay in seeking legal advice and, meanwhile, the further dissipation of stolen assets. One issue on the agenda for the steering committee should therefore be the information provided to victims about the courses of action available to them.
Likewise, victim access to information about where funds have gone is critical to civil fraud remedies, but court procedures for obtaining this can be slow. Information sharing is an area where work has been done as part of, for example, the development by UK Finance of Best Practice Standards on APP frauds, which retail bank members of UK Finance are now implementing. However, a number of organisations responding to the PSR consultation remained concerned that what is and is not permitted by way of data sharing under current legislation and the forthcoming General Data Protection Regulation must be properly addressed. In addition, the Best Practice Standards focus on information sharing between banks, rather than with the victim who ironically, at present, has the most interest in receiving the information, if they are to recover their monies.
These are points which Pinsent Masons, the only law firm to publicly respond to the PSR's consultation, made in its response. It is therefore pleasing that the PSR has encouraged the setting up of a satellite group of the steering group to focus on civil recovery methods and the barriers to these. The PSR has also made it a core principle of the CRM that other initiatives to prevent and help respond to APP frauds should be leveraged. Such initiatives include the ongoing work of the Joint Fraud Taskforce on a funds repatriation scheme to help trace and freeze assets, and the associated Payments Strategy Forum work on transaction data analytics aimed at identifying mule accounts and potentially also asset recovery. A holistic approach to APP fraud prevention and response is essential to ensure that the various ongoing initiatives work in tandem. Even if the work of the CRM steering group and its civil recovery satellite group are principally consumer-focused, the benefits of a joined-up approach in this area should also filter through to businesses.
Many will be interested to see if the scope of the CRM will be extended in future. Particular issues will include whether it should cover payments to overseas accounts (as some have suggested is essential for the scheme to be effective given the international dimension of many frauds) and whether it should be extended to businesses. If businesses were to be covered, any financial cap on recoveries would be highly relevant, because the sums stolen from businesses through APP frauds can be very large.
The current need for businesses to look elsewhere for protection against APP fraud-related losses is therefore likely to continue, at least to some extent. With this in mind, another positive feature of the PSR's report is its recognition that the CRM should not stifle the commercial innovation of additional measures and products to protect customers. One idea which might be explored by the industry is the development of an insurance-based solution, whereby additional protection for payments (such as those of high value) could be purchased by customers. This would be akin to the Royal Mail's tiered model of postage options, which provide different levels of compensation for lost items. It will be interesting to see whether there is any take-up of this or other innovations.
The authors: Alan Sheeley, Partner, Head of Civil Fraud and Asset Recovery Team; Jennifer Craven, Senior Associate, Pinsent Masons LLP