The UK government has indicated that UK banks will be required to provide refunds to victims of “push payment” fraud (also known as “APP” fraud), as part of a package of proposals to address the significant growth of online scams and financial fraud since the onset of the pandemic.
The proposals are based on a consultation paper published last week by the Payment Systems Regulator (PSR), which is under consultation until January 2022.
APP fraud involves fraudsters tricking a company or individual into making a payment to the fraudster’s account, by impersonating a genuine payee, often through hacking or using a similar email address. The consultation paper notes that in the first half of 2021 more than £355m was lost to this type of fraud, which represents a 71% increase compared with the first half of 2020.
The PSR’s consultation paper sets out three measures that it proposes to introduce in order to tackle APP fraud:
- Publishing scam data: requiring the largest payment service providers (PSPs) to publish a scoreboard of their performance in relation to APP scams, including the rate of APP scams experienced by that provider and the rate of reimbursement to the customers that fall victim to those scams.
- Intelligence sharing: improving intelligence sharing between PSPs about the riskiness of payments in order to improve scam prevention.
- Wider reimbursement: encouraging legislative change to ensure greater reimbursement protections for customers.
The third point stands out both for PSPs themselves and for victims of APP fraud. Many high street banks already sign-up to a voluntary code to combat fraud, which has improved the rate of reimbursement for victims of APP fraud, where those victims have not acted with gross negligence. However, the code is inconsistently applied and the average reimbursement rate is less than 50%.
The PSR’s proposals include suggestions for PSPs to be part of a mandatory regime requiring them to reimburse all victims (subject only to exceptions where a customer does not act appropriately) or to sign-up to a code approved by the PSR that imposes high compliance requirements on PSPs. To the extent that PSPs do not sign up to such a code they would be liable to reimburse all victims of APP fraud, subject only to very limited exceptions (for example, in cases of first-party fraud).
The proposals will offer comfort to potential victims of APP fraud but look to impose very high financial obligations on PSPs. We shall watch with interest to see how the PSR’s proposals may ultimately be implemented.