.svg)
Facing growing criticism of its new rules on APP fraud reimbursement, the UK’s Payments Systems Regulator (PSR) has said it is "confident" that its plans will drive the right consumer outcomes.
The PSR has responded to an open letter from Tony Craddock, director general of the Payments Association (PA), who this week called on the UK government to rethink its approach to authorised push payment (APP) fraud.
Writing to Lord Johnson, minister of state at the Department for Business and Trade, Craddock said the PSR’s new rules on APP fraud reimbursement could harm the payments industry and lead to loss of UK investment.
"While some of the policies to reduce this £485m fraud problem make good sense and will go some way towards reducing APP fraud, two policies have potential unintended consequences, and one has been omitted altogether," he said.
First, the policy that all consumers will be reimbursed for APP fraud (except in cases of “gross negligence”) means that two people could pretend to defraud each other to pocket the reimbursement funds.
Similarly, Craddock said there is an incentive for fraudsters to pretend to be “vulnerable” to strengthen their reimbursement claim and avoid the “gross negligence” exception.
In turn, this could lead to financial exclusion, as banks and financial institutions limit account activity or shy away from opening accounts for customers who present a higher fraud risk, he said.
But the main issue raised by Craddock, which is currently gaining traction among payments industry professionals, is that without involving social media companies, “we will not stop APP fraud at its source”.
Given that up to 80 percent of APP fraud originates on social media, Craddock said that securing involvement from upstream actors is “critical” to preventing APP fraud and reducing consumer losses.
But speaking to VIXIO, a PSR spokesperson said the regulator remains confident that its new rules can and will prevent APP fraud.
“The steps we have announced will establish a clear set of minimum standards of behaviour and encourage all payment firms to step up their efforts to prevent fraud from happening in the first place,” they said.
“This will help us move towards a better payments ecosystem, with greater protections against fraud and, in turn, lower costs of managing the consequences of fraud.”
The spokesperson added that the PSR will continue to work with Pay.UK, the industry and organisations “beyond the payments sphere” to implement its requirements, but did not comment directly on the role of social media companies.
Rethinking reimbursement
Under the PSR’s new rules, both the sending and receiving bank will be held liable for APP fraud reimbursement on a 50/50 basis.
This measure has generally been welcomed by the payments industry as a common-sense approach that will lead to more equal protections against fraud across banks.
However, social media companies will remain outside the scope of the new rules, despite their key role as a launchpad for APP fraud.
Dan Holmes, SME on fraud prevention at financial risk ops platform Feedzai, told VIXIO that although banks have done an “excellent job” of strengthening fraud controls, their work risks being undermined by the hands-off approach to social media companies.
“It is increasingly apparent that social media is proving a valuable tool for scammers to connect themselves with possible victims, long before the victim makes a payment via their banking provider,” he said.
“As a result, banks and others are calling for social media giants to step up and take accountability.”
Gary Prince, CEO of The Payment Firm, a UK-based e-money institution, also told VIXIO that the PSR’s lack of interest in social media companies speaks to its lack of understanding of root causes.
“Their response shows they really have no idea of the reality of how fraud is perpetrated,” he said.
“The onus or responsibility cannot lie solely with the payments industry to catch fraud in flight — it’s about stopping the fraudsters from being able to set up the scam in the first place.”
Looking ahead, Holmes said that there are two potential models that regulators could pursue if social media companies were to be brought into an APP fraud rule-set.
The first is that social media companies are forced to take on some form of financial liability for consumer scams, and the second is that social media companies are forced to improve their fraud defences, with greater control of users and actions taking place on their platforms.
In the short term, Holmes said the second option is the more likely outcome, especially given the many “low-hanging fruits” that social media companies could use to tackle fraud on their platforms.
“Basic controls such as device recognition for fraud prevention and simple velocity checks will allow social media companies to better control the risk of suspicious accounts,” he said.
Paul Davis, director of fraud prevention at TSB, has also said he would favour this approach. Earlier this month, TSB called on Meta — the source of 80 percent of all APP fraud detected by TSB — to implement technical controls to prevent fraud.
“Meta needs to face up to its responsibility: it has a duty of care to the millions of customers who use its platforms, which is all the more important when we see innocent people lose life-changing sums every day," he said.
“Today, we have written to Meta demanding it puts in place the tech interventions urgently required to stem the tide of fraud and protect the many consumers who put faith in its services.”
If increased controls show immediate results, such as an increase in the number of pages or accounts removed due to suspected fraudulent activity, then Holmes said he would expect calls for social media companies to be held financially liable for APP fraud to quiet down.
However: "If they fail to take action and improve their fraud controls, then expect the liability discussion to rumble on for much longer yet.”
