.svg)
The UK Payment Systems Regulator (PSR) has published its consultation on two of its draft directions, which are the legal means to put its new authorised push payments (APP) scam reimbursement requirements in place.
Payments players in the UK now have a broad timeframe for APP fraud compliance.
This is because the PSR has been able to set out its plans following the Financial Services and Markets Act’s passage earlier this month.
The regulator has said that it is aiming to have new requirements in place by April 2, 2024.
However, it has said that stakeholders should expect the compliance requirements to be in place by “no later than Q2 2024”.
In August, the PSR said that it will consult on the maximum level of reimbursement and claim excess, and provide additional guidance on the customer standard of gross negligence.
In September, the PSR will subsequently consult on its draft general direction to require reimbursement for APP scams victims from all payment firms.
By the end of 2023, the PSR hopes to publish the claim excess and maximum level of reimbursement, additional guidance on customer gross negligence and all legal instruments.
“This is a broad package of measures to tackle APP scams and protect victims of these frauds,” said Chris Hemsley, managing director of the PSR. “Our directions will put clear requirements and incentives in place to not only ensure payment firms improve how they stop fraud, but also make sure victims are treated fairly.
“By consulting on these directions now, we are sending a clear signal that we are moving to implement these proposals as soon as possible.”
Overall, the PSR’s plan is for three stages of reforms, including publishing fraud data in a consistent way, which shows rates across the different banks.
According to Max Savoie, partner at Sidley Austin, this may be with a view to naming and shaming, and banks will want to ensure that they are compared in a fair way. “This is particularly the case for banks that are servicing other payment service providers."
The second stage of reform focuses on data sharing, he continued, adding that this has the potential to be helpful for managing fraud risk across the sector.
“Whenever sharing data, firms need to consider the risks that come with that, including the application of competition and data protection laws."
The third stage, meanwhile, is the new reimbursement requirement on which the PSR is currently consulting.
“This will generally push the risk of APP fraud onto banks unless they can demonstrate the customer acted with gross negligence, which in practice may be difficult to prove,” he said. “Vulnerable customers will generally need to be reimbursed even in circumstances of gross negligence.”
Savoie told VIXIO that firms will need to put new procedures in place that enable them to quickly identify in-scope transactions and determine whether a customer is vulnerable for the purposes of the rules.
"There is a lot that firms will need to do in terms of refining their procedures, and there will need to be processes in place for reviewing customer reports, as well as for communicating with other service providers and for meeting reimbursement timelines,” he added.
“The timeframes to make assessments are pretty tight and there are only limited circumstances in which firms will be able to stop the clock."
So far, it cannot be said that the industry is taking the plans lightly. In fact, some proposals from the PSR have courted controversy.
"Measures are clearly needed to combat APP fraud, which can have a devastating impact on victims, but there also needs to be more consideration of the unintended consequences such measures could have on open banking,” Jack Wilson, head of public policy at TrueLayer, told VIXIO.
For example, Wilson cautioned PSR's changes to liability could lead to banks slowing down payments and changing their risk appetites so that more legitimate payments, including in open banking, are blocked or limited.
“Implementing the changes is also likely to add cost to processing payments,” he said
“Such unintended consequences run counter to the PSR's own strategy of enabling account to account payments as a competitive retail payment method.”
For Wilson, existing measures such as Confirmation of Payee and the Contingent Reimbursement Model already show signs of working, with APP fraud trending downwards.
“We think more time is needed to assess this trend before further, more fundamental liability changes are activated."
The Payments Association, meanwhile, said that these rules could result in “unintended consequences”.
For example, the lobbying group said that the decision to split the cost of compensation 50/50 between the sending bank/issuer and the receiving bank/issuer will likely make firms more cautious about opening marginal accounts, hurting low income and/or vulnerable customers.
In addition, the Payments Association echoed others in the industry when it said that social media firms need to be in scope of the plans.
However, this is tough for the PSR to implement, as it has told VIXIO that it is not mandated to regulate social media firms.
"The reason that regulators can't act is because these companies are American, and the US naturally is very protective of its tech industry,” pointed out John Bertrand, director at On Demand Payment Technologies.
Bertrand added that the PSR is “trying to do good” with these plans.
"The issue is reimbursements, which appear to vary a lot between the main banks,” he said. “These new requirements should put more scrutiny on the banks, and mean that reimbursement must be done within 48 hours."
The issue that UK players are now contending with is likely to make its way onto the continent soon, with the European Commission having unveiled extended reimbursement rights in revisions to the Payment Services Directive.
