UK Payment Providers Finalise Preparations For Fraud Reimbursement Rules

September 24, 2024

The Payment Systems Regulator’s (PSR) new authorised push payment (APP) fraud reimbursement rules take effect on October 7, 2024, with many banks and payments firms still unprepared and unhappy, despite the regulator’s concession on the reimbursement limit.

From October 7, consumers will be protected by the PSR's new APP fraud reimbursement rules, with providers required to reimburse up to £85,000 — down significantly from the initial proposal of £415,000, but still a substantial amount.

The new policy is arguably the first occasion on which the regulator has faced such widespread scrutiny and backlash, with its former managing director, Chris Hemsley, having exited his role suddenly at the beginning of the summer.

However, with a few weeks to go until compliance with the rules is actionable, there are still technical questions to be considered. 

“My sense is that some firms are not fully prepared, as they haven’t yet made all the necessary policy and operational changes,” said Max Savoie, a partner at Sidley Austin. “Many may still be in the process of doing so.”

Savoie noted that despite long anticipation, the time between the release of detailed reimbursement rules and the compliance deadline has been short, leaving firms with limited time to act.

“The industry is very much in the process of catching up on the APP fraud requirements as these have been developed very quickly,” agreed Omar Salem, a partner at Fox Williams.

For example, the regulator only published advice on the information that should be provided to customers in August. 

“The proposed reduction in the reimbursement cap has been welcomed by the industry, but the PSR will only confirm the cap by the end of September, and the new rules come into force on October 7,” he pointed out. 

Moreover, Savoie questioned how much of a difference the reduction in cap makes to the technical changes that firms are having to make in preparation. 

“How firms prepare for this is still quite similar, regardless of the recent changes to the reimbursement caps,” he said. “Preparing for reimbursement rules requires collaboration across multiple functions, with teams sitting down and working together.”

Change and complexity

According to Savoie, the challenge for firms is not just about legal and compliance, but also implementing operational changes, as well as changes to customer communications.

He also said that an area where he has seen quite a few questions asked is around scope. 

“The PSR has published an indicative list of in-scope payment service providers. However, not all such firms will necessarily be in scope and those that are will probably not be in scope for all payment transactions that they process.

“Firms need to consider whether they fall within the scope, and if so, for which customers and transactions,” he said. “Given the criteria, some parts of the payments sector will fall outside the scope of these rules entirely and others will be in scope only for certain of their activities.”

Fox Williams’ Salem said that the reduction of the cap also brings new complexities. In particular, customers will still be able to claim up to £430,000 in compensation for APP fraud by complaining to the Financial Ombudsman Service (FoS).

Another effect is that the cost of reimbursement under the PSR’s rules is split between the sending and receiving payment provider, but if individuals go to the FoS, they are likely to complain about the sending payment provider, which could lead to the full amount being reimbursed by the sending payment provider. 

“There is likely to also be a divergence between the approach under the PSR's rules and the FoS, as the FoS has discretion to consider what is fair and reasonable,” he warned. 

Variations across the ecosystem

Savoie drew attention to comparable situations in other areas of the payments industry.

“By analogy, if you look at card payments, there are significant exposures for issuers and acquirers, but they are generally manageable,” he said.

He noted that the payments sector has adapted to fraud risks under card scheme rules, stating "fraud risk for the broader sector should not be insurmountable". 

However, he warned that smaller providers handling credit transfers and remittance may face significant and uncertain exposure under reimbursement requirements.

“There could be a lingering liability risk with a long tail, particularly given the relatively long timeframe for claims,” he said. “For those not accustomed to managing this type of risk, it could require significant changes.”

He added that even firms that will not face massive exposure still have a lot to do, including staff training, reviewing customer communications and contracts, and deciding when to investigate, delay payments, or reject or pay out claims.

“The challenge is that there are risks on both sides. If you're overly cautious and investigate everything, you might face higher costs and increased regulatory scrutiny from a consumer protection perspective, and may reduce your ability to split liability with the payment service provider of the payee,” he said. 

“On the other hand, if you take a more permissive approach, thinking the cost of investigating isn’t worth it, you risk regulatory scrutiny for not following the spirit of the rules from an anti-fraud perspective and making yourself a target for fraudsters.”

How things will look moving ahead

As for what to expect going forward, Salem predicted that firms are likely to look at strengthening their onboarding processes and ongoing transaction monitoring, as well as looking to educate customers about APP fraud and how to prevent it. 

“We may also see more friction in the system, with more payments blocked or delayed. It remains to be seen how much more than what they are already doing payment firms can do and how much of an impact this will have.”

Jackie Barwell, fraud product manager at ACI Worldwide, agreed that banks need to revisit their onboarding processes, “at the very least to prevent the onboarding of accounts opened with synthetic IDs”. 

“There should be a review and revision of these processes,” she urged. “Improved monitoring will also allow for better investigation into account takeovers. At the end of the day, APP fraud is only possible if fraudsters gain access to an account. This is something everyone needs to address.”

But despite the inevitable downsides of the new regulation, there is sympathy in the payments industry towards the necessity of doing something, and the UK is not the only jurisdiction revising and strengthening its fraud protections at the moment. 

For example, Singapore has introduced a variety of changes, and the US state of California and the EU are also looking to introduce reimbursement changes. 

Barwell said that in the UK there is “a collective feeling that more shared responsibility is needed, particularly in determining liability before gathering all stakeholders”. 

She pointed out that banks understand the magnitude of the problem, and even went as far as to say that UK banks do not view the change as a bad thing.

“It wasn’t fully thought through, but there’s a consensus that something must happen.

“If you look at the potential unintended benefits, it could lead to effective real-time intelligence sharing across banks, which would be a positive development,” she said, adding that it might compel banks to share intelligence and take the issue more seriously, rather than hiding behind data privacy rules or similar concerns. 

“There's some nervousness about stepping outside certain boundaries, but there are already rules in place around fraud detection and prevention within existing regulations.”
