APP scams reimbursement
Issue 559: 19 December 2023
APP scams reimbursement
Earlier today (19 December 2023) the Payment System Regulator (PSR) issued Policy Statement 23/4 “Fighting authorised push payment scams: final decision.”
The document outlines the PSR’s final position on, and more information on APP scam reimbursement including:
The consumer standard of caution.
The level of the excess.
The maximum level of reimbursement.
The start date of the policy.
The legal instruments we are using to implement the reimbursement requirement.
The action we’re taking significantly increases the level of protection for people and puts the UK at the forefront of APP fraud protections globally.
Our approach incentivises banks and other payment firms to prevent APP fraud from happening in the first place while ensuring victims are protected in a consistent way.
Payment firms are already getting ready by improving fraud controls and more people are getting their money back. We now expect the momentum to implement the full protections to increase.
We’ll be working closely with Pay.UK and payment firms to make sure they’re fully prepared to implement the new requirement next year.
Chris Hemsley, Managing Director, PSR.
APP scams reimbursement - key points you should know
The PSR’s policy statement is supported by three legal instruments and various ancillary documents - you’ll find them on the PSR’s website here.
At 68 pages the policy statement is not a long read but to make things easier this briefing selects the key points outlined in the policy that you need to know.
PSR’s policy aim
In publishing this policy statement the PSR’s aim is to:
incentivise the payment industry to invest further in end-to-end fraud prevention by making every payment firm meet the cost of reimbursing.
increase customer protections so most victims of APP fraud are swiftly reimbursed, boosting confidence in the UK payment ecosystem.
pursue our long-term ambition for Pay.UK to take on a broader role and actively improve the rules governing Faster Payments to tackle fraud.
The PSR want payment firms to take responsibility for protecting their customers at the point a payment is made and expect the new reimbursement requirement to lead firms to innovate and develop effective, data-driven interventions to change customer behaviour - perhaps by adopting or refining a risk-based approach to payments, with firms making better decisions on when to intervene and hold or stop a payment.
Alongside the requirement to reinsures victims the PSR have introduced a new balanced scorecard of APP fraud data with the first set of data being published in October 2023, which covered fraud performance between January and December 2022.
The PSR notes that concerns were raised by small PSPs, including electronic money institutions (EMIs), that a high maximum limit for reimbursement may create prudential risks and heighten the likelihood of unprofitability and insolvency therefore undermining competition in the sector.
The PSR’s response is that they believe that:
There are active steps that PSPs can take to manage this risk, and their liability under our reimbursement policy, by improving fraud prevention controls to avoid losses arising in the first place. We consider our reimbursement policy to be a proportionate response to tackling the increase in APP scams, by focusing PSPs’ efforts on fraud prevention and consumer protection, while increasing confidence in Faster Payments.
Legal Documents
To achieve their regulatory objective the PSR have published three legal instruments:
A specific requirement (SR1) imposed on Pay.UK to change the Faster Payments rules to include the reimbursement requirement and associated reimbursement rules.
Pay.UK are required to finalise the reimbursement rules by 7 June 2024 and take effect by 7 October 2024 and the rules must apply to all members of Faster Payments that provide relevant accounts.
The APP scam reimbursement rules that Pay.UK must include within the Faster Payments rules are:
Reimbursement requirement: Sending PSPs must reimburse APP scam victims,
except where the consumer standard of caution exception or time limit on claims applies.
Notifying the receiving PSP: When a sending PSP receives a report of an APP scam case, it must notify the receiving PSP within a specified period, to maximise the likelihood of retrieving stolen funds. Pay.UK will determine this period and must keep it under review.
Sharing the cost of reimbursement: If claimed by the sending PSP, a receiving PSP must send 50% of the cost of a reimbursement claim to the sending PSP, within a deadline to be set by Pay.UK. Subject to the claim excess and maximum level of reimbursement, 50% of any retrieved funds that are stolen in an APP scam but then recovered must be returned to the sending PSP by the receiving PSP.
Claim excess: The sending PSP can subtract a sum up to the maximum level of the claim excess from the amount reimbursed to the victim. The claim excess does not apply when the consumer is vulnerable, and the vulnerability had a material impact on the consumer’s ability to protect themselves from the scam. The sending PSP will assess this on a case-by-case basis.
Maximum level of reimbursement: The sending PSP is not obliged to reimburse above the maximum level of reimbursement for a single APP scam case. The maximum level of reimbursement is set by the PSR and covered below.
Time limit to claim: The sending PSP is not obliged to reimburse any APP scam claim where the customer submits the claim more than 13 months after making the last payment in the case. Pay.UK will keep the 13-month period under review.
A specific direction (SD19) given to Pay.UK to create and implement an effective compliance monitoring regime for PSPs, in line with the reimbursement rules and our specific direction on industry.
To ensure the effectiveness of the reimbursement policy, the PSR are directing Pay.UK to create and implement a compliance monitoring regime for the reimbursement rules across all directed PSPs (including indirect participants).
The PSR believe that Pay.UK is best positioned to design the most effective and efficient monitoring mechanism, in conjunction with industry and expect an effective compliance monitoring system to measure whether in-scope PSPs are consistently complying with the reimbursement rules, identify non-compliance, and ensure that where there are compliance issues, Pay.UK takes steps to address these (in line with its compliance management procedures), where it has the powers to do so.
The specific direction requires Pay.UK to:
develop and implement arrangements to monitor compliance by all directed PSPs with the reimbursement rules
monitor the nature, extent and effectiveness of directed PSPs’ compliance with the reimbursement rules
take steps to improve directed PSPs’ compliance, where it has the power to do so
gather data and information from directed PSPs to monitor compliance
report to the PSR on the nature, extent and effectiveness of directed PSPs’ compliance with the reimbursement rules, supported by data gathered from PSPs.
The specific direction requires Pay.UK to submit proposals to the PSR for an effective compliance monitoring regime - Pay.UK must outline:
the data it will collect and review from PSPs
how it will collect this data, including whether it will use a template or an automated process
how frequently it will collect data
how it proposes to analyse the data it collects
how this data will be used by it to monitor and assess PSP compliance with the reimbursement rules how it will share this data with the PSR.
Pay.UK must give directed PSPs reasonable opportunities to make representations to it about its compliance monitoring proposals and Pay.UK must consider these representations, and take them into account as appropriate, ahead of submitting them to the PSR.
Pay.UK must submit its final compliance monitoring proposals for the PSR’s approval by 5 April 2024. It must also formally publish its approved compliance monitoring regime by 7 June 2024. The compliance monitoring regime must then come into force alongside the reimbursement requirement on 7 October 2024.
A specific direction (SD20) given to Faster Payments participants obliging them to comply with the reimbursement requirement and the reimbursement rules.
Given that Pay.UK’s scheme rules only apply to direct participants, the PSR are overlaying the reimbursement rules with a specific direction to all in-scope PSPs.
In-scope PSPs are those which participate in Faster Payments and provide a relevant account in the UK to their service users which can send or receive Faster Payments but excludes credit unions, municipal banks and national savings banks.
The key features of SD 20 are:
Reimbursement requirement: This is the core of the PSR’s APP scam reimbursement policy. The obligation for reimbursable APP scam payments to be reimbursed by the sending PSP to the victim in full, subject to the additional provisions and exceptions set out in the PSR’s specific requirement on Pay.UK.
Scope of the reimbursement requirement: The reimbursement requirement applies to all reimbursable APP scam payments made on or after the start date of the PSR’s policy (7 October 2024).
Obligation on in-scope PSPs to comply with the reimbursement rules:
All in-scope PSPs must comply with the reimbursement rules that Pay.UK creates under the PSR’s specific requirement.Indirect access providers to provide information about their indirect PSP customers: All IAPs must send the PSR a list of indirect PSPs to whom they supply Faster Payments, annually, from 31 March 2024. By 30 April 2024, and monthly thereafter, they must update the PSR with any changes to the list.
These instruments place legal obligations on Faster Payments participants that provide relevant accounts to comply with the reimbursement requirement from the start date.
Reimbursement rules start date
Keep reading with a 7-day free trial
Subscribe to Payments:Unpacked to keep reading this post and get 7 days of free access to the full post archives.