Briefing
Authorised Push Payment fraud: a new mandatory reimbursement regime for UK PSPs
On 7 October 2024, a new mandatory reimbursement regime for victims of authorised push payment (APP) fraud will come into force in the UK. From that date, payment service providers (PSPs) will be required to reimburse in-scope customers who fall victim to APP fraud in most cases. The cost of reimbursement, which is capped at £85,000, will be shared equally between sending and receiving payment firms. In this client briefing, we summarise the new regime and what it means for PSPs.
The road to mandatory reimbursement
APP fraud occurs when someone is tricked into authorising a transfer of money to an account outside their control that they believe belongs to a legitimate payee. In September 2016, the consumer group Which? submitted a super-complaint to the Payment Systems Regulator (PSR) and the Financial Conduct Authority (FCA) in which it noted the increasing prevalence of APP fraud and called on the regulators to take action.
Following the super-complaint, the PSR worked with consumer representatives and the payments industry to develop a voluntary Contingent Reimbursement Model (CRM) Code for APP scams, which came into force in May 2019. Banks that signed up to the Code committed to make a decision regarding reimbursement within 15 working days of being notified of an APP scam by a customer using the Faster Payments System (FPS). Individuals unhappy with the way their complaints were handled by a bank could refer them to the Financial Ombudsman Service (FOS), regardless of whether the bank was a signatory of the Code. More than a dozen UK banks have now signed up to the Code, which is administered by the Lending Standards Board (LSB).
In November 2021, the UK government announced plans for legislation to allow the PSR to make APP fraud reimbursement mandatory for PSPs. Section 72 of the Financial Services and Markets Act 2023, which received Royal Assent on 29 June 2023, requires the PSR to make APP fraud reimbursement mandatory for payment orders executed over the FPS. This provision came into force on 29 August 2023.
The PSR has published a number of consultation papers (CPs) and policy statements (PSs) regarding the mandatory reimbursement regime. For a summary of the PSR’s original proposals, see our blog post from September 2023.
The PSR has also published several legal instruments related to the reimbursement requirement. These instruments place legal obligations on FPS participants that provide relevant accounts to comply with the reimbursement requirement from the start date. Relevant accounts are accounts which are held in the UK and can send or receive payments using the FPS, but exclude accounts provided by credit unions, municipal banks, and national savings banks.
Reimbursement requirement for APP fraud in Faster Payments
Specific Requirement 1 (SR1) requires Pay.UK, as the independent payment system operator (PSO), to include the reimbursement requirement in the FPS rules. Pay.UK published the final FPS Reimbursement Rules on 3 September 2024. Specific Direction 20 (SD20) contains the APP scams reimbursement requirement and directs in-scope PSPs to comply with the reimbursement rules. Sending PSPs must reimburse all customers who fall victim to APP fraud, subject to the exceptions and limits set out below.
The reimbursement requirement includes payment initiation service (PIS) transactions but does not apply to payments across other payment systems, international payments, or payments made for unlawful purposes. It also does not apply to civil disputes, such as where a customer has paid a legitimate supplier for goods or services but has not received them, has found them defective in some way, or is otherwise dissatisfied with the supplier. The PSR has published guidance setting out high-level factors that PSPs should consider when making a determination on whether a claim is a reimbursable APP scam or a civil dispute.
The sending PSP must notify the receiving PSP within two business hours of an APP fraud claim, and the receiving PSP should provide any relevant information to the sending PSP within three business days. PSPs that do not operate the sending or receiving payment account are out-of-scope. Where a PSP knows or suspects that a person is engaged in money laundering or dealing in criminal property, they must submit a Suspicious Activity Report, and follow their legal obligations.
Sharing the cost of reimbursement
Receiving PSPs must pay sending PSPs 50 per cent of the reimbursement that the sending PSP paid to the customer. Payment must be made within five business days of notification of the reimbursable contribution amount by the sending PSP.
50 per cent of any funds that are stolen in an APP fraud but then recovered must be repatriated to the sending PSP. After 13 months following payment of the reimbursable contribution amount, the status of the FPS APP scam claim will move from dormant to closed without repatriation.
Exceptions for APP fraud claims
Reimbursement is not required where the customer has acted fraudulently (‘first-party fraud’) and where the customer has acted with gross negligence. Gross negligence is already an exception to PSP liability for unauthorised frauds under section 77(3) of the Payment Services Regulations 2017 (PSRs 2017) and is one of the exceptions to reimbursement in the CRM Code. This is the ‘consumer standard of caution exception’ for APP fraud claims.
In December 2023, the PSR issued guidance clarifying the consumer standard of caution exception, which narrows the consideration of gross negligence to four specific circumstances, including the requirement to have regard to interventions, prompt notification, responding to requests for information, and police reporting.
Time limit to reimburse
The sending PSP is responsible for assessing the claim and reimbursing the customer. Sending PSPs must reimburse customers within five business days of the fraud being reported. (This was extended from the 48-hour time limit originally proposed in September 2022.) Pay.UK will keep this five-day deadline under review.
Sending PSPs can ‘stop the clock’ to gather additional information or, where relevant, verify that a claims management company is submitting a legitimate claim. Receiving PSPs must respond to any requests for additional information within 25 business days. Sending PSPs may stop the clock as many times as necessary to complete their assessment, provided they complete their assessment and close the claim within 35 business days.
To reduce uncertainty, the sending PSP should provide an initial indication to their customer of whether their claim falls within the scope of the new reimbursement requirement. This should happen at the time of the claim, where possible.
Claim excess
Sending PSPs have the option to apply a claim excess up to £100. PSPs may levy the full excess, a partial excess, or no excess at all. If PSPs reimburse in full and do not levy an excess, they will not be able to claim back any of the excess from the receiving PSP.
Minimum threshold
There is no separate minimum value threshold for APP fraud claims under the new reimbursement requirement, although some may fall below the excess. The PSR removed the £100 minimum threshold for claims originally proposed in September 2022.
Maximum level of reimbursement
The maximum level of reimbursement for APP fraud claims has been one of the most controversial elements of the new reimbursement requirement. Initially, the PSR proposed to have no cap on reimbursement, but in response to negative feedback, in December 2023, it set a maximum level of mandatory reimbursement at £415,000. This cap also attracted a high level of feedback, particularly from electronic money institutions (EMIs) and other small PSPs, who argued that a high maximum limit for reimbursement could create prudential risks and heighten the likelihood of unprofitability and insolvency for a small number of PSPs, therefore undermining competition in the sector.
Following a consultation launched on 4 September 2024, the PSR decided to lower the maximum reimbursement limit from £415,000 to £85,000. The final limit is aligned with the reimbursement limit of the Financial Services Compensation Scheme (FSCS), and any changes that will be made to the FSCS limit are expected to be tracked.
According to the PSR, compared with the £415,000 limit, the £85,000 limit still provides strong incentives for all in-scope PSPs to take steps to prevent APP fraud and invest in anti-fraud measures. The PSR has found that 99.8 per cent of all APP fraud cases will still fall below the new proposed limit, and around 90 per cent of APP fraud value will be reimbursed. The vast majority of high-value (over £85,000) scams are made up of multiple smaller transactions, which reduces the effectiveness of transaction limits as a tool to manage exposure.
In response to the negative feedback received from smaller PSPs, the PSR noted that the likelihood of a small PSP receiving a high-value scam is low because the overall volume of high-value APP scams is low. It argued that the proposed new limit (relative to £415,000) is likely to reduce firms’ prudential risk, which could reduce the costs associated with the risks of reduced competition and innovation in the provision of payment services and the overall cost of the proposed APP scams policy. It recognised that a higher level of liability on PSPs could disincentivise investment and affect the amount of funds that can be invested in fraud prevention.
Finally, the PSR reasoned that £85,000 is a number recognisable to consumers (as it is aligned with the FSCS reimbursement limit), which will help with consumer understanding and awareness.
Consumers with APP scam claims above the proposed maximum reimbursement limit of £85,000 may still make complaints to their own PSPs (where applicable) with potential further recourse to FOS or the courts should they remain unsatisfied. The FOS has the ability to apply additional award limits where they have a complaint that falls under their wider jurisdiction, such as with regard to the Consumer Duty. It may, therefore, consider other bases for handling complaints in line with its current award limit of up to £430,000.
The PSR will keep its proposed approach under review. The first formal review is expected to take place after the policy has been in place for 12 months. In the meantime, the PSR will monitor the impact of the new changes and make adjustments if necessary.
Time limit to claim
Sending PSPs have the option to deny APP fraud claims submitted more than 13 months after the final payment to the fraudster. This is the same as the time limit for claims for refunds of unauthorised payments under the PSRs 2017. Pay.UK will keep the 13-month period under review.
The 13-month time limit for APP fraud claims under the new reimbursement requirement does not impact the FOS’s scope or processes. If the sending PSP decides to refuse a claim due to the 13-month time limit under the new reimbursement requirement, customers may have the opportunity to pursue a claim via the FOS up to six years from a problem happening, or longer, if still within three years of the customer becoming aware (or of when the customer should reasonably have become aware) of the problem.
Treatment of vulnerable customers
As part of assessing an APP fraud case, the sending PSP should assess the customer’s situation and any potential vulnerability in line with the FCA’s guidance on vulnerability. Vulnerable customers will be subject to the reimbursement cap, but the consumer standard of caution and claim excess will not apply to vulnerable customers. PSPs are expected to comply with the FCA guidance and be mindful of their obligations under the Consumer Duty.
Approach to ‘multi-step’ fraud cases
The new reimbursement requirement applies to a Faster Payment to an account controlled by a person other than the customer, where the customer has been deceived into granting that authorisation for the payment as part of an APP fraud. This includes, for example, where payment is sent via a ‘money mule’, but it does not include fraud across different payment systems, such as where a victim sends a crypto transaction to a fraudster.
Compliance monitoring and record-keeping
Specific Direction 19 (SD19) requires Pay.UK to monitor compliance with the FPS reimbursement rules, and SD20 requires PSPs to collate, retain and provide data to Pay.UK so that it can monitor compliance. The Compliance Data Reporting Standard (CDRS) contains the data and information that directed PSPs are required to collate, retain and report to Pay.UK. All directed PSPs (both sending and receiving PSPs) are required to keep accurate records of the following:
- all customer communications and responses relating to an FPS APP scam claim, via any channel, and any subsequent communications;
- all communications between the PSP and any other party in respect of an FPS APP scam claim;
- all communications between the PSP and Pay.UK in relation to the PSP’s Faster Payments APP scam reimbursement processes and/or any potential compliance issues;
- decision-making records about individual FPS APP scam claims, including the final decision and accompanying rationale for making that decision;
- actions taken to remediate customers in relation to an FPS APP scam claim; and
- any reports by first-, second-, or third-line functions relating to systems and controls related to FPS APP scam claims (such as by the PSP’s risk, compliance or audit departments).
Pay.UK published FPS Reimbursement Rules: Compliance Monitoring Regime on 31 July 2024. This document sets out how Pay.UK will monitor and manage directed PSPs’ compliance, both for direct and indirect participants. This includes compliance monitoring, managing the consequences of non-compliance by directed PSPs, and how Pay.UK will work with the directed PSPs and the PSR to report on compliance. Although Pay.UK is responsible for monitoring compliance with the FPS reimbursement rules, enforcement remains the responsibility of the PSR.
New Payments Architecture
The requirement to reimburse victims of APP fraud will carry over into the New Payments Architecture (NPA) being delivered by Pay.UK. The PSR has set a deadline to complete migration to the new infrastructure by 1 July 2026.
CHAPS APP scam reimbursement requirement
Alongside the rollout of the Faster Payments APP scam reimbursement requirement, the Bank of England (BoE), which is the operator of CHAPS (the Clearing House Automated Payment System), has been working with the PSR and CHAPS direct participants to deliver comparable outcomes of consumer protection for retail CHAPS payments while reflecting the unique characteristics of CHAPS as a wholesale payment system.
Following a consultation launched in May 2024, the PSR published a policy statement on 6 September 2024 (PS24/5) along with Specific Direction 21 (SD21), which contains the APP scam reimbursement requirement for CHAPS. The starting date for the CHAPS reimbursement requirement is 7 October 2024, which is aligned with the start date of the FPS reimbursement requirement. This approach aims to ensure that consistent protections for consumers using CHAPS are delivered as soon as possible, and to reduce the risk of fraud migrating from Faster Payments to CHAPS.
Similar to FPS, the CHAPS reimbursement requirement will apply to PSPs that provide a relevant CHAPS account, whether or not that PSP is itself a direct participant in CHAPS. A ‘relevant CHAPS account’ means an account that is provided to a service user, is held in the UK and can send or receive payments using CHAPS, but excludes accounts provided by credit unions, municipal banks, financial market infrastructures (FMIs) and national savings banks.
As the BoE retains responsibility for CHAPS (including the CHAPS rules), it published draft CHAPS reimbursement rules in August 2024. The rules will be updated by 7 October 2024 to reflect the final position set out in the PSR’s policy statement. All in-scope PSPs must register in line with the requirements set out in the CHAPS reimbursement rules as soon as practicable and no later than 7 October 2024, by providing the information set out in the CHAPS reimbursement rules. This requirement only applies to PSPs who are not already required to register with Pay.UK in relation to Faster Payments. This is to ensure that in-scope PSPs are only required to register once.
The PSR also published the final CHAPS APP Scams Compliance Data Reporting Standard, which contains the CHAPS APP scams data and information that directed PSPs are required to collate and retain for the BoE so it can effectively monitor compliance with the CHAPS reimbursement rules. PSPs will need to report compliance and monitoring metrics to the BoE on a monthly basis. These are aligned with the confirmed metrics for Faster Payments, with the key difference that PSPs are not required to submit nil returns to the BoE if they have not received any APP scam claims in the relevant reporting period.
Other notable differences between the CHAPS rules and the FPS reimbursement requirements are summarised below.
- The CHAPS rules require sending PSPs and receiving PSPs to agree the payment system to be used for sending the reimbursable contribution amount, whereas Pay.UK requires this to be via FPS.
- The CHAPS rules include references to handling a ‘hybrid’ claim, i.e. a claim with a mix of CHAPS and FPS payments. This scenario can arise but has not been covered in the PSR’s legal instruments, and therefore Pay.UK has not addressed it in the FPS reimbursement rules.
- Whereas the FPS rules include references to updating a central claim record, the CHAPS reimbursement rules refer to provision of information bilaterally between the sending PSP and receiving PSP, which may include use of the UK Finance Best Practice System.
- Initially, reporting will be by email directly to the BoE rather than via Pay.UK’s system.
- Confidentiality provisions have yet to be added to the CHAPS rules – as a general principle, the BoE and PSPs are subject to a range of statutory and regulatory requirements around keeping customer information confidential, with confidential information disclosable to the extent required by applicable law or regulation such as if required or requested by a court, regulator, government authority, tax authority, etc.
In order to achieve consistency with Faster Payments, the BoE has set the maximum reimbursement limit for CHAPS APP scams to £85,000. The BoE plans to review this limit in 12 months.
Confirmation of Payee
Mandatory reimbursement is not the only way the PSR is trying to tackle APP fraud. In August 2019, the PSR issued Specific Direction 10 (SD10) to the UK’s six largest banking groups, directing their members to implement Confirmation of Payee (CoP) by the end of March 2020. CoP enables customers to check that the name of the person they want to pay matches the name on the receiving account.
SD10 was superseded in February 2022 by Specific Direction 11, which imposed requirements intended to extend the benefits of CoP to more accounts. Pursuant to Specific Direction 17, which the PSR issued in October 2022, around 400 PSPs will be required to implement CoP by 31 October 2024. All signatories of the CRM Code have been required to implement CoP since April 2023.
The PSR has also directed 14 PSPs to provide data every six months showing how effectively they are handling APP fraud.
Amendments to the Payment Services Regulations 2017
In addition, HM Treasury has published a draft statutory instrument that proposes amendments to the PSRs 2017 to enable PSPs to delay making a payment transaction where they have reasonable grounds to suspect fraud or dishonesty. According to the Treasury, the changes will allow PSPs to adopt a risk-based approach to payments and give them more time to assess potentially fraudulent payments when this is needed. The Treasury is expected to lay this instrument before Parliament in due course.
On 9 September 2024, the FCA published a guidance consultation in which it proposed changes to its Approach Document for payment services and electronic money to explain how PSPs should apply the legislative changes to minimise the impact on legitimate payments. The FCA is also consulting on changes to the Approach Document which explain how it expects PSPs to address suspicious inbound payments while continuing to process payments quickly and efficiently. The consultation closes on 4 October 2024, and the FCA intends to publish revised guidance by the end of 2024. For more information, see our blog post.
What should PSPs do now?
The APP scams reimbursement requirement will be the first time that some smaller PSPs will face a similar liability to those that have signed up to the voluntary CRM Code. It will also be the first time that receiving PSPs will be liable for reimbursement. Smaller PSPs may have to make material adjustments to their operating model (including their capital holding) in order to comply with the regulatory requirement.
In its final policy statement (PS23/4) in December 2023, the PSR set out a number of steps that PSPs can take to mitigate APP scam risks, including setting appropriate transaction limits, improving ‘know your customer’ controls, strengthening transaction-monitoring systems, and stopping or freezing payments that PSPs consider to be suspicious for further investigation.
In addition, the FCA in November 2023 published key findings from its review of firms’ systems and controls against money-mule activity, and in February 2024 it published a review of how firms mitigate the risks of APP scams. Both publications offer PSPs examples of good practice and point out areas for improvement.
The PSR says it will publish a post-implementation review in 2026, within two years of the new regime coming into force.