Tackling APP scams: PSR Performance report highlights need for change

The Payment Systems Regulator (PSR) published its first Authorised Push Payment fraud (APP Fraud) Performance report, revealing for the first time the full extent of how well banks and other payment firms performed in tackling APP fraud during 2022. As such, the calls to do more to tackle fraud remain very loud.

APP fraud occurs when a customer of a bank is deceived into instructing their bank to transfer money into an account controlled by a fraudster.

The Performance Report reports on data including the UK's 14 largest banking groups, and covers the reimbursement of victims as well as how much money is sent from and received by each payment firm as a result of APP fraud.

Reimbursement of victims

The Performance Report reveals that there are large variations in the approaches being adopted by different banks in assessing APP fraud claims, leading to inconsistent outcomes for customers. Of the 14 major UK banks forming part of the Performance Report, some banks refunded as much as 91% of the total value of APP fraud losses in 2022, whilst others reimbursed as little as 10%.

It is believed that part of the reason for this variation is the differences in membership to the Contingent Reimbursement Model Code (the "CRM Code"), a voluntary industry code launched in 2019 which sets out good industry practice in relation to the assessment and reimbursement of APP fraud losses.

The variation is therefore expected to reduce with the introduction of a new mandatory reimbursement requirement for APP fraud announced by the PSR in June. The new requirement, which is due to come into force in October next year, will introduce consistent minimum standards to reimburse victims of APP fraud within the Faster Payments system, providing significantly wider coverage than the CRM Code (see here for further information).

Rates of fraud

The Performance Report also shows large variations in APP fraud rates, particularly in relation to the rates of the value of APP fraud received into customer accounts (ie. accounts to which fraudsters have access to receive fraudulent funds).

The Performance Report ranks the payment firms which it identified as being the top 20 receivers of APP fraud by value in 2022. The payment firm which received the highest value of APP fraud received £10,335 per £1 million received into customer accounts. In contrast, the payment firm in the top 20 receiving the lowest value of APP fraud received £44 per £1 million received.

Whilst this variation is again likely to be caused in part by the differences in membership to the CRM code, the Performance Report also highlights a correlation between the size of the bank or payment firm and the value of APP fraud received, with newer and smaller payment firms typically having disproportionately higher rates of fraud compared to those which are more established.

Whilst smaller banks and payment firms are likely to be in much earlier stages of preventing fraud, they nevertheless have a regulatory obligation to manage the risk of APP fraud and monitor transactions effectively. The Performance Report reveals that fraudsters are exploiting these weaker controls, suggesting that smaller banks and payment firms in particular need to be doing more.

The new mandatory reimbursement requirement

Whilst progress is being made in the fight to tackle APP fraud, the Performance Report shows that fraud rates remain at unacceptable levels, with huge sums being lost by customers, and more to be done by banks and payment firms.

The introduction of the new mandatory reimbursement requirement for APP fraud is expected to go some way in improving the progress being made by ensuring that both sending and receiving firms are held equally liable to reimburse (in-scope) victims of APP fraud, encouraging these to work together to tighten controls and improve prevention methods.

In its June policy paper the PSR noted its intention to implement the new reimbursement requirement through a combination of Faster Payment rules and PSR directions. The PSR has now completed its consultations on the three proposed legal instruments to be used to implement the new requirement, and on 19 December 2023 published its final policy statement. See our article for more information.

Conclusion

APP fraud rates remain at unacceptable levels, and it is clear that more needs to be done by banks and payment firms to help tackle APP fraud. Whilst the introduction of the new mandatory reimbursement requirement (now expected in October 2024) will be welcomed by victims, only when it is combined with further preventative and responsive activity will the fraud rates reduce.

If you would like to discuss the issues discussed in this article, or the consequences of the introduction of the new mandatory reimbursement requirement, in more detail please contact us on the details below.