PSR: Update on the implementation of APP Fraud protection measures

On 15 May 2024 Managing Director of the Payment Systems Regulator ("PSR"), Chris Hemsley, wrote to the Treasury Select Committee with a progress update on the implementation of measures intended to protect consumers and provide better incentives on Payment Service Providers ("PSPs") to prevent Authorised Push Payment ("APP") fraud.

APP fraud occurs when a customer of a PSP (for example the customer of a bank), is deceived into instructing their PSP to transfer money into an account controlled by a fraudster.

The PSR's progress update comes just a few months before the introduction of the new reimbursement requirement, which is expected to come into force on 7 October of this year. The new requirement will introduce consistent minimum standards to reimburse victims of APP fraud within the Faster Payments System ("FPS"), providing significantly wider coverage in comparison to the Contingent Model Reimbursement Code. For further information on the scope of the new requirement see here.

Firm preparations

The PSR's progress update notes that firms' preparations for the introduction of the new requirement are gathering momentum, with key steps that the PSR expects to see including:

  • Investing in systems and processes to detect and prevent scams, and making use of available data and technology.
  • Reassessing fraud risk management and/ or reassessing transaction limits.
  • Engaging with Pay.UK on the development of the reimbursement claim management system.
  • In the coming months, communicating transparently to consumers and taking proactive steps to notify consumers of the protections available under the new policy.

Pay.UK

As well as working with those in the industry to facilitate engagement and aid preparations, the PSR reveals that it is also working alongside Pay.UK to ensure a consistent understanding of its requirements and support the development of operational guidance.

In its final policy statement, the PSR confirmed the implementation of a specific direction on Pay.UK to create and implement effective monitoring of PSPs, including a requirement on Pay.UK to:

  1. Develop and implement arrangements for the monitoring of compliance by PSPs with the reimbursement rules.
  2. Monitor the nature, extent and effectiveness of such compliance.
  3. Take steps to improve compliance.
  4. Gather data and information from PSPs to monitor compliance.
  5. Report to the PSR on its findings.

For further details see our previous article.

Pay.UK is now in the process of finalising the new reimbursement rules (available in draft form here) for inclusion in the FPS rules, and it's expected that the final version will be published next month following a review by the PSR.

Alongside this, Pay.UK is:

  • Developing a claim management system, which will enable firms to communicate about, and manage, APP fraud claims, as well as allow firms to report data to Pay.UK so it can monitor and manage firms’ compliance with the new rules.
  • Working on contingency arrangements to facilitate inter-firm communication and reporting, mitigating the risk of individual firms not being ready to onboard the claim management system by the introduction of the new requirement.
  • Working with the PSR to design a new data reporting and compliance regime, placing phased obligations on the industry to support the introduction of the new requirement.

CHAPS Consultation

As it stands, the new reimbursement requirement is to apply to payments made within the FPS only, however, the PSR is currently also consulting on the extension of the scheme to payments made within the CHAPS payment system, operated by the Bank of England ("BoE").

Whilst the PSR does not have regulatory powers over the BoE, it continues to regulate the remaining participants in the CHAPS payment system. The PSR has consequently been working with the BoE to define a reimbursement model which is similar to the FPS model but which works with the CHAPS payments system. The specific direction proposed by the PSR for CHAPS payments will direct all in-scope PSPs to comply with the BoE reimbursement rules.

The PSR intends that any further specific direction will be published in September 2024, with a go-live date of 7 October 2024 (such that its introduction is aligned with that of the new FPS reimbursement requirement).

Impact

The PSR believes that the introduction of the new reimbursement requirement will lead to shifts in firm behaviour, greater levels of information sharing and more effective fraud prevention across the payments industry.

Whilst time will reveal the true extent of its effectiveness, there are certainly early indications that PSPs are taking positive steps to improve systems and processes ahead of October. Metro Bank, for example, tells of a 71% uplift in mule payment detection, having implemented a new machine learning model used to detect accounts being used for the transfer of victim funds.

The proposed extension of the requirement to the CHAPS payment system will also increase consumer protections and encourage a wider range of PSPs to adopt new fraud prevention measures, going further to push a cultural shift across the industry as a whole.

If you would like to discuss the issues discussed in this article, or the consequences of the introduction of the new mandatory reimbursement requirement, in more detail please contact a member of our Fraud team.

Key contacts

Related