Regulatory proposals for APP-propriate protection for victims of fraud
Authorised push payment fraud (“APP fraud”) occurs when an individual or a business succumbs to a deception and instructs their payment service provider (“PSP”), usually their bank, to send money to another account. By the time the fraud is known and reported to the PSP, it is usually too late as the funds will have already been transferred.
While this type of trickery is redolent of the popular satirical television programme ‘Fonejacker’ and would seem to be an incredibly rudimentary and thinly veiled attempt to defraud victims, APP fraud is more sophisticated than one would think. The fraudsters, typically, by virtue of a hacked email account, gain unprecedented access to an individual’s information and purport to be a company with whom the account owner is doing, or has done, business. The scammers will then ask for clarification of details or for a payment to be made but, crucially, will assess the contents of the account and wait for the opportune time to seek the information, for example, before completion of a property transaction or after a victim’s recent dealings with their bank. Indeed, it is often the timing of the scam which will serve to disarm the victims and drown out alarm bells.
Tackling APP fraud is therefore a top priority for financial institutions, and it will now be even more incumbent on banks to ensure that they have taken steps to address APP fraud with the upcoming changes proposed by the Financial Conduct Authority (“FCA”) and the APP Scam Steering Group.
Tackling APP fraud has been on the financial sector’s agenda since 2016, when consumer body behemoth Which? submitted a super-complaint about APP fraud to the FCA, as regulator of PSPs, and the Payment Systems Regulator (“PSR”), the economic regulator for payment systems. Their chief concern, reinforced by looming statistics of victims of APP fraud, was that victims were not afforded sufficient protection by financial institutions.
As it stands, victims of APP fraud can make a complaint to the Financial Ombudsman Service (“FOS”) regarding their own PSP. However, the FOS cannot currently consider complaints made against PSPs who receive their payments. In addition, receiving PSPs have no obligation under the Payment Services Regulations 2017 (“the Regulations”) to cooperate in efforts by the payer’s PSP to recover the funds, where incorrect payment details have been prepared.
Cue the FCA proposals to address this lacuna, which will give victims of APP fraud access to dispute resolution and complaints procedures, and address the framework within which victims can be repaid.
On 26 June 2018, the FCA published a joint consultation paper with the FOS, proposing to extend the jurisdiction of the FOS to enable victims to bring complaints against receiving PSPs if they believe the receiving PSP failed to adhere to the Regulations or did not do enough to prevent, or to respond to, an alleged APP fraud. The consultation ended on 26 September 2018 and the FCA are expected to provide a final response before the end of the year.
The FCA are also considering compelling service providers to keep and report data of alleged APP fraud complaints, although this will be considered by the FCA in greater detail towards the end of this year.
APP Scams Steering Group (“APP Group”)
In March 2018, the APP Group was established by the PSR to develop a voluntary industry code for the reimbursement of victims of APP fraud. A consultation on the draft code ended on 15 November of this year, and the code is intended to be finalised in early 2019.
Underpinning the proposed code is the principle that banks should act in a way to reduce the occurrence of APP fraud. This, it suggests, is effected by banks:
- Participating in consumer education and awareness.
- Taking reasonable steps to prevent APP fraud by implementing fraud data and identifying payments that are at higher risk of fraud.
- Intervening, on a risk-based approach, to delay the execution of a payment.
- Where receiving banks hold suspected proceeds of APP fraud, taking reasonable steps to freeze the funds and repatriate the monies back to the sending banks.
In addition, all complaints must be handled in line with the ‘Dispute Resolution: Complaints sourcebook’. Should these complaints fail to be adequately addressed by the financial institution, they can be passed to the FOS. The FOS not only offers a further mechanism of redress, it can also apply pressure on the receiving service provider to ensure that funds they are in receipt of are not the profits of fraud or deceit.
As yet, there is no consensus on exactly how the proposals are expected to be implemented to prevent push payment scams and reduce their impact, but in addition to the ones mentioned above, we anticipate that it will also include the collection and publication of scam statistics, increased transaction data analytics and further Know Your Customer requirements (the process, used in banking regulations and money laundering regulations, by which a business verifies its clients).
While these proposals, on the proviso that they are implemented, will help to engender a framework within which key objectives such as market integrity and consumer protection can be properly preserved, banks must be aware of the increasingly onerous obligations that may soon become incumbent on them.
Naturally, some of the obligations highlighted above will be more palatable than others. The draconian step of freezing bank accounts that hold suspected proceeds of APP fraud may not be welcomed by all, particularly entrant institutions. Of course, consumer protection is a primary objective for banks, but this objective does not exist in a vacuum. When determining the requirements to be imposed on financial institutions, consideration must equally be given to the integrity objective and the competition objective. While striking the balance may seem to be a Herculean feat, what is appropriate will have to be the decisive factor.