The Payment Systems Regulator announced a consultation on liability for authorised push payment (APP) scams in November 2017; this is just one of a number of developments on the horizon that will affect how the industry responds to payment fraud.
Payment Systems Regulator’s review
Following its initial response to the Which? super complaint and its decision not to suggest a change in the liability position, the Payment Systems Regulator put in place a number of industry-led measures to better protect consumers and increase awareness of payment scams.
These included collecting and publishing scam statistics, developing best practice standards that banks should follow when responding to scams and developing a common understanding of what information can be shared under the current legal framework.
In November, the Payment Systems Regulator launched a consultation on who should bear the loss for authorised push payment scams. It is considering a contingent reimbursement model, which is likely to shift liability towards payment service providers and increase reimbursement of fraud victims. However, much will turn on how the “requisite level of care” expected of customers and the “best practice standards” expected of payment service providers are interpreted: a victim who fell short of the former, or a provider that met the latter, may fall outside the reimbursement obligation.
The FCA has also announced that it will work with banks to tackle concerns relating to APP fraud, respond to the Which? super complaint directly and initiate any further work should issues remain unresolved. FCA supervision will examine evidence received through the super complaint and consider if firm specific issues need to be addressed directly.
Following the proposed implementation of best practice standards by UK Finance and the Payment Systems Regulator’s November announcement, the FCA has announced it will be actively monitoring the adoption, implementation and impact of those standards.
The Payment Services Directive has been replaced by the revised Payment Services Directive (PSD2), and EU Member States have until 13 January 2018 to implement the new rules into national law. PSD2 largely carries over the original Directive's provisions and makes no significant change to the liability position for authorised push payments, which by definition the customer has authorised.
The main change of scope is that PSD2 also covers transactions in all currencies where only one of the payment service providers involved is located in the EU (so-called “one-leg” transactions), so international payments to or from a firm outside the EU will fall within PSD2. Brexit is unlikely to change UK law in this area: the UK remains a member of the EU until 2019 and, for consistency, is likely to retain the same or similar provisions after exit.
One of PSD2’s core objectives is to bolster consumer protection against fraud by requiring strong customer authentication and common and secure standards of communication between providers. However, under PSD2 many customers may access their accounts through third party providers and no longer use their bank’s website or app at all, which reduces the behavioural and device data the bank sees and can use for fraud detection.
The Competition and Markets Authority plans for open banking to come into effect in January 2018, giving customers more control over their finances by allowing them to view all of their bank accounts, payment accounts and bills in one place through a third party provider, which accesses the accounts via an Application Programming Interface (API). These plans will also support an emerging market of third party products and services. PSD2 goes further in terms of open banking by requiring all payment account providers across the EU to grant access to authorised third parties.
Together these changes will see banks open up their payments infrastructure and consumer data assets, a significant change for an industry used to tightening its operating model. They will also bring additional operational pressure around fraud and cyber-attack prevention: banks lose some control over the data available to them for fraud detection, customer data is spread across more parties, and the market place becomes more complex. Systems will need to be developed to deal with these challenges in a proportionate way that balances customer convenience against customer protection.
In force from May 2018, the General Data Protection Regulation will affect the exchange of data between banks, how banks can collect and use data, and the consents needed to process it. All of these areas are critical to the fight against fraud, whether that is how a bank collects data for the purpose of identifying potential frauds or what data it shares with other banks to support customers affected by fraud.