The Payment Systems Regulator (PSR) published its Report on Authorised Push Payment (APP) scams on 7 November 2017 and announced a Consultation into a model to reimburse victims which it believes could be introduced by the end of September 2018. APP scams are a type of fraud where victims are tricked into authorising payments to a fraudster and are the second biggest type of payment fraud reported by UK Finance.
The Report follows the super-complaint made by the consumer group Which? in September 2016, arising out of a concern that victims of APP scams do not receive sufficient protection, particularly in comparison with the protections against other types of payment fraud such as card payments and direct debits. The Regulator published its response to that super-complaint in December 2016, finding that more needed to be done to address APP scams and setting out a programme of work covering matters such as the reporting of data on the scale of APP fraud and the implementation of best practice standards that sending and receiving payment service providers (PSPs) should follow when responding to a reported APP fraud. The most recent publication reports that good progress has been made on that work and announces a period of consultation in relation to a proposed "contingent reimbursement model", which is supported by the FCA.
The Contingent Reimbursement Model
The Report proposes a model which would see consumer victims of APP scams reimbursed, by either the paying or receiving PSP, depending on whether the PSPs involved have met the standards required of them and whether the victim has taken an appropriate level of care. The Report does not prescribe the standards to be required of both PSPs and consumers under the model, the design and implementation of which it is proposed be led by UK Finance with the Regulator playing an "active observer" role. It does, however, note that the standards required of PSPs are likely to include those industry initiatives already underway, some of which are referred to in this update. It is noted that the standards demanded of consumers need to strike a balance between incentivising them to be careful of scams but without being unreasonably onerous to meet.
Specific factors that are mentioned which might be taken into account include whether the victim has been given a warning about the transaction, either by the PSP or via other industry initiatives due to come into force (for example, payee verification procedures). Thus it appears to be envisaged that a fairly low standard of care will be required of consumers, which is in line with equivalent protections afforded in respect of other types of payment misappropriation, such as the requirement to demonstrate gross negligence by the consumer if withholding a refund for unauthorised payment transactions which fall within scope of the Payment Services Regulations 2009 (PSRs).
An area on which no specific guidance is given, but the Report raises, is the appropriate outcome in circumstances where both the PSPs and the consumer have met the standards set out in the model. The Report moots that the scheme might take either an incentives-based focus to such cases, which would see the victim bearing the loss, or a consumer protection focus which would reimburse the consumer. It is suggested that these reimbursements could come either from the PSPs directly involved or from a central fund to which all PSPs would contribute, and that such contributions could be obtained by the levying of a penalty on a PSP in cases where it has not met its obligations under the model even if the consumer is found not to have taken the appropriate level of care.
Whilst the Report refers to the model reimbursing consumers, it anticipates that it could apply to consumer accounts within the meaning of the Second Payment Services Directive. This would include not only consumers but also small business customers. It is suggested that the model would only cover payments made within the UK and that where fraudsters move misappropriated funds through a chain of accounts, only the first transaction in that chain would be covered to avoid the model being operated in an overly complex and administratively burdensome fashion.
A Consultation on the proposed model has now been opened, closing at 5 pm on 12 January 2018. Guidance on how firms can participate in that Consultation and the questions to be addressed can be found in the Report and Annex 1 which can be accessed via these links: PSR-APP-Scams-report-consultation and APP Scams - Annexes | Payment Systems Regulator (PSR).
This announcement follows a finding by the FCA that the way in which PSPs handle and respond to APP scams is inconsistent and that their existing fraud prevention systems cannot easily detect scams. Thus the drivers behind the introduction of a reimbursement model appear to be harmonisation of the treatment of scam victims across the industry and the incentivisation of PSPs to further invest in more sophisticated fraud prevention.
The proposed reimbursement model is one of a host of industry-wide measures that are already underway or pending, and which look to give consumers better protection against APP scams. Those measures are also principally aimed at fraud prevention, including consumer education and awareness campaigns (underway), the development of identity verification best practice guidelines (to be delivered in 2018) and payee verification checks (to be delivered by 2021).
The Report sets out only high level principles on how the proposed model might operate. It is difficult to see how the Consultation can be concluded and industry-wide consensus on the scheme rules, as well as agreement on matters such as administration of the scheme and dispute resolution, can be reached all within the ten month period envisaged for implementation.
However, despite the scheme being described as voluntary and it being put out to the industry for Consultation, it seems clear that the Regulator expects some form of reimbursement model to be adopted, the Report countenancing the Regulator's use of its statutory powers if the model is not developed in a timely manner. PSPs should therefore seize the opportunity to feedback into the consultation now so as to ensure that any concerns about practical implementation are aired at an early stage.
Whilst it remains to be seen what any model introduced will look like, the proposal seeks to close the redress gap between unauthorised payments (which PSPs have obligations to refund in certain circumstances, under the PSRs) and authorised payments where, historically, customers have had limited rights of recourse, having to bring legal claims typically in breach of contract or negligence. This legal framework is an area which is already under scrutiny in the Courts, with the Court of Appeal due to hear the appeal in December 2017 in the case of Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd  EWHC 257 (Ch) which has the potential to widen the scope and application of a bank's duty of care to its customer in the context of fraudulent payments.
In the meantime, firms should note that the FCA intends to write to UK Finance member firms specifically asking, amongst other things, whether the Senior Manager tasked with responsibility for financial crimes policies and procedures within their firms is ensuring that there are adequate measures in place to address payment services fraud.