On 28 September 2018, the Authorised Push Payment (APP) Steering Group published the draft 'Contingent Reimbursement Model Code' (the Voluntary Code) designed to help protect consumers from APP fraud.
The Voluntary Code is open for consultation until 15 November 2018 with a final code expected in early 2019.
Timeline of events
Increasing levels of APP fraud and concern that there were insufficient safeguards in place to protect consumers led to the consumer group Which? submitting a super-complaint to the Payment Systems Regulator (the PSR) and the Financial Conduct Authority (FCA).
16 December 2016
In its 90-day response to the super-complaint, the PSR committed to developing an industry-led programme of measures designed to investigate the issues raised.
7 November 2017
The PSR published its report and consultation on APP scams (CP 17/2) setting out the work done by the PSR with the industry over the past 12 months. The PSR consulted on the introduction of an industry led 'contingent reimbursement model'. The PSR asked for feedback on the proposed model and how it should be implemented and administered by 12 January 2018.
The PSR and FCA published a joint statement on the outcome of the consultation on the development of a contingent reimbursement model. The PSR considered that an industry code (developed collaboratively by industry and consumer group representatives) setting out the rules applicable to the model was the most effective way to implement the proposal.
A steering group led by Ruth Evans was set up to develop the Voluntary Code. The group was comprised of representatives from across the industry including banks, consumer action groups and industry bodies. It was responsible for reaching a consensus between members on formalising the model into a set of rules that form an industry code for reimbursement of APP scam victims.
28 September 2018
The steering committee published the draft Voluntary Code. The key points considered by the steering group were:
1. The appropriate outcomes in circumstances where:
- the victim and relevant PSPs have all met the standards of care expected of them under the code (the ‘no-blame’ situation);
- the victim and one or more of the relevant PSPs have all failed to meet the standards of care expected of them under the code (the ‘shared-blame’ situation); and
- the victim has met the requisite level of care and one or more of the relevant PSPs have failed to meet the standards of care expected of them (the ‘inter-PSP’ blame situation).
2. Defining the requisite level of care a victim of an APP scam must have met to be eligible for reimbursement, including how it can practically be verified.
3. An appropriate set of standards of care that PSPs would need to meet under the code.
4. An appropriate governance arrangement for monitoring implementation and maintaining the code post finalisation.
Here's our high-level summary of what the code says:
The overarching provisions of the Voluntary Code are to (1) reduce the occurrence of APP fraud, (2) increase protection for customers from the impact of APP fraud and (3) minimise disruption to legitimate payment journeys.
The Voluntary Code only applies to APP fraud involving domestic payments affecting consumers, micro-enterprises and small charities. It will not apply to unauthorised transactions, international payments or payments made in other currencies. The Voluntary Code is not in force until it is finalised and therefore will not apply to scams which took place prior to that date.
Expectations on firms
Firms are expected to (1) take reasonable steps to raise awareness and educate customers about APP fraud, (2) collect and provide statistics on APP fraud to the relevant trade bodies and (3) put processes and procedures in place to help with customer aftercare when APP fraud has taken place.
The standards for firms
The standards expected of firms are divided into three core areas. If firms fail to meet those standards, they may be liable for the costs of reimbursement to customers who have been the victim of APP fraud. The core standards are:
- Detection - firms must establish transactional data and customer behavioural analytics, and educate employees, to identify payments that are at a high risk of APP fraud.
- Prevention - firms should take reasonable steps to (a) provide their customers with effective warnings (including the appropriate actions for customers to protect themselves against APP fraud), (b) open accounts in line with legal and regulatory requirements on customer due diligence, (c) use available shared intelligence sources and industry fraud databases to screen customer accounts, and (d) implement confirmation of a payee in a way the customer can understand.
- Response - where firms have concerns that a payment may be APP fraud, they should (a) delay making payment while they investigate and/or notify the receiving firm, (b) implement best practice standards for corresponding with the paying and/or receiving firm, and (c) freeze any remaining funds and take steps to repatriate funds to the customer as soon as possible.
The starting point is that firms should reimburse customers who have been the victim of APP fraud. However, a firm may choose not to reimburse the customer if they can establish that (1) the customer has not acted with the requisite standard of care and (2) the customer's failure to do so had a material effect on the APP fraud taking place.
Firms should make the decision as to whether or not to reimburse the customer within 15 business days after the customer reports the APP fraud. However, in exceptional cases the deadline for the response may be extended by up to 35 business days. If the customer wishes to challenge the decision, they are entitled to do so by making a complaint to the Financial Ombudsman Service (FOS).
Requisite standard of care for customers
In considering whether to reimburse a customer, firms are able to consider whether the customer:
- Ignored effective warnings given by the firm in relation to the risk of APP fraud.
- Did not take appropriate action following a negative Confirmation of Payee result.
- Recklessly shared their personal security credentials and/or allowed access to their banking systems.
- Did not follow its own procedures for approving payments in the case of a microenterprise or a charity.
- Has not acted openly and honestly in their dealings.
- Has been grossly negligent.
In assessing whether the customer should be reimbursed, firms should consider whether any of their own acts or omissions impeded the customer's ability to avoid falling victim to APP fraud.
A customer is considered vulnerable to APP fraud under the Voluntary Code if it would not be reasonable to expect the customer to protect themselves in the circumstances existing at the time they became the victim of APP fraud. This will involve a case-by-case assessment and factors will include:
- All customers can be vulnerable to APP fraud and scenarios may include (a) the personal circumstances of a customer, (b) the timing and nature of the APP fraud, (c) the capacity the customer had to protect themselves, and (d) the impact of the APP fraud on the customer.
- The customer's personal circumstances which led to the vulnerability may be temporary or permanent.
- The capacity of the customer to protect themselves includes the knowledge, skills and capability in engaging with financial services systems and the effectiveness of tools made available to them by firms.
- The impact of the APP fraud includes the extent to which the customer is disproportionately affected by it both financially and non-financially.
Confirmation of Payee
On 28 September 2018, the PSR announced that it plans to consult by December 2018 on using its regulatory powers to give a general direction to firms to implement Confirmation of Payee. It is likely that the direction from the PSR will require firms who participate in faster payments systems to be capable of (a) responding to confirmation of payee requests by 1 April 2019 and (b) sending confirmation of payee requests by 1 July 2019.
There are a number of issues which the steering group has been unable to reach agreement on. In particular, the steering group needs to address:
- Liability for a 'no blame' scenario - the steering group has decided that where the customer has met the requisite standard of care, they should be entitled to reimbursement. However, the steering group has not reached agreement on who should meet the costs of reimbursement where the firm has also met the standard expected of it.
- Liability for a 'shared blame' scenario - the steering group has also not decided what should happen when both firms and customers have failed to meet the requisite levels of care.
- Evidential approach - the steering group has created a working group that will explore the correct approach to investigating and assessing whether firms have met the requisite level of care and what evidence will assist in this decision making process.
- 'Inter-PSP blame' scenario - a working group has been set up to consider the mechanism for inter-firm allocation of reimbursement costs and dispute resolution between firms.
- Governance - It is yet to be decided who will undertake the governance and how this will work in practice. Both UK Finance and the PSR have commented that it will not be appropriate for either of them to perform this function.
Here are our five key points to note
1. Who will govern the Voluntary Code?
As set out by the steering group, in view of the continually evolving sophistication of payment fraud, to remain effective, the Voluntary Code will need to adapt to changes in the way APP fraud is committed. It is therefore important that clear and effective governance is carried out by an appropriate body.
It is yet to be decided who that body will be and this is a key area for consultation. However, the PSR commented in its consultation paper in February 2018 that it did not consider it appropriate for it to take this role. UK Finance has similarly indicated that it would not be able to carry out this function due to potential conflicts of interest.
Suggestions currently include that the New Payment Systems Operator (NPSO) may be able to perform this role. It is unclear what the NPSO's view of this will be, however as set out by the PSR in its consultation in February 2018 "the NPSO may have limited capacity in the medium term to take on this role." A further suggestion has been that the steering group remains constituted and takes on this function itself. However, this is unlikely to be attractive to members of the steering group.
2. Gross Negligence
The Voluntary Code allows a firm to avoid reimbursement where it can show that the customer has been 'grossly negligent'. This is a term usually considered in the context of unauthorised transactions (Payment Services Regulations 2017, Regulation 77(3)).
There is no definition of 'gross negligence' in the Payment Services Regulations 2017 (PSRs 2017) and this term has recently received attention from the FOS where, in its newsletter 'Fraud and Scams: a moving picture' dated 21 August 2018, the FOS said it is concerned over an increasing trend of firms claiming customers have acted with 'gross negligence' in circumstances where the FOS believes the customer has fallen victim to highly sophisticated payment fraud scams.
The FOS says 'gross negligence' should not be referred to lightly and the increasing sophistication of scams means that the bar for gross negligence is high (it's more than just a test of whether someone was careless). FOS' view seems to be supported by the FCA’s draft Approach Document on the PSRs 2017 which stated at paragraph 8.206: “In line with the recitals to PSD2, we interpret ‘gross negligence’ to be a higher standard than the standard of negligence under common law. The customer needs to have shown a very significant degree of carelessness”.
It is therefore interesting, given the uncertainty over the meaning of this term in unauthorised transactions and the comments from FOS, that the Voluntary Code now seeks to introduce this concept into APP fraud. In view of this, it may be difficult for firms to resist reimbursement based solely on 'gross negligence' unless the customer has shown a very significant degree of carelessness.
3. Detection and prevention
The standards imposed on firms are broken down into three key areas: (1) detection, (2) prevention and (3) response. If firms fail to meet these standards they may be responsible for meeting the costs of reimbursement.
Detection is likely to be the area that causes firms most concern, on the basis that the Voluntary Code appears to ask a firm to consider the extent to which it should have identified whether the payment was one which was potentially at risk of being APP fraud when determining whether it has complied with the Voluntary Code.
Given the volume of faster payments made each year, this increased expectation on firms to identify fraudulent payments in real time and take steps to block payments is likely to be a contentious area in assessing liability under the Voluntary Code. It may also remove the incentive on customers to be diligent if they believe that firms will block transactions which could be fraudulent. This is likely to be particularly important when considering liability under the 'shared blame' scenario.
4. Broader definition of vulnerability
The broad definition of vulnerability under the code will require a case-by-case assessment with reference to the customer's individual personal circumstances existing at the time of the APP fraud. The consultation paper gives the example of a person who is recently single being more vulnerable to romance fraud. In practice, this is likely to mean that:
(a) it is difficult for firms to detect and prevent payment scams based on vulnerability in real time, because the assessment is based not on whether the firm has previously assessed the customer as being vulnerable but on circumstances far less likely to be known to the firm; and
(b) there is potential for large volumes of customers to be brought into this definition based on their individual personal circumstances. This could remove the incentive for customers to act in accordance with the requisite level of care expected - in favour of justifying why their individual personal circumstances caused them to be vulnerable to the fraud at the time.
5. No blame / shared blame
It is unsurprising that the steering group have found agreeing liability for the 'no blame' and 'shared blame' scenarios among the most challenging. A number of the potential approaches being considered by the working group are premised on firms being liable to pay for the cost of reimbursement in some form.
On the basis that it is a voluntary code, the decision that the steering group make on this point will inevitably have an impact on the number of firms that are prepared to sign up to the Voluntary Code. This could be particularly challenging in the case of inter-PSP disputes where one of the firms involved has not signed up to the Voluntary Code.
It is interesting that one of the options that has been suggested is imposing a charge on certain types of transactions. This combined with the introduction of the Confirmation of Payee could mean that the speed and cost of our existing payment system could look dramatically different in the near future.
The steering group has said that it does not want the introduction of Confirmation of Payee to interrupt legitimate payment journeys unnecessarily. However, in so far as any delay is caused, this could arguably impact on a wider number of customers than the number presently impacted by APP fraud.
Clearly, this is a difficult balancing exercise which the steering group has taken time to consider and recommended that a working group is needed to look at this specific issue.
The draft Voluntary Code raises a number of interesting questions, many of which are yet to be answered and are now the subject of consultation. The consultation is due to close on 15 November 2018.
Progress has been made by the steering group on a number of key points, however the number of firms which are prepared to sign up to the entire Voluntary Code in its final form (and therefore the success of the Code as a whole) is likely to be decided by the steering group's decision on the issues yet to be determined.