PSR report and consultation on authorised push payments scams

The Payment Systems Regulator (PSR) has today (7 November 2017) published its report and consultation (CP17/2) on authorised push payment (APP) scams. We summarise the background to CP17/2, the work undertaken by the industry and the PSR's recommendations. A list of links to primary sources is set out below in Appendix 1.

Key dates

Event | Key date
Which? Super-complaint | 23 September 2016
PSR response | 16 December 2016
PSR report and consultation (CP17/2) | 7 November 2017
Deadline for responses to consultation (CP17/2) | 12 January 2018
Identity verification, authentication and risk assessment guidelines | June 2018
Information sharing in response to scams | From 2018
'Know your Customer' (KYC) data sharing framework | Second half of 2018
Implementation of 'Confirmation of Payee' | 2018 - 2021
Transaction data analytics rules and requirements | 2018
Implementation of UK Finance's best practice standards | 2018
Financial crime data and information sharing | 2019

Background

The Which? Super-complaint

On 23 September 2016, Which? made a super-complaint to the PSR 'Consumer safeguards in the market for push payments'. The focus of the super-complaint was Which?'s concern there was insufficient protection for consumers who had fallen victim to APP scams when compared to other payment methods. Two particular issues were identified:-
(1) the extent to which payment service providers (PSPs) could change their processes to reduce consumer harm; and
(2) possible changes to legislation or regulation to increase incentives for PSPs and Payment System Operators (PSOs) to ensure that more was done to manage risk and protect consumers from APP scams.

The PSR Response

The PSR published its formal 90 day response to the super-complaint on 16 December 2016.
The key findings were:
(1) the way PSPs worked together to respond to APP scams needed to improve;
(2) there was evidence to suggest more could be done to identify fraudulent incoming payments and prevent accounts from being under the influence of scammers; and
(3) the data available on the type and scale of scams was of poor quality and did not justify a change in liability for APP scams at that stage, but the PSR would keep this under review.

The PSR committed to developing an industry led programme of measures designed to investigate the issues raised by Which? in its super-complaint.

Terms of Reference

Following consultation, the PSR published the final terms of reference for its review of the role of PSOs in preventing APP scams on 30 March 2017. The key objectives were to:-
(1) consider whether it would be effective and proportionate for PSOs to play a greater role in preventing and responding to APP scams; and
(2) whether it should introduce any proposed changes through regulatory action or other approaches such as industry-led consultation.

PSR report and consultation on APP scams

The PSR published its report and consultation on APP scams (CP 17/2) on 7 November 2017. This sets out the work done by the PSR with the industry over the past 12 months together with its recommendation for consultation. The 3 key areas of focus are:-
(1) a summary of the progress of the industry-led programme of measures set out by the PSR in its 90 day response in December - including the introduction of best practice standards;
(2) the outcome of its review of the role of the PSOs in minimising the impact of APP scams on consumers; and
(3) consultation on an industry led 'contingent reimbursement model'.

Industry measures summary

The latest position on the measures undertaken by the industry over the last 12 months is:-

Initiative, aim and progress

Consumer education and awareness
The aim is to give consumers the tools to help protect themselves. The PSR has said industry collaboration and coordination is key to this process. UK Finance is co-ordinating with the Home Office's Joint Fraud Taskforce on the 'Take Five to Stop Fraud' campaign.

Guidelines for identity verification, authentication and risk assessment
UK Finance is developing best practice guidelines for PSPs when verifying a user's identity. The guidelines will aim to make identity verification more effective and reduce risk when transferring money using different payment types. UK Finance is expected to produce a first draft of the guidelines by the end of 2017, and publish the final guidelines by June 2018.

Trusted 'know your Customer' (KYC) data sharing
The PSF is developing industry standards and rules for a data sharing framework that PSPs will use to store and share KYC data, initially focusing on business customers. The PSF has proposed that the KYC data sharing framework standards and rules are published in the second half of 2018, with competitive KYC value-added products to launch in 2020.

Confirmation of Payee
This measure will check that the sort code and account number details entered match the intended payee. The person would be notified if the details do not match the name they've entered, and they can choose not to proceed with the payment. By the end of 2017, the PSF will finalise the industry collaborative rules and requirements for a Confirmation of Payee solution that multiple providers can then offer to PSPs.

Best practice standards for responding to APP scam claims (APP reporting standards)
UK Finance has developed Best Practice standards in collaboration with the industry in relation to processes that sending and receiving PSPs will follow when dealing with APP scam complaints. A number of PSPs have already implemented the standards and UK Finance has committed to having all of its retail bank members that provide push payment services implement them by Q3 2018.

Information sharing in response to APP scams
In preparing the Best Practice standards the industry has made good progress in developing its understanding of what information can be shared for the purposes of processing APP scams on the basis of the Data Protection Act 1998. UK Finance is seeking to clarify what information PSPs can share with each other (identifying any barriers to this) and how these can be overcome - particularly in relation to the Data Protection Bill which comes into force in May 2018.

Financial crime data and information sharing
UK Finance is working on reviewing the financial crime data and information sharing in the industry. It will be working with the government to develop a more effective legal framework on data and information sharing for the purpose of detecting and preventing all types of financial crime. UK Finance is carrying out detailed analysis and planning for these activities over the next two years. Elements of this work will now be taken forward by the government.

Transaction data analytics
This initiative analyses network-wide payment transaction data to help identify money mule accounts and the flow of funds related to fraudulent activity. By the end of 2017, the PSF intends to finalise the industry collaborative rules and requirements for the transaction data analytics solution.

APP scam statistics
UK Finance has started collecting statistics on APP scams and the first set has already been published. UK Finance has committed to publishing these statistics on a six-monthly basis.

Recovery of victims' funds
The PSR believes PSPs should be able to more quickly and easily trace a scam and, if possible, return money to victims. The Joint Fraud Taskforce is developing a framework for a funds repatriation scheme. This will be a phased approach and could take between 24 and 36 months to fully implement the scheme.

The role of PSOs

In its 90 day response in December 2016, the PSR committed to investigating the potential for the operators of CHAPS and FPS to play an expanded role in minimising consumer harm from APP scams. In view of its decision to support the proposal to develop the 'contingent reimbursement model' (set out below), the PSR has not sought to expand the role of the PSOs at this stage.

Contingent Reimbursement Model

In considering the issue of liability, the PSR proposes to consult on the introduction of a 'voluntary contingent reimbursement model'. This is described as an industry led variation on the 'equitable liability model' previously proposed by Financial Fraud Action UK (FFA UK). In summary, under the PSR's proposal, the 'voluntary contingent model' would set out:-
(1) the circumstances in which consumers would receive their money back from the PSP; and
(2) whether the reimbursement would come from the paying PSP or the receiving PSP.

The answer to both questions (under the PSR's proposal) would be determined by:
(1) whether the PSP had met the "required standards" (described as the use of technology, rules and procedures that help prevent and respond to APP scams); and
(2) whether the consumer had taken the "requisite level of care".

The PSR has provided limited guidance on what may constitute the "requisite level of care" but has commented the standard should be high enough that consumers have an incentive to be careful to avoid scams, but not be unreasonable for them to meet. The PSR has commented that factors to be considered in determining the definition of this term should include:-
(1) whether the PSP has warned the customer about the transaction; and
(2) whether the confirmation of payee check (once implemented) has informed the customer that the recipient did not match the name the customer had entered.

The PSR also provides a number of high-level principles which should also be considered in formalising the model.
These include:
(1) consumers must have an incentive to take whatever steps they reasonably can to avoid becoming a victim of an APP scam; and
(2) PSPs must have an incentive to implement and adhere to agreed standards that help protect consumers from APP scams.

The PSR also seeks the industry's views on where liability should rest in a "no blame" scenario (i.e. both the PSP and the customer have acted in accordance with the standards and requisite level of care). The PSR appears to rule out the other models considered which placed blame solely on one party - recognising that such a model is likely to reduce incentives for either the customer or the PSP to be vigilant and therefore this could ultimately lead to an increase in APP scams.

The PSR considers that its role in creating and implementing the 'voluntary contingent reimbursement model' is that of an "active observer" and it will continue to monitor the industry's progress in designing and implementing the model including:-
(1) compliance with its high level principles;
(2) the speed of implementation (expected end of September 2018); and
(3) whether the chosen implementation options are in the best interests of the end users.

The PSR has said that it would consider using its statutory powers if the voluntary model cannot be implemented as above. This may include fines which could be paid into a central fund for reimbursing victims in the 'no blame' scenario. The PSR has asked for feedback on the proposed model and how it should be implemented and administered by 12 January 2018.

FCA's response

The FCA has today responded to the announcement from the PSR and has said it is supportive of the industry-led initiatives and welcomes the introduction of UK Finance's Best Practice Standards. The FCA has said it will be actively monitoring the adoption, implementation and impact of UK Finance's standards.
In particular, the FCA will be writing to PSPs to ask them:
(1) If they have committed to adopt UK Finance’s Standards, how they will incorporate them into their policies, procedures and target operating model.
(2) Whether the Senior Manager with responsibility for the firm’s financial crime policies and procedures is ensuring that there are adequate measures to address payment services fraud (including push payment fraud).

Comment

Clearly, there has been significant progress achieved by the industry over the past 12 months. It is positive the PSR and the FCA have recognised this and acknowledge that simply placing liability on PSPs (as suggested by Which?) will not reduce APP scams. To ensure customer vigilance, the PSR has correctly identified a level of responsibility must remain with the customer to exercise a requisite level of care when making payments.

However, much will turn on the interpretation of "requisite level of care" for consumers and "best practice standards" for payment service providers in assessing liability. It is also troubling that the two examples given by the PSR of when the customer may be considered to have failed to have acted with a "requisite level of care" both involve the bank flagging the transaction to the customer before liability shifts (i.e. a telephone call or rejected confirmation of payee). Additionally, the PSR's reference to vulnerability impacting on the expected level of care taken by the consumer could also cause further difficulties in setting a clear and objective mechanism for when the customer will be considered liable. It is therefore vital the industry engages with the consultation so that any measures agreed are both practical and workable.

Looking forward, the increasing sophistication of banks' fraud detection systems means that fraudsters will continue to target customers as the weakest link in the transaction chain.
The PSR's announcement today means it is more important than ever that the industry works together to improve customer education. Excellent work is already underway through initiatives like 'Take 5'. However, this will be a continuing challenge as the tension increases between customer convenience and customer protection with ever faster payment methods and the introduction of open banking.

For further advice and further information, please do not hesitate to contact a member of our team.

Richard Hayllar, Partner
T +44 (0)333 006 0436
Richard.Hayllar@TLTsolicitors.com

Russell Kelsall, Partner
T +44 (0)333 006 0695
Russell.Kelsall@TLTsolicitors.com

Warren Clark, Associate
T +44 (0)333 006 0759
Warren.Clark@TLTsolicitors.com

Alanna Tregear, Solicitor
T +44 (0)333 006 0812
Alanna.Tregear@TLTsolicitors.com

Appendix 1 - Useful primary sources links

Link | Summary
Which? super-complaint | On 23 September 2016, Which? made a super-complaint 'consumer safeguards in the market for push payments' to the PSR.
Payment Strategy forum final strategy | A paper on the vision and strategy for the UK payments industry.
PSR Response | On 16 December 2016, the PSR published its response to the Which? super-complaint. It committed to carrying out further investigation and providing a full report on the progress in 2017.
PSR Final Terms of reference | In March 2017, the PSR published its Final Terms of Reference on preventing and responding to authorised push payment scams: The role of payment system operators.
Payment Strategy Forum's guidelines for Identity Verification, Authentication and Risk Assessment | The PSF handed over to UK Finance the development of best practice guidelines for PSPs when verifying a user's identity.
Payment Strategy Forum's Trusted KYC data sharing | The PSF is developing industry collaborative standards and rules for a data sharing framework that PSPs will use to store and share data.
Payment Strategy Forum's Blue Print for the future of UK payments | The report setting out the proposal by the PSF on confirmation of payee (page 32).
Payment Strategy Forum paper on Financial Crime Data and Information Sharing | The report sets out the aims of working with the government to develop a more effective legal framework on data and information sharing for the purposes of detecting and preventing all types of financial crime.
Payment Strategy Forum paper on Payments Transaction Data Sharing and Data Analytics | A report on the initiative that analyses network wide payment transaction data to help identify money mule accounts and the flow of funds related to fraudulent activity.
UK Finance 2017 half year fraud update | In September 2017, UK Finance published its first set of statistics on fraud on payment cards, remote banking and cheque.
Take five to stop fraud campaign | A programme focused on raising awareness of financial crime and fraud.
Which? press-release ahead of the announcement | On 25 September 2017, Which? published a press release ahead of the announcement from the PSR.
PSR authorised push payment scams report and consultation, Annexes and comparative analysis | This paper sets out the work the PSR has done to reduce the harm to consumers from authorised push payment scams.
FCA response to Payment Systems Regulator's paper on authorised push payment scams. | The Financial Conduct Authority has contributed to the Payment Systems Regulator paper on Authorised Push Payment Scams.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at 7 November 2017. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication. TLT LLP is a limited liability partnership registered in England and Wales (number OC 308658) whose registered office is at One Redcliff Street Bristol BS1 6TP. A list of members is available for inspection at that address. TLT LLP is authorised and regulated by the Solicitors Regulation Authority number 406297. If you require this information in an alternative format, such as audio, large print or Braille, please contact Lisa Mackay on +44 (0)333 006 1529.