With UK Finance reporting a £92.9 million loss to consumers in the first half of 2018 as a result of Authorised Push Payment (APP) scams, the APP Scams Steering Group (the Steering Group) have published a draft voluntary code (the code). APP fraud is characterised by a transfer of funds executed across Faster Payments, CHAPS or an internal book transfer, authorised by a customer who is either deceived into transferring the funds to a different person, or believes they transferred funds for a legitimate purpose when it was, in fact, fraudulent.

This code, underpinned by the principles of fairness, simplicity and transparency, is argued to be “an important step forward towards better and more consistent protection for consumers and standards in industry”, and is designed to advance the code’s overarching objectives to:

  • reduce the occurrence of APP fraud;
  • increase the number of customers protected from APP fraud, through both reimbursement and reduction of APP fraud; and
  • minimise disruption to legitimate payment journeys.

Broadly speaking, the code is intended to equip both banks and payment service providers (PSPs) to:

  • better detect scams through analytics and staff training;
  • prevent such scams from taking place by issuing consumer warnings to those at risk;
  • respond to scams including delaying payment to investigate and, where required, providing timely reimbursement.

General requirements

Under the code, firms would be expected to participate in consumer education, raising awareness about APP fraud and the risks of their accounts being used as ‘mule accounts’. As well as this, they would be expected to provide the relevant trade body with statistics on APP fraud and have processes in place to assist with customer aftercare, going beyond simple reimbursement, including referrals for advice and tools for customers to protect themselves.

Sending & Receiving firms

Both sending and receiving firms would be required to detect, prevent and respond to APP fraud, albeit in different ways:

    1. Detect

Sending & Receiving firms: This would include detecting customers who pose a high risk of falling victim to APP fraud. In order to mitigate this risk, firms should establish transactional data and customer behaviour analytics, as well as train their employees to identify indicators of circumstances posing a higher risk of APP fraud.

    2. Prevent

Sending firms: If firms identify APP fraud risks throughout the payment journey, they must take steps to provide customers with effective warnings, enabling customers to take actions to protect themselves. These should be risk based, tailored to the APP fraud risk indicators and must be understandable, clear, impactful, timely and specific.

Receiving firms: Focusing primarily on preventing accounts being opened to facilitate criminal activity, firms would be expected to ensure any accounts are opened in accordance with legal and regulatory provisions on customer due diligence, using intelligence and fraud databases to identify accounts that could be regarded as susceptible to criminal activity.

    3. Respond

Sending firms: If there is ‘sufficient concern’ that a payment is APP fraud, a firm should seek to delay execution of the payment authorisation (in accordance with law and regulation), informing the originating customer. If an APP fraud is reported to a firm, they must notify the receiving firm in accordance with Best Practice Standards, as published by UK Finance.

Receiving firms: If concerns are raised around an account or funds, the receiving firm must respond in accordance with Best Practice Standards. In the event that there are concerns that funds may be proceeds of an APP fraud, the receiving firm must take steps to freeze the funds and take steps to return the funds to the customer.

Reimbursement

As a general rule, if a customer has been a victim of an APP fraud, a firm should reimburse them without undue delay. However, this could be departed from if a customer had acted inappropriately, which would include matters such as gross negligence, recklessly sharing security credentials or failing to take reasonable steps to ensure the payee was who the customer believed they were. When assessing if any of the matters are established, consideration will be made as to whether the absence of the matter would have materially prevented the APP fraud from occurring.

Should firms not meet the standards within the code, they may be responsible for reimbursing a victim of APP fraud – in assessing whether a firm has or hasn’t met the appropriate standard, consideration will be made as to whether complying with it would have had a material effect on preventing the incident.

What next?

The code is currently out for consultation until 15 November 2018, with a view to implementing it in early 2019. The Payment Services Regulator (PSR), who commissioned the Steering Group in early 2018, reported that five retail banks represented have already agreed to implement the code in order to achieve greater consumer protection. The PSR also confirmed it planned to consult by December 2018 on utilising its regulatory powers to issue a General Direction. The General Direction would be given to banks and PSPs to introduce payee confirmation, under which banks and payment systems providers participating in the Faster Payments System would be required to:

“Be capable of receiving and responding to confirmation of payee requests from other PSPs by 1 April 2019; and send confirmation of payee requests and present responses to their customers by 1 July 2019”.

In order to align with the work carried out by both the PSR and Steering Group, the FCA are consulting on collecting data on complaints from customers on fraud of this nature, and they propose to include industry efforts on this in their amended Payment Services and Electronic Money Approach Document (Approach Document). Within their Consultation Paper 18/25 they explain that they have amended section 8 (Conduct of Business) of the Approach Document to ensure PSPs make reasonable efforts to recover funds for victims of APP fraud in the same way as is done for payment service users providing an incorrect sort code and account number by mistake. In accordance with the above, the Approach Document also intends to refer to the developments around the code. Here, the FCA will remind PSPs of their obligation to comply with legal requirements to deter and detect financial crime. Within the Consultation Paper, the FCA further details proposed changes to the FCA Handbook, specifically around requesting data from PSPs and credit unions on APP fraud. This will seek to ensure PSPs and credit unions are meeting their obligations to consumers, and providing greater information for the FCA to take supervisory action.

An earlier Consultation Paper 18/16, published this summer, proposed that PSPs would be required to handle any complaints related to APPs in accordance with the DISP section of the FCA Handbook, with eligible complainants entitled to refer complaints to the Financial Ombudsman Service.