Authorised Push Payment (APP) fraud is now the most common type of financial scam in the UK, and in 2023 alone, APP schemes were estimated to have caused losses of almost £460m . That figure, however, is based upon reported losses only, and may well be much higher.
What is Push Payment Fraud?
By now most of us will know what APP fraud entails, but as a reminder push payment scams happen when someone is tricked into sending money to a fraudster posing as a genuine payee. Whereas such schemes started out as relatively straight-forward, perhaps a phone call to trick a payee to transfer assets to a different bank account, or a slightly doctored invoice, fraudsters now employ increasingly sophisticated methods, including social engineering techniques (e.g. analysing publicly available data about the victim) or by gaining unauthorised access to the victim’s electronic data or systems.
The most common type of push payment fraud involves impersonation: the fraudster will present themselves as a trustworthy party, usually though not always a party with whom the victim is already doing business, and demand or encourage payments to an allegedly legitimate bank account. Businesses are the most common victim of this type of push payment scam, but there are a myriad of variations which can affect both businesses and individuals: for example, purchase bargains (where victims are tricked into purchasing a product or service that does not exist), false investment opportunities (where victims are presented with opportunities that ultimately do turn out to good to be true), or advance fee scams (where victims are tricked into believing they are entitled to receive large amounts of case in return for a small upfront payment)..
Customer Protection
Since 2019, business and individual customers have been protected by the Contingent Reimbursement Model (CRM) overseen by the Lending Standards Board. The CRM is a voluntary code supported by 10 signatory firms representing a significant proportion of the UK retail banking sector committing to tackling APP fraud and reimbursing victims. It was updated in December 2023 to introduce additional processes to review accounts and profile inbound payments, and introduce a “Confirmation of Payee” functionality allowing customers to check payee details.
However, the CRM has had mixed success: in 2022 only 61% of APP fraud which fell within the scope of the CRM was reimbursed, increasing only slightly to 67% in 2023
As such, and whilst the CRM may have helped to a degree, the UK Payment Systems Regulator (PSR) has stepped in, and on 7 October 2024 will introduce a new, mandatory requirement for all UK payment service providers (PSPs) to reimburse their customers who become victims of APP fraud .
A New Approach?
From 7 October 2024, PSPs must reimburse consumers who have fallen victim to push payment scam when using the Faster Payments Service. In summary:
- Sending PSPs must reimburse all eligible customers who fall victims to APP fraud, unless the customer has acted fraudulently or with gross negligence.
- Customers must be reimbursed within 5 business days, subject to certain exceptions, with a time limit for making claims of 13 months after the last payment.
- The sending PSP may apply up to £100 excess per claim.
- A receiving PSP must share 50% of the reimbursement claim with the sending PSP. 50% of any retrieved funds that are stolen in an APP scam but then recovered must be returned to the sending PSP by the receiving PSP.
- There is no minimum threshold for a claim. However, the sending PSP is not obliged to reimburse above a maximum level of reimbursement. The maximum reimbursement value is currently £415,000, but the PSR has recently conducted consultation on reducing this to £85,000.
The Bank of England has also announced a comparable reimbursement model for CHAPS payments.
What to do and how to avoid APP fraud
The focus of the new regime is mandatory reimbursement for victims, but businesses should not lose sight of the need to improve their detection systems, prevention being equally as important, if not more so, than the cure. Businesses should focus on reviewing their existing systems and processes to ensure they comply with the new regime, but also improving internal education to better identify potential fraud, and improving systems to protect their customers.
As the new regime ‘beds in’ we can expect to see more developments in this area over the coming months. One particular area where we can see issues arising is assessing whether an APP fraud claim is in fact a civil dispute where a reason for non-delivery of goods or services may not be a fraud, but rather a genuine commercial dispute between contracting parties. PSPs will need to consider such matters very carefully.
Please reach out if you would like to discuss how the new rules might apply to your business.
