In our recent articles, we have examined the new mandatory requirement for all UK payment service providers (PSPs), to reimburse their customers who become victims of APP fraud and the recent changes to the reimbursement cap, as well as the robust checks that will need to be taken to ensure the compensation scheme itself does not fall victim to fraudsters. Adding to this, recent statutory developments allow PSPs to delay transactions where fraud is suspected.
Payments Services (Amendment) Regulations
Alongside these protections, the Payments Services (Amendment) Regulations (Regulations) has recently come into force, introducing the ability for PSPs slow down the sending of an ‘in-scope’ payment where the PSP directed to pay the money has established that there are reasonable grounds to suspect the payment order has been placed subject to fraud or dishonesty by someone other than the payer. An in-scope payment is one which is, on the face of it at least, an authorised push payment executed in the UK in sterling (it does not apply to so-called ‘pull’ payments, i.e. those initiated by the payee such as card payments).
What PSPs need to know
Whereas the legislation recognises that there are significant benefits for consumers and businesses in the speed, ease, and certainty of making payments quickly over the internet or using a mobile phone, the speed of these transactions combined with the sophistication of fraudsters has led to a significant increase in fraud. The Regulations permit PSPs to delay a transaction where the grounds have been established by the end of the day after the day of the order (D+1), and where more time is needed for the payment service provider to conduct further enquires with the customer or a relevant third party. The delay to the payment must be no longer than necessary and, in any event, no longer than the end of D+4.
PSPs must, however, inform the payment service user of the fact of the delay, the reason for it and what information or actions are needed to help the payment service provider decide whether to execute or refuse the payment order. Again, this information must be provided as soon as possible and no later than the end of D+1.
In conjunction with the Regulations, the Financial Conduct Authority (FCA) published its guidance for PSPs to adopt a risk-based approach to processing suspected fraudulent payments when applying these legislative changes (Guidance). The Guidance came into effect on 22 November 2024.
The Guidance confirms that PSPs have until the next business day following receipt of the payment order to satisfy the threshold of ‘reasonable grounds to suspect’ fraud or dishonesty. If it cannot do so, the payment must be released.
Considerations
As to what constitutes ‘reasonable grounds to suspect’ fraud or dishonesty, the FCA directs PSPs to consider:
- That ‘reasonable grounds to suspect’ requires more than mere speculation, but is based on objective factual foundation but falls short of actual knowledge that a fraud is taking place.
- Taking into account the specific circumstances of the individual transaction.
- Having regard to their own corporate intelligence and assessments made using technological solutions (which should be calibrated to detect and prevent fraud while minimising the impact on legitimate payments).
- The best outcome for its customers.
Whereas the FCA’s guidance on this point must be welcomed it is, perhaps necessarily, wide in scope. It helpfully reinforces the position under the Regulations that PSPs may only delay processing a transaction for the purpose of contacting the payer or other relevant third parties to establish whether they should execute the payment order but provides limited specific guidance on what PSPs should do on a more practical level.
Across 2023, fraud cost victims over £1.1bn according to UK Finance with over 230,000 instances of authorised push payment scams in 2023 alone, with losses totalling £459.7m. Only time will tell whether these latest changes make a difference but with APP scams on the rise, any steps taken must be welcome. In the meantime, continuing vigilance are the bywords.
