Proposed Legislation Could Solve Major Problems… But Clarity is Needed
Authorized push payment fraud, or fraud involving a merchant-initiated payment, is a fast-growing problem in the world of payment scams. By 2027, it will cost UK shoppers and companies roughly £738 million per year.
In June 2023, the Payment Systems Regulator (PSR) called attention to how critical it is to tackle this problem. In response, they suggested a plan to pay back victims. The problem is that the industry is not ready.
A recent Payment Association and Form3 survey shows how unready the industry really is and what worries they have as the deadline for new rules inches closer. Let's take a closer look at what the survey found.
Recommended reading
- What is EMV Bypass Cloning? Are Chip Cards Still Secure?
- Terminal ID Number (TID): What is it? What Does it Do?
- Dispute Apple Pay Transaction: How Does The Process Work?
- How Do Credit Card Numbers Work? What do the Numbers Mean?
- What is PSD2? How it Impacts Banks, Businesses & Consumers
- P2P Payment Use in eCommerce Jumps 66% in 2024
APP Scams: The Issue at a Glance
APP scams happen when someone sends money, thinking they’ve received a push payment from a real merchant. However, the APP request is actually a trick being orchestrated by a scammer.
During the APP scam, the fraudster will pretend to be someone the individual trusts, like a bank or utility provider. The scammer then attempts to convince the individual to authorize the payment without much consideration. By the time the victim notices the scam, it’s already too late.
In the first half of 2023, victims lost £293.3 million to APP scams. More than half of these incidents were related to purchase scams, surpassing 100,000 cases for the first time in 2022. Additionally, investment scams accounted for roughly 24% of total APP fraud losses during that period.
Learn more about APP fraudWhat is Changing?
As mentioned above, the Payment Systems Regulator is actively addressing this problem to safeguard consumers. The PSR collaborates with financial institutions, consumer advocacy groups, and law enforcement to combat these scams and prevent payment fraud. According to a new PSR regulation, most victims of APP scams are entitled to reimbursement within five business days if they report the fraud within 13 months of its occurrence.
The responsibility for reimbursement is equally shared between the sending and receiving banks. While there is no set minimum limit for reimbursement claims, the maximum claim limit is still under discussion and determination.
In 2019, the PSR rolled out the voluntary Contingent Reimbursement Model for APP scams, setting up a system for banks and payment services to pay back victims of payment scams. The CRM was crafted to protect consumers financially from scams while also promoting responsible behavior.
Now, the PSR is urging the industry to get moving on the new reimbursement rules. Firms need to step up their game in educating customers about APP scam risks, in tune with the PSR’s Consumer Standards of Caution. We're seeing more banks adding extra steps in the payment process, like double-checking with customers to confirm payments aren't fraudulent, instead of just offering a simple “one-click” option. They're also doing more name-matching on payment instructions to cut down on fraud losses.
The new rules on APP scam reimbursements are expected to kick in by October 2024. This change is going to shift more responsibility from consumers to payment firms, introducing mandatory rules for these firms to compensate victims of scams.
New Policies are Complicated by Operational Diversity
In the Payment Association survey linked above, it’s notable that 68.8% of those who responded are directly linked to the Faster Payments Service (FPS) as selling participants. At the same time, 18.8% manage their financial transactions through a Nostro account with another entity, and 6.2% lean towards agency banking.
This variety in how institutions operate suggests that the PSR’s new regulations might be seen and applied in varied ways across the industry. With such a range of operational models, each institution's ability to handle APP fraud and align with the PSR’s standards could differ quite a bit.
The final version of the legal guidelines, expected by December 2023, will lay out the specifics for refunding scam victims and define important terms like gross negligence and customer vulnerability. This step will add another layer of complexity in ensuring a consistent understanding and application across different types of institutions.
Moreover, this diversity in payment methods and institutional operations could make it really challenging to implement and stick to the new guidelines. This scenario might lead to a patchy and possibly less effective roll-out of these important measures industry-wide.
Lack of Readiness at the Institutional Level
Banks are currently in the fog about the PSR's regulations. They're unprepared for the upcoming changes and seeking more detailed guidance.
The set deadline of October 2024 is a key date for the industry. But, there's a loud call for clearer instructions.
The survey data suggests that 81.2% of respondents feel that the PSR needs to offer more precise guidance, indicating an industry in search of better direction. Additionally, just 12.5% of banks are confident about meeting the PSR’s requirements by October 2024. This suggests that a majority of banks are still looking for clarity to boost their preparations to meet the new standards.
In this context, the need for guidance echoes the ongoing uncertainties that the PSR has yet to address or finalize. The ongoing discussions around defining “gross negligence,” determining what constitutes “prompt reporting,” and understanding the concept of “vulnerability” are clear areas of concern. These issues could act as hurdles, impeding a smooth implementation process.
More Clarity is Needed
The PA survey shows a strong desire for clearer rules among respondents. While there’s agreement on the necessity of these regulations, opinions are divided on needing more time and uncertainty about what lies ahead. Therefore, regulatory bodies should take the lead in providing guidance and fostering collaboration to achieve better outcomes.
Key suggestions include improving data-sharing processes, ramping up educational efforts for those making payments, and creating shared financial and technical responsibilities with technology platforms. Institutions are willing to adapt and comply, but they're looking for a supportive environment that encourages cooperation, knowledge exchange, and shared responsibility.
Some thought leaders in the payment space advocate for involving all players, including tech giants and merchants, and using cutting-edge data-sharing methods. While mandating reimbursements is a step, it doesn't fully address fraud issues and could lead to more first-party fraud.
It’s good to acknowledge the PSR's good intentions. Howevwer, the path to October 2024 appears filled with obstacles, a need for clearer guidelines, and a collective hope for a cooperative approach. It's up to regulatory bodies to answer the call, provide direction, and work together towards a future more resilient to fraud.