It is sadly the case that many of us will know people who have fallen victim to an authorised push payment fraud (APP fraud). Whilst the precise methods may vary, the essence of APP fraud is that a payer such as a bank account holder (the Payer) consents to a payment to a hitherto unknown third party account. This may be because the Payer has been induced to do so by a fraudster, or because an electronic means of giving instructions (such as online banking) has been hacked or intercepted. The transferred funds are then dissipated, often overseas.
The relevant payment services provider (the PSP), such as a Bank, will commonly resist attempts to recover from it on the basis that it was simply complying with its mandate by making the payment as actually/apparently instructed. This leaves the Payer without any obvious recourse. It may nonetheless be possible to recover funds if they have yet to be dissipated, but this is quite rare. The Payer is then left either to seek a goodwill payment from the PSP, or is faced with the prospect of lengthy, uncertain and potentially costly contentious proceedings before the Court or the UK Financial Ombudsman Service (the FOS).
UK Finance (the industry body for UK banks and other PSPs) has recently published the following data relating to APP fraud for all of 2017.
|Total returned to victim
This both makes clear the size of the problem and gives an indication as to the likely number of Payers who make partial/no recovery. There is therefore a compelling case for a regulatory/statutory solution both in the interests of Payers and to bolster the credibility of the sector. This note considers what is currently on the cards.
The Regulatory Response and progress so far
In September 2016 'Which?' submitted a so-called "super-complaint" regarding APP to the Payment Systems Regulator (the PSR), a statutory body under the control of the FCA that is responsible for regulating UK payment services. This has resulted in a variety of initiatives on the part of the PSR, UK Finance, the FCA and other interested bodies. For example, through UK Finance, retail banks have committed to adopting a code of best practice standards to govern APP fraud situations by Q3 of 2018. This includes (amongst other things) the prompt provision of information to Payers when they are suspected to have been the victim of an APP fraud and the freezing of accounts.
Following on from the super-complaint, the FCA has also engaged with PSPs, in particular the retail banks, to understand more about what systems they have in place to prevent APP and to deal with it after the fact. Most recently, in late January 2018, the FCA sent a 'Dear CEO' letter that endorsed the UK Finance code of best practice standards. It also asked firms to consider how they are dealing with APP fraud in the context of the Senior Managers and Certification Regime (SMCR). It asked recipients to consider whether the Senior Manager with the prescribed responsibility for policies and procedures to prevent the Bank being used for financial crime was dealing with APP adequately. It is well known that 'Dear CEO' letters can be the precursor to FCA Enforcement action and SMCR makes it likely that both the firm and the relevant Senior Manager(s) will be in the frame in respect of relevant failings in due course.
The Contingent Reimbursement model
Plainly all of these developments are to be welcomed and generate hope for a more sympathetic landscape for APP fraud victims in the future. However, in a consultation paper issued in late 2017, the PSR also supported further work to explore the more radical solution of contingent reimbursement. Under this approach, victims of APP fraud would be reimbursed by PSPs where it is not possible to trace and recover stolen funds. Interestingly this approach was also supported by UK Finance and the majority of PSPs responding to the consultation.
In February 2018, following its consultation, the PSR recommended the introduction of an industry code to create the framework for a contingent reimbursement model. Whilst the PSR does not intend to take regulatory action to force PSPs to adopt the code at this stage, it is intended that the FOS can take the code into account when resolving cases against all PSPs and that all PSPs should adopt it as best industry practice. Some may find the trust placed in the industry to police itself disappointing and surprising given the seriousness of the issue. However, the industry-led approach does (in principle) allow the code to adapt quickly to changes in how APP is carried out and prevailing technologies.
The PSR has appointed a steering committee to seek consensus amongst stakeholders regarding the real details of the code. Key issues to be resolved include:
- Whether it will be a pre-condition for recovery that the Payer must have met expected standards of conduct and the PSP must have failed in some respect (as most consultees favoured).
- What the expected standards for Payers and PSPs are and how this is assessed.
- How can the code best be implemented across the sector?
It is important to note that the PSR anticipates that the code will not:
- Apply to frauds that pre-date the code.
- Cover an APP to a non-UK PSP.
- Cover more than the first APP, where there are multiple back-to-back payments between PSPs from the fraudster's account.
It is anticipated that an interim code will be in place by September 2018 with the final code in place by early 2019.
Whilst all of these steps are to be welcomed and should hopefully incentivise better behaviour all round, for some they will not go far enough. First, whilst it is heartening to see the industry and the regulator working together collaboratively, it remains to be seen whether the regulator's trust is well placed and whether there will still need to be a mandatory code in due course, combined with enforcement action against PSPs. Second, there is the inherent unfairness in the treatment of those who fall victim to APP before the code is implemented (initially Q3 of this year). Finally, there is a risk that the (currently unclear) standards expected of Payers and PSPs (as appropriate) could easily become overly complex or require fact-specific determinations on a case-by-case basis. If that does happen then many Payers, especially those without the funds to obtain legal input, may find themselves little better off than before.
In short, these are interesting and important times for PSPs, but also for the PSR given its comparative youth and decision to adopt a more light-touch approach to this important issue.