The PSR points out that, from the cases reported under the existing voluntary Contingent Reimbursement Model (CRM) Code, currently only 46% of total APP scam losses are reimbursed to the victim. The problem is growing: in 2021, losses to APP scams totalled £583.2 million, a 39% increase on the previous year. Many cases go unreported, so the real figures are likely to be higher.
What is the PSR proposing?
This consultation is designed to ensure that the PSR can make the necessary regulatory changes as soon as the law has been changed - in accordance with provisions in the Financial Services and Markets Bill - to allow it to act on APP scams.
Mandatory reimbursement (in most cases) by sending PSP
- The PSR is proposing requiring all PSPs sending payments over Faster Payments (the ‘sending PSP’) to fully reimburse APP scam victims. Faster Payments was used for 97% of APP scam payments in 2021, so the PSR wants to ‘severely limit fraudsters’ ability to operate within this payment system’.
- As for the CRM Code, both direct Faster Payments participants and indirect PSPs would be covered by the requirements.
- The CRM Code also covers CHAPS and ‘on-us’ payments (ie where the sending and receiving PSPs are part of the same group). While these are outside the PSR’s remit, it is working with the Bank of England – in its capacities as the operator of CHAPS and regulator of Pay.UK – and the FCA on aligning reimbursement requirements across Faster Payments, CHAPS and on-us payments.
- All payers currently covered by the CRM Code – namely consumers, micro-enterprises or charities, as defined in regulation 2(1) of the Payment Services Regulations 2017 – would also be covered under the mandatory reimbursement proposals.
- The definition of an APP scam case in the Financial Services and Markets Bill is one where: ‘(a) the case relates to a payment order executed over the Faster Payments Scheme, and (b) the payment order was executed subsequent to fraud or dishonesty’. The PSR proposes that the rules on mandatory reimbursement apply to authorised payments that meet this definition. The proposed reimbursement rules would apply only to APP scams where the most recent payment was authorised after the PSR’s regulatory requirements came into force.
- Only limited exceptions to mandatory reimbursement would apply, for example where the consumer is involved in the fraud themselves, or where they have acted with gross negligence.
- The PSR states that the exception for gross negligence is ‘a high bar’, which it expects would apply in only a small minority of cases. It quotes the FCA’s guidance in its Payment Services and E-Money Approach Document: ‘In line with the recitals to PSD2, we interpret “gross negligence” to be a higher standard than the standard of negligence under common law. The customer needs to have shown a very significant degree of carelessness.’ The gross negligence exception would not apply where a consumer was vulnerable. The PSR proposes to use the FCA’s definition of a vulnerable consumer from its vulnerable customers guidance: ‘A vulnerable customer is someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care.’
- The PSR recognises that disputes are likely to be brought to FOS in the early days following implementation of its proposals. Its planned post-implementation review would be able to consider the application of the gross negligence exception and whether any additional guidance would be appropriate.
- The sending PSP would have to reimburse the victim as soon as possible and no more than 48 hours from the fraud being reported. But if the PSP had evidence or reasonable grounds for suspicion of either first party fraud or gross negligence, it would have more time to investigate and could delay the payment.
- PSPs would be allowed to set a minimum threshold for a reimbursement claim (of no more than £100), to apply an excess (of no more than £35) and to set a time limit for claims (of no less than 13 months). The PSR expects different PSPs to apply these options in different ways, reflecting factors such as competition and operational efficiency.
Costs of reimbursement to be shared 50:50 by sending and receiving PSPs
- According to the consultation paper, currently sending PSPs pick up the vast majority (over 95%) of the costs of reimbursement under the CRM Code. This gives receiving PSPs little incentive to prevent fraud. There is therefore a proposal to allocate the costs of reimbursement equally between sending and receiving PSPs.
- As for mandatory reimbursement, the rules on allocating the costs of reimbursement would apply to both direct Faster Payments participants and indirect PSPs.
- PSPs could use a dispute management process to adjust the allocation, to better reflect the steps each PSP took to prevent the scam.
- In addition the PSR proposes that, when the consumer has already been reimbursed by the sending PSP under the proposed rules, any repatriated funds (ie where the receiving PSP is able to detect, freeze and return funds stolen as part of an APP scam) should be shared 50:50 between the sending and receiving PSPs to defray their costs of liability for reimbursement. Any repatriated funds remaining after the PSPs have fully defrayed their reimbursement costs would go to the victim.
- The PSR proposes that more tailored criteria for allocation, and associated dispute resolution arrangements, are developed and designated in scheme rules. The CRM Code has identified a set of standards for assessing and allocating liabilities, and the PSR would expect these criteria to build on the CRM Code.
- Pay.UK would be made responsible for making, maintaining and enforcing payment system rules to protect consumers and prevent fraud.
- The PSR expects Pay.UK to consider how quickly it can implement its vision for Faster Payments scheme rules and its role, and what interim arrangements it may need.
- Pay.UK is also developing the UK New Payments Architecture (NPA), which will replace Faster Payments in the next few years. The PSR expects that the NPA’s rules and standards will be fully consistent with its vision for Pay.UK’s role.
- In the short term, the PSR states that there may be a case for alternative options for implementing some elements of mandatory reimbursement, including monitoring and enforcing compliance, and applying rules to indirect PSPs.
The consultation closes on 25 November 2022. The PSR is hosting a virtual roundtable discussion on the proposals on 13 October and stakeholders can register for this event here (by 10 October).
The PSR is planning to publish a policy statement on mandatory reimbursement ‘early in the new year’, and to publish draft regulatory requirements for consultation consistent with the expected statutory deadline of two months following the relevant legislative provisions coming into force. This timetable assumes that the relevant provisions of the Financial Services and Markets Bill come into force around spring 2023. It would like to see its core requirements for mandatory reimbursement in place for consumers as soon as possible, and no later than 2024. In the meantime, it emphasises that PSPs should continue to develop their fraud detection and prevention arrangements as quickly as possible. This message was reiterated in a speech by Chris Hemsley, PSR Managing Director, at the Payments Leaders' Summit UK on 5 October.
In addition to the proposals set out in this consultation, the PSR continues to progress other areas of work on preventing APP scams:
- By the end of 2022, it plans to publish a policy statement and a final direction on Measure 1 (data collection and publication) from its November 2021 consultation, as well as the final data template and reporting guidance. It will ask directed PSPs to submit data to it during spring 2023, and it will publish the first set of data in summer 2023.
- It continues to monitor industry developments under Measure 2 (data sharing) from the November 2021 consultation. After the final rules and standards are complete, it will consider whether it needs to use formal powers to require any PSPs to build and deliver the capabilities to send and receive the relevant data. Irrespective of whether it uses formal powers, it wants PSPs to budget and implement the data-sharing system in 2023.
If you would like to discuss the potential impact of the PSR’s proposals on your business, please get in touch with us.
Authored by Virginia Montgomery.