The planned introduction of the mandatory reimbursement scheme for Authorised Push Payment (APP) fraud in October 2024 is being heralded as a major milestone in protecting consumers and small businesses from fraud.
However, the excessive compensation limit and an unclear definition of payee gross negligence could see the scheme backfire and force smaller payment service providers (PSPs) to exit the market.
These issues must be urgently addressed, with consumer protections balanced with the need to avoid causing irreparable damage to the PSP market.
The appointment of new interim chief, David Geale, at the Payment Systems Regulator (PSR) represents an ideal opportunity to revisit the new rules.
APP fraud threat
There is no denying that APP fraud is a serious problem. £459.7m was lost to APP fraud in 2023, according to UK Finance’s Annual Fraud Report 2024. More concerningly, the number of cases of APP fraud is rising, with 232,429 incidents recorded in 2023 compared to 195,996 in 2021.
Investment and purchase scams were the two largest categories of APP fraud in 2023, accounting for 42% of authorised fraud losses, and losses due to purchase scams up 28% on 2022 levels.
Against this backdrop, the need for improved consumer protection measures is clear.
Mandatory reimbursement scheme
Since 2019, a voluntary code, the Contingent Reimbursement Model (CRM) Code, has been in place to reimburse individuals, charities, and small businesses that fall victim to APP fraud if they are customers of code members.
The new mandatory scheme is designed to provide more widespread protection given the increasing prevalence of APP fraud.
Legislated for by the Financial Services and Markets Bill, the mandatory scheme is due to come into effect on 7 October 2024.
It will compel certain PSPs participating in Faster Payments (those to whom Specific Direction 20 applies) to compensate victims of APP fraud for losses up to a maximum of £415,000, with claims needing to be submitted within 13 months of the fraud occurring.
The paying PSP must also reimburse the victim within 5 business days, and they are entitled to 50% of the payment back. There are some exceptions.
Notably, claims can be refused if gross negligence can be demonstrated on the part of the customer.
The scheme will be administered by Pay.UK, which released the full scope and detail of the regime on 7 June 2024 in readiness for the October 2024 deadline.
The Payment Systems Regulator (PSR) will monitor implementation and can take enforcement action to ensure compliance.
Programme flaws
The concept of a mandatory scheme is positive. Generally, setting clear standards is of benefit to everyone in the ecosystem, with a well-run programme providing clarity and consistency to fraud victims about how claims are managed.
It also provides impetus for PSPs to improve fraud prevention measures, such as implementing strong Know-Your-Customer (KYC) checks, using Account Name Verification, and deploying technology to detect and alert customers to potential fraudulent transactions.
However, there are fundamental flaws in the design of the current scheme that need addressing. The first is the excessively high compensation limit of £415,000, which is out of kilter with the average scam value of £30,000.
Many smaller PSPs will not be able to fund re-imbursing such large amounts so quickly, potentially forcing them to limit their operations to minor retail transactions and thereby diminishing market competition.
The second issue is that there is little clarity on what will constitute gross negligence by payees and allow claims to be refused.
Without a clear definition, it is virtually impossible for PSPs to establish appropriate processes to assess claims. Both issues have been flagged by the industry body, The Payments Association (TPA), which is also calling for a 12-month delay in the implementation of the reimbursement scheme.
The calls for a delay are not unreasonable, and reviewing the current plans and timescales should sit high on the priority list of the new interim PSR chief.
The major flaws of the current scheme aside, there is still a lot of work to be done to fully understand the implications of the recently published rules and to get to grips with the newly released Reimbursement Claims Management Solution (RCMS) from PAY.UK.
In addition to implementing the technology solution, PSPs will need to determine how they evaluate claims, if they will apply a permitted excess of £100 and triggers for further investigations.
Staff will also need to be trained on the new requirements and how to manage claims.
Rethinking the rules
With APP fraud still a major and ever-evolving threat to the payment ecosystem, the mandatory reimbursement scheme is an opportunity to bolster consumer confidence in online payments.
However, the imperative to protect consumers should not mean smaller PSPs are taken out of the market when they help create a more competitive payments market.
With the October deadline for implementation looming large, the fundamental flaws in the scheme’s current design urgently need tackling and the timeline extending to ensure a proper and thorough implementation of the newly released specifications.
