APP Fraud: Payment Systems Regulator Implements Mandatory Reimbursement Regime.

On 7 October 2024, the Payment System Regulator (“PSR”) introduced a mandatory ‘reimbursement requirement’ for victims of authorised push payment fraud. David Geale, Managing Director of the PSR, described the new requirement as “groundbreaking”, noting that it will make it “quicker and simpler for victims of APP scams to get back money they’ve lost to criminals”. This article briefly explores this new reimbursement requirement.

Background

The Faster Payment System (“FPS”) is an initiative among United Kingdom banks. First introduced in 2008, FPS reduced payment times between different banks’ customer accounts from three working days (using the long-established BACS system) to just a few seconds. In 2023, 4.5 billion transactions were process via FPS with a value of £3.7 trillion.

However, the increased speed of transactions has coincided with (or perhaps lead to) a significant increase in Authorised Push-Pay Fraud (“APP Fraud”). APP Fraud occurs when an individual is tricked into sending money to a fraudster. To gain the victim’s trust, fraudsters will often pose convincingly as well-known legitimate businesses or government bodies, such as the Post Office or HRMC. The possible forms of authorised fraud are almost endless – constrained only by the creativity of the fraudsters. In 2023, there were 232,429 reported cases of APP Fraud, causing some £459.7 million in loss.

The Payment System Regulator (“PSR”) was established in April 2015 and has full regulatory powers over the vast majority of Payment Service Providers (“PSPs”) across the United Kingdom. In December 2023, the PSR first announced its intention to implement a mandatory reimbursement requirement. The regulator noted that this requirement was intended to “prompt a step-change in fraud prevention and see the vast majority of money lost to APP frauds reimbursed to victims”.

The new reimbursement requirement

Under the new reimbursement requirement, sending PSPs (i.e. the PSP which is sending the victim’s money) are now required to reimburse all customers who fall victim to APP fraud, subject to the exceptions below. Paying and receiving PSPs will share the cost of reimbursing victims 50:50.

There are three exceptions to the reimbursement requirement:

  • Fraud: The reimbursement requirement will not apply where the customer has acted fraudulently. It is not the purpose of the new requirement to reimburse customers who have been complicit in fraud.
  • Gross negligence: A customer will not be reimbursed where they have acted with gross negligence (i.e. a “significant degree of carelessness”). Where suspected, the burden of proof is on the PSP to prove gross negligence. This exception does not apply to vulnerable customers. A vulnerable customer is someone who, “due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care”.
  • Civil disputes: The reimbursement requirement will not apply to civil disputes. For example, where, a customer has paid a legitimate supplier of goods or services but is dissatisfied with them.

The reimbursement requirement also has the following features:

  • Maximum threshold: The maximum level of mandatory reimbursement is £85,000. This is lower than the originally proposed £415,000, but will still cover 99% of claims.
  • Minimum threshold: There is no minimum threshold for victims seeking reimbursement.
  • Time limit to claim: Sending PSPs may deny claims submitted more than 13 months after the final payment to the fraudster.
  • Time limit to reimburse: Sending PSPs must reimburse customers within five business days. However, a sending PSP may ‘stop the clock’ if it has requested additional information and is still waiting for a response.
  • Excess: Sending PSPs may levy an excess up to a maximum of £100 per claim. The sending PSP can decide whether to apply a full excess (£100), a lower excess, or no excess to a reimbursable APP fraud claim. This will not apply to vulnerable customers.

Conclusion

The introduction of the mandatory reimbursement requirement marks a significant advancement in protecting victims of APP fraud by ensuring that they are reimbursed more efficiently and promptly. Moreover, by placing responsibility PSPs to share the reimbursement costs, the regime creates a framework to foster better fraud prevention efforts. As fraud evolves, this new regime is a meaningful step towards improving financial security in an increasingly digital world.

Oliver Fredrickson

October 2024