I’ve just received a cheery email from my credit card provider entitled, “We’re improving your fraud protection.” I assume it is from them: it arrived amongst a barrage of emails telling me not believe what I read in emails. When online scamming was in its infancy, you could spot the difference but, as fraudsters’ skills, use of AI and sophistication has developed, nobody really can any more.
It is important to remember that this is an equal opportunities form of fraud. You don’t have to be online. You don’t even need a mobile phone. If you have a UK bank account and a phone number, the scammers will delight in using their social engineering skills to extract your life’s savings.
In the communication I’ve received, beyond all the good news about the generosity of the bank, there is a brief mention of the Payment Systems Regulator (PSR) [1]. Apparently, they require all Authorised Push Payment (APP) transactions to be subject to a refund within 5 workings days if they are found to be fraudulent. This applies to payments over both Faster Payments and CHAPS. There are exceptions to this, for example where the customer is grossly negligent and not considered vulnerable [2].
There is also a ceiling set on the amount. This was initially announced as £415k but, due to strong resistance from the banks, is now set at £85k. The PSR state that this will cover 99% of APP claims. It happens to be the same amount as individuals can claim for lost savings under the Financial Services Compensation Scheme [3], should their bank become insolvent.
In the early days, Faster Payments was a rather unpredictable experience but, as it has scaled, many of the creases have been ironed out. Confirmation of Payee has helped to ensure that the payment reaches the intended beneficiary. It can take a couple of attempts to get it right. e.g. for dog walkers, they may appear as Wendy’s Walkies, under the name of the owner Wendy Walker and as a business account or a personal account. Still, if you have the correct sort code and account number, things tend to fall into place.
My bank has sent me a similar email, telling me to be wary around One Time Passwords (OTPs) and referring me to the Take Five To Stop Fraud [4] website. Again, it looks plausible and the advice is not unreasonable. It is, however, disappointing that there seems to be very little discussion of mutual authentication these days.
One aspect of the new regime is that all Payment Service Providers (PSPs) must be registered with Pay.UK. Both receiving PSPs and sending PSPs can be liable for any APP fraud. This is a significant departure from the existing regime, where the burden tends to fall on the sending PSP.
Losses due to APP scams are estimated at nearly £500m [5] annually. UK Finance [6] has identified factors which contribute to APP fraud, one of which is perceived urgency in dealing with a situation. While Faster Payments provides real convenience, the transactions are not reversible and so it has become a honey pot for thieves. Once money is transferred to a fraudulent account, it can be sent on to multiple accounts, sometimes with the assistance of money mules, either in the UK or overseas.
Frequently, by the time the fraud is investigated, the money is long gone. In response to this, PSPs are permitted to introduce a delay into the processing of payments. In principle, where a payment appears suspicious, they can put in place a pause of up to four days [7]. Clearly, this has serious implications for transactions such as conveyancing, where a housing chain requires everyone to complete on the same day. Even in simple situations, like paying a credit card bill, delays can result in the cardholder having to pay additional charges and interest.
While it is positive to see the challenges of APP fraud being addressed, it will be interesting to see how these significant changes to the payments landscape play out over the coming months. Activities such as intelligence sharing, risk-scoring and real-time screening [8] will remain central to tackling fraud.
It is interesting to note that in other countries where approaches to Open Banking are being explored, the focus tends to be on data sharing rather than payment initiation. For example, in the US, the Consumer Financial Protection Bureau [9] (CFPB) is working to open up data sharing, to promote innovation in financial services.
References
[1] https://www.psr.org.uk/news-and-updates/latest-news/news/psr-confirms-its-decision-on-app-scams-reimbursement/
[2] https://www.psr.org.uk/media/tbbdhkcx/sr1-consumer-standard-of-caution-exception-dec-2023.pdf
[3] https://www.fscs.org.uk/what-we-cover/banks-building-societies-credit-unions/
[4] https://www.takefive-stopfraud.org.uk/
[5] https://www.psr.org.uk/our-work/app-scams/#:~:text=Every%20year%20thousands%20of%20individuals,to%20APP%20scams%20in%202023.
[6] https://www.ukfinance.org.uk/news-and-insight/blog/how-understanding-human-behaviour-key-effective-prevention-app-fraud
[7] https://www.bbc.co.uk/news/articles/cn7yel28rx6o
[8] https://www.synectics-solutions.com/our-thinking/why-your-app-scam-strategy-must-not-be-swayed-by-the-reimbursement-limit-update
[9] https://www.consumerfinance.gov/about-us/newsroom/cfpb-launches-process-to-recognize-open-banking-standards/
