What Payment Service Providers Need to Consider Ahead of the Implementation of Mandatory Reimbursement for APP Fraud

The contents of this blog are for general information purposes only and do not constitute legal advice. Association of Foreign Banks disclaims liability for actions taken based on the materials. Readers should consult their legal advisers.

The controversial new requirement for all in-scope Payment Service Providers (“PSPs”) to reimburse victims of Authorised Push Payment (“APP”) fraud are due to be introduced from 7 October 2024. This is a significant change for all payment firms and has not been universally welcomed. Amongst the concerns raised is whether the new regime is consistent with the requirement that regulators advance the competitiveness of the UK. On 4 September 2024, the UK’s Payment Systems Regulator (“PSR”) published Consultation Paper 24/11 (CP24/11 available here), which sets out the PSR’s proposal to change the maximum reimbursement value per claim that PSPs would have to pay to victims of APP fraud from £415,000 to £85,000, in line with the maximum level of reimbursement under the Financial Services Compensation Scheme (“FSCS”). The revised limit reflects the PSR’s findings that the overall volume of high-value APP fraud is low and that the claims are usually made up of multiple payments of smaller amounts. CP24/11 closes for comments on 18 September 2024, with the PSR expected to confirm its final approach before the end of September. In this article we consider the key features of the new regime and what PSPs should do as they prepare for implementation.

The New Mandatory Reimbursement Regime

We (BCLP) published an article on the new regime at the start of the year (available here).

The regime applies to PSPs that are participants (directly and indirectly) of the Faster Payments System (“FPS”) and provide accounts that are held in the UK and send/receive payments using FPS. Further, the account holder must be a consumer (individual, microenterprise, or charity). PSPs that are participants of CHAPS may also be in-scope of a comparable model – we discuss these requirements later in this article.

Under the Rules, where a customer submits a claim for APP fraud within 13 months from the date of their last payment, the sending PSP must, within five business days of the victim making the APP fraud claim, reimburse the victim in full. The only exceptions to this rule are where:

• the customer seeking reimbursement acted fraudulently; or
• the customer acted with gross negligence, i.e. outside the consumer standard of caution, although this exception does not apply to vulnerable customers where the vulnerability had a material impact on the customer’s ability to protect themselves from the fraud.

The sending PSP may pause the five business days for a maximum of 35 days to allow for an investigation into the alleged APP fraud. Whilst the Rules are expected to provide a maximum reimbursement level of £85,000, the sending PSP is at liberty to reimburse a value which exceeds such an amount.

Once a sending PSP pays the reimbursable amount as required by the Rules, it will be required to update the FPS APP scam claim record via the RCMS. Thereafter, the receiving PSP will have five business days following a notification from the sending PSP to pay the reimbursable contribution amount, unless the sending PSP voluntarily chose to reimburse the customer for the APP fraud scam, in which case the receiving PSP will be off the hook. The reimbursable contribution amount is calculated by the sending PSP as a proportion of 50% of the reimbursable amount.

For context, the PSR’s latest APP scams performance report for 2023 reported a total of 252,626 cases of APP scams totalling almost £341m.

Importantly, PSPs are required to notify consumers of their rights under the reimbursement requirement by 7 October 2024, and to amend their contractual terms and conditions by 9 April 2025 to include a provision that a PSP will reimburse their consumers in line with the Rules. The PSR’s non-binding information sheet contains suggestions of the type of information PSPs should consider providing in relation to the reimbursement requirement and rules.

The Role of Pay.UK

Pay.UK has published the final version of the FPS reimbursement rules (the “Rules”). Pay.UK has been directed by the PSR to implement the APP reimbursement policy and operate a compliance monitoring regime. All PSPs (whether a member of FPS or not) were required to register with Pay.UK by 20 August 2024. The next key date is 20 September 2024, being the date by which all directed PSPs must be onboarded to the Reimbursement Claims Management System (“RCMS”). The RCMS is a single, whole-of-market solution to facilitate and streamline claims under the APP fraud reimbursement policy. It will automate claim processing and enable PSPs to report claims data to Pay.UK, as required by the PSR.

Preparing for 7 October 2024

We recommend that PSPs consider the following five threshold points as they prepare for implementation:

1. Introducing new policies and procedures: As PSPs will be required to reimburse their customers within five business days of the customer reporting that they have been a victim of APP fraud, we recommend that PSPs consider introducing new policies and procedures (or amending existing ones) to ensure that they can assess whether an APP fraud payment is reimbursable within this short time frame.
2. Defining the circumstances in which the PSP would reject a customer’s APP fraud reimbursement claim. If a claim is denied, PSPs will need to prepare for the risk that the customer could complain via the Financial Ombudsman Service (“FOS”).
3. Establishing additional reserves: As mentioned above, both sending and receiving PSPs would reimburse victims of APP fraud (split 50:50). In anticipation for these reimbursement payments, PSPs may consider whether reserves should be established.
4. The terms entered into with clearing PSPs: Where a PSP uses another PSP to clear transactions, consideration should be given to the terms entered into with that clearing PSP, so it is clear which PSP will be deemed to have received funds that are said to be used in an APP fraud. For example, where Bank A has a customer relationship and arranges a transfer of funds to Bank C, if the transfer is made through Bank B, Bank A should be clear whether it will ask Bank C to reimburse 50% of the sums paid to repay a customer who is the victim of APP fraud. The guidance currently is silent on how such clearing bank relationships should be treated.
5. The new regime does not apply to international payments: Most of the claims we have defended, acting for banks and other PSPs, have been where APP frauds have involved international payments. We consider it likely therefore, that claims will continue to be made against banks and other PSPs where international APP frauds have taken place.

Information Reporting Requirements

The PSR has also published Policy Statement 24/3 (PS24/3 available here) which, among other things, confirms that in scope PSPs will be required to provide their first report to Pay.UK by 6 January 2025. This report must include the total volume of FPS APP scam claims:

• Deemed ‘in scope’ for assessment;
• Determined to be reimbursable;
• Closed within the five business days from the consumer submitting the FPS APP scam claim to the consumer being reimbursed or the claim rejected;
• Where the sending PSP informed the receiving PSP of the claim within the notification period as defined in the FPS reimbursement rules;
• Rejected as the consumer standard of caution exception was applied;
• Where the consumer was identified as vulnerable;
• Reimbursed to the consumer; and
• Where the sending PSP received the reimbursable contribution amount within the timeframe specified.

Although the PSR has confirmed that certain limits will be placed on Pay.UK in respect of the use and disclosure of the compliance data it receives (PS24/3 available here), ultimately, the data received from PSPs will inform the data published by the PSR, which PSPs will in turn be required to publish themselves. Policy Statement 24/2 (PS24/2 available here) confirms that:

• In scope PSPs will need to publish the data received from the PSR by no later than 28 working days from the date of the PSR’s publication. The PSR has said that it will not send directed PSPs any data in advance of their publication date due to the sensitivities of the data collected.
• The PSR’s publication will retain the percentage change of a PSPs year on year change in performance, on the basis that this information gives consumers a relative indication of whether the performance of a PSP has improved or declined.
• The PSR will publish aggregate absolute APP scams data but will not identify the absolute APP scams data at an individual PSP level.

What about CHAPS Payments?

On 8 May 2024, the PSR published Consultation Paper 24/8 (CP24/8 available here), which proposed that all PSPs participating directly or indirectly in CHAPS would be required to reimburse their customers who have been victims of APP fraud. Similarly, the Bank of England (“BoE”) also published its draft CHAPS reimbursement rules, with the intention of providing a consistent outcome for victims of APP scams across CHAPS and FPS and consistent processes for CHAPS and FPS participants.

On 6 September 2024, the PSR published Policy Statement 24/5 (PS24/5 available here), which provided feedback on CP24/8 and confirmed its approach to expanding the reimbursement protections to consumers of CHAPS. PS24/5 also confirmed that these new rules would also come into force from 7 October 2024, i.e. aligned with the date that the BoE’s CHAPS reimbursement rules (available here) and the core FPS mandatory reimbursement regime comes into effect.

Concurrently, the PSR also published Specific Direction 21 (SD21 available here), which the PSR advises should be read alongside the BoE’s CHAPS reimbursement rules and the PSR’s CHAPS Compliance Data Reporting Standard (available here).

Identification of APP Scams and Civil Disputes

Back in June 2023, the PSR confirmed that it was not proceeding with the creation of an actionable right for the consumer to enforce their rights under the mandatory reimbursement requirements through the civil courts. In reality, where payments are not refunded by PSPs, it is likely that complaints would be made to the FOS.

On 18 July 2024, the PSR published draft guidance by way of CP24/10 (available here) intended to support PSPs in their assessment of whether an APP scam claim raised by a consumer is not reimbursable under the reimbursement requirement because it is a private civil dispute.

When assessing, considering the facts available, whether a claim solely relates to a civil dispute and does not therefore fall within the requirements to reimburse, the guidance, although only indicative, sets out the factors that PSPs should consider. In its current draft form, the guidance suggests categorising the factors into the following five key areas:

1. The communication and relationship between the consumer and the alleged scammer;
2. The trading status of the alleged scammer;
3. The alleged scammer’s capability to deliver the goods and services related to the claim;
4. The extent to which the alleged scammer deceived the consumer as to the purpose of the payment; and
5. Information held by the receiving PSP about the relevant account/s.

Responses to CP24/10 closed on 8 August 2024, so we expect to see the final guidance in mid-September.

On 9 September 2024, the FCA published GC24/5 (available here) which is a guidance consultation on APP fraud and enabling a risk-based approach to payment processing. HM Treasury is expected to lay the Payment Services (Amendment) Regulations 2024 before Parliament in due course. The legislation will amend the Payment Services Regulations 2017 (SI 2017/752) to enable PSPs to delay making a payment transaction where they have reasonable grounds to suspect fraud or dishonesty.

Conclusion

We (BCLP) regularly defend claims against banks and other PSPs where sophisticated frauds have been perpetrated on customers and customers then claim redress. Current claims are particularly arising where there are joint mandates and one customer asserts that a transaction was entered into without their consent.

We would be delighted to discuss any of the issues raised in this article, or related to this topic, with you.

• Andrew Tuson – Andrew.Tuson@bclplaw.com
• Tegan Schultz – Tegan.Schultz@bclplaw.com
• Samantha Paul – Samantha.Paul@bclplaw.com

Content Partner

BCLP’s Financial Services Disputes and Investigations Practice:

Operating as one single team, the financial services disputes and investigations practice advises the full spectrum of financial institutions to support them and provide pragmatic and commercially astute guidance to ensure they meet their vast global and local financial regulatory requirements. The team regularly assists clients in preparing for changes in regulations, ensuring that they are operating within the relevant legal framework, and that their staff are trained in and confident with the requirements and expectations imposed by regulators. At the other end of the spectrum, the team has extensive experience in dealing with high profile international regulatory enforcement investigations, complex financial services litigation and criminal prosecutions brought by regulators.

The team works closely and constructively with members of other complimentary practice areas, enabling it to ‘issue spot’ and provide multi-disciplinary advice to clients. The team combines this with an in-depth knowledge of the relevant regulators and how their authorisation, supervision and enforcement divisions operate in practice, together with technical excellence in the relevant law and regulations. A number of the team have gained direct experience from working at the regulators and law enforcement authorities (including the FCA) as well secondments to a range of financial institutions and investment exchanges.

To learn more, visit the BCLP website