Blog· 3min October 2, 2023
The Payments Systems Regulator (PSR) have published a new consultation (CP23/10) on the 28th September regarding Authorised Push Payment (APP) fraud reimbursement requirement. The consultation can be accessed on the PSR website here, with the main change being the delay in implementing the requirements from April to October 2024.
The requirements, which are being currently being finalised, are looking to introduce consistent minimum standards to reimburse victims of APP Fraud (APP Fraud is easiest described as when a fraudster tricks someone into sending a payment to an account outside of their control). These standards are to be delivered around 3 key principles, which are:
In June 2023, the PSR published its policy document (PS23/3) and then followed this with consultations in July (CP23/4) and August 2023 (CP23/6 and CP23/7) looking at the legal requirements, excess levels, maximum claim value and standard of caution respectively.
In the July consultation (CP23/4), it was proposed that the new requirements would be effective from the 2nd April 2024. Following the industry consultation feedback, it has been recognised that the original date of the 2nd April 2024 was an overly ambitious target when considered against the readiness of PSP’s for the new requirements. Pressing ahead with the original April 2024 date would run the risk of inconsistences in application, as well as potentially a negative perception of the new policy objectives for customers.
The consultation is proposing a new date for implementation of the 7th October 2024, a delay of 6 months from the original implementation date. This date is now open for consultation (until the 19th October 2023) and the PSR will confirm in December 2023 the final implementation date of the new regulations.
In the feedback from CP23/4 on the original implementation date there were 4 key areas highlighted by the responses received from the consultation as to why the original April date was unrealistic, which were (CP23/10, Section 4.4):
System Capability:
To mitigate these concerns in CP23/10 (section 4.5/4.6) the PSR is proposing a timeline of:
With the revised timelines to October 2024, it is the view of the PSR consultation that this aligns to the industry requirement of 6-12 months to prepare for the implementation of the new requirements. However there remains a key reliance on pay.uk and the wider industry to develop, build, implement and embed system capability.
Additionally, within the consultation, there is a change proposed in the responsibility for Indirect Access Partners (IAP) who provide connectivity for indirect PSPs regarding communication of the indirect PSPs obligations under the reimbursement requirement (Section 3.3). Originally the responsibility for this communication was going to rest with the IAP however this will now be covered within the issuance of a specific direction to all PSPs. However, to ensure this policy is effective, there is an annual requirement for IAPs to inform the PSR of any indirect PSPs they provide access to, with the first return due by 31st March 2024 for the calendar year of 2023.
The 2 consultations above have now closed, and the industry is awaiting feedback from the PSR on the outcomes of these.
The consultation regarding standard of caution outlines that there are 2 key exceptions to the reimbursement requirements, which are:
Section 3 of CP23/7 proposes that consumers should be subject to an express standard of care in relation to authorised push payments. The standard should consist of three elements:
The consultation is proposing that where a customer, through gross negligence, has not met one or more of the standards then the PSP is not required to offer reimbursement for their APP Fraud claim.
The principles associated with the 2nd and 3rd standards are clear regarding the proposed time bound period of 13 months to make a claim and compliance with the investigation made by the PSP into the claim. However, the interpretation into the 1st standard regarding notification and acknowledgment of warnings into specific fraud risk will be interesting to observe the outcome of the consultation.
Section 3.4 reminds PSPs that they are not able to introduce into their contractual relationship with their customers a transfer of responsibility and still are required to prove gross negligence.
Section 3.7 states “It will be up to providers to develop their own operational approaches and identify effective best practice. The warnings should be consumer, scam, and transaction specific. They ought not to consist of ‘boilerplate’ warnings. PSPs would not be able to legitimately refuse reimbursement claims based on vague, non-specific warnings, or warnings that routinely accompany most or all transactions of a similar type.”
This initial positioning within the consultation provides the opportunity for PSPs to utilise intelligence and Machine Learning to create intelligence intervention strategies for customer journeys. Being able to demonstrate that such warnings have been both provided and acknowledged to customers who then submit a claim under the reimbursement requirements may allow PSPs to instigate under the standard of caution exemption to not reimburse the victim.
Although the date of the implementation is proposed to be delayed until October 2024, there remains a need to continue to focus on those parts of your strategy that are in your control. Whilst the particulars around excess, maximum cap and standard of caution may not be confirmed until December 2023 – understanding the roadmap to be able to manage your liability under the new regulations remains a key focus.
Form3 have been working with customers to manage their liability in regard to APP Fraud risk, including orchestration of inbound and outbound payments for scoring, access to best-in-class scoring models with integrated explainability and alignment to their operational processes. This experience has demonstrated that, even with a delay in the implementation of these new rules, there is a large burden of work on PSPs to be ready to implement, test and operationalise their augmented solutions to be ready by October 2024.
Written by
Chris has worked in UK Banks across Fraud, FinCrime and Analytics for over 20 years.
Recently he has been a guest speaker at multiple events across the UK, Africa and US around the power of data in Fraud Detection and Prevention.