Proposed implementation date for APP Fraud reimbursement – consultation issued for the delay in go-live

The Payments Systems Regulator (PSR) have published a new consultation (CP23/10) on the 28th September regarding Authorised Push Payment (APP) fraud reimbursement requirement. The consultation can be accessed on the PSR website here, with the main change being the delay in implementing the requirements from April to October 2024.

The requirements, which are being currently being finalised, are looking to introduce consistent minimum standards to reimburse victims of APP Fraud (APP Fraud is easiest described as when a fraudster tricks someone into sending a payment to an account outside of their control). These standards are to be delivered around 3 key principles, which are: 

• All Payments Service Providers (PSPs) will be required to reimburse in-scope customers who fall victim to APP Fraud in all but exceptional cases. 
• The cost of reimbursing APP Fraud victims will transition to an equal liability of 50:50 between sending and receiving PSP’s. 
• Additional protection is to be provided to Vulnerable Customers 

In June 2023, the PSR published its policy document (PS23/3) and then followed this with consultations in July (CP23/4) and August 2023 (CP23/6 and CP23/7) looking at the legal requirements, excess levels, maximum claim value and standard of caution respectively. 

In the July consultation (CP23/4), it was proposed that the new requirements would be effective from the 2nd April 2024. Following the industry consultation feedback, it has been recognised that the original date of the 2nd April 2024 was an overly ambitious target when considered against the readiness of PSP’s for the new requirements. Pressing ahead with the original April 2024 date would run the risk of inconsistences in application, as well as potentially a negative perception of the new policy objectives for customers. 

The consultation is proposing a new date for implementation of the 7th October 2024, a delay of 6 months from the original implementation date. This date is now open for consultation (until the 19th October 2023) and the PSR will confirm in December 2023 the final implementation date of the new regulations. 

In the feedback from CP23/4 on the original implementation date there were 4 key areas highlighted by the responses received from the consultation as to why the original April date was unrealistic, which were (CP23/10, Section 4.4): 

System Capability:  

• There is no data solution which enables PSPs to handle case management, communication of settlement and data reporting to pay.UK.  
• Concerns regarding the ability for all PSP’s (regardless of direct vs indirect and size) to communicate effectively and securely regarding potential reimbursement claims. 
• A go-live of April 2024 would not allow timing for full testing of any solutions to address these points. 
  
  Operational Timescales: 
• Time is required to ensure staff awareness and training was completed, as well as IT estate changes – incorporating E2E processes and appropriate warnings. 
• Concerns regarding resource availability for those PSPs who are also gearing towards an October 2024 Confirmation of Payee (CoP) implementation. 
• Commercial resilience regarding increased costs required to implement the new requirements. 
  
  Faster Payment Rules: 
• Concerns regarding the non-publication of the Faster Payment Rules that pay.uk will deliver, as these need to be impact assessed to determine operational readiness. 
  
  Outstanding Policy Points: 
• There are still outstanding points of policy regarding standard of caution (gross negligence), excess level, maximum level of reimbursement and legal instruments – which are not due to be finalised until December 2023. 
• Without these policy clarification points, it is not possible to commit to operational readiness for the new requirements.  

To mitigate these concerns in CP23/10 (section 4.5/4.6) the PSR is proposing a timeline of: 

• Sept 2023 – Publication of draft Faster Payment Rules published (released on 28th September and available here) 
• December 2023 – All legal instruments to be published, consumer standard of caution guidance published (CP23/7), excess and maximum level of reimbursement published (CP23/6) 
• October 2024 – Deadline for introduction of Confirmation of Payee for Group 2 PSPs1 

With the revised timelines to October 2024, it is the view of the PSR consultation that this aligns to the industry requirement of 6-12 months to prepare for the implementation of the new requirements. However there remains a key reliance on pay.uk and the wider industry to develop, build, implement and embed system capability. 

Additionally, within the consultation, there is a change proposed in the responsibility for Indirect Access Partners (IAP) who provide connectivity for indirect PSPs regarding communication of the indirect PSPs obligations under the reimbursement requirement (Section 3.3). Originally the responsibility for this communication was going to rest with the IAP however this will now be covered within the issuance of a specific direction to all PSPs. However, to ensure this policy is effective, there is an annual requirement for IAPs to inform the PSR of any indirect PSPs they provide access to, with the first return due by 31st March 2024 for the calendar year of 2023. 

The 2 consultations above have now closed, and the industry is awaiting feedback from the PSR on the outcomes of these.  

The consultation regarding standard of caution outlines that there are 2 key exceptions to the reimbursement requirements, which are: 

• Where the consumer seeking reimbursement has acted fraudulently (‘first-party fraud’). 
• Where the consumer has acted with gross negligence (the ‘consumer standard of caution’). 

Section 3 of CP23/7 proposes that consumers should be subject to an express standard of care in relation to authorised push payments. The standard should consist of three elements:  

1. A requirement to have regard to warnings, where those warnings are consumer, scam, and transaction specific. 
2. A prompt notification requirement. 
3. An information sharing requirement. 

The consultation is proposing that where a customer, through gross negligence, has not met one or more of the standards then the PSP is not required to offer reimbursement for their APP Fraud claim. 

The principles associated with the 2nd and 3rd standards are clear regarding the proposed time bound period of 13 months to make a claim and compliance with the investigation made by the PSP into the claim. However, the interpretation into the 1st standard regarding notification and acknowledgment of warnings into specific fraud risk will be interesting to observe the outcome of the consultation. 

Section 3.4 reminds PSPs that they are not able to introduce into their contractual relationship with their customers a transfer of responsibility and still are required to prove gross negligence.  

Section 3.7 states “It will be up to providers to develop their own operational approaches and identify effective best practice. The warnings should be consumer, scam, and transaction specific. They ought not to consist of ‘boilerplate’ warnings. PSPs would not be able to legitimately refuse reimbursement claims based on vague, non-specific warnings, or warnings that routinely accompany most or all transactions of a similar type.” 

This initial positioning within the consultation provides the opportunity for PSPs to utilise intelligence and Machine Learning to create intelligence intervention strategies for customer journeys. Being able to demonstrate that such warnings have been both provided and acknowledged to customers who then submit a claim under the reimbursement requirements may allow PSPs to instigate under the standard of caution exemption to not reimburse the victim. 

Although the date of the implementation is proposed to be delayed until October 2024, there remains a need to continue to focus on those parts of your strategy that are in your control. Whilst the particulars around excess, maximum cap and standard of caution may not be confirmed until December 2023 – understanding the roadmap to be able to manage your liability under the new regulations remains a key focus. 

Form3 have been working with customers to manage their liability in regard to APP Fraud risk, including orchestration of inbound and outbound payments for scoring, access to best-in-class scoring models with integrated explainability and alignment to their operational processes. This experience has demonstrated that, even with a delay in the implementation of these new rules, there is a large burden of work on PSPs to be ready to implement, test and operationalise their augmented solutions to be ready by October 2024.