Collaboration across industries – is this the key to solving APP Fraud?

Blog· 6min June 26, 2023

At the beginning of June 2023, the Payments Systems Regulator (PSR) published the latest update regarding the reimbursement requirements for Authorised Push Payment (APP) Fraud in the UK, through the Faster Payment Scheme.

What are the new reimbursement requirements?

By way of a quick recap, the salient points of the new requirements are as follows: 

  • Customers who have been a victim of APP Fraud will be reimbursed by their Payment Service Provider (PSP), provided it is not proved that the customer has been “Grossly Negligent”. Banks are classified as Payment Service Providers 
  • Customers will have to be reimbursed within 5 working days of reporting the Fraud to their PSP; subject to some situations which allow for a longer time. 
  • The liability will be split 50:50 between the sending and receiving PSP. 
  • Exemptions are being defined regarding Vulnerable Customers 
  • PSPs are required to submit their performance regarding APP Fraud, both inbound and outbound, to the PSR for publication 
  • The final points of detail, including effective date, will be open for consultation in Q3, 2023 – with a signpost for 2024 implementation. 

How much of an issue is APP Fraud in the UK?

Based on data from the latest UK Finance Annual Fraud Report, in 2022 value of APP scams amounted to £485.2m across 207,372 cases. This figure is only what is reported, the true volume, including unreported victims of APP Fraud, will be much higher. 

Out of the total £485.2m which was reported, £285.6m was reimbursed back to the victim – which equates to 58.8%. Recovery of these funds is notoriously low, and therefore most of this financial cost is covered by the PSP of the victim only. 

Those cases for which the PSP has not reimbursed the victim (£199.6m), under either the voluntary Contingent Reimbursement Model (CRM) or other principles, result in the victim being financially out of pocket from the Scams, as well as a host of non-financial impacts. 

 

The role of technology companies in APP Fraud

In the same report from UK Finance, for the first-time, data is being published which shows the originating source of APP Fraud, as most of the fraud starts outside of the banking centre. UK Finance summarise this data with the following 2 statements: 

  • 78% of fraud cases originate from online sources. These cases tend to include lower-value scams such as purchase fraud and therefore account for 36% of total losses, 
  • 18% of fraud cases originate from telecommunications, these are usually higher value cases such as impersonation scams and so account for 44% of losses.  

When equating this to volume of APP Fraud in 2022, 162k cases originated online equating to £175m of losses at an average case value of £1,080. By comparison, telecommunication origination cases are 37k worth £213m at an average case value of £5,719. 

However, there is currently no liability or formal obligation for technology companies to contribute to both the prevention and the financial impact associated with APP Fraud. 

But is the heat starting to build on the tech companies to play their part in addressing this ever-increasing challenge? 

So, what is the ask of the technology companies?

Over the last month, there has been increasing pressure on technology companies, particularly Meta (the parent company owning Facebook, Instagram, and WhatsApp) to do more to protect customers from becoming victims of Fraud.  

TSB Chief Executive, Robin Bulloch, has written to Meta calling for them to implement tech interventions which are urgently needed to protect customers from spiralling levels of fraud. The extent of which Meta platform are a source for fraud is laid bare by the stats from TSB: 

  • 80 percent of all purchase fraud cases, with three-fifths (60 percent) of these cases coming from Facebook Marketplace, and a further 18 per cent via Instagram. 
  • 86 percent of impersonation fraud, driven by a sharp increase in WhatsApp-based “friends and family fraud” which has surged by 300 percent in just a year. 
  • 87 percent of all investment fraud, largely driven by Instagram (59%). 
  • On current industry fraud levels, banking sector projections show £250m could be lost to fraud from Meta platforms in 2023.  

A similar message has been presented by Lloyds Banking Group, in a press release calling on Meta, and other tech companies, to do more to stop scams at source and play their part in refunding victims of fraud which originates on their platforms. The stats from Lloyds are very much aligned to those from TSB but include the scary perspective that someone in the UK falls victim to a shopping scam across Facebook (including Facebook Marketplace) and Instagram every 7 minutes. 

Liz Ziegler, Fraud Prevention Director at Lloyds, sums it up in the press release with the following statement, with a call for tech companies to not only stop the scams, but also to be financially responsible when their platform has been used to defraud a victim:

“Banks have been at the forefront of tackling the epidemic of scams, but they cannot fight it alone. It’s high time tech companies stepped up to share responsibility for protecting their own customers. This means stopping scams at source and contributing to refunds when their platforms are used to defraud innocent victims.” 

The sentiment is much wider that just TSB and Lloyds Banking Group, with the details shared by Sky News on 17th June that 9 of the largest banks in the UK (NatWest, Nationwide, Lloyds, HSBC, TSB, Barclays, Santander, Handelsbanken & Starling) had written to the Prime Minister stating that: 

  • Technology companies must contribute to the cost of an online fraud "pandemic" that is undermining international investor confidence in the UK economy. 
  • The National Fraud Strategy, announced by the government in May 2023, was inadequate to tackle the scale of the crisis. 
  • Consideration would have to be made about further action to be taken by the banks, including the slowing down of payments. 
  • The transfer of voluntary measures aimed at the telecoms and tech sectors to become mandated. 
  • The current target of a 10% reduction in online fraud would still leave more than 2 million customers a year suffering harm, this should be a more ambitious 25% reduction – which could be achieved with collective commitment and collaboration.  

They have asked for 3 key actions from tech companies, but this also extends to telecommunication companies too, which are: 

  • To be responsible for stopping scams at source on their platforms 
  • To contribute to refunds for victims of fraud originating on their platforms 
  • For a public register, similar to that which PSP’s will be a part of, showing the scale of these companies failure to prevent scams  

There is a 4th action which I believe is critical which is the collaboration on data between all parties in the ecosystem. For instance,  

  • How could financial data and social media data be linked to utilise both data sets within intelligent intervention to help prevent fraud?  
  • The ability for real-time intelligence regarding customers call activity be available to all players directly, without the need for individual separate integrations 

The letter to the Prime Minster was also signed by Chairman and Chief Executive of UK Finance, the banking lobbying group. However, no reference is made to any involvement with the PSR in this approach to the Prime Minster.

Is Regulation the answer?

Last week, I was involved in a conference discussing the PSR recommendations, and the question was asked – “Will the changes work?”.  

My opinion is that when regulation is forced on an industry, then what you tend to experience is an exploration of how to be compliant with the regulation, rather than ensuring that the actions taken are directly aligned to the problem that the regulation is trying to solve.  

Closer co-operation across all industries is required to address the issues that the UK is facing regarding APP Fraud. This is not just limited to the involvement of the tech and telecoms companies, however. Banks must embrace the changes that are being mandated in the UK around sharing of data and intelligence through the appropriate channels to collaborate on the problems we are facing – for which the UK, as described by the banks, has become “a global hotspot for fraud and scams”. 

Public / Private data sharing must become the norm, however, there needs to be a drive for inclusivity from relevant leadership to make this happen. 

Regulation is a strong tool to be used, but it feels that through a collective lack of movement by the associated industries, the deployment of regulation is the last resort. As an industry we must not seek to see regulation as a negative, but rather an opportunity to make a difference. We will be judged in the years ahead as to the ability of Financial Services, Tech Companies & TelCo’s in moving the dial in preventing the ever-growing issues experienced, both financial and non-financial, around fraud and scams. 

So what happens now….

It is imperative that there is no slowing down in the Economic Crime and Corporate Transparency Bill which is currently progressing through the House of Lords, with aggressive – but realistic – timelines agreed through the consultation to be shortly issued by the PSR. 

PSP’s need to be preparing for the forthcoming regulation changes, the inclusion of a “Failure to prevent Fraud” offence within the bill places a clear emphasis on having “reasonable fraud prevention procedures in place”.  The government has committed to publish guidance providing organisations with more information about reasonable procedures before the new offence comes into force. However, now is the time to be assessing what changes you need to make to ensure compliance with the complete requirements in the new legislation.  

The role of tech companies in the infrastructure and environment of protecting customers must follow separately, but at pace. As an industry we must build trust with our customers that they are being protected when they are a victim of a scam. 

Markets outside of the UK are observing the steps we are taking, and I fully expect similar regulatory requirements to follow in those markets. The extent to which companies within those markets embrace the principles of protecting of customers will, in my opinion, determine the extent to which aspects of regulation are enforced. 

Written by

Chris Oakley Head of Fraud