Why PSPs must act now on PSR requirements

The UK is positioning itself as a world leader when it comes to tackling the scourge of authorised push payment (APP) fraud. Future victims of this type of crime will now be much more likely to get their money back with the UK’s Payment Systems Regulator (PSR) introducing new requirements for banks and payment services providers (PSPs) in an attempt to reduce rates of APP fraud.

When the new PSR regulation comes into place, it will mandate that victims of APP fraud, where the payment is made to another UK Bank Account through FPS or CHAPS – provided that they have not been grossly negligent – will be reimbursed.

Whether banks and PSPs agree with it or not, this legislative change is coming, meaning that they’re going to have to reimburse victims of APP fraud – even if the individual technically isn’t actually their customer.

It’s critical for all banks and PSPs to ensure they take adequate steps to start to implement the new reimbursement requirement ahead of the regulation coming into effect in October 2024, based upon the current consultation from the PSR.

The first step for banks and PSPs is to ensure the regulatory changes are high on the agenda in the boardroom. The C-Suite must understand exactly what’s happening and when so they can take timely and decisive action. This isn’t just because there will be increased financial liability that affects the bottom line; it’s also a matter of reputation.

When the regulations come into effect, banks and PSPs will have to publish their inbound and outbound fraud rates. Therefore, institutions that don’t get their house in order now are likely to find themselves in the headlines for all the wrong reasons when these fraud rates are made public.

If there is to be any progress in the fight against all types of fraud, there needs to be much closer data collaboration and data sharing between financial institutions. Data sharing is a highly-regulated area, with GDPR and the Data Protection Act 2018 meaning banks are tightly restricted in terms of the customer data they can share with third parties.

However, the Economic Crime Bill that has been introduced by the current parliament stipulates that prevention of economic crime is now an acceptable reason for the sharing of data.

Ideally PSPs should look for a technology partner that can enable them to safely share payment data with a consortium of other PSPs to better protect them from attempted fraud.

Banks need a tech partner that is able to carry out full screening on the recipient of a transaction. This might sound simple, but the mechanics are really quite difficult. With an inbound payment, in the Faster Payments System network, receiving banks have 10 seconds to accept a payment.

Banks must find a partner that can help them identify the fraud risk of inbound payments and interrupt the automated process, outside of the scheme stipulated timings, that takes place to credit the money to the customer’s account should there be any suspicions, without disrupting the flow of legitimate payments.

Even financial institutions that are not a direct participant member of the Faster Payment System will need to be talking to their sponsor or Indirect Access Partner (IAP) about how the regulations will affect them.

From a global perspective, there is a lot that other markets can learn from the new PSR requirements and how they are applied.

On 28th June, the European Commission (EC) put forward proposals to update the second iteration of its Payment Services Directive (PSD2) with PSD3. One of the central pillars of PSD3 will be to combat and mitigate payment fraud. The EC has broken this down into four areas that very closely reflect the work that is already underway in the UK.

In essence, the EC wants to enforce a system equivalent to the UK’s Confirmation of Payee (CoP) solution across all payments; encourage cooperation between banks and PSPs through information sharing; give consumers a right of refund if they are a victim of fraud.

The major thrust of the new requirements is about protecting customers, not directly reducing fraud. But the emphasis is now very much on PSPs to put protections in place that address the causes of the problems rather than the symptoms.

While putting better fraud protections in place and partaking in industry-wide efforts to combat fraud will involve an initial cost, in the long term it will keep compensation costs to a minimum and improve both brand perception and Customer Experience for banks and PSPs.