Fraud in payments: a round-up of recent developments
Combating fraud is a major issue for the payments industry. In the UK, recent focus has been on authorised push payment fraud with interventions from the Treasury Select Committee, Pay.UK and the Payment Systems Regulator. Meanwhile, EU-wide guidelines for reporting fraud have been updated.
UK measures to tackle payment fraud
What is APP fraud?
Authorised push payment scams involve a fraudster tricking people to send money from their account to the fraudster. In the first half of 2019, over £200m was stolen from UK consumers in this way. For the firms involved in processing the payment, this type of scam is difficult to detect because the account holder approves the transaction.
What can be done to prevent fraud?
Confirmation of Payee
One proposal is for banks, when they process online payments, to compare the name on the receiving account with the details entered by the payer. Today it is often the case that only the account number and sort code are cross-referenced.
The Payment Systems Regulator has required six major UK banking groups to do just this. The relevant banks have until 31 March 2020 to start providing a “Confirmation of Payee” service. The original deadline had been set for last summer and a Treasury Select Committee report on economic crime has called for any firms which miss the revised date to be sanctioned.
The PSR has recently proposed allowing banks to request an exemption from Confirmation of Payee where it is not reasonable or proportionate for them to comply.
Delaying initial payment
The Treasury Select Committee also argued that a 24-hour delay on first-time payments should be imposed. This would allow consumers time to consider if they are being defrauded but would go against the industry trend towards frictionless and instantaneous payments.
Voluntary industry standards
Last year a voluntary code was introduced to help the industry respond to APP fraud. The code sets standards for monitoring transaction data and giving effective warnings to customers about the risk of fraud.
Reimbursement for innocent victims
A key principle of the code is that customers should be reimbursed for losses, with only limited exceptions. A Contingent Reimbursement Model sets out how money lost to consumers by certain types of fraud should be reimbursed.
Since then, there has been debate about whether the reimbursement model should be made compulsory. The Treasury Select Committee argued that it should and that this should not only cover future fraud but that customers defrauded over the last few years should also be reimbursed.
A compulsory model is likely to require a central fund to reimburse innocent victims of APP fraud. Pay.UK, which operates several payment systems including Faster Payments, has announced that payment providers agree that victims of scams should be reimbursed where both the customer and the payment provider have met the requirements of the industry code (i.e. a “no-blame” scenario). However, Pay.UK also found that there is no consensus on how to finance such a fund for the Faster Payments Scheme.
View from the regulator
In a recent speech, Chris Hemsley, the Managing Director of the Payment Systems Regulator, agreed that a mandatory fund to reimburse victims is not necessarily the correct approach. This is because several institutions, including signatories to the Contingent Reimbursement Model, are already funding claims and others have chosen to participate in a fund.
Interestingly, the speech suggested support for the idea that a bank should be able to recover refund costs from another firm (even one outside the financial sector) if that other firm failed to take reasonable steps to prevent the fraud from happening in the first place.
EU rules on fraud reporting
The revised Payment Services Directive requires payment service providers to provide data about fraudulent payment transactions to their regulators. The European Banking Authority has guidelines on fraud reporting to support the consistent application of this requirement across the EU.
Change to EBA guidelines
The EBA has recently amended its guidelines on fraud reporting under PSD2. The changes are a response to clarifications made by the European Commission on the application of strong customer authentication to merchant-initiated transactions and one-leg transactions (where only one payment service provider is in the EU). The upshot is that two new fields have been introduced for reporting this type of transaction where SCA is not applied.
What happens next?
Pay.UK has suggested that the industry and regulators develop a form of “APP Guarantee” in the Faster Payments Scheme to protect “no-blame” customers. In his speech, Mr Hemsley said that the PSR will look at whether any proposed rule change can be implemented in practice and ensure that Pay.UK can secure compliance with the rules. Meanwhile, the deadline for introducing Confirmation of Payee is 31 March 2020.
Separately, the revised EBA guidelines apply to the reporting of payment transactions initiated and executed from 1 July 2020. These guidelines will continue apply to UK payment service providers during the Brexit transition period.