
UK Payments Association calls on new PSR chief to delay APP fraud rules

The UK payments industry has called on the new interim Payment Systems Regulator (PSR) chief to postpone the implementation of new APP fraud rules by a year, warning that failure to do so could lead to "permanent damage" to the sector.


Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

Last week, after a four-year stint, managing director Chris Hemsley stepped down from the PSR, replaced on an interim basis for nine months by David Geale.

Hemsley had been overseeing plans to improve protections for victims of APP (authorised push payments) fraud that will see the vast majority of money - up to £415,000 - lost to APP frauds reimbursed to victims.

With the new rules set to come into force in October 2024, the UK Payments Association has used the arrival of Geale to call for a 12-month postponement "to ensure the right policies, technology and systems are in place to avoid permanent damage to the UK’s payment industry and its ability to enable safe, instant, cheap and convenient payments".

A briefing paper put together by the industry group argues that a delay to the reimbursement rules will let the industry prepare as well as bring in Big Tech - which it has long said is the source of APP scams - into the process.

The briefing also reiterates the industry's stance that the threshold should be £30,000, not £415,000. With the average scam costing £11,000 for business and £1,500 for members of the public, a recommended mandatory reimbursement threshold of £30,000 is still more than double the average scam for businesses and 20x the average scam for consumers.

The Association last month wrote to the Economic Secretary to the Treasury, Bim Afolami, to protest the cap, calling it "simply not proportionate."

Riccardo Tordera, head, policy and government relations, Payments Association, says: "If the current changes are implemented, we believe the prudential risk and requirements to participate in the UK payments market will increase significantly - resulting in reduced competition and an increase in the unbanked population.

"It will also result in an increase in cost and friction of real time payments and a decrease in investment into the UK Fintech market due to higher risks of failure and lower profitability."


Comments: (16)

Bill Trueman Director at Riskskill.com

This is rather a silly debate. It is a simple matter of WHO loses the money. If I as a customer of my bank ('Bank-Customer') instruct them to make a payment to a fraudster to their bank ('Bank-Fraudster') - which bank should lose? Research by UK payments shows that Bank-Fraudster are a small number of smaller banks. Our experiences are that, driven by UKPayments, the main 'Bank-Customer' banks have included endless "are you sure this is genuine" messages, and 'Bank-Fraudster' have continued to open accounts and disperse money for fraudsters. How and why did they open these accounts for fraudsters? Was the identity taken sufficient?

It is about time that the losses were apportioned to the banks that were at fault: so that they can start doing their jobs properly. And the sooner the better. And why are there limits at all? Why should we let 'Bank-Fraudster' off the hook at all?

We'd go further:
- 100% of all losses ought to go to the bank that let the fraudsters succeed with the fraud.

- The industry body should stop pandering to all the neo banks that want to avoid proper legal customer (fraudster) onboarding due diligence and do what is right for customers. There should be a price to pay for cutting corners.

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Bingo! This totally resonates with my prediction that this populist PSR APP Scam Compensation regulation will get postponed, if not canceled, after UK elections. Change of PSR Chief is an unexpected windfall for banks.

Last I checked, alleged fraudsters - and even convicted criminals - can get bank accounts, so it makes no sense to hold the payee bank responsible for APP Scam.

Kudos to banks for pushing back against the rollout of this Drunk Under Lamp Post regulation.

Bill Trueman Director at Riskskill.com

@ Ketharaman Swaminathan - this is not regulation driven - but through a voluntary code with PSR pressure and consumer / media led persuasion.

*** Fraudsters should not be able to get accounts *** - it is AML globally that requires the banks to undertake proper customer onboarding: and if they did, then there would / should be no APP fraud. Or money available to claw back.
Who do you think should be liable? Not the conned customers, nor the paying banks that have simply complied with customer instruction. The bad boys are the fraudsters, and then the banks that have accepted the payments and then taken instructions from a fraudster to further hide the money. A FIRST PRINCIPLE is to 'follow the money' and reverse as much of the process as one can. Exchange of Bills Law and the Cheques Act details these processes as 'Conversion' in law. These are not cheques or Bills, but the principles apply that the receiving entity must operate so as not to pay the money to the wrong person (i.e. a fraudster).

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

If this compensation policy is voluntary, then my conspiracy theory that banks will delay payments to earn float income seems correct. 

AML is mostly against terrorist funding. There's no AML / Sanctions Screening Check in domestic payments, which comprise bulk of APP Scam cases.

Zillions of builders take money and run away, do you think they don't get to open bank accounts, or that their bank reimburses defrauded customers? Obviously no. There is no law against opening bank accounts to anyone with KYC documents, particularly if they don't have a sticker on their head announcing that they're fraudsters.

APP FRAUD is an oxymoron. Fraud means Unauthorized Payment. Law already exists to reimburse victims of fraud. APP stands for AUTHORIZED Push Payments, ergo it's authorized, can't be fraud, must be called by a different name e.g. APP Scam.

Most of your other questions are already answered in my blog posts "Why Is It So Hard To Catch Cybercriminals?", "Fraud v Scam: Who Is Liable For Cybercrime", "Why Don’t UPI / Zelle Provide Fraud Protection?" and "Three Strike Rule To Eliminate Cybercrime".

I'm glad that some banks like Revolut have already started implementing some form of my Three Strike Rule. 

A Finextra member 

@ Ketharaman Swaminathan - who do you propose should suffer the losses?

A Finextra member 

Ahh.. it's a conspiracy theory. That makes sense. Stupid me to think that this is a legitimate case. Not sure there are "Zillions" of builders in the world and certainly not in the UK, the country this relates to.
Fraud also means "wrongful or criminal deception intended to result in financial or personal gain", so once again, you show your lack of knowledge in this area.

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

@Anon 11 June, 18:43: 

Short Answer: Payor.

Long Answer: Cf. cited blog posts. 

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

@Anon 12 June, 10:43:

It's a fraud by payee on payor, ergo payor can seek legal redress to nail the payee and get their money back. 

But it's not a fraud by bank on payor, so there's no case for bank to reimburse the payor. ICYMI, UK Supreme Court has ruled accordingly in Philipp v. Barclays lawsuit.  

Meanwhile, enjoy your knowledge in this area.

Jackie Barwell Director at ACI Worldwide

Interesting conversation above. I am in favour of a postponement and adjustment for all the reasons cited by the UK Payments Association. I am a strong believer that when there is a means for a fraudster to be successful, we have to start somewhere to close that loop. OK, the 'loop' in this case is a vulnerable account owner who gets sucked into what they believe is a credible situation (and there are various ways to interpret vulnerable, I know) - but at the end of the day, criminals are getting money for very little effort. I have never agreed that the liability should be equally split between the sending and receiving banks (only) - but what this ruling HAS done is make the whole industry look at how they monitor (properly!!!) every account - and include AML-type activities on ALL their portfolio in order to close the ability for fraudsters to have control of accounts into which they persuade the victim to move their money. I hope this postponement is awarded. I hope the big tech players are pulled into the mix and the liability is adjusted in the right way. I hope there is time for the banks to get organised, logistically. I hope the limit recommendations come into force.

In my opinion, this has the potential to be a game-changer, forcing banks with weaker onboarding processes to pull up their socks; persuading the industry to look to intelligence sharing in real time.  If this doesn't persuade us to do that - nothing will.

Bill Trueman Director at Riskskill.com

Hi Jackie - surely postponement means that the sending banks (and the conned customers) end up paying for the frauds, and that the receiving banks, having a reprieve from suffering the losses - will continue to allow the fraudsters to open accounts and withdraw the money from the ‘system’. It is these receiving banks, as the figures have shown, that are allowing this to happen. If these receiving banks had strong AML / KYC controls, and knew their customers (fraudsters), then they would have no problems contacting them, getting the money back (100% of the money!), and/or prosecuting the offenders. 100% liability on the receiving bank would very quickly address the problem, and would tighten up AML / KYC issues. Stalling, and keeping liability with the ‘sending banks’ will allow the problem to continue. The sending banks have spent £millions in repeatedly annoying us with ‘are you sure?’ messages to no avail. And legislation is required to allow better communications. When a sending bank says to a receiving bank: ‘stop the payment to the fraudster’, ‘this is fraud - send it back’ etc; the answer is usually: ‘go away, GDPR applies’ in order to hide/protect the KYC failings. What do you think should happen? ‘Hoping’ that it will be solved when the law prevents it and the culprits (receiving banks and fraudsters gain from this - so are motivated NOT to act) is not really a viable solution. This has been the brunt of the solution for five years and has not worked.

Jackie Barwell Director at ACI Worldwide

Hi Bill, I completely understand where you are coming from - my original hopes for this were that the recipient bank would take 100% of the loss as long as the sending bank could show they'd 'done everything viably possible' to persuade their customer to take the care needed. But we are where we are - and my opinion is that this is our 'starting point'.

I really hope (because I'm an optimist, although I've been an eternal one (having been patient for almost 40 years in this trade!)) that this will help make fundamental changes in the ability for banks to share intelligence. Once we get to a point where intelligence is being shared, those organisations who are simply 'not doing enough' (be it at persuading their customers not to make mistakes, or substantially improving their onboarding operations) will be easily identified, and the 'liability share' appropriately adjusted over time.

I agree - if the fraudsters couldn't get their hands on a bank account, there would be no APP fraud.... but we're miles away from that right now.

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

If people can't drive, there won't be any road accidents. If people can't swim, there won't be any drowning deaths. If ship doesn't sail from the harbor, there won't be any capsizes. Thank goodness we're miles away from "throw the baby out with the bathwater" type of solutions.

In APP Scam, problem is very simple: Payor authorized the payment. Solution is equally simple: Payor must pay. That said, as I've said before, payor has the full right to seek legal redress to get law enforcement to nail the payee and get their money back - but only from the payee and not anybody else.

There's no reason why J6P shareholders of banks, tech companies, telcos, electrical utilities and other companies involved in this transaction must eat the loss caused solely by the negligence of the payor. 

A Finextra member 

Surely if people can't swim, there would be a lot of drownings. Ships can capsize in the harbour.. just needs bad weather. Your examples make no sense. As for your problem solution - clearly you have no idea. If the bank allows fraud to take place, then the bank that allowed the fraud should be liable.

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

Read above thread. APP Scam is a case of authorized payment, which, by definition, cannot be fraud. This is a scam. Neither Sender nor Receiver Bank - nor any of the other parties - is liable. Payor is solely liable. High time they manned up, faced the reality and took measures to prevent getting scammed the next time. But, that would be wasting my breath on an anonymous commenter who doesn't man up enough to reveal their identity.

Bill Trueman Director at Riskskill.com

KS - I agree with previous anonymous sender. It appears that you have not thought this through. The paying customer (your ‘payor’) may not be involved - albeit often a little stupid / naive. It is often the fraudster that is imitating them. The fraudster cons the paying customer who has done nothing wrong. The paying bank does what is instructed. FOLLOW THE MONEY. The only faults are a) the fraudster motivations and dishonesty, b) the receiving banks that have opened up accounts for fraudsters without knowing who they are or where they are or being able to track them, and c) the receiving banks that make payments that are circumspect, not having proper ID and not knowing how or where the money is going, d) the receiving bank when it disburses the money to other receiving banks with no responsibility, accountability or considerations of the suspicions involved, e) the receiving banks that then hide behind the GDPR for not assisting in the investigations and showing their failings for fear of the legal liability for their failings, and f) the receiving banks for not correcting the position because they have no loss. (Worse: often they can make a profit from this by recovering funds and not repatriating the money but applying it to P&L!). Can you see the theme? This is a matter of law and regulatory rules that favour the “payor” (not really a word here). So your suggestions are NOT legally appropriate or fair to customers in the UK. Losing life-savings as a victim of a con, is not always a fair way to attribute liability. Your solution is unfair, unethical, and against the regulatory principles.

Ketharaman Swaminathan Founder and CEO at GTM360 Marketing Solutions

But it's legal in UK. Repeating my past comment:

"ICYMI, UK Supreme Court has ruled accordingly in Philipp v. Barclays lawsuit".

IDK where payor is not a word but it is very much a word in the English Dictionary: "A payor is a person who makes a payment".
