Authorised push payments fraud: PSR announces development of industry code for "contingent reimbursement model" to protect customers

The Payment Systems Regulator (PSR) has published the outcome to its November 2017 consultation on a new proposal for a "contingent reimbursement model" (CRM) to protect customers who are tricked into transferring money to fraudsters via an authorised push payment (APP).

Although detail on several key issues is still pending, banks and other payment service providers (PSPs) will need to start thinking about the implications of a new proposed code, from the perspective of liability and in terms of the strength of their identification, authentication and transaction data analytics systems.

New voluntary CRM industry code
The PSR has concluded that a voluntary industry code setting out the CRM's rules is the best way forward. In the PSR's view, such an approach 'is the most effective way to promote the interests of users of payment system services and reduce the consumer harm that APP scams can cause'. The PSR does not consider it necessary 'at this stage' to make the code mandatory for PSPs, but will monitor its adoption and, if required, take steps to ensure consumer protection.
The code will be developed by a new steering group, which will comprise representatives from both PSPs (including UK Finance) and consumer groups (which could include Which?, Age UK, or others). The PSR has appointed an independent chair for the steering group. The chair will be directly accountable to the PSR.

Scope of the code
The PSR has clarified certain points relating to the scope of the proposed CRM code.
Eligibility
At this stage, the PSR has confirmed that eligibility for reimbursement under the code should be limited to consumers, small charities and micro-enterprises, as defined in the Payment Services Regulations 2017.
No international dimension – for now
The PSR also clarifies that the code should only cover push payments between GBP-denominated UK-domiciled payment accounts. However, the future inclusion of payments with an international dimension should not be ruled out by the code.
Push payments via card systems and interbank payment systems

While the code should not apply to push payments made over card systems, it should cover APP scams relating to push payments made by consumers through interbank payment systems, specifically:

  • push payments executed across CHAPS and Faster Payments;
  • ‘on-us’ book transfers where both the sending and receiving accounts are held with the same PSP, and the payment would otherwise have been executed across CHAPS or Faster Payments.
Which PSPs will be covered?
The PSR states that the code should only cover PSPs involved in the initial payment related to an APP scam, meaning the transaction from the victim to the scammer’s first account. PSPs whose accounts are used in the onward transmission of scammed funds are out of scope.
No retroactive reimbursement
The code would only apply to APP scams taking place after its implementation.

Core principles
The new code will be underpinned by a set of 8 core principles:
  1. Incentives for those with the ability to effectively prevent APP scams and reduce their impact;
  2. Consistency of outcomes;
  3. Leveraging existing and future initiatives that are likely to be effective at preventing and helping respond to APP scams;
  4. Adoption by all PSPs that have an element of control over preventing and responding to APP scams;
  5. No contingency on the recovery of funds;
  6. No adverse impact on PSPs’ ability to make goodwill payments;
  7. No adverse impact on commercial development of further protections; and
  8. Capability for becoming part of the relevant considerations that the FOS takes into account.
These are in line with the high-level principles proposed in the consultation, but now also reflect some additions in light of consultation responses and the PSR's further thoughts.
According to the PSR, the steering group’s proposals should be consistent with the core principles but the group should also have regard to simplicity, transparency, and costs, benefits and impact when developing the rules and standards in the code.

Detailed proposals on "blame scenarios" still awaited

Frustratingly for PSPs, while there was general consensus between respondents to the consultation that the consumer should be reimbursed where:
  • the consumer has taken the requisite level of care, but has fallen victim to an APP scam; and
  • those PSPs handling the underlying payment have failed to act in accordance with the standards of care expected of them,
the outcomes in a number of the potential "blame scenarios" have been left to the steering group to resolve. These relate to the most appropriate outcomes in circumstances where:
  • the victim and relevant PSPs have all met the standards of care expected of them under the code (the ‘no-blame’ scenario);
  • the victim and one or more of the relevant PSPs have all failed to meet the standards of care expected of them under the code (the ‘shared-blame’ scenario); and
  • the victim has met the requisite level of care and one or more of the relevant PSPs have failed to meet the standards of care expected of them (the ‘inter-PSP’ blame scenario).
While the PSR expects the steering group to expedite the work to agree the approach to these scenarios – with a decision by the end of April – it still leaves uncertainty for both PSPs and consumers.
Another point that has been left up in the air for now is what would happen to the money which PSPs who are at fault in the 'shared blame' scenario could be required to pay into a 'central fund' (in place of reimbursement of the victim).

Other key issues left to be decided – or not fully addressed
The other important points to be tackled as a priority by the steering group are:
  • defining the requisite level of care a victim of an APP scam must have met to be eligible for reimbursement, including how it can be checked on a practical level;
  • an appropriate set of standards of care that PSPs would need to meet under the code, including leveraging measures already being developed by industry in relation to (among others) consumer education and awareness, best practice standards for reporting APP scams and guidelines for identity verification; and
  • an appropriate governance arrangement for monitoring implementation and maintenance of the code once finalised.
In terms of legal/regulatory issues raised by respondents, several said that the potential legal and regulatory issues around preventing and responding to APP scams, such as information sharing, freezing accounts and the recovery of funds, should be addressed first. The PSR does not think that the CRM needs to be delayed for this, although the proposed steering group could address these issues as part of preparation for implementation. In its response, it states that it does not consider that 'the potential legal barriers to information sharing, freezing accounts and funds recovery are a barrier to developing an industry code.'

The PSR also (still) considers that 'reimbursement should not be dependent on recovery of the funds because this may not always be possible…[and] this should provide strong incentives for effective funds recovery.'

The PSR expects the group developing the industry code to establish a satellite group that will focus on these issues in parallel with the development of the industry code.

Dispute resolution mechanisms
Consumer-PSP disputes

Following the consultation feedback, the PSR considers that there is no need for a separate dispute resolution body or mechanism to handle CRM code disputes. The FOS already has jurisdiction over disputes between consumers and financial businesses, and already handles disputes relating to APP scams so has the requisite experience and capabilities. The PSR also points out that the Open Banking dispute process (the Dispute Management System) is designed to complement the FOS’s role.
PSP-PSP disputes
The PSR has found that the industry is best placed to agree the PSP-PSP dispute mechanism for the new code, which could align with the PSP-PSP dispute process used under Open Banking. While it doesn't hold 'any strong views' on which body should handle such disputes, it doesn't think that it is the appropriate body and recognises respondents' concerns about UK Finance taking on the role, as well as the current limited capacity of another potential candidate, the New Payment Systems Operator (NPSO).


What's the timeline?
The PSR has set out what it describes as a 'challenging' timetable for delivery by the new steering group (see the table below). The PSR wants the group to produce an interim code by September this year, for use by the FOS when dealing with consumer complaints about APP scams. However, certain key issues, including agreement on the outcomes in the no-blame, shared-blame and inter-PSP blame scenarios, will need to be sorted out before this. After a final consultation round, the aim is to have the final code in place in early 2019.
The spotlight is likely to remain on banks' initiatives in this area for some time to come, as the recent House of Commons Public Accounts Committee report on tackling the 'growing threat of online fraud' demonstrates. The Committee's recommendations focused on increased obligations and action points for banks.


Date             Milestone
March 2018       Steering group members appointed and early work to begin
End April        Steering group agrees on appropriate outcomes for no-blame, shared-blame and inter-PSP blame situations
End June         Steering group agrees on: • requisite level of care to be taken by consumers • appropriate standard of care expected from PSPs
End August       Steering group agrees on appropriate governance arrangement for maintaining the code
End August       Steering group agrees on draft of the interim code
End September    Steering group issues interim code for public consultation
By early 2019    Post-consultation amendments made and final code issued

