How could the Payment Systems Regulator’s mandatory reimbursement impact fraud? Three questions from the counter-fraud industry

7 October 2024 will be landmark day for the banking industry and the wider fraud prevention community. The Payment Systems Regulator’s long-anticipated rule changes – to make reimbursement for fraud losses mandatory – officially go live.

In what is arguably the most polarising policy initiative in the history of the UK counter-fraud industry; the implementation of the PSR reforms for Authorised Push Payment (APP) fraud marks a step into the regulatory unknown.

Although some of the steam around the upper limit for reimbursement has been taken out of the debate, following the PSR’s last-minute announcement on reducing the amount from £415,000 to £85,000, the broad outlines of the policy have been clear for some time. All Payment Service Providers (PSPs) will be required to reimburse victims of APP fraud where payments have been made via the faster payments system, with shared liability split 50:50 between the sending and receiving PSP. CHAPs and BACs payments look set to follow.

There are many, particularly consumer groups and those representing the victims of fraud, who see the changes as a victory for innocent victims of a growing fraud threat. Indeed, greater, and better consumer protections should be welcomed. But it is regarded by many in the industry as an ill-conceived policy without precedent that could reduce consumer caution, incentivise people to commit fraudulent acts – so-called ‘moral hazard’ – and make the UK even more of a target for organised fraud.

While some of the financial cost to the industry is to be reduced, the industry remains acutely concerned about the administrative burden and disruptive impact to their operations the changes will bring.

The scale of APP fraud

Regardless of which side of the fence one sits, it is difficult to argue with the need to tackle an issue of this scale through some systemic intervention. According to the financial industry body UK Finance, consumers lost nearly £460m to APP fraud in 2023 alone.

The PSR is clear that more needs to be done, and forcing the full cost of reimbursement to be shared evenly between sending and receiving banks will drive investment in even more fraud detection systems. Indeed, it would appear this is already having some effect with a range of cross-industry initiatives and new solutions emerging to respond to the problem, including our own peer-to-peer communication initiatives.

But no policy sits in a vacuum and however well-intentioned, there are growing concerns that not enough thought has been given to mitigating against some of the potential unintended consequences of the policy. Therefore, it leaves us with three questions…

1. How will the PSR reforms impact first party fraud?

As we noted in a recent article for Credit Connect, Cifas research shows that public attitudes to first party fraud continue to point to an increasing societal view that committing fraud is acceptable, with 1 in 8 adults admitting to perpetrating some type of first party fraud in the last 12 months. The danger is that the PSR rule changes will only contribute to the problem.

While the PSR policy provides an exemption around individual consumers acting fraudulently, industry has been critical about the lack of detailed guidance around the standard of proof required to trigger this, and at a loss as to how the exemption might apply in practice. For the scheme to work effectively, this gap must be closed to ensure it does not drive a new ‘cash hacks’ trend on social media.

2. Does the reimbursement scheme make the UK even more attractive to career criminals?

Organised fraud groups invariably view well-intentioned initiatives as a new vector through which to amass criminal wealth; a phenomenon played out during the Covid pandemic and the chronic misuse of  Government support schemes. With the amount of money in question, it is probably less a question of if organised criminals will seek to exploit the new scheme and more of how.

Whether by enticing members of the public to pose as victims of fraud and offering ‘muling’ facilities (the laundering of money via third party accounts) in return for a share of the proceeds, the sale of ‘crime-as-a-service/fraud-as-a-service’ toolkits, or by simply exacerbating the issue of money mule recruitment, it will be no surprise to the counter-fraud community when evidence of criminal exploitation of the policy emerges.

3. Will the PSR changes mean Government has less impetus to tackle fraud?

The reimbursement policy – and indeed the growing political focus on fraud more generally – has been driven by increasing pressure from the public and consumer groups to tackle the growing epidemic of APP fraud. If this goes, the impetus for Government to act could also reduce accordingly. It is noticeable that the political focus on APP policy has driven attention away from other growing fraud types such as identity fraud and fraud against business.

Some in the industry have raised concerns about how the policy may lead to a breakdown in consumer trust in the payments system. When the inevitable disruption to frictionless banking and legitimate payments are inadvertently caught in the crossfire, the relationship between consumers and the industry is bound to come under strain. There are also those that worry that the cost of complying with the policy may simply become financially unsustainable and potentially lead to the end of free banking for consumers in the UK.

Despite these concerns, it seems clear that implementation will go ahead and the impact for consumers will be positive. But the industry’s concerns are real and not insignificant. There is an urgent need to consider some important mitigations.

• First: The PSR itself should work closely with industry to discover pain-points and issue guidance as necessary. This must complement guidance and policy implemented by the Financial Ombudsman Service (FOS) who will handle any complaints regarding an institution’s implementation.
• Second: Law enforcement partners should stand ready to prosecute the most egregious cases of exploitation of the new rules, demonstrating that first party fraud will not be tolerated.
• Third: The Government must do more to stem the problem by preventing re-victimisation. According to Victim Support, 18% of victims who are repeat victims of fraud, account for 35% of all fraud. Here, Cifas stands ready to help. We have launched our new APP Victim Check service to ensure that through the sharing of data on victims of APP fraud, effective controls and protections can be put in place to prevent re-victimisation across all accounts that a victim holds.

Overall, the rule changes around reimbursement to tackle APP fraud are welcome as is the Labour Government’s manifesto commitment to delivering a new Fraud Strategy. It is essential, however, that this strategy focuses on preventative measures to ensure the UK is not seen as a ‘soft target’. With over three-quarters of APP fraud originating online this strategy should do more to encourage social media platforms to play a full and fair role in the fight against fraud – including sharing data with those further down the value chain.

The APP reimbursement policy is undoubtedly well-intentioned and good news for consumers, but it comes with risks. For the rule changes to work for both consumers and industry, the PSR needs to work across the system to track and respond to unintended consequences. But this is not for the PSR alone, Government needs to urgently address the gaps in wider fraud policy to move beyond dealing with the symptoms to instead tackling the causes.

How Cifas’ solutions can help

We provide products and services to help organisations tackle emerging fraud threats and trends. Our ‘APP Victim Check’ and ’Beneficiary Checks’ solutions, together with the real-time customer monitoring tool ’Vision’, not only help firms comply with the upcoming PSR rule changes, but also enables access to fraud-risk data from more than 750 organisations to protect the bottom line. For more information, visit here.