Confirmation of mandatory reimbursement for APP fraud

The Payment Systems Regulator (“PSR”) has confirmed that reimbursement for authorised push payment (“APP”) fraud will become mandatory from Q1 2024.

The PSR has for several years indicated that it intends to make reimbursement mandatory in cases of APP fraud (i.e. where a fraudster tricks someone into sending a payment to an account outside their control) – see its Consultation Papers from November 2021 and September 2022. On 7 June 2023 the PSR published a Policy Statement confirming that, from Q1 2024, payment service providers (“PSPs”) will be obliged to reimburse victims of APP fraud where the payment takes place over the Faster Payments system.

Key takeaways

• Faster Payments sent and received by PSPs (including payment initiation service transactions) in the UK will be in scope. Payments which take place across other payment systems and international payments will be out of scope.
• The reimbursement obligation will apply to consumers, microenterprises and charities.
• Sending PSPs will have to reimburse all customers who fall victim to APP fraud within five business days, save where the ‘clock is stopped’ temporarily to permit the sending PSP to gather further information (e.g. from the customer).
• The receiving PSP will have to pay 50% of the reimbursement to the sending PSP. Pay.UK will produce operational guidance and processes for the reimbursement process between sending and receiving PSPs.
• The obligation to reimburse the customer will not arise (i) where the customer has acted with ‘gross negligence’ (the PSP will have the burden of showing gross negligence); (ii) where the customer has acted fraudulently (‘first-party fraud’); (iii) in the case of unlawful payments; or (iv) in the case of civil disputes (such as where the customer has paid a legitimate supplier of goods or services but is dissatisfied with them).
• Sending PSPs will have the option to apply a claim excess. The PSR will consult on the appropriate level for this in Q3 2023.
• There will be no minimum value threshold for APP fraud claims. There will be a maximum level of reimbursement for APP fraud claims (by value) which the PSR will consult on in Q3 2023.
• Sending PSPs will have the option to deny APP fraud claims submitted more than 13 months after the final payment to the fraudster (although the customer could still take its claim to the FOS if the PSP opts to deny the claim).
• If a customer is vulnerable, the PSP will have to reimburse the customer without considering whether the customer acted with gross negligence and without applying any excess.
• The obligation to pay compensation will be incorporated by Pay.UK into the Faster Payments rules (following a direction from the PSR to do so) and via a direction from the PSR to all in scope PSPs, requiring them to comply with the Faster Payments rules.

Timing

• Q3 2023: PSR consultations on the claim excess and maximum level of reimbursement and guidance on the gross negligence standard.
• Q4 2023: publication of legal instruments relating to reimbursement obligation and confirmation of the claim excess, maximum level of reimbursement and guidance on gross negligence standard.
• Q1 2024: obligation to reimburse comes into force.
• In the meantime, the PSR has made clear that it expects industry to start implementation work now.

Comment

Gross negligence exception

In practice, the new requirement is likely to mean that the majority of APP claims will be reimbursed. The gross negligence exemption will be difficult for a PSP to establish based on the information that the customer opts to provide with their claim. This creates the risk of increasing moral hazard by removing customer responsibility when making payments and increasing fraud as customers take less care. The PSR’s response to this point (which was raised in response to the September 2022 consultation) is that there is no credible alternative to gross negligence that would likely meet its objectives. It remains to be seen whether the level of excess will be sufficient to encourage appropriate customer caution.

Vulnerable customers

The obligation to reimburse vulnerable customers without considering whether the customer acted with gross negligence and without applying any excess is likely to have wide application. The FCA’s latest Financial Lives survey found that, in May 2022, 47% of UK adults showed 1 or more characteristics of vulnerability.

Apportionment between sending and receiving PSPs

Practical challenges may also arise where sending PSPs must exercise judgement regarding compensation, on the basis that the receiving PSP, the PSR or Pay.UK may come to a different decision regarding the same case. For example, a PSP will need to exercise judgement when determining whether (i) there has been gross negligence; (ii) there has been first-party fraud; (iii) the customer is vulnerable and (iv) the case is in fact a commercial dispute, rather than fraud. There is a risk that a sending PSP (whose customer is the victim) adopts a broad interpretation to determining whether compensation must be paid, while the receiving PSP adopts a narrower approach, and disagrees that any compensation could be paid to which it should contribute 50%. In particular, while the PSR envisages information sharing between PSPs, the sending and receiving PSPs may nevertheless have access to different information about the underlying customer and transactions and may therefore form different views about them.

The precise nature of the obligation on the receiving PSP to pay the sending PSP 50% of the reimbursement should become clearer when the legal instruments implementing the new obligation are published. In the longer term it is anticipated by the PSR that Pay.UK will be responsible for enforcing the reimbursement obligation, however, given Pay.UK’s current lack of enforcement tools in the shorter term the PSR will have a role in enforcing compliance via its direction to PSPs to comply with the new Faster Payments rules.

Consumer Duty

The Policy Statement notes that the new reimbursement requirement aligns with the new requirements under the Consumer Duty (which comes into force on 31 July 2023) to support good customer outcomes. Delivering good outcomes could include acting to prevent fraud e.g. providing customers with information about high-risk payments or informing consumers of account controls which could help keep them safer. However, it is possible that a PSP could act to deliver good outcomes (i.e. the PSP takes appropriate action to prevent fraud and issues the customer with numerous warning prompts) but the customer does not achieve a good outcome because the customer opts to make the payment despite the warnings issued. This frequently occurs, for example where the fraudster has built a relationship with the customer over a period of time.