As the Payment System Regulator considers the responses to the call for views on Authorised Push Payment Scams, Teresa Connors from Payment Matters considers whether the proposed measures to fight fraud might have unintended consequences.
We are pleased to feature this perspective guest blog from Teresa Connors from Payment Matters.
Only 45% of reported Authorised Push Payment (APP) losses are reimbursed or repatriated. APP scams trick payees into sending payment from their bank account to a fraudster; the fraudster often impersonates a known entity such as a large corporation or bank.
Scams are sophisticated and can trick the vulnerable and the vigilant, wrecking lives and causing financial and emotional distress. The Payment System Regulator (PSR) has signalled intent to significantly improve customer protection and has sought feedback on two consultations, including three proposed measures to complement Confirmation of Payee (CoP) and the Contingent Reimbursement Model (CRM).
The measures proposed are sound, but could they bring unintended consequences?
How effective are CoP and CRM?
CoP and CRM are relatively new weapons in the fight against fraud and have helped to curb customer losses. It has been costly for providers to implement CoP and CRM, and both carry ongoing costs to the P&L.
CoP was introduced in February 2020. When a payee's account details are set up or changed, it checks that the information entered matches the name of the account that payment is intended for; this helps to avoid payments to unintended recipients and provides assurance.
The CRM was introduced in May 2019; it protects victims of fraud by reimbursing or repatriating funds. The providers that have signed up to the Code account for more than 85% of transactions made over Faster Payments. However, even with this reach, issues remain, among them:
- The reimbursement obligations, including exceptions, to the Code are open to interpretation.
- The Code can be difficult to apply in practice.
- Many customers fall outside the protection of the Code as not all Payment Service Providers (PSPs) participate; non-participating PSPs are not under a general requirement to refund customers who have not done anything wrong.
What are the three complementary measures proposed and potential unintended consequences?
1: Improving transparency on outcomes by requiring PSPs to publish their APP scam, reimbursement and repatriation levels.
At industry level this data would be helpful. However, making the data public without context and appropriate communication could potentially:
- Erode trust in the system.
- Bring increased reputational risk to providers with a higher proportion of vulnerable customers.
2: Greater collaboration to share information about suspect transactions, requiring PSPs to adopt a standardised approach to risk-rating transactions and to share the risk scores with other PSPs involved in the transaction.
- Mandating greater collaboration, with effective controls, standards and interpretation, should have a direct and significant impact, increasing customer protection.
3: Introducing mandatory protection of customers by changing industry rules so that all payment firms are required to reimburse victims of APP scams who have acted appropriately.
- Of the measures proposed, this would have the greatest impact and would afford the greatest customer protection; it would also partially increase parity with some other payment types, e.g. credit cards.
- Reimbursing a greater proportion of fraud risks adding pressure to PSP balance sheets, which are stretched due to Covid response and a continued low interest rate environment; might providers have to balance the cost of fraud against other priorities, e.g. developing new propositions?
The consultations are wide-ranging and sought feedback beyond the measures above. We look forward to seeing how the responses help shape the PSR's response and next steps.