Authorised Push Payment (APP) Scams

Northey Point’s response to the Payment Systems Regulator’s consultation on Authorised Push Payment (APP) Scams (CP21/10).


This paper sets out Northey Point’s response to the PSR’s Authorised Push Payment (APP) Scams consultation (CP21/10).

Mike Chambers is a recognised authority on retail payments and, as Chief Executive Officer, led Bacs Payment Schemes Limited (Bacs), the UK’s biggest retail payment system, from 2004 until 2018. During this time, he successfully steered the company through a record number of payment processing, technological, regulatory and innovative customer proposition ‘firsts’, including extending Bacs’ product offering to include the ownership, management and market adoption of the Current Account Switch Service (CASS) and the Cash ISA Transfer Service.

During his time at Bacs, Mike also led the UK’s systemically important RTGS payment system (CHAPS) as its CEO and operated the UK’s Faster Payment Scheme as its first Chief Executive, creating the Payment System Operator (Faster Payment Scheme Limited).

Mike was an integral part of the industry initiative which led to the New Payments Architecture (NPA) vision (including concepts such as Request to Pay and Confirmation of Payee), the regulatory endorsed merger of the UK’s retail payment schemes and the formation of Pay.UK.

Having successfully merged Bacs into Pay.UK, Mike has developed a portfolio[1] including roles as chairman[2], payments advisor, Non-Executive Director and ambassador. Mike also publishes a newsletter which provides an informed insight into the UK’s retail payments landscape[3].

Consultation Response

The levels of APP Fraud in the UK are eye-watering, with £355m of fraud in the first half of 2021, exceeding card fraud for the first time. Despite the introduction of the Contingent Reimbursement Model (CRM) and Confirmation of Payee (CoP), the levels of fraud continue to grow and are causing significant harm to UK consumers and businesses.

Posing as a legitimate payee or creating a fraudulent reason for a payment is becoming a growing and rewarding enterprise – the payments industry, its regulators and our government need to do better. Wherever an organisation sits within the payments value chain, it is inexcusable not to take action on this blight on payments in the UK.

Trust and confidence in digital payments is being eroded by APP Fraud, and this will threaten the societal shift to a digital payments economy.

We note that the primary purpose of this consultation paper is to consult on the three proposed measures rather than explore the further measures that the PSR is considering. Our response to the consultation paper reflects our role in the industry and focusses on those areas of the consultation most appropriate to us. Given this approach, our submission does not follow the question-based structure of the consultation.

As we seek to address the blight of APP Fraud, there is a need to prevent it happening in the first place, with supporting reimbursement safeguards in place to address victims who have exercised sufficient caution (and are not subject to an undue liability shift as PSPs seek to protect themselves). Our concern is that the current emphasis and activity is a mirror image of this – i.e. reimbursement first and mitigation second.

Whilst we broadly agree with the desired outcomes of the three proposed Measures, we believe that there is insufficient focus on initiatives and solutions that seek to thwart the fraudster pre-event. After all, thwarting the fraudulent event in the first place both denies the fraudster the fruit of his or her labour and protects consumers from the significant harm that an APP fraud causes, even if ultimately they are reimbursed.

We implore industry, regulators and government to focus on preventing APP Fraud from occurring in the first place. It is our view that there are a number of initiatives that could prevent occurrence in the first place – ranging from education (building on the excellent work of UK Finance and the Take Five initiative) to achieving Confirmation of Payee service ubiquity, intelligence sharing and deploying the new Request to Pay framework launched by Pay.UK. Preventing a fraud event thwarts the fraudster, minimises the financial risk to banks and protects consumers from undue stress and worry.

A model to explore might be that receiving banks that work with businesses using channels in which the paying PSP or the payer cannot validate the identity of the message’s originator in channel should automatically accept full liability for any fraud.

Whilst, in principle, we support the three proposed Measures, we have the following high-level observations:

We are concerned over unintended consequences of the publication of comparative APP scam data. Our concern is that the publication of this data may lead the fraudster to target those PSPs amongst the 14 that have the higher figures and, in addition, lead the fraudster to ‘trickle down’ their efforts to smaller PSPs on the assumption that these institutions might be weaker in this area due to less regulatory oversight.

The desire to improve data sharing to improve detection and prevention of APP scams has the opportunity to make a significant difference. Subject to addressing data issues such as ‘whose data is it’ and establishing the sharing protocols, we would expect recent developments in AI and Machine Learning capabilities to be able to make a significant contribution to thwarting the fraudster.

Whilst making the reimbursement of scam victims mandatory may seem attractive, we question whether it may have an adverse impact in areas such as sending-bank complacency and an increased (and inappropriate) liability shift to the end user, who is least able to protect themselves, and whether it may act to stimulate increased fraudster activity.

We fully support a review of the respective liabilities between the sending and receiving PSPs, as we are concerned that the receiving PSP’s actions and incentives may be based on a liability model that does not reflect their role in a transaction. The receiving PSP should know who their customer is and should have a greater obligation to prevent unauthorised receipt and disbursement of funds that it has received into the account.

Receiving PSPs need to do more to ensure that a consumer is able to validate the originator of the message in channel. With SMS and e-mail there is no way for a customer to tell that the request is genuine. Currently the only options would be an out-of-channel telephone call to a listed number or independently visiting the secure website/app of the initiator. With the increasing demand for immediacy of payment and convenience, both options are too full of friction to realistically expect consumers to perform. We believe that the recent deployment of Request to Pay (RtP) here in the UK has the potential to address this fraud vector.

The past few years have seen notable activity to address the issue of APP Fraud. Whilst the introduction of the CRM, consumer education initiatives and CoP are not perfect and have variation and coverage deficiencies, they have made a difference and can be regarded as successes. However, despite this, the APP Fraud economy is outstripping other forms of growth in banking, payments and the economy at large.

There has been a call for social media platforms to do more, which we fully agree with, but we implore the industry and the regulator to do more in respect of preventing APP Fraud from occurring. Initiatives such as CoP and Request to Pay (RtP) are great examples of proactively and creatively tackling payment fraud.

We note the views regarding focussing on the Faster Payment scheme as being at the vanguard of investing to prevent fraud, but (a) note that whilst fraud through systems such as CHAPS may be numerically lower, the value has the potential to be much higher, and (b) establishing a CRM ‘insurance pot’ via the Faster Payment tariff does not represent an investment to prevent fraud but offers a blunt tool to offset PSPs’ financial losses.

It is inconceivable that the PSR may be denied the ability to act in an appropriate way due to a statutory constraint, and we welcome HM Treasury’s announcements in this regard.

If the CRM initiative is to prevail, we agree that the voluntary nature of participation is confusing, has different levels, appears to be inconsistently applied and suffers from low reimbursement levels. If CRM is to be a useful ‘post event’ tool then these apparent deficiencies should be addressed, although, in our view, compulsion to participate may be offset by a criteria- or rules-based choice to participate or to offer an alternative that, at least, offers the same protection. A model where it is clear which banks are part of the CRM arrangement may increasingly lead to the fraudster gravitating to the greatest point of vulnerability.

Notwithstanding our reservations, we understand how the three performance measures have the potential to add value, but we stress the importance that the data published should be accessible via a single source (i.e. without the need to visit multiple PSP websites and then having to interpret the results) and be easy for the consumer to interpret.

We see value in voluntary opt-ins to Measure 1, although we consider that, in reality, only those ‘with a good story to tell’ will actually opt in, and we are concerned that CHAPS is out of scope.

We believe that there is a real risk that changes to protections in one payment scheme will drive payment volume to alternative schemes which are less attractive to end users. In addition, we also believe that such changes will lead fraudsters to alternative payment systems that are not subject to similar anti-fraud protections.

We note the views that Pay.UK could administer and enforce aspects of the proposed Measures and could resource themselves accordingly. However, it is our view that the real issue is that, as a scheme operator, there are a limited number of ‘tools’ that a scheme operator may levy, with scheme restrictions and expulsion being a reality that would have a significant end user detriment.

We note that some of the subscribers to the CRM code have either built or invested in solutions that allow them to make payment requests by SMS or e-mail. This creates a confusing narrative for consumers of other banks which, in compliance with the code, provide very strict guidance to never click on a payment link sent by SMS or e-mail. We don’t think that SMS/e-mail is the appropriate channel for a bank to be using, given that the consumer can’t validate the originator of the message in channel. Furthermore, how can a consumer exercise sufficient caution if one PSP says clicking on payment links by SMS is OK, whereas other banks say don’t? Such mixed messages undo all the great work in consumer education.

Mike Chambers, January 2022
