/regulation & compliance

News and resources on regulation, compliance, legal and governance issues for banks and fintechs.
Which? calls for post-Brexit rule change to protect victims of APP fraud

Which? calls for post-Brexit rule change to protect victims of APP fraud

Consumer group Which? is urging the UK Government to introduce a post-Brexit rule change that would force banks to reimburse victims of authorised push payment fraud.

Currently, 18 banks are signed up to a voluntary code of conduct that should see victims of bank transfer scams reimbursed.

The latest figures show that more than £200m was lost to APP fraud in the first six months of 2020. But despite the introduction of the code of conduct, just 38% was reimbursed to victims. That’s a fall on the second half of 2019, when 41% was returned.

In August, Which? published a report alleging that scam victims were facing a lottery when it came to getting their money back, with banks applying the code poorly and inconsistently. Reimbursement rates by individual banks fluctuate dramatically, with one firm fully reimbursing just one of victims, whereas another had fully reimbursed 59%. Which? believes the current lack of consistency means many customers face a lottery when it comes to trying to get their money back.

Not all banks are signed up to the code, and the Payment Systems Regulator currently lacks powers to force banks to make reimbursements under the EU's PSD2 Directive, which prohibits EU member states from pushing payment service providers to go beyond the terms set out in the legislation.

The consumer champion argues that a post-Brexit change in legislation would provide the regulator with the power to direct the Faster Payments Scheme to introduce a new guarantee into its rules that includes protection for victims of APP fraud - similar to the guarantee in place for direct debits.

In a statement, Which? says: "Which? believes that by making these changes the Government can show that it will use the legal flexibility resulting from Brexit to benefit consumers - and could potentially cut the amount consumers lose to bank transfer fraud by tens of millions of pounds a year."

Digital payments will be discussed in depth at EBAday 2020. For delegate passes, register now and join leaders from across Europe's payments ecosystem as EBAday addresses 'The Turning Point in Payments Transformation'.

Comments: (4)

Kevin Smith
Kevin Smith - Riskskill - Reading 22 October, 2020, 11:38Be the first to give this comment the thumbs up 0 likes

So which organisation is Which? suggesting should reimburse the cardholder who was the subject of an APP fraud scam? The bank that hosts the customer's account from which the monies were taken with the cardholder's agreement, or the financial institution who opended the account that receievd the fraudulent funds, i.e. the fraudster. The challenge is we are not preventing APP scam issues, we are just shifting liability from a customer who was "tricked' to their own bank.

Dave Birch
Dave Birch - Tessier Ashpool S.A. - Guildford 22 October, 2020, 12:301 like 1 like

Why not make the mobile operators pay, since they allow spoof SMS messages that appear to come from the customer's bank.

Dulce Alvarez
Dulce Alvarez - Fiserv - London 22 October, 2020, 12:48Be the first to give this comment the thumbs up 0 likes This article is misleading. Indeed PSD2 scope does not include consumer protection against fraud. However there is European legislation which does : directive 97/7/ec on the protection of consumers in respect of distance contracts, directive 2011/83/eu on consumer rights, directive 2005/29/ec on unfair commercial Practices, and directive 93/13/eec on unfair terms in consumer contracts All these directives should be part of the UK law... and they need to be maintained-enhanced post Brexit.
Jan-Olof Brunila
Jan-Olof Brunila - Swedbank - Stockholm 23 October, 2020, 08:44Be the first to give this comment the thumbs up 0 likes

If banks or ASPSP:s as regulators call us, should foot the bill for APP fraud, the protection needs to be financed, i.e. end users of payments need to pay enough for the payment service to cover refund rights for fully authenticated credit transfers that prove to be fraudulent. In the payment cards industry the business model includes liability rules for cases where the payee is not paying back wrongfully received funds. The alternative protection is to add more security features that make payer life harder.The PSD 2 makes it harder for the payment service providers to reclaim monies from the fraudulent payee due to the "finality of payment rule" and most consumer protection regulations assume that the payee will repay the wrongfully received funds, which does not apply to fraudsters. The PAD regulation gives all EU citizens the right to obtain a payment account - so fraudsters have a legal right to "join" the payment service. The absense of sensible "scheme" rules in combination with instant payments, the internet/mobile networks and digital transaction verification are the  fuel components that propel this kind of fraud and will make a ASPSP liability rule expensive. 

Trending