Long reads

PSR Consultations: Could the proposed measures to fight fraud have unintended consequences?

Teresa Connors

Teresa Connors

Client Director, Payment Matters

Only 45% of reported Authorised Push Payment (APP) losses are reimbursed or repatriated. APP scams trick payees into sending payment from their bank account to a a fraudster, the fraudster often impersonates a known entity such as a large corporation or bank. Scams are sophisticated and can trick the vulnerable and the vigilant, wrecking lives causing financial and emotional distress. The Payment System Regulator (PSR) has signaled intent to significantly improve customer protection and is seeking feedback on two consultations, including three proposed measures to complement Confirmation of Payee (CoP) and the Contingent Reimbursement Model (CRM).

The measures proposed are sound, but could they bring unintended consequences?

How effective are CoP and CRM?

CoP and CRM are relatively new weapons in the fight against fraud and have helped to curb customer losses. It has been costly for providers to implement CoP and CRM, and both carry ongoing costs to the P&L.

CoP was introduced in February 2020 and checks, upon setting up or changing a payee’s account details, that the information entered matches the name of the account that payment is intended for; this helps to avoid payments to unintended recipients and provides assurance.

The CRM was introduced in May 2019, it protects victims of fraud by reimbursing or repatriating funds. The providers that have signed up to the Code account for more than 85% of transactions made over Faster Payments however, even with this reach issues remain, among them:

  • The reimbursement obligations, including exceptions, to the Code are open to interpretation.
  • The Code can be difficult to apply in practice.
  • Many customers fall outside the protection of the Code as not all Payment Service Providers (PSPs) participate; non-participating PSPs are not under a general requirement to refund customers who have not done anything wrong.

What are the three complementary measures proposed and potential unintended consequences? 

1) Improving transparency on outcomes by requiring PSPs to publish their APP scam, reimbursement and repatriation levels.

At industry level this data would be helpful. However, making the data public without context and appropriate communication could potentially:

  • Erode trust in the system.
  • Bring increased reputational risk to providers with a higher proportion of vulnerable customers.

2) Greater collaboration to share information about suspect transactions, requiring PSPs to adopt a standardised approach to risk-rating transactions and to share the risk scores with other PSPs involved in the transaction.

  • Mandating greater collaboration, with effective controls, standards and interpretation should have a direct and significant impact, increasing customer protection.

3) Introducing mandatory protection of customers by changing industry rules so that all payment firms are required to reimburse victims of APP scams who have acted appropriately.

  • Of the measures proposed this would have the greatest impact and would afford the greatest customer protection, it would also partially increase parity with some other payment types e.g., Credit cards.
  • Reimbursing a greater proportion of fraud, risks adding pressure to PSP balance sheets which are stretched due to Covid response and a continued low interest rate environment; might providers have to balance the cost of fraud against other priorities? E.g. developing new propositions.

The consultations are wide ranging and seek feedback beyond the measures above, the PSR is keen to hear the views of all stakeholders in the payments value chain, the feedback window is open until 5pm 8th April 2021.

Comments: (1)

Jeremy Light
Jeremy Light - Fourdotzero - London 31 March, 2021, 17:121 like 1 like

The answer is yes – unless fraud is dealt with properly, it will lead to unintended consequences, specifically a higher cost of entry for payment innovators and for new entrants, in turn creating a regulatory moat protecting large incumbents from competition - in direct contradiction to the PSR’s purpose.

Like quality in manufacturing, to be effective and efficient, fraud controls should be embedded in banking processes rather than bolted on.

The APP consultation measure to make the CRM code more effective in reimbursing victims will have no direct effect on APP fraud, except perhaps to prompt banks to improve their controls. The root cause of APP fraud is the ability of fraudsters to use bank accounts to receive funds, so the measure to publish APP scams data is a good one – provided it separates out the receiving bank data, from the sending bank data. The proposed measure to standardise and share fraud data between banks is also useful, in particular to trace transfers across multiple accounts.

However, a harder line is needed to give teeth to APP fraud controls - the PSR should be calling for banks to improve their KYC processes, and embed AI to monitor their accounts for handling APP payments, especially to detect fraudulent incoming payments and subsequent payments onforwarding.

The consumer protection consultation gives the impression of regulation looking for a problem. The dynamics and risks of A2A push payments in UK retail commerce are unknown, and unquantifiable until this type of payment is established in UK retail. The cards networks are no guide, although their mature chargeback controls appear to be the model. However, cards are inherently risky, and as a result the cards industry spends billions on combatting fraud. In contrast for example, the iDeal A2A push payments system in the Netherlands, used in 60% of ecommerce payments, after 15 years of operation still has no chargeback controls, and very little fraud. Adding a consumer protection overhead to A2A retail commerce payments before they have barely started in the UK (with open banking and request-to-pay) risks a significant slowing in innovation and take-up.

Generally, with new technology to make banking better, and regulation better, a wholesale rethink and reinvention of banking regulation is required - dealing with the root causes of payments fraud is a good place to start.