APP Fraud Reimbursement Scheme comes into effect: what will the impact be?
The Scheme
The Authorised Push Payment (APP) fraud reimbursement scheme came into effect today (Monday October 7th 2024). Launched by the Payment Systems Regulator (PSR) to replace a previous voluntary code, it requires sending and receiving payment service providers (PSPs) to share the cost of reimbursing victims on a 50:50 split.
The intention of the scheme is to protect victims of APP fraud and to try to improve fraud prevention measures. The PSR recently confirmed that the maximum liability amount per fraudulent transaction has been capped at £85,000. This is significantly down from the previously mooted £415,000, addressing some of the PSP liquidity concerns whilst still covering 99% of claims for customers.
Now the scheme has come into effect, what can we expect to happen?
Our Head of Financial Crime, Jessica Cath, was joined by Senior Manager, James Dodsworth, for a LinkedIn Live discussion on the APP Fraud Reimbursement Scheme on 7 October 2024. Click here to watch the recording.
Understanding eligibility and exemptions
The scheme was originally announced back in June 2023, so there is an argument that all in scope firms should be up and running the scheme with no issues. The reality may be a little different however, with some firms delaying addressing the scheme with a belief the whole thing would be delayed until 2025 at the earliest.
The PSR previously wrote to all PSPs it believed to be in scope earlier in 2024. The basic eligibility requirements being that the PSP is a member of the Faster Payments Scheme (FSP), and that they hold relevant accounts, that is, they issue accounts with sort codes and account numbers. The reimbursement scheme is mandatory for those who fall into these criteria.
Can a firm be exempt from the scheme? Circumstances will obviously vary from firm to firm but one consideration is to assess if a firm undertakes authorised push payments in any part of its customer journey. If they are not enabling customer-authorised payments, they would not meet the liability criteria for the scheme.
If a firm assesses that they do not meet the eligibility criteria for the scheme, they should contact pay.uk stating they are not in scope and await further contact.
Expectations and impacts
The purpose of the scheme is to protect customers from fraud, with fraud losses for the UK in 2023 over £1 billion. By having the scheme in place, the regulator’s expectation is that firms will take fraud more seriously, with the 50:50 split incentivising a collaborative approach across the industry.
Meanwhile, the origin of a significant part of those fraud losses are from scams are from social media, mobile network providers and technology companies – none of which are included in this scheme. In Australia, they are proposing a different approach with banks and social media companies in line to be fined up to AUD$50m if they fail to protect customers from scams. It will be interesting to see if something similar eventually comes into play in the UK (as is being discussed with the new Labour government).
The scheme will bring other impacts, ironically one of them might be an increase in certain types of fraud and a change in behaviours:
- 1st party fraud – fraud undertaken by the customer themselves
- 2nd party fraud – where a person gives their personal identification information (PII) to someone else to use fraudulently
- Money mule accounts – someone who allows their bank account to be used to transfer monies
- Genuine customers changing behaviours - a level of complacency to customer behaviour, as they know that almost no matter what they will be compensated, and do less to protect their accounts and transactions
- APP claims management companies – Just like PPI and car emission firms, expect to see a huge uptick in firms that state they can “help” customers recover lost funds from fraud and take a cut for the privilege
Consumers can make claims up to 13 months after the transaction takes place, meaning that a wave of unexpected payouts may occur at almost any time.
What Next?
All eyes are on the effect the scheme may have on smaller PSPs who will potentially struggle with the £85,000 reimbursement cap, especially as they may be targeted by fraudsters due to the perception that they will have weaker fraud controls than tier 1 banks.
There is no doubt the industry will be watching developments very closely, with continued lobbying to take place over the cap value being lowered further even before there has been any tangible outcomes of the scheme.
As the impact begins to become clear, firms should make sure they are operating effective and embedded APP fraud controls as part of a holistic approach to fraud prevention, detection and remediation:
- Undertake a Fraud Risk Assessment, considering the operational impact of APP fraud reimbursement requirements
- Ensure you have adequate systems, tools and resources to deal with the full life cycle of reimbursements, from alerts through to data gathering and sharing, to the recovery of losses
- Put in place clear management information (MI), data and information sharing channels internally and with other PSPs
- Train employees appropriately, from internal analysts looking at alerts and claims, and any customer facing employees who will be talking to victims, or maybe even perpetrators
For support in these areas, please contact James Dodsworth, Senior Financial Crime Manager at Thistle Initiatives: james.dodsworth@thistleinitiatives.co.uk.