The Authorised Push Payment (APP) fraud reimbursement scheme came into effect today (Monday October 7th 2024). Launched by the Payment Systems Regulator (PSR) to replace a previous voluntary code, it requires sending and receiving payment service providers (PSPs) to share the cost of reimbursing victims on a 50:50 split.
The intention of the scheme is to protect victims of APP fraud and to try to improve fraud prevention measures. The PSR recently confirmed that the maximum liability amount per fraudulent transaction has been capped at £85,000. This is significantly down from the previously mooted £415,000, addressing some of the PSP liquidity concerns whilst still covering 99% of claims for customers.
Now the scheme has come into effect, what can we expect to happen?
Our Head of Financial Crime, Jessica Cath, was joined by Senior Manager, James Dodsworth, for a LinkedIn Live discussion on the APP Fraud Reimbursement Scheme on 7 October 2024. Click here to watch the recording.
The scheme was originally announced back in June 2023, so there is an argument that all in scope firms should be up and running the scheme with no issues. The reality may be a little different however, with some firms delaying addressing the scheme with a belief the whole thing would be delayed until 2025 at the earliest.
The PSR previously wrote to all PSPs it believed to be in scope earlier in 2024. The basic eligibility requirements being that the PSP is a member of the Faster Payments Scheme (FSP), and that they hold relevant accounts, that is, they issue accounts with sort codes and account numbers. The reimbursement scheme is mandatory for those who fall into these criteria.
Can a firm be exempt from the scheme? Circumstances will obviously vary from firm to firm but one consideration is to assess if a firm undertakes authorised push payments in any part of its customer journey. If they are not enabling customer-authorised payments, they would not meet the liability criteria for the scheme.
If a firm assesses that they do not meet the eligibility criteria for the scheme, they should contact pay.uk stating they are not in scope and await further contact.
The purpose of the scheme is to protect customers from fraud, with fraud losses for the UK in 2023 over £1 billion. By having the scheme in place, the regulator’s expectation is that firms will take fraud more seriously, with the 50:50 split incentivising a collaborative approach across the industry.
Meanwhile, the origin of a significant part of those fraud losses are from scams are from social media, mobile network providers and technology companies – none of which are included in this scheme. In Australia, they are proposing a different approach with banks and social media companies in line to be fined up to AUD$50m if they fail to protect customers from scams. It will be interesting to see if something similar eventually comes into play in the UK (as is being discussed with the new Labour government).
The scheme will bring other impacts, ironically one of them might be an increase in certain types of fraud and a change in behaviours:
Consumers can make claims up to 13 months after the transaction takes place, meaning that a wave of unexpected payouts may occur at almost any time.
All eyes are on the effect the scheme may have on smaller PSPs who will potentially struggle with the £85,000 reimbursement cap, especially as they may be targeted by fraudsters due to the perception that they will have weaker fraud controls than tier 1 banks.
There is no doubt the industry will be watching developments very closely, with continued lobbying to take place over the cap value being lowered further even before there has been any tangible outcomes of the scheme.
As the impact begins to become clear, firms should make sure they are operating effective and embedded APP fraud controls as part of a holistic approach to fraud prevention, detection and remediation:
For support in these areas, please contact James Dodsworth, Senior Financial Crime Manager at Thistle Initiatives: james.dodsworth@thistleinitiatives.co.uk.