APP Fraud – A little more conversation

In recent years, “authorized push payment” (APP) fraud, in which a payer is tricked or defrauded into authorizing a payment to a criminal, has increased in both value and volume, with many people suffering financial harm. and important emotional.

In the UK, if a payment has not been authorized by the payer, the Payment Services Regulations 2017 (PSR) provide legal protection for consumers against fraud. However, where a customer has authorized a payment in accordance with the terms of their agreement with their account provider, the PSRs state that the customer is responsible for that payment. This is the case even if they accidentally typed the wrong beneficiary account details or were tricked into making the payment to a fraudster.

The judiciary and the legislature have recently looked into the liability of banks when people fall victim to authorized push payment scams.

What is the government proposing to do about APP fraud?

HM Treasury is pushing forward proposals that will force customers to be reimbursed for APP fraud losses. This was announced in the Queen’s Speech at the official opening of Parliament in May 2022. The intention is to use the Financial Services and Markets Bill to amend PSRs. The PSRs provide that when a payment is executed in accordance with the unique identifier (eg account number and sort code) provided by the customer, a payment service provider has correctly executed the payment.

The government amendment will clarify that this regulatory provision does not affect the ability of the payment systems regulator (PSR) to use its existing regulatory powers in relation to APP fraud. This will allow PSR to establish an accountability framework for APP fraud using its existing powers and ultimately improve reimbursement outcomes for victims.

To bring this change into effect, HM Treasury intends to require the PSR to publish a draft regulatory requirement for consultation within two months of the provisions coming into force, and to impose a regulatory requirement within six months following the entry into force of the provisions.

The authors expect the consultation with further details in the fall of 2022.

What do the courts do?

The courts’ approach to APP fraud also appears to be changing. The recent judgment of the Court of Appeal in the case Phillip vs Barclays the case has the potential to significantly expand the liability of payment service providers for APP fraud.

The plaintiff in this case – Mrs Philipp, who together with her husband had been duped by fraudsters out of her savings – alleged that the bank had breached the Quincecare obligation, i.e. the obligation for a bank to fail to pay when it suspects the payment instruction is an attempt to embezzle the customer’s funds.

The High Court quashed the claim on the grounds that Quincecare had no app for authorized payments, including APP fraud. The Court of Appeal, however, disagreed, finding that there is no reason in principle why a bank cannot be held liable for authorized payments where it suspects that the customer is the victim of fraud. ‘a scam. The case will now go to trial (or to the Supreme Court). If the reasoning of the Court of Appeal is followed, this will represent a very significant extension of the liability of payment service providers for APP fraud.

The more recent case of Federal Republic of Nigeria v JPMorgan does, however, offer some comfort to banks, reminding them that Philipp does not (yet) establish conclusively that a duty of care arises in APP fraud, and that the Quincecare duty is a very factual and limited duty.

Policy Behind Existing UK APP Fraud Protection Measures

In the UK, customers have long been protected against losses resulting from unauthorized transactions. In general terms, the rationale behind this is that payment service providers, such as banks, bear the loss of this activity because they have the greatest ability to help prevent such crimes. For example, payment service providers determine the payment methods available with a particular account (for example, a payment card or the use of an online banking portal). Payment service providers are also well placed to have anti-fraud measures in place to help prevent unauthorized transactions. For example, by implementing identity verification processes (such as SCA) and investing in advanced security systems and developing fraud detection tools.

From a social policy perspective, it also makes sense to demand that those with the richest pockets and the best means of recovering fraudsters’ funds bear the risk. After all, banks are arguably best placed to address this. Banks are also often in the best position to trace and recover funds.

It is this ideology that has largely steered us towards the current position that sees payment service providers, in particular a payer’s payment service provider, being held responsible for putting in place some kind of policing insurance to protect users of their products against authorized push payment fraud. Arguably, in many cases, these payment service providers are also in the best position to prevent such fraud by using real-time transaction analysis and, as the beneficiary bank, ensuring that customers are genuine. , conduct transaction monitoring to identify suspicious payment patterns.

Therefore, the argument is that while the payment service provider can help prevent such APP fraud, it should expect to bear the risk of such losses when such fraud continues to occur.

What can the financial services industry do against APP fraud?

Financial institutions should consider implementing measures to prevent fraud related to unauthorized and authorized payments. Such measures would also help reduce liability exposure. These could include:

(a) work with government and law enforcement to deter and disrupt criminals and better track, freeze and return stolen funds; (b) work with Pay.UK to put in place information sharing processes that allow banks to share data to better detect and prevent financial crime; (c) the introduction of Banking Protocol – a revolutionary rapid response system through which branch staff can alert police and trading standards of suspected fraud; (d) work with the government to make possible legislative changes to account opening procedures to help the industry act more proactively on suspected fraud and prevent criminals from gaining access to financial systems ; and (e) exploring new ways to track stolen funds moved between multiple bank accounts.

Disclaimer – This is not just a problem for the financial services industry

In the authors’ opinion, more needs to be done to prevent these types of frauds from happening in the first place. The idea that this is a problem for the financial services industry alone, however, is entirely misguided for a number of reasons:

  • First, the role of a payer’s payment service provider in securing their customer’s loss to certain types of APP fraud (such as romance scams) is less clear. It is less clear how a payment service provider could know that a customer has been convinced to make a payment to a fraudster under false pretences; where they thought that person needed help when in fact that person didn’t.
  • Second, most APP fraud is due to some form of social engineering. The instigation of this activity often takes place outside the banking system. For example, using tactics such as fraudulent phone calls, text messages and emails, as well as fake websites and social media posts, criminals seek to trick people into handing over personal details. and passwords, or personal information. This information is then used to target victims and convince them to authorize payments. Therefore, there is a growing belief that other sectors, such as social media platforms and telecom providers, could do more to help combat fraud.

Help from other sectors

Rightly, regulators tend to want to see victims of APP fraud reimbursed, but the proposals so far place the blame squarely on the banks.

It is encouraging that we are starting to see regulatory activity demanding that other sectors do more to help tackle this fraud, for example, through proposed amendments to the Online Harms Bill. However, they are unlikely to go far enough, and they are still not enough to compel companies in these other sectors to play a role in compensating victims as well.

This article first appeared in Thomson Reuters Regulatory Intelligence on July 7, 2022

Comments are closed.