Details of new UK requirements
Scope
The new reimbursement requirement will cover individual consumers, microenterprises, and charities. Eligible transactions must go through the Faster Payments System, which is where 97% of APP fraud payments occur. This means that international payments and payments across other systems such as CHAPS are excluded from the scope. (However, in June 2023 the Bank of England announced its intention to introduce a reimbursement requirement for victims of APP scams using CHAPS, and work on this is currently underway.) The PSR gives the example of a customer sending money to an account in their name held with a crypto exchange, which is then used to pay a fraudster through cryptocurrency. In such a scenario, the transaction would not be covered by the reimbursement policy because the transaction involved in the fraud occurred outside of the Faster Payments System. Payments made for unlawful purposes and civil disputes are also excluded from reimbursement requirements.
Exceptions
Exceptions to compulsory reimbursement cover instances where the customer has acted fraudulently by committing first party fraud, and where there has been gross negligence by the payer. The PSR has published high-level guidance on what is meant by ‘gross negligence’ and an appropriate ‘minimum consumer level of caution’. A claim excess will also be applicable up to a maximum of £100 per claim.
What is 'gross negligence'?
The PSR describes gross negligence as a ‘very high bar which will critically depend on the individual circumstances of each case’. It only expects it to apply in a ‘small minority’ of cases, and never where a victim's vulnerability is a factor. The consumer needs to have shown a significant degree of carelessness.
Consumer standard of caution
When assessing whether a consumer has been grossly negligent, firms should consider whether the consumer applied a standard level of caution. The consumer standard of caution consists of:
- The requirement to have regard to interventions: firms can consider whether the consumer received specific interventions from their PSP or from a competent national authority, such as the police, before executing a payment order.
- The prompt reporting requirement: victims should report the matter promptly to their PSP upon learning or suspecting that they have fallen victim to an APP scam, no more than 13 months after the last relevant payment.
- The information sharing requirement: victims should respond to requests for information made by their PSP to help it assess a reimbursement claim.
- The police reporting requirement: victims should, after making a reimbursement claim, consent to the PSP reporting to the police on their behalf, or if requested should report the details of the APP scam directly to the police.
Vulnerable customers
Acknowledging that some individuals may be at greater risk from social engineering due to vulnerabilities that impair decision-making, customers deemed vulnerable will be excluded from the claim excess and gross negligence clauses. The PSR states that firms should evaluate each customer’s circumstances on a case-by-case basis.
As per the PSR, financial institutions should refer to the Financial Conduct Authority’s (FCA) definition of ‘vulnerable’:
“A vulnerable customer is someone who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care.”
Cost allocation
For those transactions eligible for refund, the costs of reimbursement will be allocated equally between the sending and receiving PSPs, with a default 50:50 split.
The PSR’s reasoning for this split is that it will help incentivise both sending and receiving PSPs to increase customer protections. This liability split marks a significant change, as under the current voluntary CRM code it is only the responsibility of the sending PSP to reimburse the customer.
Outcomes-based approach
Unlike many other regulatory statutes, the reimbursement requirements do not mandate that PSPs meet any particular standards or take any particular actions, but rather impose penalties based on undesirable outcomes. This means the model completely moves away from tick-box compliance to be 100% focused on effectiveness. In adopting an outcome-based approach, the PSR says it is “giving … the industry the space to innovate and to choose how best to deliver the new reimbursement requirement”.
The PSR's multi-pronged approach
In addition to the new reimbursement requirement, the PSR is taking other actions to tackle APP fraud. These include the publication of performance metrics, with the PSR instructing 14 PSPs to provide six-monthly data demonstrating their effectiveness in combating fraud, serving as an accountability and transparency mechanism. In July 2024 the PSR will publish the second round of APP fraud performance data.
Another component of the PSR’s approach is increasing intelligence sharing, with PSPs expected to have implemented aspects of an enhanced fraud data sharing initiative by the end of 2023. Finally, the PSR will continue expanding the rollout of the CoP scheme.