Introduction
It’s no secret that fraud is one of the most pressing threats to financial institutions, exacerbated by recent stormy economic conditions. Authorised push payment (APP) fraud has quickly become one of the most significant types of payment fraud globally. A report by UK Finance calls attention to post-pandemic authorised fraud trends, underlining the continuance of social engineering schemes which manipulate victims into forfeiting sensitive details or transferring funds. In the UK, in 2022 there were around 207,000 reported APP fraud cases on personal accounts, with fraud losses totalling £485 million, a number which is likely an underestimate. In the first half of 2023 alone, APP fraud losses totalled £239.3 million, highlighting that this isn’t a problem that’s going away.
These figures led the UK government to take decisive action to prioritise fraud by announcing a fraud strategy in May 2023. The new strategy focuses on three pillars: stopping scammers from reaching people in the first place, bringing more fraudsters to justice, and empowering people to better protect themselves. It aims to reduce fraud by 10% on 2019 levels by December 2024.
The prevalence of APP fraud has led to an increase in regulatory expectations for firms to remedy weaknesses in their systems and controls. Most notably, in early June 2023, the UK’s Payment Systems Regulator (PSR) outlined new requirements for reimbursing victims of APP fraud within the Faster Payments System. Following a number of consultations, the reimbursement requirements were published in December 2023, and are due to come into force on 7 October 2024. As of that date, payment service providers (PSPs) will be required to fully reimburse victims of APP fraud within five business days. Costs will be split 50/50 between the sending and receiving payment institutions, with limited exceptions for customer fraud and gross negligence (see details below). This is a huge change for all UK financial institutions.
What is APP fraud?
APP fraud is a scam where fraudsters trick victims into sending them money. Depending on the type of scam, the fraudster could pose as a legitimate entity or a trusted individual like a bank employee. The victim and account holder ‘authorises’ the transaction and forfeits their money under false pretences.
As per the Payment Systems Regulator (PSR), this is grouped into two categories where:
- The payer intends to transfer the funds to a person other than the recipient but is deceived into transferring the funds to the recipient.
- The payer intends to transfer the funds to the recipient but is deceived as to the purposes for which they are transferring the funds.
Examples
Romance scams, where a fraudster builds an online relationship with a victim and requests a money transfer for various reasons. These reasons can consist of bogus medical expenses or travel costs to meet the victim, which never transpires.
Impersonation scams may involve the fraudster pretending to be a bank employee or government official, convincing the victim that their bank account is compromised and urging them to move their funds to a ‘trusted’ bank account which is actually under the fraudster’s control.
Other examples of APP fraud include employment scams, rental scams, and charity donation scams, where money is sent under false pretences to secure employment or a rental apartment, or to donate to a charitable cause.
Global position
While the UK’s extensive reimbursement model is a “world first”, other jurisdictions grappling with high fraud rates are also considering regulatory changes to protect consumers. Most notably, the EU is considering amending the second Payment Services Directive (PSD2) to include refund rights for victims of fraud in two situations: when name verification services fail or when a fraudster impersonates a bank employee and “spoofs” the victim. In the latter case, the proposed amendments stipulate that the fraud must be ‘convincing’, which could include replicating the bank’s email address or phone number exactly. The proposed directive states that refunds will not be granted in other cases of 'gross negligence', such as “falling victim more than once to the same kind of fraud”.
In the US, the seven banks that own Zelle, a peer-to-peer payment platform notoriously used by fraudsters, are currently preparing a “major rule change” that would require banks to compensate customers who become victims of certain kinds of scams. This development comes after stark criticisms and a push to ensure that banks reimburse consumers when they are defrauded.
While nowhere near as comprehensive or significant as the changes in the UK, these noteworthy developments mark a global shift towards APP fraud losses increasingly being borne by financial institutions.