PS23/4
Policy statement
Fighting authorised
push payment
scams:
final
decision
December
2023
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
2
Contents
1 Executive summary 3
2 Introduction 5
3 Legal instruments 10
4 Start date and implementation 21
5 Consumer standard of caution exception 26
6 Excess 32
7 Maximum reimbursement level 38
8 Next steps 43
Annex 1 Cost benefit analysis 47
Annex 2 Equality impact assessment 65
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
3
1 Executive summary
1.1 We are taking bold action against authorised push payment (APP) scams. In our June 2023
policy statement PS23/3: Fighting authorised push payment fraud – a new reimbursement
requirement, we introduced a new reimbursement requirement within Faster Payments
to improve fraud prevention and focus firms’ efforts on protecting customers.
1.2 In this document we are setting out the final detailed parameters of the reimbursement
requirement policy. These are:
• Clarifying the consumer standard of caution exception, which narrows the consideration
of gross negligence to four specific circumstances, including the requirement to have
regard to interventions, prompt notification, responding to requests for information
and police reporting. This exception does not apply to vulnerable consumers.
• Allowing sending payment service providers (PSPs) to apply an excess up to £100
to a claim under this policy, except for claims made by vulnerable consumers.
• Setting the maximum level of mandatory reimbursement at £415,000. This level
applies to all consumers.
1.3 The maximum level of reimbursement has attracted a particularly high level of feedback,
and involves difficult trade-offs. We will supplement our existing evidence base by
monitoring the incidence and impact of high value APP scams over the next ten months
before the start date. We may consult on revising the level ahead of October if there is
convincing evidence to do so.
1.4 We consider that the overall package will introduce important incentives to prevent fraud,
provide a very high degree of consumer protection, particularly for those losing larger sums
of money to APP scams, while also ensuring that customers continue to take care when
making payments.
1.5 We are also confirming the policy start date of 7 October 2024. We want protection for
consumers to be delivered as soon as possible, but were mindful of the risks that an earlier
start date could pose to effective implementation. October 2024 is the earliest date that the
critical systems and processes can be in place. We recognise this will still be a challenging
target for some PSPs, but the protection of APP scams victims must be prioritised.
1.6 Industry should already be preparing to implement the reimbursement requirement and
continued collaboration between all stakeholders in the months ahead will be important
to achieve effective implementation.
1.7 We are working closely with Pay.UK and PSPs to ensure preparedness and effective,
timely implementation backed by our regulatory oversight and powers. We will also
collaborate with stakeholders to design our monitoring and compliance framework,
and develop our approach to evaluating our work on APP scams.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
4
1.8 To implement the reimbursement requirement, we are now publishing the three legal
instruments which give effect to the reimbursement requirement:
• A specific requirement imposed on Pay.UK to include the reimbursement
requirement in the Faster Payments scheme rules.
• A specific direction given to participants in Faster Payments, obliging them to
comply with the reimbursement requirement and the reimbursement rules.
• A specific direction given to Pay.UK to create and implement an effective compliance
monitoring regime.
1.9 We are not acting alone in fighting APP scams. We are engaging extensively with the
Financial Conduct Authority (FCA), the Treasury, the Home Office, Ofcom, the Financial
Ombudsman Service, the Department for Science, Innovation and Technology, law
enforcement and other public bodies to stop fraud against UK consumers. The Home
Office Fraud Strategy supported our policy of placing reimbursement on a mandatory
footing ‘without delay’.
1
1 https://www.gov.uk/government/publications/fraud-strategy
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
5
2 Introduction
In June we published our policy statement
PS23/3: Fighting authorised push payment
fraud
– a new reimbursement requirement. Within that publication, we set out our
proposals for a new reimbursement requirement for victims of APP
scams within
the
faster payment system.
Since the publication of our June policy statement, we have engaged extensively with
industry and consumer gr
oups to help inform the implementation and final details of our
reimbursement policy. We published four consultations in August and September of this
year, seeking views on:
• our proposed start date
• our legal instruments requiring Pay.UK and Faster Payments participants to implement
the requirements of our reimbursement policy
• the value of the excess and maximum reimbursement level for Faster Payments
and CHAPS
• the final details of the consumer standard of caution exception, including the express
standard of care expected of consumers.
This document sets out a summary of the responses we received to each of these
consultations, alongside our view on the points raised by respondents.
Terminology in this policy statement
Reimbursement policy
The policy set out in our June policy statement,
and
augmented by this policy statement,
which together
introduce consistent minimum standards to reimburse
victims of APP scams.
Reimbursement requirement
The
specific clause in the specific direction on
industry
,
which requires the sending PSP to reimburse
APP scam victims
subject to the exceptions and
additional provisions set out in our
specific
r
equirement on Pay.UK, where
the consumer standard
of caution e
xception and time limit does not apply.
Reimbursement rules
The schedule of Faster Payments
scheme rules that
our
specific requirement on Pay.UK obliges Pay.UK
to
create. A draft version was published alongside
our
consultation CP23/10: Specific Direction on
Faster
Payments participants – implementing the
reimbursement requirement. We are requiring Pay.UK
to publish the final version by 7 June 2024.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
6
Faster Payments
scheme or
Faster Payments
The payments system designated by
the Treasury.
It
should not be taken as a reference to individual
payments or their speed of settlement.
Faster Payments
scheme rules
The whole of the standards governing participation
in
the Faster Payments scheme.
Faster payment
Any of the four categories of payments tha
t are
facilitated by the Faster Payments
scheme.
Vulnerable consumer
S
omeone who, due to their personal circumstances,
is
especially susceptible to harm – particularly when
a
firm is not acting with appropriate levels of care.
PSPs should evaluate each cu
stomer’s circumstances
on a case
-by-case basis to help determine the extent
to which their characteristics of vulnerability, whether
temporary or enduring, led them to be defrauded,
and
therefore whether they meet the definition
of
vulnerability.
Background
2.1 In our June policy statement PS23/3: Fighting authorised push payment fraud –
a new reimbursement requirement, we set out our proposals for a new reimbursement
requirement for victims of APP scams within Faster Payments. We aim to:
• incentivise the payment industry to invest further in end-to-end fraud prevention
by making every payment firm meet the cost of reimbursing
• increase customer protections so most victims of APP fraud are swiftly reimbursed,
boosting confidence in the UK payment ecosystem
• pursue our long-term ambition for Pay.UK to take on a broader role and actively
improve the rules governing Faster Payments to tackle fraud.
2.2 We want payment firms to take responsibility for protecting their customers at the point
that a payment is made. In doing so, we expect the new reimbursement requirement to
lead firms to innovate and develop effective, data-driven interventions to change customer
behaviour. This could include adopting or refining a risk-based approach to payments, with
firms making better decisions on when to intervene and hold or stop a payment. The
Treasury has committed to legislate to provide clarity on the ability to make risk-based
delays to payments to support PSPs fraud prevention efforts.
2.3 Alongside the new requirement to reimburse victims, we are increasing transparency with
a new balanced scorecard of APP fraud data. We published our first set of data in October
2023, which covered fraud performance between January and December 2022. Our goal
is to set minimum standards, define the outcomes we expect and align financial and
reputational incentives for payment firms.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
7
2.4 In response to our consultations, some stakeholders sent us additional comments
addressing these topics. However, these letters emphasised issues already raised
via responses to our formal consultations and our engagement sessions. In this paper
we have also set out our final position on each policy area. We have also published
an annex summarising responses to each of the above consultations in more detail.
We have carefully considered all representations.
2.5 Our policy is ambitious, comprehensive and world-leading. Its successful implementation
will require regular collaboration among stakeholders. We will continue to engage with
industry in the lead up to the implementation. We will also continue to engage with the
FCA, the Treasury, the Home Office, Ofcom, the Department for Science, Innovation and
Technology, the Financial Ombudsman Service, law enforcement and other public bodies
to stop fraud against UK consumers.
2.6 We recognise the concerns raised by small PSPs, including electronic money institutions
(EMIs), that a high maximum limit for reimbursement may create prudential risks and
heighten the likelihood of unprofitability and insolvency for a small number of PSPs,
therefore undermining competition in the sector. However, there are active steps that
PSPs can take to manage this risk, and their liability under our reimbursement policy, by
improving fraud prevention controls to avoid losses arising in the first place. We consider
our reimbursement policy to be a proportionate response to tackling the increase in
APP scams, by focusing PSPs’ efforts on fraud prevention and consumer protection,
while increasing confidence in Faster Payments.
2.7 It is imperative that PSPs continue their preparations to ensure they are ready to
implement the policy on the start date. We know that our incentives are already
working, with PSPs taking steps to improve end-to-end fraud prevention and
reduce the incidence of APP scams while protecting consumers.
2.8 The reimbursement requirement and rules are part and parcel of Faster Payments rules.
PSPs’ compliance with the reimbursement requirement and rules is ancillary to their
execution of payment transactions using Faster Payments. If a consumer is unhappy
with how their PSP has assessed their APP scam claim under our policy, then they
can take their complaint to the Financial Ombudsman Service. The Financial
Ombudsman Service will consider what is fair and reasonable in circumstances
regarding the individual complaint. For more information on how the Financial
Ombudsman Service currently considers complaints about APP scams please
see Fraud and scams (financial-ombudsman.org.uk)
.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
8
Table 1: Summary of key changes
Consultation
Policy
changes and clarifications
A section 55 specific
requirement given
to
Pay.UK to change
the
Faster Payments
rules
to include the
reimbursement
require
ment
and
associated
reimbursement rules
A section 54 specific
direction given to Pay.UK
to create and implement
an effective compliance
monitoring regime for
PSPs in line with the
reimbursement rules
and
our specific
direction
on industry
A section 54
specific
direction given to
industry obliging PSPs
to
comply with the
reimbursement
requirement and the
reimbursement rules
We have made changes
and clarifications to all three
legal
instruments. These include both substantive policy
changes and definition
al changes in the terms used.
The contents of the changes we have made are set out
on
pages 13 to 17 of this document.
We originally proposed issuing a ‘
general’ direction to
payment firms under the powers set out in s
ection
54 of the
Financial Services (Banking Reform) Act 2013. We ultimately
decided to issue a ‘
specific’
direction instead. Our reasoning
for this is set out
on page 14.
Policy start date and
implementation
We consulted on two possible
start dates for our
reimbursement
requirement policy: 2 April 2024,
or
7 October 2024.
We confirm that the start date for the reimbursement
requirement
policy is 7 October 2024. We have set out
our
reasoning on Pages 21 to 24.
We set out our proposals for supporting Pay.UK and
industry
to be ready for this start date on pages 24 to 25.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
9
Consultation
Policy
changes and clarifications
Consumer standard of
caution
exception
We have amended the proposals outlined in our August
consultation document as follows:
• When assessing whether a consumer has been grossly
negligent, PSPs may now consider whether a consumer
received tailored, specific interventions from a
competent national authority, such as the police,
before executing a payment order (page 29).
• We have made it clear that PSPs are required to make
an assessment of the risks associated with a proposed
payment, rather than an assessment of the likelihood
that a prospective recipient is a fraudster (page 29).
• We have removed the requirement for PSPs to
establish that a prospective payment is ‘likely to be’
an APP scam before they can issue a specific,
tailored warning (page 29).
• We have clarified that consumers who rely on a third-
party claims management company (CMC) to make
a reimbursement claim are subject to the same
expectations on information sharing as consumers
who raise their claims directly with their PSP (page 30).
• We have permitted PSPs to report the details of the
APP
scam to the police on the consumer’s behalf or request
that a consumer directly reports an APP scam to the
police after raising a reimbursement claim (page 31).
Optional
excess that
PSPs may levy
We confirm that PSPs will be permitted to charge an
excess
up to a maximum of £100 per claim (page 32).
We set out how this
permitted excess is to be met by
sending and receiving
PSPs in a particular case (page 35).
We confirm that this excess may not be charged to
vulnerable consumers
(page 37).
Maximum
reimbursement level
We confirm that the maximum reimbursement level will
be
set at £415,000
(page 38). Sending PSPs
are not required to
(but may choose to)
reimburse more than the maximum
reimbursement level for
a single APP scam case.
We confirm that this maximum will apply to all in
-scope
consumers, including
vulnerable consumers.
We confirm that this maximum cap will not automatically
be
indexed to inflation.
We will monitor high value scams
ahead of implementation
and
may consult on changing the maximum level if there is
convincing evidence to do so.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
10
3 Legal instruments
T
he final package of legal instruments we are issuing to give effect to our reimbursement
policy
are:
• a specific requirement (SR1) imposed on Pay.UK to change the Faster Payments
rules to include the reimbursement requirement and associated reimbursement rules
• a specific direction (SD19) given to Pay.UK to create and implement an effective
compliance monitoring regime for PSPs, in line with the reimbursement rules and
our specific direction on industry
• a specific direction (SD20) given to Faster Payments participants
2
obliging them
to comply with the reimbursement requirement and the reimbursement rules.
These instruments place
legal obligations on Faster Payments participants that provide
relevant accounts
to comply with the reimbursement requirement from the start date.
Those firms
should be preparing to comply with these obligations.
We have published these legal instruments alongside this
policy statement.
Background
3.1 In our June policy statement, we outlined that we intended to issue three legal
instruments that would give effect to our APP scams reimbursement policy and
place legal obligations on industry to comply with it. We committed to consult
on these legal instruments before issuing the instruments by December 2023.
3.2 We set out our intention to issue these instruments by exercising our powers under
section 55 of the Financial Services (Banking Reform) Act 2013 (FSBRA) for the first time,
alongside our powers under section 54 of FSBRA.
Our consultation proposals
3.3 We consulted on all three legal instruments to obtain further views on how these would
give effect to our policy. We also asked for specific feedback on each instrument.
2 All PSPs participating in the Faster Payments Scheme that provide relevant accounts. Relevant accounts are
accounts which are held in the UK and can send or receive payments using the Faster Payments Scheme,
but exclude accounts provided by Credit Unions, Municipal Banks, and National Savings Banks.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
11
Table 2: The legal instruments we consulted on
Instrument
Instrument function
Specific requirement
imposed on
Pay.UK
to
amend Faster
Payments rules
(
section 55 of FSBRA)
Requires Pay.UK to
create the ‘reimbursement rules’. Pay.UK
will do this by
amending Faster Payments rules to include:
• the reimbursement requirement and its scope
• sharing the cost of reimbursement
• the time limit to reimburse victims
• the obligation of the sending PSP to notify the receiving
PSP that an APP scam has happened
• the allocation of retrieved (‘repatriated’) scam funds
between PSPs
• ‘Stop the clock’ provisions
• the ability to charge a claim excess
• the ability to impose a maximum level of reimbursement
• a time limit for victims to claim.
Specif
ic* direction
to
directed PSPs
(
section 54 of FSBRA)
Sets out the reimbursement requirement, its scope
,
and directs
all
directed PSPs to comply with the reimbursement rules.
Indirect access providers
must inform us of all indirect PSP
customers they provide access to.
*This was initially published as a
draft general direction,
changed to a specific in response to feedback
, and consulted
upon as such.
Specific direction
to
Pay.UK
(
section 54 of FSBRA)
Directs Pay.UK to monitor PSPs
’ compliance with the
reimbursement rules
and specific direction on in-scope PSPs.
Directs Pay.UK to provide us with compliance data to inform
any enforcement
or other regulatory action we may take and
help
us assess the policy’s effectiveness.
Directs
Pay.UK to propose, publish and implement an effective
compliance monitoring regime
, approved by the Payment
S
ystems Regulator (PSR).
Feedback we received
3.4 We received responses from a range of stakeholders, including PSPs, wider industry
and trade groups, consumer groups and other interested parties.
3.5 Most respondents agreed with our approach to issue three legal instruments to
give effect to the policy. Some raised concerns about Pay.UK’s ability to monitor
and enforce the reimbursement requirement and about the development of a
reimbursement management system (RMS). (See Chapter 4 for more information
about the systems that will help industry implement the reimbursement requirement.)
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
12
Specific requirement 1 imposed on Pay.UK
3.6 Most respondents agreed with our proposal to impose a specific requirement on Pay.UK
to change the Faster Payments rules. Several respondents made suggestions about the
‘stop the clock’ provision, including expanding it to allow sending and receiving PSPs to
communicate about the assessment of an APP scam case. Other responses asked for
further clarity on how we expect a firm to communicate with a consumer, and how
quickly a sending PSP should make the receiving bank aware of the reported scam.
3.7 A few respondents commented on the drafting of the vulnerable consumer exception,
saying that the wording did not articulate the intent set out in our June policy statement.
Specific direction 20 given to industry
3.8 Most respondents asked for clarity on the scope of the (as then published) general
direction, and which participants it would cover. Many respondents welcomed our
change to a specific direction, while asking for further clarity around certain definitions.
3.9 Some respondents were concerned that our proposal to exclude credit unions,
municipal banks and national savings banks would create inconsistent outcomes.
A couple of respondents felt that we had not provided sufficient reasons for this
proposal and pointed out that credit unions are not immune to APP scams. Another
underlined that these PSPs can be receivers of APP scams. Other respondents stated
that their members broadly agreed with our proposal to exclude PSPs that are exempt
from the liability requirements for fraudulent unauthorised payments, on the basis
that fraud rates among these entities were low.
3.10 Many respondents felt it was the PSR’s job to ensure that all indirect PSPs
were aware of their obligations under the reimbursement requirement.
3.11 Most respondents welcomed the change to annual reporting for indirect access
providers. However, several respondents were concerned that annual reporting
would not be sufficient to make sure all participants were aware of their obligations.
We received feedback that indirect access providers should inform us of any changes
in terms of indirect PSP customers entering or leaving the market. Some concern was
raised around this being a duplication of our annual FSBRA section 81 information
request that underpins our access to payments systems work.
3
3.12 Several respondents stated that there should be a service-level agreement for
receiving PSPs to provide information to the sending PSP.
Specific direction 19 given to Pay.UK
3.13 Most respondents agreed with our general approach to compliance monitoring and the
underlying principles. However, they also asked for further information on the compliance
process. Many requested further clarity on how we, in tandem with Pay.UK, would
incentivise firms to prevent APP scams.
3 Access to payment systems https://www.psr.org.uk/our-work/access-to-payment-systems/
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
13
3.14 Some respondents suggested that it should not be direct participants’ responsibility
to liaise with their indirect participants on behalf of Pay.UK. Respondents also thought it
was important for Pay.UK to have a mechanism in place to interact with all PSPs directly.
3.15 There were mixed views on the frequency of reporting to Pay.UK, with preferences
varying from monthly to yearly. Several respondents highlighted the cost and burden
associated with more frequent reporting and suggested we should give guidance outlining
best practice for this. Most respondents agreed with the types of data we proposed in the
consultation on our specific direction to Pay.UK, though most also had further suggestions.
3.16 One respondent said the direction should place an ongoing obligation on Pay.UK to define
the future governance around compliance.
Summary of key changes
3.17 We have made some changes to the legal instruments after considering all the responses
to our consultations.
3.18 The key changes are outlined in Table 3 below.
Table 3: Key changes made to the legal instruments
Specific requirement imposed on Pay.UK
‘
Stop the clock’
We have amended the grounds on which a sending PSP can
‘stop
the clock’. It can now do so when contacting the receiving
PSP
to gather evidence to inform their assessment of reported
APP
scam cases. We have also clarified the 35-business day
timescale withi
n which the sending PSP must make a decision
on
whether to reimburse an APP scam case under the policy.
These amendments allow the sending PSP to make a more informed
assessment. The receiving PSP
may hold key evidence that will help
inform the sending PSP
’s assessment of any APP scam case, and it
is right that we
provide enough time for it to deliver this information
to the sending PSP.
However, to ensure that
there is no unnecessary
delay to consumer reimbursement
, the sending PSP must arrive at
an outcom
e after 35 business days, regardless of how many times
(and for how long)
‘stop the clock’ is used.
Receiving PSP
must respond
to
a request from
a sending PSP
We have required Pay.UK to include an obligation
in the
reimbursement rules
for the receiving PSP to respond to
the
sending PSP’s information requests. This applies where
a
sending PSP has requested further information for its
assessment
of an APP scam claim.
This change ensures that
a receiving PSP provide information
promptly when requested by a sending PSP using ‘stop the clock’
to
investigate an APP scam claim. This should avoid undue delays
in
the sending PSP arriving at a decision.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
14
An assessment
outc
ome
(under
the
reimbursement
policy) by the
sending PSP
is
final
We have
included a provision for the reimbursement rules to
clarify
that the assessment outcome by the sending PSP is final.
Any
subsequent differing outcome (by a court or an alternative
dis
pute resolution scheme, such as the Financial Ombudsman
S
ervice) will not be treated as a reimbursement under the policy
and
will not incur any apportioning of liability under the policy.
This means that, unless otherwise specified in the dispute
decision,
the sending PSP will be liable for the full reimbursement amount
if
they have decided not to reimburse the consumer, and the
case
is overturned.
This is not a change to the policy as outlined in June, but a
clarification of its extent. We want
to reduce the potential for
disputes
between PSPs and provide clarity around cost allocation.
Specific direction given to directed PSPs
Change from
g
eneral to
s
pecific direction
on
industry
We changed the nature of our direction
given to industry from
general to specific.
When consulting on the specific requirement and specific direction
given to Pay.UK, we also published a draft general direction to industry.
We were not formally consulting
on it at that
time but wanted to gather
views on the package of instruments as a whole. We received a lot of
feedback asking that
we clarify the scope of the direction.
The change to the nature of the direction more clearly defines the
PSPs
in scope of the reimbursement policy. It provides a clear set
of
criteria that can be practically applied to determine whether a
PSP
is in scope. This reduces confusion around the scope and
obligations of
payment initiation service providers (PISPs),
EMIs
, and other non-bank PSP arrangements.
Indirect access
providers (IAPs)
are
not required
to
pass on notice
of
obligations to
indirect PSPs
We have removed the obligation on IAPs to
pass on the information
about indirect PSPs’ obligations under this policy.
We want to
take responsibility for making sure that directed PSPs
are
aware of and clearly understand our policy. We will therefore
undertake industry engagement to make directed PSPs aware of
their obligations by the start date.
IAPs must
provide us
with
details of
indirect
PSPs
We have added an obligation
for all IAPs to provide us annually
with
a list of indirect PSPs to whom they provide access to
Faster
Payments, starting from 31 March 2024. We have also added
that by
30 April 2024, and monthly thereafter, all IAPs must provide
us
with an update containing any changes to the list.
This change strikes
a balance between ensuring that the list of PSPs
in scope of the policy is as up
to date as possible, while maintaining
a
proportionate reporting obligation. IAPs will only need to compile a
full list once a year, notifying us only if they start or stop providing
access to an
indirect PSP in the meantime.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
15
We will share this list with Pay.UK so it understands who could be in
scope of
the reimbursement policy. The information in the list could
also be used by PSPs to contact each other, and therefore
discharge
their obligations on informing each other of
the perpetration of APP
scams.
It will also prevent sending PSPs taking up resources by
c
hasing receiving PSPs who have left the market for reimbursement.
We have also included
a provision setting out that we may, in
guidance, specify
the format and content of the list IAPs must
provide to us.
If we do produce guidance, we will consult on this
in
early 2024, ahead of the 31 March 2024 date for IAP submission.
This would
provide sufficient time for IAPs to prepare to use any
agreed
template.
Removal of
data
reporting
obligation
on
PSPs
We have removed the requirement
for directed PSPs to report data
to Pay.UK.
O
nce the compliance monitoring regime has been finalised, we plan
to consult on a further direction
which will direct in- scope PSPs to
report data under that regime to Pay.UK.
Specific direction given to Pay.UK
Removal of
specified data
points
We have removed the minimum data points we were directing
Pay.UK to collect as part of its compliance monitoring regime.
We still require Pay.UK to submit compliance monitoring
proposals
to us and expect it to include metrics in its proposals.
After
consultation, we will give a further direction in 2024
to
provide specific clarity on the extent of the compliance
monitoring
regime, including the data-reporting requirement.
We have made this change to give more room for Pay.UK
to
create a holistic compliance monitoring regime.
Removal of
responsibility
on
the PSR to direct
Pay.UK on the
framework
if
proposals are
not brought
forward
We have removed wording to the effect that the PSR would direct
Pay.UK on a compliance monitoring framework should
it not bring
forward proposals.
We have
a range of regulatory tools at our disposal should Pay.UK
fail
to comply with its obligations by the deadline.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
16
All instruments
Excluding
credit
unions,
municipal banks
and national
savings banks
We are excluding credit unions, municipal banks and national
savings
banks from the scope of the reimbursement policy.
These
entities offer savings and loan accounts, from which payment
can generally only be made to nominated accounts, making them
much less susceptible to APP scams than other PSP types. Our
recent
data publication
4
shows only three credit unions received a total of 41
report
ed APP scams in 2022, with a combined value of approximately
£17,000. We do not consider
the burden of complying with our
requirements is
proportionate to this small number of APP scams.
These
institutions also provide an important financial inclusion role,
which could be impacted
negatively by having to comply with the
requirements. They were excluded from the PSRs 2017 for
similar
reasons
, so excluding them from the reimbursement requirement
aligns with wider legislation.
Any payments sent to or from credit
unions, municipal banks and national savings banks will not be
covered by the reimbursement requirements.
Key date
changes
We have made several changes to the dates by which Pay.UK
must
meet its new obligations. The original dates were intended
as
stretch targets to better understand what was possible. After the
consultations, we have amended these dates to a point we consider
ambitious
, but feasible:
Compliance monitoring proposals submitted: 5 April 2024
.
By
this date, Pay.UK must submit its proposals for its compliance
monitoring regime to us.
Compliance monitoring regime published: 7 June 2024
. By this
date, Pay.UK must publish the final compliance monitoring regime.
Final
Faster Payments reimbursement rules published:
7
June 2024
. By this date, Pay.UK must have finalised and published
its
Faster Payments scheme reimbursement rules in line with our
specific
requirement.
Implementation date of the policy: 7 October 2024.
On this
date
the reimbursement requirement will apply to directed PSPs
and
victims of APP scams must be reimbursed under the policy.
For
more information, see Chapter 4.
4 APP Fraud performance data https://www.psr.org.uk/information-for-consumers/app-fraud-performance-data/
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
17
Definition
changes
We received various comments and suggestions to clarify certain
definitions. We have taken these into account where appropriate
and
amended the legal instruments to reflect them. Below we
have
included changes to definitions where there have been
significant
calls for clarity. For the full list of defined terms,
please
see the interpretation section of the legal instruments in
our
supplementary publication alongside this policy statement.
Account controlled by the consumer
– this definition was added
to
provide more clarity for the scope of the definition of an APP
scam
payment.
APP scam payment
– we have included ‘relevant account’ to part 4
of the definition of ‘APP scam payment’ to provide further clarity
on
the line a payment must cross in order to satisfy the scope of this
definition and fall within the scope of the policy.
Relevant account
– this was previously ‘payment account’.
However,
there was confusion surrounding our definition and
that
of he FCA. The definition remains unchanged, aside from the
exclusion of credit unions, municipal banks and national savings
banks
, and the specification that a relevant account is provided to
‘
service users.’ The inclusion of service users within the definition
of
relevant account provides more clarity for receiving accounts by
distinguishing
a head office collection account from that held by a
service user.
Service
user – has been included and defined as a person who uses
a service provided by a payment system and is not a
participant of
that payme
nt system. This definition was included to distinguish
an
‘end user’ of Faster Payments from participants.
Member of Faster Payments
– has been included and
defined
as directly connected settling and directly connected
non
-settling participants.
This
definition provides more clarity around the extent of the
direct
participants in scope of the policy, and by extension the
indirect participants
.
Miscellaneous
drafting changes
for
clarity
We received various drafting comments and
suggestions.
These
did not cause us to make a change in policy from our
June
policy statement, so we have not outlined them in detail here.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
18
Legal instruments in detail
Specific Requirement 1 on Pay.UK
3.19 We are requiring Pay.UK to create the reimbursement rules. These will be a schedule of
the Faster Payment rules created pursuant to our section 55 specific requirement. Pay.UK
will include these in the Faster Payments scheme rules and will maintain and evolve these
rules over time – for example, as data and technology improve. These rules must apply to
all members of Faster Payments that provide relevant accounts.
3.20 The reimbursement rules must be finalised by Pay.UK no later than 7 June 2024, though
they will not take effect until the start date of 7 October 2024. We published a draft copy
of these rules alongside our consultation on the specific direction to Faster Payments
participants in September 2023.
5
3.21 We require that the following are included in the reimbursement rules:
• Reimbursement requirement: Sending PSPs must reimburse APP scam victims,
except where the consumer standard of caution exception or time limit on claims applies.
• Notifying the receiving PSP: When a sending PSP receives a report of an APP
scam case, it must notify the receiving PSP within a specified period, to maximise
the likelihood of retrieving stolen funds. Pay.UK will determine this period and must
keep it under review.
• Sharing the cost of reimbursement: If claimed by the sending PSP, a receiving
PSP must send 50% of the cost of a reimbursement claim to the sending PSP,
within a deadline to be set by Pay.UK. Subject to the claim excess and maximum
level of reimbursement, 50% of any retrieved funds that are stolen in an APP scam
but then recovered must be returned to the sending PSP by the receiving PSP.
• Claim excess: The sending PSP can subtract a sum up to the maximum level of the
claim excess from the amount reimbursed to the victim. The claim excess does not
apply when the consumer is vulnerable, and the vulnerability had a material impact
on the consumer’s ability to protect themselves from the scam. The sending PSP
will assess this on a case-by-case basis.
• Maximum level of reimbursement: The sending PSP is not obliged to reimburse
above the maximum level of reimbursement for a single APP scam case. The maximum
level of reimbursement is set by the PSR, which we expand on in Chapter 7.
• Time limit to claim: The sending PSP is not obliged to reimburse any APP scam
claim where the customer submits the claim more than 13 months after making
the last payment in the case. Pay.UK will keep the 13-month period under review.
3.22 We provide more information on how these policies will operate in practice in Chapter 5
of policy statement PS23/3: Fighting authorised push payment fraud – a new
reimbursement requirement.
5 PSR CP23/10, Specific Direction on FPS participants – implementing the reimbursement requirement
(September 2023): https://www.psr.org.uk/publications/consultations/cp23-10-specific-direction-on-fps-
participants-implementing-the-reimbursement-requirement/
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
19
Specific Direction 20 to industry
3.23 As Pay.UK’s scheme rules only apply to direct participants, we are overlaying the
reimbursement rules with a specific direction to all in-scope PSPs. In-scope PSPs
are those which:
• participate in Faster Payments
• provide a relevant account in the UK to their service users which can send or
receive Faster Payments.
3.24 The above excludes credit unions, municipal banks and national savings banks
(see Table 3 above).
3.25 The specific direction contains the following key features:
• Reimbursement requirement: This is the core of our APP scam reimbursement
policy. The obligation for reimbursable APP scam payments to be reimbursed by the
sending PSP to the victim in full, subject to the additional provisions and exceptions
set out in our specific requirement on Pay.UK.
• Scope of the reimbursement requirement: The reimbursement requirement applies
to all reimbursable APP scam payments made on or after the start date of this policy
(7 October 2024).
• Obligation on in-scope PSPs to comply with the reimbursement rules:
All in-scope PSPs must comply with the reimbursement rules that Pay.UK creates
under our specific requirement.
• Indirect access providers to provide information about their indirect PSP
customers: All IAPs must send us a list of indirect PSPs to whom they supply
Faster Payments, annually, from 31 March 2024. By 30 April 2024, and monthly
thereafter, they must update us with any changes to the list. For the avoidance
of doubt, if there are no changes to the list in a calendar month, the IAP does not
need to provide a report.
Access to payments section 81 vs section 54 Specific Direction 20 to industry
We currently collect similar data on indirect PSPs under our access to payments
systems work. This dataset is broader and captures more information than will be
collected under the specific direction. More PSPs will need to report to us under
the specific direction. PSPs already reporting to us under access to payments
systems information requests can combine the report with the obligation set out
under this specific direction.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
20
Specific Direction 19 to Pay.UK
3.26 To ensure the effectiveness of the reimbursement policy, we are directing Pay.UK
to create and implement a compliance monitoring regime for the reimbursement
rules across all directed PSPs (including indirect participants).
3.27 Pay.UK is best positioned to design the most effective and efficient monitoring
mechanism, in conjunction with industry. We would expect an effective compliance
monitoring system to measure whether in-scope PSPs are consistently complying
with the reimbursement rules, identify non-compliance, and ensure that where there
are compliance issues, Pay.UK takes steps to address these (in line with its compliance
management procedures), where it has the powers to do so.
3.28 Using our powers under section 54 of FSBRA, we are giving a specific direction to Pay.UK to:
• develop and implement arrangements to monitor compliance by all directed PSPs
with the reimbursement rules
• monitor the nature, extent and effectiveness of directed PSPs’ compliance with
the reimbursement rules
• take steps to improve directed PSPs’ compliance, where it has the power to do so
• gather data and information from directed PSPs to monitor compliance
• report to us on the nature, extent and effectiveness of directed PSPs’ compliance
with the reimbursement rules, supported by data gathered from PSPs.
3.29 The specific direction obliges Pay.UK to submit proposals to us for an effective
compliance monitoring regime. As part of these proposals, Pay.UK must outline:
• the data it will collect and review from PSPs
• how it will collect this data, including whether it will use a template or an
automated process
• how frequently it will collect data
• how it proposes to analyse the data it collects
• how this data will be used by it to monitor and assess PSP compliance with
the reimbursement rules
• how it will share this data with us.
3.30 Pay.UK must give directed PSPs reasonable opportunities to make representations to it
about its compliance monitoring proposals. Pay.UK must consider these representations,
and take them into account as appropriate, ahead of submitting them to us.
3.31 Pay.UK must submit its final compliance monitoring proposals for our approval by
5 April 2024. It must also formally publish its approved compliance monitoring regime
by 7 June 2024. The compliance monitoring regime must then come into force
alongside the reimbursement requirement on 7 October 2024.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
21
4 Start date and
implementation
T
he start date for the reimbursement requirement is 7 October 2024.
This means that any reimbursable
Faster Payments scam payments that take place on
or
after 7 October 2024 will be covered by the reimbursement requirement. Where the
claim
is made up of a series of payments, any payment made prior to the start date for
the
new reimbursement requirement are not covered by it.
The start date does not prevent PSPs from voluntarily reimbursing victims of APP fraud
sooner
, including providing reimbursement under the contingent reimbursement model
(
CRM) Code. We expect the CRM Code requirements to stay in place until the start date.
Background
4.1 We confirmed in our June policy statement that the new reimbursement requirement
would come into force in 2024. We committed to consult on a specific start date later
in the year and set out our view that an appropriate start date would strike the balance
between bringing in protections for consumers as soon as possible, while giving industry
sufficient time to prepare. We also set out our expectation that industry should start
work to implement the new reimbursement requirement as soon as possible.
4.2 The start date for the reimbursement requirement does not prevent PSPs from
voluntarily reimbursing victims of APP scams sooner, including under the CRM Code.
Our consultation proposals
4.3 In July 2023 we consulted on an implementation date of 2 April 2024. We invited views
on the time and resources the industry needed to reach operational readiness, to help
us decide on a practical, but ambitious date. While we want the new requirement to be
in place protecting consumers as soon as possible, consultation responses made it clear
that a start date of April 2024 would not give many firms enough time to be ready to
prepare for the reimbursement requirements.
4.4 After considering the feedback to the July consultation we consulted again in
September 2023 on a start date of 7 October 2024.
The feedback we received
4.5 We received 28 responses on our proposed start date of 2 April 2024. While consumer
representatives supported the policy coming into force at the earliest opportunity,
most industry representatives told us that this date was not operationally practical.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
22
4.6 Respondents highlighted key dependencies for operational readiness. These were:
• Systems capability: Respondents pointed out that there is no set of services to
which all PSPs – of different systems and types – have access that allows them
to communicate claims, manage cases, and agree settlement and liability.
• Operational timescales: PSPs told us they would need time to train staff,
build or integrate IT systems and change the way they handle APP scams.
• Reimbursement rules: PSPs said they would need sufficient time to review
these before implementation.
• Policy finalisation: Respondents representing PSPs stated that industry would
find it difficult to prepare operationally and design end-to-end processes or develop
systems until the policy package had been finalised.
4.7 PSPs estimated that they needed a further 6-12 months from the publication of our
final policy. Estimates varied based on the size of the PSP, and whether it was already
a signatory of the CRM Code or not.
4.8 In light of this feedback, we consulted on a revised start date of 7 October 2024.
We received a total of 20 responses. The majority of industry representatives
welcomed the change, but indicated that this date might still be challenging.
4.9 Feedback from consumer groups was varied. Some respondents raised concerns
that a start date of October 2024 would leave victims of APP scams without additional
protections for longer. One consumer representative considered the later implementation
date a setback for consumers, but recognised that there were dependencies which
support the 7 October 2024 date.
4.10 Some PSPs highlighted that an October 2024 start date coincides with the deadline
for Group 2 PSPs to implement Confirmation of Payee (CoP).
Our view
4.11 We are setting a start date of 7 October 2024. We think this achieves our aim of
providing additional protections for APP scam victims as soon as possible, while setting
an ambitious but feasible date for industry to implement the reimbursement requirement.
4.12 We recognise concerns raised by consumer groups that this date leaves consumers without
further protection for longer than if we had chosen an earlier date. But implementing the
policy too soon may lead to other negative outcomes for consumers, such as market exits
by PSPs, inconsistent application of the requirements or PSPs restricting consumers’
access to accounts.
4.13 We recognise that the deadline for Group 2 PSPs to introduce CoP is 31 October 2024
6
.
It might be challenging for some PSPs to implement both CoP and the reimbursement
requirement at the same time. However, the expansion of CoP checks is a long-standing
requirement announced in October 2022, and we will continue to engage with and support
Group 2 PSPs.
6 PSR PS223, Extending Confirmation of Payee coverage ( October 2022): PS22/3 Extending Confirmation of Payee
coverage | Payment Systems Regulator (psr.org.uk)
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
23
4.14 We consider it is achievable for industry to implement the reimbursement requirement
by 7 October 2024. We set out our thinking on dependencies in further detail below.
Systems capability
4.15 We recognise that the development of certain systems will help industry implement
and comply with elements of the reimbursement requirement.
4.16 Throughout this policy statement we refer to the systems that help implement
the reimbursement requirement as reimbursement management systems (RMSs).
For example, an RMS could help PSPs communicate securely with one another,
manage their own APP scam cases, settle liability between sending and receiving
PSPs and/or report data to Pay.UK.
4.17 We recognise that comprehensive RMSs may not be available, or required, for all PSPs
to adopt by the implementation date of 7 October 2024. Where industry does not consider
it can deliver comprehensive RMSs by the start date, we expect industry to collaborate to
develop the minimum RMSs that it considers necessary to implement the reimbursement
requirement. Our expectation is that industry should come together to ensure that it has
these capabilities. Our role is to facilitate these discussions and ensure there is a focus
on compliance by the start date.
4.18 In the medium term, we anticipate that industry may develop more comprehensive RMSs,
and even a reimbursement management platform (RMP) which integrates multiple RMSs
into a single platform. It will be largely for PSPs and Pay.UK to decide the most efficient
means of meeting the reimbursement requirement.
Development of reimbursement rules
4.19 Respondents to both consultations emphasised that they could not plan or begin to
operationalise the reimbursement requirement until Pay.UK has published the final
reimbursement rules.
4.20 We are directing Pay.UK to publish the final reimbursement rules by 7 June 2024.
This requirement is set out in our section 55 specific requirement on Pay.UK. We expect
the operational guidance to be published at the same time as the reimbursement rules.
4.21 However, Pay.UK acknowledges industry’s requests for clarity on the reimbursement rules
at the earliest opportunity. In addition to the draft rules already published alongside our
consultation in September (CP23/10)
7
Pay.UK intends to make a near-final version of the
draft rules available as early as possible. This approach will give industry sufficient clarity
to prepare, while allowing Pay.UK to make minor changes to the rules to accommodate
the development of the operational guidance and compliance monitoring proposals.
4.22 We recognise that PSPs will require the reimbursement rules and operational guidance
in order to finalise their preparations, however, industry can begin to operationalise the
reimbursement requirement before this. Industry should already be preparing to
implement the reimbursement requirement.
7 PSR CP23/10, Specific Direction on FPS participants – implementing the reimbursement requirement
(September 2023):
https://www.psr.org.uk/publications/consultations/cp23-10-specific-direction-on-fps-
participants-implementing-the-reimbursement-requirement/
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
24
Finalisation of the policy
4.23 The legal instruments we are publishing oblige industry to implement the
reimbursement requirement by 7 October 2024. Meanwhile, this policy statement
sets our final policy on the level of excess and maximum reimbursement, and the
consumer standard of caution exception.
4.24 Respondents to the consultation informed us that PSPs would need between
six and 12 months from when we finalised our policy to implement the
reimbursement requirement. Industry has about ten months to implement
the policy from the date we are publishing our final policy positions.
Implementation plans
4.25 Many respondents to the consultations emphasised the need for Pay.UK to set out
its implementation delivery plans. We are working with Pay.UK to ensure industry
can see these plans in good time and that these plans are being discussed in the
industry workshops Pay.UK are holding.
Next steps
4.26 Now that we have published the legal instruments, set the start date and finalised the
outstanding policy issues, we expect industry’s preparations for the reimbursement
requirement to gather momentum.
4.27 We will continue to monitor Pay.UK’s and PSPs’ progress towards implementation
throughout 2024.
Pay.UK readiness
4.28 Pay.UK’s obligations are set out in the legal instruments we have now published.
We will hold Pay.UK to account for meeting these obligations and use regulatory
tools and powers, where necessary, to ensure compliance.
4.29 As the payment system operator (PSO) of Faster Payments, Pay.UK will also play
a role in implementing the reimbursement requirement beyond its obligations in the
legal instruments. This could include facilitating PSPs’ implementation and compliance,
for example, by providing central mechanisms for communication, information sharing
and/or settlement. Ongoing engagement between Pay.UK and Faster Payments
participants will be vital here.
4.30 We recognise that PSPs will not be able to finalise their preparations for implementation
until Pay.UK has published the final Faster Payments scheme reimbursement rules,
the accompanying operational guidance and the compliance monitoring regime.
4.31 We have structured Pay.UK’s formal obligations in phases (see Chapter 3). We are
working with Pay.UK to agree when it will share near-final versions of rules, guidance
and compliance monitoring proposals with industry. We expect Pay.UK to do this as
soon as possible. This approach will also allow us to monitor Pay.UK’s progress
towards meeting its obligations.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
25
4.32 We expect Pay.UK to:
• submit the compliance monitoring proposals to us for approval by 5 April 2024
• publish the approved compliance monitoring regime by 7 June 2024
• publish the final version of the reimbursement rules by 7 June 2024.
4.33 We also expect Pay.UK to develop a robust implementation delivery plan, including
contingency arrangements to ensure it is able to meet its obligations by the start date.
We expect Pay.UK to share its implementation delivery plan with industry in good time.
We will monitor Pay.UK’s progress against this plan.
PSP readiness
4.34 APP scams are not new, and many PSPs have systems in place to receive and handle
APP scam claims from their customers. But we appreciate PSPs may have to alter
existing systems or processes. For example, PSPs may need to retrain staff in
identifying vulnerability.
4.35 Pay.UK has set up industry working groups and is designing a wider engagement
strategy to support industry implementation. We will remain in close contact with
Pay.UK to understand its assessment of industry readiness and any challenges faced
by PSPs. Where possible, we expect Pay.UK to support PSPs in their preparations.
4.36 We will continue to engage directly with PSPs and trade associations to understand
any relevant challenges, and we will set up a process to address their implementation
and policy questions in a timely manner. We recognise that PSPs may need further
clarification of the policy, and we will set up a process for them to contact us with
questions. We provide more information about this process in Chapter 8.
4.37 We recognise that some firms will be concerned about the impact of the
reimbursement requirement. However, firms can limit their exposure to liability
under the policy by improving their fraud detection and prevention capabilities
before the start date. PSPs should also be collaborating with Pay.UK to deliver
systems which will support implementation.
4.38 In preparation for the start date, we expect PSPs to have firm plans for how they
will communicate this new consumer protection to their customers, in line with the
FCA’s Consumer Duty. We will expect PSPs to encourage their customers to report
fraud (we note that the excess amount may dissuade some from reporting – see Chapter 6
for more detail), and to make it an easy and accessible process for consumers to do this.
4.39 Our reimbursement policy aligns with the work done by the FCA and the wider
ecosystem to prevent APP scams. The FCA recently published two reviews, covering
the proceeds of fraud detecting and preventing money mules
8
and anti-fraud controls
and complaint handling.
9
8 FCA, Proceeds of Fraud – Detecting and preventing money mules (October 2023) Proceeds of fraud –
Detecting and preventing money mules | FCA
9 FCA, Anti-fraud controls and complaint handling in firms (November 2023) Anti-fraud controls and complaint
handling in firms (with a focus on APP Fraud) | FCA
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
26
5 Consumer standard of
caution exception
In August
, we consulted on proposals outlining our draft policy approach, CP23/7: App Fraud
–
The consumer standard of caution. Following consultation, we now confirm that our final
approach to the consumer standard of caution
exception will consist of:
• The requirement to have regard to interventions: Consumers should have regard
to interventions made by their sending PSP or by a competent national authority,
such as the police. Those interventions must clearly communicate the PSP’s or police
assessment of the probability that an intended payment is an APP scam payment.
• The prompt reporting requirement: Consumers should, upon learning or suspecting
that they have fallen victim to an APP scam, report the matter promptly to their PSP
and,
in any event, not more than 13 months after the last relevant payment was authorised.
• The information sharing requirement
: Consumers should respond to any reasonable
and proportionate requests for information made by their PSP to help them assess a
reimbursement claim. This includes requests under our ‘stop the clock’ rules.
• The police reporting requirement
: Consumers should, after making a reimbursement
claim, and upon request by their PSP, consent to the PSP reporting to the police
on the
consumer’s behalf, or request the consumer directly report the details of an APP scam
to a competent national authority.
Where a consumer has, with gross negligence, not met one or more of those standards,
their
PSP would not be required to reimburse a consumer who had fallen victim to an
APP
scam. If a consumer is classed as vulnerable, the consumer standard of caution
exception
can’t be used by the PSP to deny reimbursement. We interpret ‘gross
negligence’ to be a higher
standard than the standard of negligence under common law.
The consumer needs to
have shown a significant degree of carelessness. Alongside this
document, we are separately
publishing our Consumer standard of caution exception
notice
and associated Consumer standard of caution exception guidance.
Th
ese documents should be read together.
Background
5.1 Within our June policy statement, we introduced a general requirement: that sending
PSPs must reimburse their consumers who have fallen victim to an APP scam. We did
state there would be an exception to reimbursement – the consumer standard of caution –
and we would publish further guidance on this.
5.2 The Consumer standard of caution exception is the four items listed in the
Consumer standard of caution exception notice published alongside this document.
https://www.psr.org.uk/app-scams-reimbursement-sr1-payuk/
. The exception applies
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
27
where a consumer who is not vulnerable has, with gross negligence, not met one or more
of those standards.
5.3 In June and July 2023, we held a series of engagement sessions with industry trade
bodies, PSPs, consumer groups and other interested parties on our approach to producing
guidance on the consumer standard of caution exception. Those sessions aimed to gather
provisional views from stakeholders, to test our preliminary reasoning, and to help inform
the options we were considering in the lead up to our consultation. We committed to
producing relevant guidance and this, including the application of the exception, has
been published in the Consumer standard of caution exception guidance alongside
this policy statement.
Our consultation proposals
5.4 In August, we published our consultation document outlining our draft policy approach.
We set out our proposals that consumers would be expected to meet an express standard
of caution when executing authorised push payments. We proposed that the standard
should consist of three elements:
• a requirement to have regard to interventions
• a prompt notification requirement
• an information-sharing requirement.
5.5 We proposed that where a consumer has, with gross negligence, not met one or more of
those standards, their PSP would not be required to reimburse them (that is, the consumer
standard of caution exception). We included both a draft policy notice in Annex 1 of that
consultation paper, and draft guidance in Annex 2.
The feedback we received
5.6 We received 36 written responses to our consultation, the majority of which came
from PSPs and their representative bodies. A smaller number of responses came
from consumer and interest groups, solicitors and private individuals.
5.7 Overall respondents’ views differed, with PSPs and their representative bodies
largely – though not entirely – arguing for stricter controls on a consumer’s eligibility for
reimbursement, while consumer groups argued the opposite. There was broad agreement
both for our generalised approach of specifying a standard of care to which consumers
should be subject, and of prohibiting PSPs from adding to or subtracting from that standard
through their contractual relations with consumers. There was also broad support for our
proposal that PSPs should be required to demonstrate when a consumer, with gross
negligence, had not met one or more of the standards of care we specify.
5.8 There was broad support for expecting consumers to promptly notify their PSP when
they suspected they had fallen victim to an APP scam, and to respond to reasonable
and proportionate requests for information from their PSP in assessing a reimbursement
claim. However, PSPs on the whole argued that these expectations should not sit within
a ‘standard of caution’, as they felt that the word ‘caution’ implied things a consumer
could be expected to do before issuing a payment instruction. We consider that the
word ‘caution’ can reasonably be taken to imply ‘all action taken by a consumer up until
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
28
the point at which their claim for reimbursement is determined.’ Our view is that the
consumer standard of caution exception therefore takes into account all actions both
pre- and post-transaction up to the point at which the consumer is reimbursed.
5.9 There was widespread, though not unanimous, concern among PSPs that the test of
‘gross negligence’ set too high a bar for PSPs to demonstrate and was too imprecise for
them to apply in practice. Our June policy statement sets out our rationale for arriving at
‘gross negligence’ as the appropriate level for the consumer standard of caution exception.
We made clear in that document that we see no credible alternative to gross negligence
that would likely meet our objectives. We consider that this will drive appropriate
incentives on PSPs to prevent APP scams and to protect consumers. Gross negligence
means that reimbursement is not always automatic and provides an appropriate incentive
for customers to take care. We have set out further guidance to support PSPs in their
application of the consumer standard of caution exception.
5.10 Both PSPs and consumer groups expressed objections to the proposal that consumers
should have regard to warnings. PSPs argued that our proposals did not place strong
enough obligations upon consumers, while consumer groups argued that warnings were
ineffective and should not be relied upon at all, instead preferring more direct forms of
intervention in the consumer’s payment journey. We recognise these views, however,
we consider interventions play an important role in a PSP’s efforts to prevent APP scams
and to alert the consumer to a potential APP scam risk. We want the industry to move
away from relying on the provision of static warnings to encourage consumer caution.
We have set out further in the Consumer standard of caution exception guidance and
below what we mean by an intervention.
Our view
5.11 We received broad support for our approach of specifying an exhaustive standard of care
that consumers can be expected to meet.
5.12 We have maintained our position that where, through gross negligence, a consumer
who has not been classed as vulnerable fails to meet one or more of the standards of
care we specify, they are no longer entitled to reimbursement under the reimbursement
requirement. In other words, the consumer standard of caution exception applies.
5.13 The standard of care includes the following:
• A requirement to have regard to interventions: Consumers should have regard to
specific, directed interventions made either by their sending PSP, or by a competent
national authority. That intervention must offer a clear assessment of the probability
that an intended payment is an APP scam payment.
• A prompt notification requirement: Consumers should, upon learning or
suspecting that they have fallen victim to an APP scam, report the matter promptly
to their PSP and, in any event, not more than 13 months after the last relevant
payment was authorised.
• The information sharing requirement: Consumers should respond to any reasonable
and proportionate requests for information made by their PSP to help them assess a
reimbursement claim. This includes requests under our ‘stop the clock’ rules.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
29
• The police reporting requirement: Consumers should, after making a
reimbursement claim, and upon request by their PSP, consent to the PSP reporting
to the police on the consumer’s behalf or request the consumer report directly the
details of an APP scam to a competent national authority.
5.14 Only in circumstances where a consumer has, as a result of gross negligence, not met
one of the four requirements listed above will a PSP be able to refuse a reimbursement
request. The standard of caution exception does not apply to customers identified as
vulnerable. We’ve explained these requirements in further detail below.
5.15 Simply failing to meet one of these requirements is not, of itself, sufficient reason
for a PSP to refuse reimbursement. The PSP needs to look at the reason why the
consumer did not meet the requirement, in order to determine whether the
consumer was grossly negligent.
5.16 We interpret ‘gross negligence’ to be a higher standard than the standard of
negligence under common law. The consumer needs to have shown a significant
degree of carelessness. The onus will fall on the PSP to prove a consumer has
behaved with gross negligence.
The requirement to have regard to interventions
5.17 There was significant disagreement with both the substance and the wording of
our proposal that consumers must have regard to tailored, specific warnings raised
by their PSP before an authorised push payment is executed, where those warnings
make clear that the intended recipient is likely to be a fraudster. Some PSPs and industry
representatives suggested that consumers should have to obey warnings given by their
PSP. Others suggested that the warning requirement should not be placed on consumers
as this provides an easy way for the PSP to refuse reimbursement. In response we have
adjusted the wording of this requirement to enable PSPs to consider whether or not the
consumer had regard to an intervention or failed to do so with gross negligence.
5.18 The word ‘intervention’ makes clear that in addition to making consumers aware of the
risk of proceeding with a payment, PSPs can be expected to pause and potentially reject a
payment instruction where appropriate. Where a PSP personally engages with a consumer
to help assess the trustworthiness of a prospective payment, this does not mean the PSP
is able to transfer responsibility for assessing transaction risk entirely onto the consumer.
5.19 Our updated wording also provides a choice of evidentiary burdens for PSPs to meet when
making interventions, noting that consumers will understandably place less weight on a
weak intervention than a strong one.
5.20 We agree with those respondents who said that PSPs ought to be able, when assessing
whether a consumer was grossly negligent, to take into account any evidence that, before
executing an authorised push payment, a consumer was provided with warnings by the
police or another competent national authority. We have, however, concluded that any
interventions offered by the police would need to be tailored and specific to an individual
consumer and the transaction they are proposing to undertake.
5.21 We acknowledge the concerns of those respondents who argued that the words
‘likely to be a fraudster’ created evidentiary challenges and legal risks for PSPs who
sought to produce a specific, tailored warning for a consumer about to authorise a push
payment. We are aware of some instances where PSPs already go significantly further
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
30
than this requirement by clearly signalling that a prospective payee is committing a scam.
We have made clear that PSPs may characterise their interventions as relating to a
prospective transaction, rather than requiring them to make a positive evaluation of
the prospective recipient to a transaction.
The prompt notification requirement
5.22 We received broad support for the proposal that a consumer should promptly notify
their PSP once they believe, or suspect, they have fallen victim to an APP scam.
We therefore propose to maintain our existing wording for this requirement.
5.23 We expect consumers to inform their PSPs promptly of a suspected APP scam.
What constitutes a prompt notification will depend upon the circumstances of each
individual case, including the point at which the consumer became aware that they were
a victim of an APP scam. Where PSPs suspect that a consumer has not reported promptly,
they should take steps to understand the circumstances, including whether there were
other reasons for the delay.
5.24 We do not agree with those respondents who argued that, in determining whether a
consumer has reported ‘promptly’, no allowance should be made for any time taken
by the consumer to first report their suspicions to the police. We agree that consumers
should be encouraged to report the details of an APP scam to their PSP promptly to
support repatriation efforts, however, any delays to this due to the consumer reporting
directly to the police should not be considered evidence of grossly negligent behaviour.
The information sharing requirement
5.25 We received broad support for our proposal that consumers should respond to reasonable
and proportionate requests for information made by their PSP.
5.26 We do not agree with those respondents who argued that the disclosure obligations
placed on consumers should be strict, in the sense that any request made by a PSP,
however excessive or vague, must be met with full and frank disclosure. We acknowledge
the concerns raised by those respondents that overly burdensome disclosure obligations
on consumers may deter them from making or continuing with claims.
5.27 We acknowledge the argument raised by some respondents that, in the absence of strict
disclosure obligations placed upon consumers, meeting the evidential burden necessary to
identify whether that consumer has acted with gross negligence becomes difficult. However,
information provided directly by a consumer in response to a disclosure request will not be
the only information in the possession of, or available to, a PSP. There are other sources of
information including information available from the receiving PSP on the recipient account.
5.28 We acknowledge the concerns raised by some respondents that where a consumer chooses
to rely upon a claims management company (CMC) as an intermediary for the submission of
reimbursement claims, this will make it more difficult for PSPs to issue information requests
directly to the consumer in question. Our view is that the disclosure expectations of
consumers remain the same, regardless of whether they choose to avail themselves
of a CMC. If the consumer, with gross negligence, fails to respond to reasonable and
proportionate information requests made by their PSP, they are ineligible for reimbursement.
What constitutes a prompt notification will depend upon the circumstances of each individual
case, including the point at which the consumer became aware that they were a victim of an
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
31
APP scam. Where PSPs suspect that a consumer has not reported promptly, they should take
steps to understand the circumstances, including whether there were other reasons for the
delay. We have clarified this point in the guidance accompanying our formal policy instrument
on the consumer standard of caution exception.
The police reporting requirement
5.29 Respondents’ views were divided on whether a consumer ought to be required to
report an APP scam to the police as a condition of seeking reimbursement under
the policy from their PSP.
5.30 We acknowledge feedback that a police reporting requirement would serve to deter
first-party fraud. But we also understand the concerns raised that a requirement to report
to the police before the APP scam is reported to the PSP may impact the chances of the
PSP successfully repatriating misappropriated funds.
5.31 Police reporting is an essential tool in tackling APP fraud, it enables wider action to bring
perpetrators to justice and therefore acts as an effective deterrent to committing fraud.
It also unlocks the further provision of support for victims. We are therefore keen to
encourage systematic reporting of APP scam fraud cases to the police.
5.32 We have chosen to adopt a middle ground of permitting PSPs to request that a consumer
agrees to have the details of their case shared with the police after they have raised a
reimbursement request, or at the PSP’s request agree to report to the police directly.
Only in circumstances where a consumer who has not been classed as vulnerable, with
gross negligence, refuses either option for notifying the police will a PSP be able to refuse
a reimbursement claim. We recognise there may be situations where the consumer may
be reluctant to give their PSP consent to report to the police, in such circumstances we
would expect PSPs to support their consumer in making the report. A refusal itself does
not amount to gross negligence. In making a determination about gross negligence, PSPs
should have regard to the PSR’s guidance on the consumer standard of caution exception.
Next steps
5.33 We will monitor and gather data on the effectiveness and impact of the policy as part
of our evaluation of the policy. See Chapter 8 for more information about our approach
to evaluation.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
32
6 Excess
In this chapter we set out our updated position on the excess. In our June policy
statement, we
said sending PSPs would have the option to apply a claim excess
under
the new reimbursement requirement. We said that the excess would not
apply
to vulnerable customers.
Following industry consultation, we now confirm that:
• we will allow sending PSPs to levy an excess up to a maximum of £100 per claim
• the sending PSP can decide whether to apply a full excess (£100), a lower excess
or no excess to a reimbursable APP scam claim
• any future changes to this value will be subject to PSR review.
Background
6.1 When we published our reimbursement policy, we said that sending PSPs have the option
to apply a claim excess to manage the risk of moral hazard. This is the risk that customers
are likely to exercise less caution where they are confident that they will be reimbursed.
We consider that an excess set at the appropriate level will encourage consumers to
exercise caution when making a payment. We also confirmed that the excess would
not apply to vulnerable consumers.
6.2 We recognise that the decision on the value of a claim excess is finely balanced. We have
engaged extensively with industry and consumer groups to gather available evidence and
feedback on our proposals.
Our consultation proposals
6.3 In August, we consulted on the value of the excess. Table 4 below summarises the
proposals we set out in
CP23/6: APP fraud – Excess and maximum reimbursement level
for Faster Payments and CHAPS.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
33
Table 4: PSR’s proposals for the excess
Application
of
the policy
PSPs would be free to levy
the full excess, a partial excess or no
excess
at all.
Factors to
consider
The relevant factors
for the PSR to consider when deciding the
level
of excess are:
• Incentivising customer caution and influencing customer
decision-making.
• The level of operational demand for PSPs (either in applying an
excess or in excluding low-value claims).
• Ease of understanding for consumers.
• Minimising financial loss for consumers.
The option
s
presented
We suggested
three possible options for how the excess could be
structured. The
se were:
• Fixed excess: Any reimbursement claims under this amount would
not receive any funds, and PSPs could deduct this amount from any
valid reimbursement claims above it.
• Percentage excess: The excess would be a percentage of the
reimbursement claim amount. All valid claims would receive some
funds, but PSPs could deduct the excess percentage amount from
the reimbursement.
• Percentage excess with a cap: The excess would work as
a percentage excess up to a certain financial limit. The excess
could be no more than this limit, regardless of the value of the
reimbursement claim.
We asked respondents to
suggest what the value should be for
the
excess structure that they recommend.
We also asked respondents to consider if:
• they had any data or evidence to support decisions on how the
excess should be calibrated
• the excess should remain static or change with inflation or some
other metric
• there were factors respondents thought we should consider as part
of the review of the excess level and structure.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
34
Feedback we received
6.4 We received responses from a range of stakeholders, including PSPs, industry and trade
groups, consumer groups and other interested parties.
6.5 Most respondents disagreed with our proposal that PSPs should have the option to apply
a partial excess, as well as to not levy an excess at all. The arguments against this were
that the excess would likely become a point of competition, which would lead to the
excess being competed out entirely and therefore have a limited impact on moral hazard.
Some respondents also argued that the excess would need to be consistently applied
across PSPs to aid consumer understanding. In contrast to this, one respondent argued
that the regulator should not force PSPs to provide less protection to their customers than
they currently do under the CRM Code. Another respondent said that firms should have
the discretion to set their own parameters for protecting their customers beyond the
minimum standards set for industry.
6.6 Respondents generally agreed with our list of proposed factors to consider in the
formulation of an excess. 18 respondents put forward a set of alternative factors
that we should consider in the formulation of an excess, including:
• impact on competition
• increasing fraud risk-awareness for consumers
• financial impact for firms
• ensuring consistent reimbursement outcomes for victims.
6.7 Respondents also unanimously agreed that the excess should not increase automatically,
such as with inflation or another metric, without further PSR review.
6.8 A significant number of respondents expressed a preference for a fixed excess, with
smaller numbers preferring a percentage excess or a combination fixed and percentage
excess. Of those preferring a fixed excess, responses ranged from £5 to £250 with
the most commonly suggested being a £100 fixed excess and a £250 fixed excess.
Consumer groups strongly opposed the introduction of an excess.
Our view
The value of the excess for Faster Payments
6.9 The excess will be set at a maximum value of £100. A maximum claim excess of
£100 is an effective way of encouraging customer caution. A fixed excess, communicated
well, will encourage customers to remain vigilant when making a payment and therefore
mitigate the risk of moral hazard. We agree with respondents’ views that a maximum
claim excess would be easier for customers to understand, given the existing parallels in
the insurance market. Setting the maximum value at £100 would also minimise financial
harm to consumers, while ensuring that caution is maintained in the system.
6.10 We recognise the impact that a £100 maximum excess will have on overall reimbursement
rates. Data from UK Finance indicates that up to 32% of cases would receive no
reimbursement. While by volume this impacts approximately 30% of cases, it represents
less than 1% of the total value of APP fraud cases. In addition, in cases where the loss
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
35
exceeds £100, victims could have the level of reimbursement reduced by up to £100.
10
Overall, the level of reimbursement by value could be around 4% lower with a £100
excess than if there were no excess. We recognise the risk that a fixed maximum claim
excess would focus PSPs’ resources on the detection and prevention of higher-value
fraud, while weakening incentives on PSPs to tackle low-value fraud, which could result
in fraud migrating to below the level of the excess. However, the excess does not entirely
remove the incentive for PSPs to tackle fraud below £100, as vulnerable customers would
be exempt from any excess the sending PSP chooses to levy.
6.11 While we received mixed views on the value of a fixed excess, the arguments for a
£250 excess also applied to a £100 excess. However, comparatively, a £100 excess
would represent less financial harm to consumers and ensure by volume more scam
victims would receive some reimbursement. A claim excess of £250 would exclude
over 50% of cases from receiving any reimbursement. Of the values we presented for
a fixed excess, there were a significant number of respondents advocating for £100.
6.12 We welcome the additional factors suggested by respondents and taken them
into account in coming to a view on the appropriate excess. Our policy will increase
consumers’ awareness of scams, as knowledge of the reimbursement requirement
increases, and as a direct result of PSPs putting out clear messages on how
consumers can protect themselves from scams. Our definition of consumer
includes microbusinesses, smaller charities, and individuals, and we are not proposing
to consider these groups differently in respect to the application of the excess.
6.13 As part of our decision-making, we considered the impact the excess could have on
competition and whether it incentivises caution for both smaller and larger payments.
We recognise that the excess will have a greater impact on smaller payments than
larger payments, but we consider this a reasonable trade-off when measured against
other factors such as minimising financial loss for consumers. While other excess
options would better combat moral hazard for smaller and larger payments, when
considered along with other factors, a £100 fixed excess remains the best option.
6.14 We are committing to reviewing the excess and the impact this has on the reporting of low-
value APP scams through our evaluation of the policy and as we gather data and intelligence.
Application of the policy
6.15 The sending PSP can decide whether to apply the excess at the maximum value (£100),
or a lower excess (at any value up to the maximum) to a reimbursable APP scam claim.
The sending PSP also has the option to not apply an excess at all.
6.16 If a sending PSP chose not to apply an excess, or to apply an excess below the maximum
of £100, it cannot claim the amount not levied from the receiving PSP as part of the
50- 50 liability split between sending and receiving PSPs. All 50-50 liability splits must
be calculated on the assumption that a £100 claim excess has been applied. The table
below sets out an illustrative example.
10 For more detail on these calculations, see: CP23/6: APP fraud: Excess and maximum reimbursement level for
Faster Payments and CHAPS, (August 2023), Annex 1, paragraph 1.4.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
36
Table 5: Illustrative example of impact of levying an excess on a 50-50 liability split
Excess
levied on
£1
,000 scam
Amount
reimbursed
Sending PSP
liability
Receiving PSP
liability
£0
£1,
000
£550
£450
£50
£950
£500
£450
£100
£900
£450
£450
6.17 We are not requiring sending PSPs to levy a claim excess. Consistent with our June
policy statement, the application of an excess remains optional. We agree with the
arguments put forward by some PSPs that we would not want to reduce the level of
protections offered through our policy, below that of the protections they previously
had under the CRM Code or their own PSP’s existing practice.
11
This would go against
the aims of this policy.
6.18 Given that we are permitting, but not mandating PSPs to levy a maximum claim excess
of £100, PSPs must not indicate in their communications to their customers that they
are levying an excess because we require them to do so. Firms should also not seek
to suggest that their overall potential liability cannot be more than the amount we
require them to reimburse.
6.19 As set out in Chapter 4, PSPs need to have regard to their broader regulatory obligations
when implementing the reimbursement policy. For example, in line with the consumer
understanding outcome of the FCA’s Consumer Duty, PSPs should consider how they can
ensure that communications about the excess are clear. In line with their Consumer Duty
obligations (which came into force in July this year) PSPs should consider how they can
ensure communications about the excess are clear and how they can help customers
to make informed decisions. For more information, please refer to Chapter 4.
Impact on reporting
6.20 We recognise that setting a maximum claim excess could impact scam reporting under
£100 and weaken incentives on PSPs to tackle lower-value scams. However, it does not
remove the incentive on PSPs to manage and mitigate risks for low-value scams entirely
as vulnerable customers will be exempt from paying the excess. The excess is also
levied at a claim level. As we know that some claims involve multiple payments, it is
possible that more than one low-value transaction could, in aggregate, exceed the
maximum claim excess and therefore be eligible for reimbursement.
6.21 On balance we consider a maximum claim excess as the most appropriate way to
incentivise consumer caution and manage the risk of moral hazard. We would expect
PSPs to consider the impact of consumer vulnerability in every claim they assess.
11 As this is the case with TSB and its Fraud Refund Guarantee policy: https://www.tsb.co.uk/fraud-prevention-
centre/fraud-refund-guarantee/
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
37
6.22 We recognise that where a sending PSP opts to levy a claim excess, this will have an
impact on how data collected for APP fraud performance data publishing will be reported
by the PSR. A decision has not yet been taken as to whether the application of an excess
will be regarded as partial or full reimbursement. In the first quarter of 2024, we will
consider the impact of levying an excess on the overall volume and value of fraud
sent and reimbursed, as we evolve our future approach to Measure 1 reporting.
Vulnerability
6.23 As we set out in our June policy statement, vulnerable consumers are exempt from any
excess the sending PSP chooses to apply. This is not a blanket exemption: in determining
whether a consumer falls under the vulnerability exemption, PSPs should carry out a
case- by-case assessment to understand how the consumer’s vulnerability led to them
being defrauded. The FCA defines a vulnerable consumer as: ‘Someone who, due to
their personal circumstances, is especially susceptible to harm – particularly when
a firm is not acting with appropriate levels of care.’
12
Firms should understand that
characteristics of vulnerability are likely to be complex and overlapping, and the FCA’s
guidance makes clear that a consumer’s financial resilience is also a factor when assessing
vulnerability. We expect PSPs to broaden their assessment of vulnerability to consider
the financial impact of levying an excess on consumers with low financial resilience,
and exempt consumers from the excess where its application will lead to financial stress.
Firms should ensure that they are meeting the expectations of the FCA’s FG21/1:
Guidance for firms on the fair treatment of vulnerable customers, and the Consumer Duty
when engaging with consumers to assess vulnerability. We recognise the need for
further clarification to ensure consistent understanding and application of the vulnerability
exemption by PSPs. Please refer to Chapter 8 for more details.
Next steps
6.24 The fixed £100 excess will not increase automatically, such as in line with inflation or any
other index, and will be subject to PSR review.
6.25 We will monitor and gather data on the effectiveness and impact of the policy as part of
our evaluation of the policy and we will review whether any adjustments to the excess
are required. See Chapter 8 for more information about our approach to evaluation.
12 FG21/1: guidance for firms on the fair treatment of vulnerable customers, page 3
https://www.fca.org.uk/publication/finalised-guidance/fg21-1.pdf
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
38
7 Maximum reimbursement level
In this chapter we set out our updated position on the maximum reimbursement level.
I
n our June policy statement, we committed to limiting the reimbursement requirement
with a maximum level of reimbursement for APP scams occurring over Faster Payments
.
PSPs are not required to reimburse victims above this limit, although they may choose
to
do so if they wish. Having consulted on the issue, we now confirm that:
• the maximum reimbursement level is £415,000 per claim
• the maximum level of reimbursement will apply to all in-scope consumers.
There are no exemptions for vulnerable consumers
• the maximum level will not increase automatically with inflation or any other metric.
• We will monitor the incidence and impact of high value APP scams over the next
ten months before the start date. We may review the level of £415,000 ahead of
October if there is convincing evidence to do so.
Background
7.1 In September 2022, we consulted on introducing the reimbursement requirement without
any upper limit. While responses were generally supportive of the policy, some PSPs were
concerned at the impact an uncapped liability might have on firms’ prudential controls and
market stability.
7.2 We listened to respondents’ views and committed in our June policy statement to the
principle of introducing a maximum level of reimbursement. While considering the impact
on market stability, we also wanted to align with consumer protections in other payment
systems and establish clear parameters for the scope of the reimbursement requirement.
7.3 In June and July, we held engagement sessions with industry trade bodies, PSPs and
consumer groups. We discussed the appropriate value for the maximum level for the
reimbursement requirement and attempted to establish the most important factors for
consideration. These sessions helped us to gather initial views from stakeholders and
informed the questions on which we subsequently consulted.
Our consultation proposals
7.4 We consulted in August on an appropriate maximum level of reimbursement and
whether it should apply to claims from vulnerable consumers. We published our
proposals in CP23/6: APP fraud – Excess and maximum reimbursement level for
Faster Payments and CHAPS.
13
These are summarised in Table 6 below.
13 CP23/6: APP fraud: Excess and maximum reimbursement level for Faster Payments and CHAPS
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
39
Table 6: Our proposals for maximum level of reimbursement
Parameters
of
the policy
T
he maximum reimbursement level would apply to all consumers,
including those who might be classed as vulnerable
.
Factors to
consider
The relevant factors
for the PSR to consider when deciding what the
level of maximum reimbursement
are:
• The level of PSP liability.
• The ability of the cap to cover the majority of cases.
• Appropriate coverage of all fraud types to incentivise PSP
anti- fraud measures.
The option
presented for
Faster Payments
A maximum level of £415,000.
We also asked respondents if:
• This level should align with the Financial Ombudsman Service’s
award limit or increase in line with other metrics.
• We should consider any other factors as part of the consultation.
• They could provide any data on cases that would not be fully
reimbursed above this maximum reimbursement level.
The feedback we received
7.5 We received 36 responses to the consultation from a range of stakeholders, including
PSPs, industry trade bodies, consumer groups and other interested parties.
7.6 Respondents generally agreed that the maximum level of reimbursement should apply
to all consumers, including those who might be classed as vulnerable. Respondents
suggested that this would ensure consistency, make it easier for consumers to
understand, and reduce the burden on the Financial Ombudsman Service. Respondents
also suggested that fraudsters would target vulnerable consumers even more than they
do currently, if we exempted vulnerable consumers.
7.7 Respondents broadly agreed with the factors we proposed to consider when setting the
maximum level. Industry respondents, in particular, felt that some factors were more
important than others, including the level of liability for PSPs, and the ability to incentivise
anti-fraud measures. Respondents suggested several other factors to consider, including
the impacts on competition, PSP solvency, and payment friction. They added that we
should consider these factors against both the key policy outcomes and the impact of
other elements of the overall policy.
7.8 Respondents generally disagreed with a maximum level of £415,000 for a variety
of reasons, with some arguing it was too low or and others that it was too high.
Smaller PSPs argued that this limit could impact their viability and lead to market exits
as a result. They pointed out that the vast majority of fraud by value would be covered
by a lower limit, such as £30,000 or £85,000. Other PSPs were in favour of the £415,000
limit, feeling that it would ensure consistency with the Financial Ombudsman Service’s
current maximum award limit of £415,000 for a single complaint. Most consumer groups
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
40
were also not in favour of any maximum level being applied, arguing that it might lead
to life-changing losses not being fully reimbursed.
Our view
Parameters of the policy
7.9 The maximum level of reimbursement will apply to all APP scams claims made
over Faster Payments, including claims from vulnerable consumers. This will ensure
consistency and set clear expectations for both firms and consumers. We recognise
respondents’ concerns about vulnerable consumers, but we expect firms to take extra
steps to ensure that vulnerable consumers are protected when making payments, and that
the necessary tools are in place to prevent scammers exploiting consumers’ vulnerabilities.
7.10 We note concerns from stakeholders about the definition of vulnerability as applied by the
FCA. We will mirror the definition in our reimbursement policy, but we will monitor its
impact as part of our evaluation of the policy.
Factors to consider
7.11 We believe that we correctly identified the main factors to consider when we consulted
on setting the maximum level of reimbursement, and have used these factors to make
the final policy decision. These were:
• the level of PSP liability
• the ability of the cap to cover the majority of cases
• appropriate coverage of all fraud types to incentivise PSP anti-fraud measures.
These factors will also help to inform our evaluation of the policy.
7.12 We welcome the additional factors suggested by respondents, including on competition
and proportionality. We believe that it is important that the policy ensures consistent
reimbursement outcomes for victims of fraud, and that the maximum level is simple for
consumers to understand and for PSPs to apply. We address the concerns about PSP
solvency, and the impact a potential maximum could have on competition and stability,
in the section below.
The value of the maximum level of reimbursement
7.13 We confirm that the maximum level of reimbursement is £415,000.
7.14 We note the high level of interest in this subject, and acknowledge the views expressed
by both PSPs and consumer groups. We acknowledge the view from PSPs, particularly
smaller payment firms and EMIs, that a higher maximum limit will raise concerns about
solvency and potential market impacts. Similarly, we acknowledge the views of consumer
organisations that are keen to see reimbursement for all losses, including the most
valuable cases, by removing the maximum limit altogether.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
41
7.15 As we made clear during consultation, we want to ensure appropriate coverage of all
fraud types. This will incentivise PSPs to build stronger anti-fraud measures. We note
that a significant proportion of investment scams in particular would exceed a £30,000
or £85,000 limit. Based on industry data, we recognise that a significant proportion of
total fraud value would also sit above these limits.
7.16 We consider there is merit in applying a maximum reimbursement level that takes into
account the Financial Ombudsman Service’s current award limit for a single complaint of
£415,000. As set out in our consultation, this is sufficiently high that most victims would
be unaffected by it. Setting a limit substantially beneath £415,000 would encourage
victims whose reimbursement is capped at the limit to refer a complaint to the Financial
Ombudsman Service to try to recover the balance of their losses, which is likely to lead
to uncertainty over outcomes for both PSPs and consumers.
7.17 It should be noted that wherever we set the reimbursement limit, victims will retain their
existing rights under the FCA Handbook to refer complaints to the Financial Ombudsman
Service if they consider they have suffered losses because of the acts or omissions of the
sending PSP and the receiving PSP. This means they are able to make two complaints (one
to each PSP) about their losses from a single payment and those complaints will be subject
to separate ombudsman service award limits. Where a scam has resulted in the victim
making multiple payments, they may be able to make several complaints against the same
parties, with each complaint again subject to a separate ombudsman service award limit.
It follows that victims who have lost very large sums are already entitled to seek redress
of more than £415,000 by bringing multiple complaints to the Financial Ombudsman Service
and they will continue to have that right after the reimbursement rules are introduced.
7.18 The reimbursement rules and their award limit differ from the rules which govern
complaints under the Financial Ombudsman Service’s dispute resolution rules (DISP).,
14
PSPs should therefore inform victims of APP scams that, in addition to their right to seek
reimbursement under the reimbursement rules, they have the right to bring complaints
against sending and receiving PSPs if they are dissatisfied with their conduct and consider
this has caused their loss. Such complaints may ultimately be referred to the Financial
Ombudsman Service.
7.19 We recognise that for some smaller PSPs, high-value claims in light of a maximum limit
of £415,000 could present prudential risks. However, based on the evidence that we have,
we have assessed the prudential risks to PSPs from rare high-value claims as being low.
15
7.20 There are a number of steps that firms can take to mitigate these risks in the ten months
before the start date. In line with our strategic objectives, we consider it imperative that
PSPs put in place robust and effective fraud prevention controls. We encourage PSPs to
take steps to mitigate the risks of reimbursement liabilities and to do this prior to our policy
coming into effect. These include considering appropriate transaction limits, improving
‘know your customer’ controls, strengthening transaction-monitoring systems and stopping
or freezing payments that PSPs consider to be suspicious for further investigation. PSPs will
also be able to utilise data- and intelligence-sharing tools to facilitate improved risk detection
and fraud prevention. We set out more information on this in Chapter 8.
14 Dispute Resolution: Complaints Sourcebook (DISP) in the Financial Conduct Authority (FCA) handbook:
https://www.handbook.fca.org.uk/handbook/DISP/2/?view=chapter
15 See Annex 1: Cost Benefit Analysis
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
42
7.21 Our policy aims to prevent APP scams and incentivise PSPs to improve their fraud
controls, including for high-value fraud. We remain of the view that a £415,000 limit
strikes the right balance between protecting and reimbursing nearly all consumers,
and incentivising PSPs to improve their fraud protections, while providing the
certainty to PSPs of a known limit and therefore capping their liability.
Next steps
7.22 The maximum reimbursement level of £415,000 will not increase automatically
with inflation or any other metric.
7.23 We recognise that setting the maximum level involves difficult trade-offs, and this issue
attracted a particularly high level of feedback. We will supplement our existing evidence base
by monitoring the incidence and impact of high value APP scams over the next ten months
before the start date. We will consider the impact on PSPs, consumers and competition.
7.24 This monitoring will not be a perfect indication of what will happen after 7 October 2024,
because we expect our policy to incentivise a more risk-based approach by firms, and
stronger incentives to detect the frauds. However, it will allow us to add further analysis
to our evidence base. If there is convincing evidence from this exercise that a different
maximum cap would produce better overall outcomes for consumersand competition,
we will consult on changing it in advance of the implementation date.
7.25 We will also monitor and gather data on the impact of the policy as part of our
evaluation of it, and consult on any changes as appropriate. See Chapter 8
for more information about our approach to evaluation.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
43
8 Next steps
This chapter sets out next steps in our work to fight APP scams.
Implementation
8.1 Cross-industry collaboration is essential to successfully implementing the new
reimbursement requirement by day one. We set out in Chapter 4 the actions
we expect industry to take to prepare for the policy start date.
8.2 We remain committed to supporting industry with the interpretation and consistent
application of the new reimbursement requirement. We will set up a clarifications
process in the first quarter of 2024 to encourage a consistent approach to
implementation across industry.
Compliance monitoring
8.3 The legal instruments we have published alongside this policy statement set out
the obligations Pay.UK and directed PSPs must comply with by the start date of
7 October 2024.
8.4 We will create a compliance-monitoring regime to assess whether Pay.UK is complying
with the obligations set out in the section 55 specific requirement and the specific
direction to Pay.UK.
8.5 We are directing Pay.UK to create and implement a compliance monitoring regime for all
requirements across all directed PSPs (including indirect participants). In conjunction with
industry, Pay.UK is best positioned to assess the most effective and efficient monitoring
mechanism. As we set out in Chapter 3, we intend to consult on directing PSPs to comply
with Pay.UK’s compliance monitoring regime and report data to Pay.UK. We will consult
on this direction once Pay.UK has drafted its compliance monitoring proposals.
We anticipate this will be in spring 2024.
8.6 We recognise that there are factors limiting Pay.UK’s ability to monitor and enforce
compliance with the reimbursement rules. We are also responsible for ensuring
compliance with our directions. We will therefore support Pay.UK in enforcing the
reimbursement policy. We will also be responsible for enforcing compliance of directed
indirect PSPs, as Pay.UK’s enforcement remit currently only extends to direct PSPs.
8.7 We are supporting Pay.UK to design its compliance monitoring proposals.
We are working together to ensure our respective approaches to compliance
monitoring achieve comparable outcomes and avoid overlap or gaps.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
44
8.8 We are also exploring how we could evolve our work on publishing a balanced scorecard
of APP scam data (see table 7 below) once all directed PSPs must report data to Pay.UK.
16
8.9 We will gather views from stakeholders in the new year to inform our thinking.
We will then consult on our approach to compliance monitoring in spring 2024.
Evaluation
8.10 The UK is the first country in the world to implement consistent minimum standards
to reimburse victims of APP scams and we recognise that there is widespread interest
in our policy.
8.11 In our June policy statement, we committed to monitoring the effectiveness of our
policy from day one and publish a post-implementation review within two years of
the start date. Consistent with this, the recent independent review of the future of
payments commissioned by the Treasury recommended that we conduct a review
of the reimbursement policy after 12 months of implementation.
8.12 We will regularly gather relevant data to monitor the effectiveness of the policy
and to assess potential policy risks. This includes the potential risk of market exits,
moral hazard, firms restricting customers’ access to accounts and fraud migrating
to other payment systems.
8.13 The post-implementation review will assess the effectiveness and impact of the policy,
and our wider interventions to fight APP scams, such as our balanced scorecard of APP
scam data. Where possible, we will use data-led insights to evolve the reimbursement
requirement into a more nuanced and sophisticated policy.
8.14 Alongside our work on evaluation, we also expect Pay.UK in its role as payment systems
operator to use the insights gained from overseeing and monitoring the Faster Payments
scheme reimbursement rules, and monitoring compliance with it, to evolve the rules
as appropriate.
8.15 We will gather views from stakeholders in the new year to inform our thinking.
We will then consult on our approach to evaluation in spring 2024.
CHAPS
8.16 Our reimbursement requirement applies to payments sent via Faster Payments.
The Bank of England has announced its intention that a comparable model should
apply to CHAPS payments. In the interests of consistency, the Bank will seek to draft
relevant CHAPS scheme rules as closely as possible to those that will be implemented
in Faster Payments. However, there may be some discrepancies to account for
differences in the characteristics and users of the two payment systems.
8.17 We asked several questions on the Bank’s behalf in consultation paper CP23/6:
APP fraud – Excess and maximum reimbursement level for Faster Payments and CHAPS.
We have passed relevant feedback to the Bank to take into account when drafting the
CHAPS scheme rules.
16 https://www.psr.org.uk/publications/legal-directions-and-decisions/specific-direction-18/
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
45
8.18 We are working closely with the Bank to support implementation. We are considering
giving a specific direction to CHAPS participants to support implementation of the
comparable model for CHAPS. This would mirror, where possible, the direction on
Faster Payments PSPs. If we decide to give a direction, we expect to consult on
the specific direction by the end of Q1 2024.
Beyond the reimbursement policy
8.19 The table below shows our ongoing approach to tackling APP scams, beyond the
reimbursement policy.
Table 7
The balanced
scorecard of APP
scam data
In March 2023, we directed 14 PSP groups to collect and
report
data on their management of APP scams using three
performance metrics.
• Metric A: The proportion of APP scam victims left out
of pocket.
• Metric B: APP scam rates for each sending PSP.
• Metric C: APP scam rates for each receiving PSP (not including
any money that has been returned to the victims).
We published this balanced scorecard of
2022 APP scam data in
October 2023
.
17
We will collect
the 2023 cycle of APP scam data in February 2024
and
publish it in July 2024.
Confirmation of
Payee (CoP)
Confirmation of Payee (CoP) is a
name-checking service that
aims
to prevent certain types of scams and misdirected payments.
In Octob
er 2022 we directed about 400 PSPs to implement a
system to offer CoP to their customers.
Our
direction required Group 1 PSPs to implement a CoP system
by
31 October 2023, increasing CoP coverage from 92% of Faster
Payments transactions to 99%.
Almost all Group 1 PSPs complied
by their deadline
and we are working with delayed parties to
ensure
they implement CoP at the earliest opportunity.
Group 2 firms are required to comply by 31 O
ctober 2024.
These
firms should already be preparing to onboard.
17 https://www.psr.org.uk/information-for-consumers/app-fraud-performance-data/
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
46
Enhanced Fraud
Data (EFD)
W
e have tasked industry with developing a data- and intelligence-
sharing tool to
facilitate improved risk detection
and fraud prevention.
For example,
by stopping or delaying high-risk payments.
The
industry supports this initiative and agrees that Enhanced
Fraud
Data (EFD) will help prevent fraud. A UK Finance pilot last
year showed that EFD sharing between sending and receiving
firms
can significantly improve fraud detection.
Pay.UK, with the support of UK Finance, is now taking forward a
project
to deliver EFD. Pay.UK has consulted on the first iteration
of
data standards to support this information sharing and is working
towards building an application p
rogramming interface (API)
solution
through which standardised customer data will be sent.
We
expect PSPs to start implementing aspects of the system
at
the earliest opportunity.
We are monitoring progress and consider
ing whether we need
to
take further action, including using our statutory powers to
require implementation
.
Scam origination
We will
work with industry to consider how we can collect data
show
ing where APP scams originate. Publication of this data
can
raise awareness of the platforms, such as social media and
telecoms firms,
at the highest risk of being targeted by fraudsters.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
47
Annex 1
Cost benefit analysis
In June this year, we published a cost benefit analysis alongside our policy
statement
setting out our final decision on a new reimbursement requirement on
PSPs.
That assessment concluded that the new reimbursement requirement would
provide very substantial benefits overall, with PSPs incentivised to improve their fraud
prevention capabilities, custom
ers enjoying greater protections, and fraud victims
having
more certainty and less stress and psychological costs.
While the main cost of the policy will be the payment of substantial sums by PSPs to
victims, our cost benefit analysis did not focus on this
impact, as it represents a transfer
from PSPs to customers, which would cancel each other out
if accounted for separately
as
a cost and as a benefit. Instead, our analysis focused on the costs to PSPs of increased
investment in fraud prevention, and the p
otential increase in friction that customers
making payments may experience.
In June, there were still a number of elements of the final policy that were not finalised.
Having
taken account of these features of the policy and reflected on additional evidence,
our overall assessment remains that the benefits of our policy are likely
to substantially
outweigh its costs.
Introduction
1.1 In June this year, we published a policy statement setting out our final decision on a
new reimbursement requirement on PSPs.
18
This included a cost benefit analysis that
concluded that the new reimbursement requirement would provide very substantial
benefits overall, with PSPs incentivised to improve their fraud prevention capabilities,
consumers enjoying greater protections, and fraud victims exposed to less uncertainty,
stress and other psychological costs.
1.2 At that stage, several elements of the final policy were yet to be finalised, including:
a. the level of excess that PSPs could impose
b. the maximum claim limit that PSPs would be required to reimburse
19
c. the exact composition of the standard of responsibility that PSPs could
require from consumers
20
d. the legal instruments we would use to implement the policy.
21
18 PS23/3: Fighting authorised push payment fraud: A new reimbursement requirement, (June 2023), Annex 4;
PS23/3: Fighting authorised push payment fraud: A new reimbursement requirement, (June 2023).
19 Consultation CP 23/6: APP fraud: Excess and maximum reimbursement level for FPS and CHAPS, (August 2023).
20 Consultation CP 23/7: APP fraud: The consumer standard of caution, (August 2023).
21 Consultation CP23/10: Specific Direction on FPS participants - implementing the reimbursement requirement,
(September 2023); Consultation CP 23/4: APP fraud reimbursement requirement - draft legal instruments,
(July 2023).
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
48
1.3 This cost benefit analysis provides an update to the assessment that we published
in June, reflecting:
a. costs and benefits affected by the final levels of excess (£100) and maximum
reimbursement limit (£415,000) – drawing on the assessment of costs and
benefits that we included in that consultation
22
b. specific points raised during our August consultations
c. other aspects of our evidence base where we have collected more recent data.
How will the policy improve outcomes?
1.4 Our June cost benefit analysis sets out in detail the causal chain leading from the
reimbursement requirement to lower levels of APP scams. Both sending and receiving
PSPs will be incentivised to strengthen their APP fraud detection and prevention
capacities, and to more effectively cooperate in this and the recovery of lost funds.
As a result, losses to consumers are reduced.
23
1.5 We also set out our baseline assumptions
24
– in particular on the impact of other PSR
policies in relation to APP fraud, including:
a. publishing PSP-level data on APP fraud, which we did in October
25
b. the requirement on additional PSPs to provide confirmation of payee (CoP) checks,
with the first group of firms providing these from October 2023 onwards, at the latest.
Additional consultations and cost benefit analysis
1.6 We recently consulted on the level of the excess and of the maximum reimbursement
level. As part of that consultation, we pointed to a number of relevant costs and
benefits that were likely to be affected by the introduction of these features to
the reimbursement requirement.
Impact of a £100 excess
1.7 We estimated that cases with claim values below £100 currently account for just under
1% of APP fraud losses (or around £4.5 million per annum), although they account for 32%
of cases.
26
Overall, the level of reimbursement would be around 4% or £18 million lower
with a £100 excess than if there were no excess.
27
While this effect on the overall level
22 Consultation CP 23/6: APP fraud: Excess and maximum reimbursement level for FPS and CHAPS,
(August 2023), Annex 1.
23 See Figure 1 in PS23/3: Fighting authorised push payment fraud: A new reimbursement requirement,
(June 2023), Annex 4.
24 See paragraphs 1.4 to 1.10 of PS23/3: Fighting authorised push payment fraud: A new reimbursement
requirement, (June 2023), Annex 4.
25 APP Fraud Performance Report, (October 2023).
26 Data provided by UK Finance in relation to eight PSPs for H2 2022.
27 Consultation CP 23/6: APP fraud: Excess and maximum reimbursement level for FPS and CHAPS
,
(August 2023), Annex 1, paragraph 1.4.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
49
of reimbursement is not substantial, we noted that an excess of £100 does offer the
following benefits:
a. Lower administrative costs for PSPs due to fewer claims that must be processed
and reimbursed.
b. Lower costs from payment friction if PSPs see lower-value transactions as less
risky in terms of reimbursement liability.
c. Reduced risk that moral hazard materially impacts behaviour and greater incentives
on consumers to exercise caution.
Impact of a £415,000 maximum level of reimbursement
1.8 We estimated that cases that exceed £410,000 account for around 4.5% of APP scam
losses by value, representing less than 0.1% of cases by volume.
28
Overall, the level
of APP scam reimbursement would only be reduced by just over 2% (or £12 million
per annum) as a result of a £415,000 limit.
29
While this change in the overall level of
reimbursement would be small, relative to having no maximum cap, the limit should
reduce the impact of moral hazard for high-value payments and the prudential risk
that an uncapped liability would place on smaller PSPs.
1.9 We examine these impacts in more detail in the last section of this annex.
Respondents’ views on the recent consultations
1.10 We received 40 responses to the consultation on setting the excess and maximum
reimbursement level for Faster Payments and CHAPS. Our consultation paper included
a cost benefit analysis, but it did not explicitly ask for views on the assessment itself.
However, we summarise the relevant responses below.
Impact of the excess
1.11 Some respondents agreed with the considerations in our cost benefit analysis,
30
specifically on the impact of an excess on reducing friction to customer journeys for
low- value transactions. Overall, respondents’ views on an excess pointed to six key
considerations that would affect the effectiveness of the policy, as set out below.
Risk of inconsistent outcomes for consumers
1.12 Fourteen respondents, comprising PSPs, trade bodies and consumer groups, felt that
allowing PSPs to apply an excess would lead to inconsistent outcomes and consumer
confusion. Consumers could potentially have different outcomes depending on which
bank they used. Additionally, PSPs could choose not to apply the excess to gain a
competitive advantage, with PSPs competing on this rather than on fraud prevention.
These points are dealt with in paragraphs 1.49 to 1.50, below.
28 Data provided by UK Finance in relation to eight PSPs for H2 2022.
29 Consultation CP 23/6: APP fraud: Excess and maximum reimbursement level for FPS and CHAPS
, (August 2023),
Annex 1, paragraph 1.14.
30 Different PSPs agreed with different aspects. Since there was no CBA specific questions asked, there is no
count of who agreed/disagreed.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
50
Increase in lower-value scams
1.13 One industry organisation argued that an excess would reduce the likelihood of a PSP
intervening in a consumer’s payment journey, especially for lower-value scams, resulting
in an increase in these types of scams, and further harming consumers. These points are
dealt with in paragraphs 1.39 to 1.40, below.
Consumers turning to the Financial Ombudsman Service to overturn decisions
1.14 One respondent stated that having a higher excess would incentivise consumers to try to
get decisions overturned by the Financial Ombudsman Service. As we have set the level
of excess at £100, we do not consider this to be a material risk, nor that it is likely to lead
to material additional costs for the industry or for consumers.
Reduction in consumer caution
1.15 A number of respondents claimed that applying an excess would promote consumer
caution for lower-value transactions and increase fraud risk awareness. However, several
others noted that there was little evidence to show that an excess incentivises consumer
caution. Citing qualitative research, one consumer body explained that scams often
occurred when victims are especially stressed or distracted. An excess would not
therefore affect consumer caution. Other stakeholders stated that the option to apply
an excess would cause confusion, which would reduce the effect on customer caution.
These points are dealt with in paragraph 1.72, below.
Administrative and operational costs
1.16 While several respondents agreed with our assessment that PSPs’ administrative
and operational costs would be slightly reduced by the option to apply an excess,
they argued that this should not be a consideration. In their view, the goal should be to
drive consumer caution. Other PSPs noted that an excess would still involve operational
demands to manage the case, although they would expect to see this diminish as
consumer awareness increased and APP scams declined. One respondent argued that
an excess would allow PSPs to discount a significant number of claims, weakening the
effectiveness of the policy, as they would be less incentivised to detect fraud, especially
low-value scams. These points are dealt with in paragraph 1.61, below.
Under-reporting of APP scams
1.17 Some respondents, including a trade body and a consumer body, stated that applying
an excess could lead consumers to under-report lower-value scams. This would leave
the industry with less data to identify APP scams and address the harm that they cause.
These points are dealt with at paragraph 1.70, below.
Impact of the maximum level of reimbursement
Prudential risk and impact on competition/international competitiveness
1.18 Fourteen respondents were concerned that setting the maximum level of reimbursement
at £415,000 would have a prudential impact on smaller PSPs. They argued that as the
net capital requirements for many of the smaller PSPs are set at £350,000, a £415,000
maximum threshold is too high and puts smaller PSPs at risk of insolvency. Industry
groups representing smaller PSPs suggested that the largest fraud values on their
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
51
platforms were typically below the Consumer Credit Act 1974 limit of £30,000,
and therefore setting a limit in that range would be proportionate.
1.19 One respondent pointed to a reduction in basic bank account facilities as a result of PSPs
resorting to providing only ‘closed-loop’ savings products, or reducing maximum account
balances or transaction values in order to de-risk.
1.20 Respondents went on to state that this would have an impact on the level of competition
in the industry, creating barriers to entry and disincentivising innovation. The high
reimbursement limit would also disincentivise investment in the UK payments market
due to this higher liability and make the industry less internationally competitive.
1.21 We respond to these points as they relate to the setting the limit at £415,000 in
paragraphs 1.31 to 1.32, as well as dealing with the more general question of
the impact on competition and innovation in paragraphs 1.65 to 1.68.
Costs to customers
1.22 One respondent stated that the maximum limit could increase costs for consumers by
requiring them to purchase insurance for high-value transactions above the reimbursement
limit. We note that we have decided on a relatively high maximum limit. The policy,
therefore, greatly increases consumer protection for the vast majority of consumers,
with APP fraud losses above this level being extremely rare at present, as set out above.
1.23 Another respondent argued that the limit would put victims of APP fraud on a more
favourable footing than victims of other crimes, and that other consumers would be
effectively funding reimbursement through costs, charges and other non-interest fees
paid to PSPs. We note where costs to PSPs are, in some sense, passed on to consumers,
this would not necessarily affect the overall level of net benefits or costs incurred as a
result of the policy.
1.24 Another respondent pointed out that the limit would result in firms having to create greater
friction in payment journeys to limit the risk of significant financial loss, which is a point
that we had assessed in our June assessment, as set out in paragraph 1.62, below.
Moral hazard and consumer caution
1.25 Several respondents, including PSPs and trade bodies, questioned whether setting the
maximum level of reimbursement at £415,000 struck the right balance between PSP and
consumer responsibility, and would be effective in reducing the impact of moral hazard.
Most respondents were in favour of setting the limit to reflect the Financial Services
Compensation Scheme (FSCS) threshold. They argued that it be consistent with the
FSCS’s consumer protection coverage and avoid consumer confusion, and that it
would cover a majority of APP scam cases. Respondents also noted that the Financial
Ombudsman Service limit is set to include market factors other than APP scams, and
felt therefore that mirroring it does not set the right level of protection. We set out
our response to these considerations in paragraph 1.73, below.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
52
Impact of changing to a specific direction
Excluding credit unions from the direction
1.26 We consulted on changing our approach to implementing the policy, from imposing
a general direction on the industry to applying a specific direction to named PSPs.
Several respondents noted that this proposal excluded credit unions, municipal
banks and national savings banks from being directed as part of the reimbursement
requirements. One industry body noted that having these exemptions risked inconsistent
outcomes for consumers and could be potentially confusing to them. They argued that
this could be exacerbated by the profile of consumers who use those services –
generally people who face financial difficulty or vulnerability.
1.27 Other respondents pointed out some potential unintended consequences of exempting
these firms from the reimbursement requirements. Fraudsters could be incentivised to
migrate to these accounts, thereby making them appear more risky, and leading to other
PSPs subjecting payments to these accounts to enhanced checks or restricting payments
to these accounts to mitigate the reimbursement liability risk. In addition, this could make
the firms less attractive to consumers, decrease their incentives to invest in fraud
prevention and make them more vulnerable to scammers.
1.28 Some respondents, including trade bodies and PSPs, noted that we did not include a
rationale for the exclusion of credit unions, municipal banks and national savings banks.
They also pointed out that if the rationale for being exempt was limited profit margins,
then this rationale could also be applied to EMIs. We respond to these points in
paragraphs 1.33 to 1.36, below.
Our assessment of the additional considerations
Impact of the maximum reimbursement limit
1.29 We addressed a number of the issues that emerged from these consultations in
our earlier assessments
31
and we refer to relevant points from those analyses below.
In this section we deal with two specific issues that were not explicitly referenced in our
earlier assessments.
Analysis of prudential risk and its impact on competition
1.30 We have considered industry’s concerns about the potential impact on smaller PSPs of
setting the maximum level of reimbursement at £415,000, especially payment firms and
electronic money institutions, most of whom have capital requirements set at £350,000.
32
Based on APP fraud data that we have analysed, we found that small PSPs do not at
present see APP fraud levels anywhere near these values, on average, and that high-value
31 In one or both of the main cost benefit analyses in PS23/3, Fighting authorised push payment fraud: A new
reimbursement requirement (June 2023), Annex 4, and the assessment published as part of consultation paper
CP23/6, APP fraud: Excess and maximum reimbursement level for FPS and CHAPS (August 2023), Annex 1.
32 Some payment institutions may have lower initial capital requirements.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
53
claims at such levels are very rare.
33
In addition, as noted in paragraph 1.18, above, smaller
PSPs have told us that they typically face APP fraud cases under £30,000 in value.
1.31 Based on the evidence that we have, we have assessed the prudential risks to PSPs
from rare high-value claims as being low for a number of reasons:
a. First, such high-value claims are very rare, even among the largest PSPs. Smaller
PSPs are unlikely to face a number of low-frequency, high-value frauds in a given year:
for example, in 2022, only approximately 25 APP fraud claims exceeded £410,000 out
of a total of more than 200,000 reported APP fraud cases.
b. Second, while funding conditions in the sector may deteriorate, they have remained
fairly robust to date, with most loss-making firms continuing to receive required funding.
c. Most importantly, there are a number of steps that PSPs can take to mitigate the
risks of high-value APP fraud transactions moving through their accounts. We will
work with impacted firms alongside the FCA to mitigate the impact, where possible,
if increased prudential risk arises.
Exclusion of credit unions from the policy
1.32 As set out in Chapter 3, above, we have excluded credit unions, municipal banks and
national savings banks from the reimbursement requirement. As set out there, this is
based on comparing the limited benefits of including them (as APP fraud involving
credit unions is currently very rare) with the potentially material costs.
1.33 On limited benefits, our data indicates that reported APP scams being sent to credit unions
are rare, with just three credit unions appearing among around 180 firms that received APP
fraud in 2022, accounting for about 40 instances of APP scams and losses totalling in the
region of £20,000, out of a total of £385 million of total APP scam losses in our dataset.
34
The accounts provided by credit unions are not high risk (mainly savings and loan accounts)
and outbound payments can usually only be sent to nominated accounts. As such, it is also
unlikely that fraud will migrate to these institutions if they are excluded from the scope of
the policy.
1.34 On costs, the extra burden of even partially complying with the policy could generate
significant costs for credit unions, impact negatively on financial inclusion and reduce the
availability of affordable credit, which could particularly affect more vulnerable low-income
consumers. This rationale is consistent with the reason for the exclusion of these kinds of
firms from the PSRs 2009.
1.35 We have not reflected this further in this cost benefit analysis, as the impact of excluding
credit unions is not material in the context of the wider policy.
33 See consultation paper CP23/6, APP fraud: Excess and maximum reimbursement level for FPS and CHAPS
(August 2023), page 16, which shows that a tiny fraction of claims are above £350,000 at present: that is,
approximately 40 cases per year across the whole sector.
34 Data we have collected from the 14 major banking groups in the UK. For caveats on the data, see the data notes
section in the APP fraud performance report (October 2023), Technical annex.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
54
Overall assessment of the costs and benefits
1.36 Our assessment of the main costs and benefits is set out in detail in Annex 4 to our
June policy statement. We summarise these again in table 8, below. We then set
out our overall assessment of these costs and benefits, noting where these have
changed as a result of:
a. updates based on responses to our more recent consultations, especially
in relation to the levels of excess and maximum reimbursement limit.
b. revised assessment of those costs and benefits that are impacted by the
final levels of excess and maximum reimbursement limit.
c. areas where we have more recent data or updated information that affects
our estimates of some costs and benefits.
Table 8: Summary of main benefits and costs
Benefits
Relative magnitude
Costs
Relative magnitude
Reduced
incidence
of
APP scam cases
High
– indicative
estimate
£70 million
to
£127 million per year
Increased investment
in
fraud prevention
by
PSPs
High/medium overall
–
at the PSP level,
proportionate to
the
scale of fraud
being
tackled
More
consistency
and
certainty
in
relation to
reimbursement
for
victims
High
Administrative costs
of
investigating and
delaying suspicious
payments, pursuing
completed payments
and resolving disputes
Medium
– indicative
estimate £17 million to
£38 million
per year
Increased recovery
of
APP scam funds
at
receiving PSPs
Medium
Costs to consumers of
increased friction
and
delayed payments
Medium
– indicative
estimate £6 million to
£25 million
per year
Level playing field
across different
PSPs
Medium
Reduction in
competition and
innovation
Low/medium
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
55
Benefits
Relative magnitude
Costs
Relative magnitude
Improved
reimbursement
rates
for victims
High
Increase in reported
APP
scams
Low
Moral hazard and lack
of consumer
caution
Low
Potential exclusion of
consumers in opening
new accounts or
accessing certain
services
Low
Migration to other
payment methods
Low
Benefits
Better prevention of APP scams
1.37 In paragraphs 1.40 to 1.58 of the cost benefit analysis that accompanied our June policy
statement, we concluded that, with the new reimbursement requirement, all PSPs
would face stronger incentives to detect and prevent APP fraud and recover funds from
fraudsters’ accounts, with both sending and receiving PSPs being required to reimburse
victims in almost all cases. Even sending PSPs that already reimburse (some of their)
customers would still have increased liability for reimbursement costs from APP fraud
due to the APP fraud transactions that they would be liable for as a receiving PSP.
1.38 Some consumer groups took the view that allowing PSPs to apply a £100 excess
would weaken PSPs’ incentives to detect and prevent low-value scams, thereby
reducing the policy’s impact on fraud reduction overall. However, we do not think
this is a likely outcome. The £100 excess will reduce the overall level of reimbursement
by around 4% or £18 million, compared to having no excess. This level of reduction in
reimbursement means that this impact on incentives would not be material.
1.39 In addition, as set out in Chapter 6 above, the policy exempts vulnerable consumers from
paying the maximum claim excess. Also, we note that the excess is applied to the entire claim,
which could include multiple low-value transactions. Therefore, PSPs are still incentivised to
identify and prevent low-value fraudulent transactions. In any case, many of the anti-fraud
measures that PSPs are likely to implement will help to reduce fraud at all values.
1.40 Similarly, as noted in the cost benefit analysis that we published as part of our consultation
on the maximum reimbursement limit, a maximum reimbursement level could in principle
weaken PSPs’ incentives to increase their investment in APP fraud prevention. However,
cases that exceed £410,000 account for around 4.5% of APP fraud losses by value and less
than 0.1% of cases by volume.
35
Overall, the level of APP scam reimbursement would only
be reduced by just over 2% or £12 million per year. The small number of APP fraud claims
35 Data provided by UK Finance in relation to eight PSPs for H2 2022.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
56
affected means that we would not expect this reduction in incentives to prevent APP scams
to be significant.
1.41 We have updated our quantification of the reduction in APP fraud presented in paragraphs
1.52 to 1.58 of the cost benefit analysis for the June policy statement, based on more recent
data. We applied the same methodology, but used PSP-level data that we collected under
Specific Direction 18 requiring publication of information on APP scams.
36
This gave us more
recent data that covered a higher proportion of APP fraud and transactions: APP scams sent
from 14 PSPs in 2022, covering over 95% of Faster Payments transactions. As with the
previous analysis, we looked at those PSPs whose APP scam rates were higher than
average and calculated how much the value of APP fraud would fall if poorer-performing
PSPs managed to reduce their APP fraud rates to the average levels. We found:
• for sending PSPs, if PSPs with above-average rates of APP scams aligned with
the median rate, APP fraud losses would fall by over £70 million per year
• for receiving PSPs, if PSPs with above-average rates of APP scams aligned with
the median rate, APP fraud losses would fall by over £127 million per year
1.42 These are two ways of looking at the effect on the same set of fraudulent transactions –
from the sending and receiving sides, respectively. They indicate the overall magnitude of
the potential impact of stronger incentives on sending and receiving PSPs, and of stronger
incentives for PSPs on both sides to cooperate. They should not be thought of as separate
impacts that can be aggregated, although the PSPs assumed to reduce their fraud levels
on the sending and receiving sides do not completely overlap, so between £70 million
and £127 million is likely to be a conservative estimate.
1.43 These estimates of the likely benefits are substantial, but they could well underestimate
the scope for improved APP scam prevention, for two reasons:
• The estimates are based on PSPs improving to the level of current median rates
of fraud sent and received. The reimbursement requirement will strengthen the
incentives for all PSPs – those whose performance is good, average and poor at
present – to take further steps to prevent fraud.
• Our updated analysis is based on data from 14 of the largest PSPs, covering the vast
majority of Faster Payments transactions (95%) and a similar proportion of reported
APP fraud over Faster Payments (over 90%). We have not made any assumption
about the transactions and the PSPs that fall outside the analysis. Any reduction
in APP fraud sent or received by other sending PSPs not covered in our dataset
as a result of the policy is not reflected here.
1.44 On the other hand, there are also arguments that these estimates may overstate the
likely impact on APP fraud:
• There is a risk that the new reimbursement requirement could lead to some customers
exercising less caution when making payments, offsetting some of the potential gains
from enhanced detection and prevention by PSPs. The application of an excess of up
to £100 per claim should help to manage this risk (see Chapter 6 above).
36 The specific direction applied to 14 of the largest UK PSP groups to collect and provide data to the regulator
which will cover 95% of transactions.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
57
• Allowing PSPs to apply a claim excess and to apply a maximum level of
reimbursement may reduce the costs of reimbursement to PSPs and so reduce
PSPs’ incentives to invest in improved APP fraud prevention. However, as set out
above, in both cases, the overall reductions in PSPs’ reimbursement liabilities are
not substantial as a result of these measures.
1.45 Taking all of the above into consideration, between £70 million and £127 million remains a
reasonable conservative estimate for the likely impact of fraud reduction. Customers and
PSPs avoid the costs of prevented fraud on an ongoing basis – where those anti-fraud
measures remain effective – whereas some of the relevant costs are more short-lived
and may be incurred mainly in the early years of the policy.
Increased recovery of APP fraud funds by receiving PSPs
1.46 In 2022, among PSPs that received over £100,000 in APP fraud, the share of fraud losses
that were recovered ranged from 0% to 34%. On average these PSPs recovered only 6%
of APP fraud received, with 85% of these PSPs recovering less than 10% of fraud losses.
In addition, from the perspective of sending PSPs
37
, 14% of APP fraud losses that were
(voluntarily) reimbursed came from recovered funds. These low levels of recovery suggest
that there is room for substantial improvement given stronger incentives on both sending
and receiving PSPs as a result of the shared liability under the reimbursement requirement.
1.47 With both sending and receiving firms being equally liable for reimbursing victims,
the incentives for PSPs to pursue successful recovery of funds will be significantly
strengthened.
38
An increase in successfully recovered funds should also act as a
disincentive to fraudsters, which should lead to fewer APP scam cases and lower
costs for PSPs in reimbursing victims.
More consistency and certainty for victims
1.48 There continues to be a wide variation in reimbursement rates across individual PSPs.
Annual data for 2022 shows a range of 10% to approximately 91% in share of losses
reimbursed by value.
39
A mandatory reimbursement policy ensures consistency in how
victims of APP fraud and APP fraud losses are treated by PSPs. This will increase trust in
Faster Payments for consumers, as they can be confident that they will be reimbursed
where they have exercised appropriate caution. This will improve choice and competition
for payments users.
1.49 The policy gives PSPs the option to apply an excess of up to £100 to a reimbursable APP
scam. Some stakeholders (see above) felt that this could result in inconsistent outcomes
for consumers. However, our view is that making the excess optional seeks to strike a
balance between applying an excess (which mitigates the impact of moral hazard) with
ensuring that consumers do not end up worse off than they are now under the CRM Code
37 This analysis is done using data from 13 of the 14 banking groups that provided us with data relating to APP
scams under Specific Direction 18 requiring publication of information relating to authorised push payment
scams (March 2023). The one PSP excluded from the calculation did not provide us with the value of fraud
recovered from individual receiving PSPs.
38 As stated in consultation paper CP23/6, APP fraud: Excess and maximum reimbursement level for FPS and CHAPS
(August 2023), Annex 1, a fixed excess means that lower-value fraud does not qualify for reimbursement, and
PSPs’ incentives to recover funds from fraudsters may be weakened. However, the overall level of reimbursement
would only be around 4% lower with a £100 excess, so the effect would not be material.
39 APP fraud performance report (October 2023), page 7.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
58
or specific PSP reimbursement policies, where no excess is levied. In any case, even with
a £100 excess, over 95% of losses would still be reimbursed, by value. Therefore, even
with some variation in excess levels across PSPs, consumers as a whole will enjoy greater
consistency and certainty.
Level playing field across PSPs
1.50 As set out in our June cost benefit analysis, a reimbursement system with a consistent set
of criteria will provide a level playing field among PSPs. This will benefit both consumers and
those PSPs that currently already focus on protecting their customers from APP fraud.
A number of stakeholders have argued that competition could be harmed by the
reimbursement requirement – an issue that is dealt with at paragraphs 1.64 to 1.68 below.
Improved reimbursement rates for APP fraud victims
1.51 As set out in our June cost benefit analysis, improved reimbursement rates will have a
significant positive impact for victims. In addition to money lost to the fraud itself, victims
may face psychological and other costs as a result of these crimes.
40
Making fraud less
likely to happen in the first place will mitigate these issues, which are likely to have a
particular impact on vulnerable customers. Increased confidence and certainty – for victims
and consumers in general – from the new reimbursement requirement are likely to be
important benefits of the policy.
Costs
Increased investment in fraud prevention by PSPs
1.52 As set out in our June assessment, we have not included the direct costs for PSPs of
increasing their rates of reimbursement as part of our cost benefit analysis. We have not
taken the approach of directly balancing the costs of increased reimbursement that PSPs
will face against the benefits of increased reimbursement that victims will receive. That
approach would simply find a large cost on one side cancelled out by the same scale of
benefit on the other.
41
Rather, we have focused on the change in incentives and their
effect that will be caused by the new reimbursement requirement.
1.53 As set out in the June assessment, increased reimbursement costs will mean that PSPs
will now have much stronger incentives to invest in their fraud detection and prevention
systems. The policy will also lead to much stronger incentives for sending and receiving
PSPs to cooperate more effectively on fraud detection and prevention. These additional
costs – from increased spending by PSPs on their fraud detection and prevention systems
40 Even if victims are fully reimbursed, they will still suffer a cost for losing the money in the first place
(for example, overdraft or interest costs, late-payment penalties, or loss of interest on savings) and will
face the stress and anxiety of not knowing if and when they will be reimbursed.
41 The largest direct financial cost of the policy is the reimbursement of losses by PSPs to victims, which is also the
largest direct financial benefit. This represents a transfer and, in our approach, does not affect the net benefit or
cost of the policy overall. However, this assumes, on a conservative basis, that PSPs and consumers are given
equal weight in our assessment. If effects on consumers, in particular victims, are given more weight (for
example, by taking account of the impact of APP fraud losses on victims relative to the impact of additional
liabilities on financial institutions), then our assessment would be even clearer on the net benefits of the policy.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
59
– represent the relevant cost for the purposes of our cost benefit analysis and are likely
to be the most significant relevant cost that arises due to the policy.
1.54 While we have not been able to quantify the likely costs with precision, we pointed to
a number of relevant points in assessing the likely overall magnitude of these costs:
a. The costs that different PSPs are incentivised to incur will vary widely, depending
on the level of APP scams that each PSP sends and/or receives.
b. The costs that individual PSPs are incentivised to incur will be proportionate to
the scale of their fraud issue.
c. PSPs are already investing in fraud detection and prevention. It is the incremental
costs that result from our policy that are relevant to our assessment, not PSPs’
current or total spending on APP fraud detection and prevention.
d. Costs are likely to be higher in the early years of the policy, as PSPs invest in their
fraud detection and prevention systems and set up processes to cooperate with other
PSPs more effectively.
1.55 As set out in the cost benefit analysis published as part of our consultation on the
excess
42
, relative to having no excess, PSPs’ reduced reimbursement costs could reduce
their incentive to invest in APP fraud detection and prevention. This reduces the benefit of
fraud prevention investment, but it also reduces the relevant costs for PSPs. As a £100
excess is estimated to result in 4% of APP fraud losses being unreimbursed relative to
having no excess, the overall effect on firms’ incentives is unlikely to be material.
1.56 As with an excess, a maximum reimbursement level could weaken PSPs’ incentives to
increase their investment in APP fraud prevention. However, the extremely small number
of APP fraud claims affected by the £415,000 maximum reimbursement level and the very
small share of value of losses affected mean that we would not expect this reduction to
be material.
Administrative costs to PSPs
1.57 As set out in more detail in our June policy statement, we concluded that our policy
was likely to lead to PSPs incurring additional administrative costs that they do not face
at present, especially for PSPs that were not already CRM Code signatories. While several
PSPs argued that these costs would be substantial, none submitted any estimates of
these costs and we noted a number of factors that were likely to limit the scale of these
costs. For example, CRM Code signatories already face many of the relevant costs in
managing cases, dealing with reimbursements, informing receiving PSPs and so on.
42 See consultation paper CP23/6, APP fraud: Excess and maximum reimbursement level for FPS and CHAPS
(August 2023), Annex 1, paragraph 1.9.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
60
1.58 In our previous cost benefit analysis, we produced an illustrative assessment of the
potential scale of the incremental administrative costs for PSPs. We assumed that:
CRM Code signatories were likely to face lower incremental costs than other PSPs
43
,
and administrative costs would be (broadly) proportionate to PSPs’ APP fraud liabilities,
but there are likely to be some economies of scale.
44
1.59 We have updated this analysis using data on APP fraud received by over 180 PSPs,
collected as part of our recent publication of PSP-level performance. Based on this APP
fraud data for 2022, our analysis produces a wide range of values: between £17 million
and £38 million per year. As we concluded in our June cost benefit analysis, while these
are not precise estimates, they do provide a useful illustration of the potential overall scale
of the incremental costs faced by PSPs.
Table 9: Estimated administrative costs for PSPs
Value of APP
fraud
received at
each
PSP (2022)
Number
of
PSPs
in
category
Number of
PSPs in
category that
are CRM
Code
signatories
Admin cost
per PSP
–
baseline
Admin cost per
PSP –
based
on 10%
share
of PSP
liability
>£10 million
14
7
£1 million
£2.1 million
£5
million to £10 million
6
2
£500,000
£762,000
£1
million to £5 million
13
1
£250,000
£230,000
£500,000 to
£1 million
7
0
£100,000
£71,000
£100,000 to
£500,000
23
0
£50,000
£21,000
<£100,000
117
0
£25,000
£1,000
Total
– excluding CRM Code signatories
£17 million
£21 million
Total
– including CRM Code signatories
£22 million
£38 million
1.60 As set out in the cost benefit analysis that we published as part of our excess consultation,
a fixed excess of £100 would mean that many low-value claims are no longer reimbursed,
leading to fewer claims and reducing administrative costs for PSPs. APP fraud cases below
£100 currently account for under 1% of APP fraud losses and 32% of cases. While this is
not the main consideration of the excess, it will decrease administrative costs for PSPs.
43 For example, as set out in Table 9, 14 PSPs received APP fraud in excess of £10 million in 2022. Of these, seven
were CRM Code signatories. In calculating the overall cost ‘excluding CRM Code signatories’, we assume that
those firms that are not signatories would incur material costs in administering claims and reimbursements,
while those that are already doing this under the CRM Code would not.
44 As set out in Table 9, we have used two different approaches to estimating PSP-level costs: a ‘baseline’ that
assumes some economies of scale; and a share of APP fraud liabilities that assumes that costs are proportionate
to the value of losses reported.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
61
Although we expect that the policy will impact PSPs’ operational demand to manage
case reports, these costs should fall over time as APP scams decrease.
Costs to consumers of friction and delayed payments
1.61 As set out in our June assessment, there are likely to be costs to customers if PSPs’
introduction of stronger fraud controls leads to a higher number of payments
being queried, delayed or even declined. That assessment also included an illustrative
assessment of the potential scale of the relevant costs, based on current rates of APP
fraud and some reasonable assumptions of the possible costs to customers from delayed
payments. This analysis produced a wide range of potential costs, between £2 million and
£30 million per year, although we would expect the level of friction to fall over time.
1.62 As set out in the cost benefit analysis that accompanied our consultation on the level of
excess, with a £100 excess, PSPs would not be liable for lower-value fraud, while
customers might face less payment friction and so associated costs would be lower.
Having said that, the excess applies at the claim level, so PSPs would still have an
incentive to minimise fraud losses even for lower-value transactions, as losses at these
levels could form part of a higher-value claim.
Reduction in competition and innovation
1.63 In our June cost benefit analysis, we noted that a large number of stakeholders had
argued that the reimbursement requirement would reduce competition and innovation.
We assessed the risks under a number of headings in the assessment, covering:
• whether there are any PSPs where reimbursement liabilities would be likely to
raise prudential risk and hence lead to their exiting the UK market
• whether additional reimbursement costs for PSPs would be likely to reduce innovation
and competition between PSPs, including deterring entry and expansion
• whether the administration of the reimbursement system would affect sponsor
banks’ willingness to provide access to Faster Payments for indirect PSPs on
reasonable terms
• whether the reimbursement rules would be likely to affect payment initiation service
providers’ (PISPs’) ability to gain new business in account-to-account retail, due to any
increased friction imposed by PSPs or increased costs associated with payment
initiation service transactions.
1.64 As set out above, a number of respondents to our consultation on the maximum
reimbursement level raised the risk that smaller payment firms could be forced to exit
the UK market if the level of maximum reimbursement were set too high. Based on the
evidence that we have, we have assessed the prudential risks from the policy to be low.
While we have looked at PSPs’ potential future liabilities based on data on APP fraud
sent and received by PSPs in 2022, the reimbursement regime does not take effect
until October 2024, so there is scope for these levels to change substantially –
including for relevant PSPs to improve their controls and manage the risk.
1.65 We also note that, while funding conditions in the sector may deteriorate, they have
remained fairly robust to date, with most loss-making firms continuing to receive
required funding.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
62
1.66 We are working closely with the FCA to ensure that at-risk firms mentioned in paragraphs
1.64 and 1.65 are aware of their likely future liabilities and are taking steps to improve their
APP fraud detection and prevention measures in advance of this policy taking effect. Given
this early intervention, we do not expect that competition in the market will be negatively
impacted by the new reimbursement requirement.
1.67 More broadly, and as set out in our June assessment, the policy is designed to impose
financial costs on those PSPs that are least effective in preventing fraud against and by
their account holders. The potential exit of a firm that performs particularly poorly in this
regard does not reduce effective competition across the market. Poorly performing firms
losing market share and potentially exiting a market is how effective competition works.
Other potential consequences of the policy
Increase in reported APP fraud numbers
1.68 As set out in our June cost benefit analysis, the new reimbursement requirement could lead
to a short-term increase in the volume of reported APP fraud, as it is likely that there is a
material quantity of APP fraud going unreported at present. Greater clarity and consistency
for consumers are likely to lead to an increase in the level of reported APP fraud. This
represents additional costs to PSPs, but it also represents a benefit to those victims who
would otherwise have been left out of pocket having decided not to report their loss. As
such, the net costs are likely to be modest.
1.69 Conversely, as set out in the cost benefit analysis that we published as part of our excess
consultation, an unintended consequence of allowing PSPs to impose an excess is that it
could lead to some victims not reporting lower-value APP fraud losses. However, any
under-reporting would be reduced by vulnerable customers still reporting scams as they
will be exempt from the application of the excess. In addition, given that levying an excess
of up to £100 is optional for PSPs, customers would still report APP fraud if they believed
that their PSP could partially reimburse them or recover the funds. Nonetheless, we would
still expect to see some under-reporting of lower-value APP fraud as a consequence of the
£100 excess, with a potential impact on, for example, the ability of PSPs to quickly identify
accounts being used by fraudsters.
Consumer caution and moral hazard
1.70 As set out in our June assessment, moving to a system of consistent reimbursement
could lead to an increase in payments where customers have not exercised appropriate
caution, in the knowledge that any losses will be fully reimbursed. We recognise that this
is a risk that should be managed, and we believe customers and PSPs share the risk.
PSPs should put effective protections in place and can take many actions to prevent
APP fraud, such as introducing more effective warnings when customers are making
payments. Recognising that many victims are socially engineered into being scammed,
we have introduced policies to encourage consumer caution, where appropriate, including:
• a consumer standard of caution exception that does not mean automatic
reimbursement and provides an appropriate incentive for consumers to take care
• a claim excess that should mitigate the impact of moral hazard alongside the actions
PSPs can take to prevent APP fraud
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
63
1.71 The option for PSPs to apply an excess will help manage the risk of moral hazard and
incentivise customers to exercise caution, helping to minimise any increase in APP
fraud as a result of the new reimbursement requirement. A fixed £100 excess is easy
to understand and, if communicated well, will encourage consumers to exercise
appropriate caution and reduce relevant costs for PSPs.
1.72 In addition, we noted that the maximum reimbursement should also increase customer
caution in relation to high-value transactions. However, we already expect customers to
exercise significant caution in making such payments. In setting the maximum level of
reimbursement at £415,000, we have taken into consideration the level of PSP liability for
reimbursement, while also ensuring that the limit covers all fraud types and the majority of
APP fraud cases to incentivise anti-fraud measures. As noted in paragraph 1.40 above, the
share of APP scam claims that exceed the £415,000 limit is extremely low, so we would
not expect the limit to affect consumer caution materially.
Potential exclusion of some consumers
1.73 In the June cost benefit analysis, we considered the risk of vulnerable customers being
‘de-banked’ or of PSPs limiting the services available to some customers. We agreed that
there was a risk that some PSPs may conclude that certain groups not classed as
vulnerable are higher risk, and subsequently implement greater friction with payments or
remove some services. We also assessed the risk that enhanced scrutiny for new
accounts could lead to some consumers finding it more difficult to access some services.
While we expect the overall cost to be small, this could have a material negative impact on
some consumers. Existing regulatory requirements – for example, FCA requirements for
PSPs to consider the needs of their customers, including the recently introduced
Consumer Duty, as well as PSPs’ obligations under the Equality Act 2010 – should
minimise this risk. We will consider the risk of vulnerable consumers being de-banked as
part of our post-implementation review.
Migration to other payment methods
1.74 As set out in our June cost benefit analysis, there are a number of ways in which our
policy could, in principle, lead to some switching away from Faster Payments for some
payments. These could include:
a. scammers migrating to other payment schemes
b. consumers switching to other payment methods in response to increased friction
c. PSPs ‘nudging’ payers away from Faster Payments.
1.75 We found that these alternative channels have some existing customer protections in
place and note that the Bank of England intends to introduce equivalent reimbursement
requirements for CHAPS payments, while we are working with the FCA to consider
what additional protections could be put in place for ‘on-us’ payments.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
64
Conclusion
1.76 In June this year, we published a cost benefit analysis alongside our policy
statement setting out our final decision on a new reimbursement requirement on
PSPs. That assessment concluded that the new reimbursement requirement would
provide very substantial benefits overall, with PSPs incentivised to improve their
fraud prevention capabilities, customers enjoying greater protections, and fraud
victims having their money reimbursed with very limited exceptions.
1.77 We have consulted on a number of elements of the policy that were not finalised in
June 2023 – in particular, the levels of the excess and maximum reimbursement limit,
in particular. We have decided on a fixed £100 excess and a £415,000 maximum
reimbursement limit, and have now revised some of the relevant costs and benefits in our
assessment as a result. We have also updated other aspects of our evidence base where
we have more recent data or updated information.
1.78 We conclude that a £100 excess is likely to materially increase net benefits overall relative
to our June cost benefit analysis. It should reduce PSPs’ costs in processing claims, since
there will be fewer reimbursable claims, while also reducing the costs from friction in
payments and reducing the impact of moral hazard, but without materially affecting PSPs’
incentives to invest in the prevention of APP scams.
1.79 A maximum level of reimbursement of £415,000 is likely to lead to a small increase in the
net benefits overall relative to our June cost benefit analysis. It should reduce the
prudential risk that an uncapped liability would place on smaller PSPs, although we think
the overall effect will be small, given the low share of APP scam losses affected.
1.80 Having made these updates and reflected any additional evidence, our overall assessment
remains that the benefits of our policy are likely to substantially outweigh its costs.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
65
Annex 2
Equality impact assessment
In line with our Public Sector Equality Duty (PSED) under the Equality Act 2010,
we
have assessed the likely equality impacts of the new reimbursement requirement.
We
have consulted on the final detailed parameters of our reimbursement policy,
the
legal instruments that bring the requirements into effect, and the impact of
our
final policy package on specific groups.
Approach to assessment
2.1 Section 149 of the Equality Act 2010 requires us to consider the likely equality impact
of our policy on the public, including on people with the following relevant protected
characteristics: age, disability, gender reassignment, pregnancy and maternity, race,
religion or belief, sex, sexual orientation, and marital status. We have looked at a
broad range of evidence to support our assessment, including data from the
Victims Commissioner and the responses to our consultations.
All customers
2.2 As a result of the new reimbursement requirement, we expect PSPs to prevent
more APP scams. This would be a positive impact for people across all demographics,
including those with protected characteristics.
Interaction with vulnerable customers
2.3 We recognise that there is likely to be a significant overlap between vulnerable
customers and those with certain protected characteristics. For example, as we
noted in our June 2023 policy statement, evidence shows that older customers
are more likely to be victims of APP scams.
2.4 We have taken the interests of customers in vulnerable circumstances into account.
According to the FCA’s definition, a ‘vulnerable customer’ is ‘someone who, due to
their personal circumstances, is especially susceptible to harm – particularly when a firm
is not acting with appropriate levels of care’. As further set out in the FCA guidance,
‘Characteristics of vulnerability may result in consumers having additional or different
needs and may limit their ability or willingness to make decisions and choices or to
represent their own interests. These consumers may be at greater risk of harm.’
45
Some types of vulnerability can negatively affect decision-making, leading to people
being at greater risk from social engineering and less able to exercise caution to protect
themselves from APP scams.
45 FG21/1 Guidance for firms on the fair treatment of vulnerable customers (February 2021) Page 3
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
66
The equality objectives
Remove or minimise disadvantages suffered by people due to
their protected characteristics
2.5 Several PSPs previously reported that there is no typical high-risk service user for APP
scams. We think that it is therefore unlikely that certain groups with protected characteristics
will experience greater friction in payment journeys or the removal of some banking services.
We will consider evidence of this occurring, as part of our post-implementation review
(see Chapter 8 for further information on our approach to evaluation).
Take steps to meet the needs of people from protected groups
where these are different from the needs of other people
2.6 We recognise that there may be a significant overlap between vulnerable customers
and those with certain protected characteristics. We require PSPs to exempt vulnerable
customers from the customer standard of caution exception and the claim excess.
This is a proactive step to meet the needs of vulnerable people with protected
characteristics who may be more susceptible to APP scams.
Encourage people from protected groups to participate in public
life or in other activities where their participation is
disproportionately low
2.7 A decrease in successful APP scams and clearer, more consistent consumer protections
will inspire greater confidence for all consumers using Faster Payments.
Equality risks and mitigations
We have identified the following risks and have tailored our policy to mitigate them.
Groups being disproportionately impacted by the claim excess
2.8 We accept that some groups may be disproportionately impacted by the claim excess,
particularly those groups from low-income households which could disproportionately
affect some people with specific protected characteristics. For example, Pakistani and
Bangladeshi households are consistently the most likely out of all ethnic groups to live
in low-income households.
46
Our policy requires PSPs to exempt vulnerable consumers
from the claim excess, keeping in mind that the FCA’s guidance makes clear that low
financial resilience is also a form of vulnerability. To determine whether a consumer falls
under the vulnerability exemption, PSPs should carry out a case-by-case assessment to
understand how the consumer’s vulnerability led to them being defrauded. Firms should
understand that characteristics of vulnerability are likely to be complex and overlapping.
We expect PSPs to consider the financial impact of the excess on consumers with
low financial resilience and exempt them if the excess will lead to financial stress.
46 www.ethnicity-facts-figures.service.gov.uk/work-pay-and-benefits/pay-and-income/people-in-low-income-
households/latest
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
67
We will monitor this issue, and consider it as part of our post-implementation review.
See Chapter 8 for further information on our approach to evaluation.
Groups being disproportionately impacted by the customer
standard of caution (gross negligence)
2.9 We have taken proactive steps to ensure those with characteristics of vulnerability linked
to a specific APP fraud cases are adequately protected. Our policy requires PSPs to assess,
as part of the claim, whether these characteristics prevented the individual from taking
appropriate steps to protect themselves, and hence whether they should be considered
vulnerable. Vulnerable customers are exempt from the consumer standard of caution.
Groups being disproportionately impacted by maximum level
of reimbursement
2.10 Vulnerable consumers will be exempt from both the excess and the consumer standard
of caution, but they will not be exempt from the maximum level of reimbursement.
We accept that some people may be disproportionately affected by this. However,
from our available data we know that the likely total number of customers affected
by the maximum level of reimbursement will be extremely low.
2.11 We expect PSPs to take steps to reduce APP scams. They will be incentivised to tackle
fraud above £415,000 due to the significant liability that still results from these frauds,
with PSPs liable for reimbursement up to the maximum limit. We consider that a
£415,000 limit strikes the right balance between protecting and reimbursing the vast
majority of consumers, and protecting PSPs from the potential prudential risk from very
large frauds. We consider that there are steps PSPs can take to manage the prudential
risk, which we set out in Chapter 7.
Increased customer reluctance to use payment services
2.12 There is a risk that increased warnings and other fraud-prevention measures introduced by
PSPs could cause vulnerable consumers to experience heightened fear of APP fraud and
therefore reduce or stop their use of Faster Payments, undermining their confidence in the
system. We expect that this risk will be mitigated as customers will also be more aware of
their rights to reimbursement if they do fall victim to APP fraud. PSPs will be expected to
make their customers aware of the new protection that is available as part of the
reimbursement scheme. We also consider that the new reimbursement requirement will
lead to fewer APP fraud cases, which should increase confidence in the payment system.
As industry work on data- and intelligence-sharing continues, we expect our policy to
incentivise greater risk-based, targeted interventions to alert consumers to specific fraud
risks, rather than the proliferation of generic warnings we have seen under the Contingent
Reimbursement Model Code. We will continue to monitor the impact of our policy through
the evaluation process. However, we do not consider that we should need to take any
further mitigating action at this point.
Fighting authorised push payment scams: final decision
PS23/4
Payment Systems Regulator
December 2023
68
Claim excess driving excessive caution
2.13 There is a risk that any claim excess may worry some customers, including some
with specific protected characteristics. Some could become overly cautious with
Faster Payments transactions for fear of losing the excess amount, even when the
payment is legitimate. While this may occur, without our policy the risk for many
customers would be a total loss of funds if they fell victim to APP scams. The excess
is voluntary for PSPs to introduce. Following our consultation on the value of the excess,
we have chosen an excess of £100, which we believe is a reasonable level to encourage
sufficient customer caution. Meanwhile, our policy will encourage PSPs to take further
action against APP scams, ultimately reducing their prevalence. This in turn will increase
confidence in Faster Payments transactions as a safe form of payment.
Increased friction
2.14 Under our proposals, PSPs will be incentivised to introduce stronger fraud controls to
reduce the incidence of APP scams. This could mean that more genuine payments are
also stopped because they trigger PSPs’ detection processes or are considered higher risk.
This could affect people with certain protected characteristics more than other customers,
as they may be perceived as more likely to become victims of APP scams.
2.15 Our view is that some additional friction for a small proportion of payments is an
acceptable price for preventing APP fraud and achieving increased customer protection,
including additional protection for those most vulnerable to becoming victims. We also
note that current industry initiatives to improve data-sharing between PSPs and increased
incentives to improve fraud detection and prevention should help to minimise the number
of payments stopped.
FCA Consumer Duty
2.16 We consider the Consumer Duty to be a significant mitigation against the equality risks
that we have identified. We will work closely with Pay.UK and the FCA to help ensure
that customers are treated fairly and equally.
Monitoring and evaluation
2.17 As part of our post-implementation review, we will assess whether in practice the
policy causes any additional equality impacts or issues, and consider what changes and
mitigations are necessary. The monitoring regime will help to ensure that any negative
outcomes for specific groups are identified and mitigated as soon as possible.
