The UK continues to be engulfed by fraud on an unimaginable scale. Fraud now accounts for 40% of all reported crime.1 Many scams go unreported, so the actual number may be substantially higher. In my last open letter, I outlined how the authorities need to support stepping up fraud prevention and law enforcement.
This week, the Payment Systems Regulator (PSR) has confirmed new rules that will require payment firms to reimburse victims of Authorised Push Payment fraud (APP fraud, or scams). This move will effectively increase the expected returns to fraudsters and may lead to a series of unintended consequences, as we outline below. The UK risks a significant increase in fraud unless there is determined action in the broader fight against fraud.
Overview of the new reimbursement rules
The PSR issued its policy statement2 this week, and will consult on a number of specific aspects, before it sets out detailed guidance. In sum, the PSR policy envisages:
- Sending and receiving payment firms will share the cost of reimbursing victims 50:50
- Most APP fraud victims will be reimbursed within five business days3, with additional protections to cover vulnerable customers
There are two exceptions to this: firstly, where the customer has acted fraudulently (‘first-party fraud’) and secondly, where the customer has acted with gross negligence.
- There will be a claim excess and maximum level of reimbursement, other than for vulnerable customers.4 The PSR will consult on this aspect later this year
- The new rules will apply to Faster Payments – the payment system across which the vast majority of APP fraud takes place
- The new reimbursement requirements will come into effect in 2024
Why scams are often not preventable at payment system level
This would be less of a problem if all scams could be easily identified and prevented at a payment system level. Unfortunately, at the moment, they’re not.
A greater understanding of where and how scams start is key to preventing, and to ultimately reducing, fraud.
Data from UK Finance shows5 that the vast majority of fraud starts outside the banking sector, with 78% of fraud cases originating from online sources, such as social media. A further 18% of fraud cases originate from telecommunications. It’s only once fraudsters have tricked a victim into making a payment, that the scam reaches the payment firms.
Currently, there’s limited information available to payment providers to safely identify a scam. Typically, there are two sets of controls:
- Certain hard checks that can identify fraud with certainty: e.g. around where the funds are being sent to (Confirmation of Payee) – but fraudsters are smart and usually use mules or agents that make their accounts available. At the moment there is little data sharing – often due to restrictions under personal data protection laws – which means payment firms are left largely in the dark about the nature of the payment or details of the third parties involved
- Simple patterns and AI models that can identify potential fraud for investigation: It is only by blocking the account or transaction, and then the payment provider conducting an investigation that fraud can be confirmed
Take a typical “Mum / Dad” scam as an example: The fraudster contacts the parents via WhatsApp, claiming to be a daughter or son who has lost their phone but urgently needs to pay a bill. The parent is put under pressure to transfer an amount, say £100, to pay the bill. At the payment system level, how can this scam be stopped? All the payment provider sees is the payee, the amount and the reference text – and some contextual information such as the time of day. The payee is unlikely to be flagged by Confirmation of Payee as a mule is collaborating with the scammer. The payment looks legitimate, so – unless the payment provider’s system flags it as an unusual pattern for investigation – there is no way that this could be identified as a scam.
The reasons why reimbursements will encourage scams
Leaving aside the question of whether it’s appropriate to ask payment providers to reimburse scams they didn’t cause and for the most part they can’t prevent, the real issue is that further incentives are created for fraudsters to commit scams. This risks offsetting the government’s prevention and law enforcement efforts.
- With customers no longer expected to carefully consider the services, goods and other items they’re buying, they will naturally lower their guard, the most important first line of defence against scams is being removed – allowing fraudsters to succeed much more easily in their scams
- Additionally, first party fraud is also likely to rise significantly, e.g. “victim-pretence” (fraudsters acting as victims), “fraud-muling” (victims colluding with fraudsters for a share of the APP fraud reimbursement proceeds), or through “soft fraud” (e.g. claiming APP fraud reimbursement on genuine purchases, for goods they’ve bought that did not meet expectations)
- The shift in liability and the increased fraud levels will pose a cost that will ultimately need to be passed on to customers. Financial institutions will need to pass on these reimbursement costs. The reimbursement rules effectively create a “tax” on all users and will increase the cost of payments either directly, or through other charges, by financial institutions. In essence, all customers will be asked to pay for those customers that are being reimbursed
- Extensive blocking of accounts and payments by payment providers will cause severe customer detriment to UK SMEs
- This customer detriment will translate into damage to the UK economy. Blocking at scale has the potential to lead to “an effective end of faster payments”, as some in the industry have called it. The delays in being paid will lead to more businesses failing as their cash flow comes under further pressure
Tide’s call to action
We would have preferred a focus on prevention and law enforcement rather than inadvertently, and further, risking fraud through reimbursement. But we believe that the focus must now be on risk mitigation, and this will require the authorities to significantly step up their fight against fraud.
The advent of generative AI hands fraudsters another tool to increase the sophistication and scale of their scams. The new PSR rules are likely to inadvertently increase the incentives to do this, so it’s vital that the authorities ramp up their action without delay.
We have previously outlined four sets of actions that will make a real difference. We have now updated these due to the PSR’s decision6 on APP scam reimbursements:
Mandatory data sharing to prevent fraud by expanding the existing Confirmation of Payee (CoP). CoP, an existing service that allows Tide to check whether the name of a payee matches the account and sort code details provided, should be extended. This service can make a vital contribution to preventing fraud:
- Mandating all financial institutions to take part in CoP, as currently not all of them are
- Mandating Payment Service Providers to add risk assessment data (e.g. how long the payee has been a customer, how many non-fraudulent transactions they have undertaken)
- Mandating social media and telecommunications companies to maintain adequate records of all their advertisers and users, and contribute to CoP data by linking in their records (e.g. via the payment details they hold on advertisers)
Zero tolerance law enforcement policy funded by an anti-fraud tax. The UK should adopt a zero tolerance stance on those that commit scams:
- Mandatory reporting to the police of all instances of fraud by financial institutions
- Mandatory investigation of all fraud by the police
- Introduction of an anti-fraud tax on the value chain to fund the required law enforcement capacity: from online ads to telecoms to payments7
Minimising the unintended consequences of the PSR’s mandatory reimbursement regime. We would like to see the PSR (with Pay.UK) minimise the risk of unintended consequences as it designs its arrangements for reimbursement. In particular, we would like to see appropriate levels of excess and maximum amounts in these new arrangements. The exact definition of gross negligence will be critical to maintain vigilance in the most important first line of the defence against scams: the customer. Law enforcement must support payment providers in investigating first party fraud.
Giving customers a choice about the level of fraud protection they seek. This will empower sophisticated customers the opportunity to opt out of fraud controlling and transaction blocking.
Despite our concerns about unintended consequences of reimbursement, we remain fully committed to playing our part in the fight against fraud:
- We are investing heavily in advanced machine learning models to better detect potential fraud
- We have long participated in Confirmation of Payee
- Tide is a member of StopScams159, which provides a number, 159, for victims to call if they think they have been scammed, or are in the process of being scammed
- We are working with agencies, including law enforcement (such as the Police and the National Crime Agency), CIFAS, UK financial trade bodies (including UK Finance and Innovate Finance), amongst others, to ensure our members and their money are protected
Combating fraud is a relentless focus for us and we are committed to real and lasting action in this area, but we – along with the payments industry – need the support of the authorities.