Nine months left to prepare for mandatory APP scams

Explore the key steps firms need to consider taking to get ready

6 min read

Background

In June 2023 we published a blog article discussing the Payment System Regulator’s policy statement creating a new reimbursement requirement for Authorised Push Payment scams. On 19 December, the PSR published an APP scams reimbursement policy statement (PS23/4) setting out final sets of requirements alongside the relevant legal instruments to give effect to the policy and other helpful materials and guidance. This is particularly important given the October 2023 APP scam fraud performance report which suggests that even where these PSPs are reimbursing victims of APP scams on a voluntary basis, there are currently inconsistent outcomes for customers who report APP fraud to their PSP. Furthermore, there are weak controls that are exploited by fraudsters, and there is still more to be done to address gaps in controls to prevent such fraud by in-scope firms. The policy start date is confirmed as 7 October 2024 which is recognised as a challenging target.

Key steps firms need to consider taking to get ready

Based on the feedback that the PSR has received, it might take firms between 6 – 12 months from the publication of the final policy (19 December) to prepare for the new requirements. As such, it is imperative that all in-scope payments service providers (PSPs) act now. Preparation should consist of both.

1) Prevention and Detection: Taking steps to review and enhance PSP’s fraud prevention and detection capabilities. This may include utilising available data sharing resources (for example, CIFAS), placing limits on payment transactions, improving ‘know your customer’ controls, strengthening inbound and outbound transaction-monitoring systems and freezing unusual payments for further investigation, etc. The PSR have also made it clear that they expect PSPs to plan in advance how to communicate this new consumer protection to their customers, in line with the FCA’s Consumer Duty. It is also critical that there is careful consideration of characteristics of customer vulnerability when making decisions about fraud claims.

2) Operational Readiness: PSPs will need to take steps to ensure readiness for the live date across people, process and technology components of the operating model. This may include:

a) System updates to facilitate management of reimbursement cases or capture all required reporting data;

b) Process design such as development of decision trees for assessing if a customer has been grossly negligent or handling a case as a recipient PSP;

c) Planning for impact on fraud operations such as loss forecasting, resource management and training of staff.

3) Legal & Compliance: Getting ready to comply with the PSR’s requirements and utilising available legal tools to limit exposure. This may include providing the relevant training to staff, creating a well-thought through strategy for consumer interventions to ensure PSPs are able to take advantage of the consumer standard of caution exception (see below), reviewing terms & conditions with customers, reviewing any other relevant contractual arrangements (for example, where a part of the relevant process is outsourced to a third-party provider), reviewing and updating the relevant policies and procedures, etc.

The PSR intends to support the industry with “interpretation and consistent application” of the new reimbursement requirements. For this reason, they will set up a clarification process for Q1 2024 to “encourage a consistent approach to implementation across industry”.

How KPMG can help

To help firms prepare for this new requirement, KPMG has set up a specific APP scams multi-disciplinary task force that can help with prevention and detection; operational readiness; and compliance. This team consists of highly experienced fraud and financial crime experts, payment experts, regulatory compliance specialists and lawyers.

As an example, this team can help you with gap analysis for controls, liability management strategies, updating policies and procedures, reviewing technological preparedness for the coming changes, among other things. In addition, our legal team can review existing customer and vendor terms and arrangements and suggest changes as appropriate.

We have also developed a readiness assessment/gap analysis tool to facilitate our initial discussion on this and provide preliminary assessment of overall gaps in your firm’s readiness for APP mandatory reimbursement requirements.

Please get in touch if you would like to receive any further information on this and book a free of charge initial meeting.

What’s new in PS23/4?

PS23/4 contains a final set of the PSR’s policy decisions on mandatory reimbursement requirements and various changes and clarifications to these requirements. It also contains helpful guidance and the three finalised legal instruments:

Specific Requirement (SR1): which requires Pay.UK to incorporate the PSR’s mandatory reimbursement requirements into the Faster Payment rules (Rules). Draft version of the Rules was published in CP23/10 and the final Rules are due to be published by 7 June 2024. SR1 contains a number of clarifications and changes, such as amending the grounds on which a sending PSP can ‘stop the clock’ and confirming that regardless of how many times the ‘stop the clock’ provision is used, the sending PSP must make a decision on whether to reimburse an APP scam case within 35 business days. The assessment outcome by a sending PSP is final, which means that the sending PSP will be liable for the full reimbursement amount if they have decided not to reimburse the customer and the case is overturned.
Specific Direction (SD20): which requires Faster Payments participants to comply with the reimbursement requirements and the reimbursement rules. Faster Payments participants are PSPs that participate in the Faster Payments Scheme (directly or indirectly) and provide relevant accounts (accounts which are held in the UK and can send or receive payments using the Faster Payments Scheme), but exclude accounts provided by Credit Unions, Municipal Banks, and National Savings Banks. It also contains a number of changes, including deciding not to require Indirect Access Providers (“IAPs”) to pass on notice of obligations to indirect PSPs and instead requiring IAPs to provide the PSR with a list of indirect PSPs to whom they provide access to Faster Payments on an annual basis with duty to update.
Specific Direction (SD19): which requires Pay.UK to create and implement an effective compliance monitoring regime. Please see section “Key dates” below for the timeline on this.

The PSR has also provided its (near)* final policy decision on the following:

Provision	Applies to vulnerable consumers?
Consumer standard of caution exception Available where a sending PSP can demonstrate that a victim of APP scam has, as a result of gross negligence, not complied with one or more of the following: 1. Requirement to have regard to interventions: such interventions can be made by sending PSP or a competent national authority (e.g., police, the National Crime Agency) and should be bespoke, specific, directed and clearly communicate assessment of the probability that an intended payment is an APP scam payment. 2. Prompt reporting requirement: victims of APP scams should report the matter to their PSPs promptly and in not more than 13 months after the last relevant payment was authorised. 3. Information sharing requirement: victims of APP scams should respond to any reasonable and proportionate to the value and complexity of a claim requests for information made by their PSP. These requests must be strictly limited to essential information needed for the PSP to establish either whether the consumer has been subjected to an APP scam, or for the purposes permitted under our ‘stop the clock’ provisions. Consumers who rely on a thirdparty claims management company (CMC) to make a reimbursement claim are subject to the same expectations on information sharing as consumers who raise their claims directly with their PSP. 4. Police reporting requirement: victims of APP scams should, after making a reimbursement claim, and upon request by their PSP, consent to the PSP reporting to the police on the consumer’s behalf, or request the consumer directly report the details of an APP scam to a competent national authority. Please note that a standard of “gross negligence” is a high bar to reach that requires a significant degree of carelessness and the burden of proof that this standard has been met rests on the PSP. As such, a mere fact that a victim of an APP scam has not complied with one of the above provisions does not free the PSPs from having to reimburse the victim of an APP scam.	No
Excess All in-scope PSPs will be able to apply an excess of up to £100 to a claim, however, may choose to apply a lower excess or none at all. When splitting liability on a mandated 50:50 basis between the sending and the receiving PSP, the liability split must be calculated on the assumption that a £100 claim excess has been applied (even where the sending PSP chooses not to apply it).	No
*Maximum level of mandatory reimbursement Maximum level of mandatory reimbursement set at £415,000 per claim. The PSR will monitor “the incidence and impact of high value APP scams over the next ten months” and, if it deems it necessary, it might consult on revising this level ahead of 7 October 2024. Please note that victims of APP scams remain entitled to refer complaints to the Financial Ombudsman Service (“FOS”) if they consider they have suffered losses because of the acts or omissions of the sending PSP and the receiving PSP. Furthermore, where the victim’s claim was rejected, but FOS has then decided to award reimbursement to victim, the sending PSP will have to bear the full costs of this reimbursement (up to £415,000 which is also the current award limit of a single complaint to the FOS), as the receiving PSP will no longer be liable for payment (s. 5.15 of SR1 provides: “the receiving PSP is not liable to pay any amount in relation to […] any payment the sending PSP makes to its consumer after it has closed a claim, whether by reimbursement or rejection. This includes any payment made as a result of a court or ADR decision subsequent to the closing of the claim.”	Yes

Provision

Applies to vulnerable consumers?

Consumer standard of caution exception

Available where a sending PSP can demonstrate that a victim of APP scam has, as a result of gross negligence, not complied with one or more of the following:

1. Requirement to have regard to interventions: such interventions can be made by sending PSP or a competent national authority (e.g., police, the National Crime Agency) and should be bespoke, specific, directed and clearly communicate assessment of the probability that an intended payment is an APP scam payment.

2. Prompt reporting requirement: victims of APP scams should report the matter to their PSPs promptly and in not more than 13 months after the last relevant payment was authorised.

3. Information sharing requirement: victims of APP scams should respond to any reasonable and proportionate to the value and complexity of a claim requests for information made by their PSP. These requests must be strictly limited to essential information needed for the PSP to establish either whether the consumer has been subjected to an APP scam, or for the purposes permitted under our ‘stop the clock’ provisions.

Consumers who rely on a thirdparty claims management company (CMC) to make a reimbursement claim are subject to the same expectations on information sharing as consumers who raise their claims directly with their PSP.

4. Police reporting requirement: victims of APP scams should, after making a reimbursement claim, and upon request by their PSP, consent to the PSP reporting to the police on the consumer’s behalf, or request the consumer directly report the details of an APP scam to a competent national authority.

Please note that a standard of “gross negligence” is a high bar to reach that requires a significant degree of carelessness and the burden of proof that this standard has been met rests on the PSP. As such, a mere fact that a victim of an APP scam has not complied with one of the above provisions does not free the PSPs from having to reimburse the victim of an APP scam.

No

Excess

All in-scope PSPs will be able to apply an excess of up to £100 to a claim, however, may choose to apply a lower excess or none at all. When splitting liability on a mandated 50:50 basis between the sending and the receiving PSP, the liability split must be calculated on the assumption that a £100 claim excess has been applied (even where the sending PSP chooses not to apply it).

No

*Maximum level of mandatory reimbursement

Maximum level of mandatory reimbursement set at £415,000 per claim. The PSR will monitor “the incidence and impact of high value APP scams over the next ten months” and, if it deems it necessary, it might consult on revising this level ahead of 7 October 2024.

Please note that victims of APP scams remain entitled to refer complaints to the Financial Ombudsman Service (“FOS”) if they consider they have suffered losses because of the acts or omissions of the sending PSP and the receiving PSP. Furthermore, where the victim’s claim was rejected, but FOS has then decided to award reimbursement to victim, the sending PSP will have to bear the full costs of this reimbursement (up to £415,000 which is also the current award limit of a single complaint to the FOS), as the receiving PSP will no longer be liable for payment (s. 5.15 of SR1 provides: “the receiving PSP is not liable to pay any amount in relation to […] any payment the sending PSP makes to its consumer after it has closed a claim, whether by reimbursement or rejection. This includes any payment made as a result of a court or ADR decision subsequent to the closing of the claim.”

Yes

PS23/4 and accompanying legal instruments and documents published by the PSR on 19 December 2023 are not the only documents PSPs have to refer to when preparing for the new mandatory requirements for victims of APP scams. They also have to refer to the PSR’s PS23/3 policy statement published in June 2023, as well as other relevant resources such as the FCA’s vulnerability guidance FG21/1 and be mindful of the general FCA’s consumer duty obligations. There are also other available resources that PSPs might find helpful, such as the FCA’s multi-firm review on “Proceeds of fraud - detecting and preventing money mules” and “Anti-fraud controls and complaint handling in firms (with a focus on APP Fraud)”. Also, please note that the HM Treasury “has committed to legislate to provide clarity on the ability to make risk-based delays to payments to support PSPs fraud prevention efforts.”

Key dates

Q1 2024: the PSR to set up a clarification process to encourage a consistent approach to implementation across industry.
31 March 2024: deadline for IAPs to provide the PSR with a first list of indirect PSPs to whom they provide access to Faster Payments.
5 April 2024: deadline for Pay.UK to submit to the PSR its proposals for its compliance monitoring regime
7 June 2024: deadline for Pay.UK to publish the final Faster Payments scheme reimbursement rules and an approved by the PSR compliance monitoring regime.
7 October 2024: the new mandatory reimbursement requirements come into force. Payment made prior to this date are not covered by the reimbursement requirement.
HM Treasury has committed to legislate to provide clarity on the ability to make risk-based delays to payments to support PSPs fraud prevention efforts, however no date has been set for this.