
Authorised Push Payment (APP) fraud: The new reimbursement requirements

By Julie Baker and Joanna Carruthers | May 9, 2024

How do the new faster payment rules impact your business, and can insurance provide any relief for Financial Institutions (FIs)?
Financial, Executive and Professional Risks (FINEX)

The UK Payment Systems Regulator (PSR) published its final position on APP fraud reimbursement requirements in Policy Statement 23/4 Fighting APP scams: Final decision at the end of 2023. The reimbursement requirement aims to improve fraud prevention in the faster payments system and focus firms’ efforts on providing a very high degree of consumer protection.

Notably, the Bank of England also intends to launch a comparative reimbursement model for Clearing House Automated Payment System (CHAPS) payments but on a different time frame.

What are the new requirements?

Under the new reimbursement requirement, which becomes effective on the 7th October 2024, APP fraud victims will be reimbursed by in-scope payment service providers (PSPs). In-scope PSPs are those which:

  • participate in Faster Payments
  • provide a relevant account in the UK to their service users which can send or receive Faster Payments. (Indirect PSPs who gain access to the Faster Payment Scheme (FPS) via an Indirect Access Provider (IAP).)

The above excludes credit unions, municipal banks and national savings banks.[1]

The sending PSP will reimburse fraud victims in most cases, with the cost of reimbursement split 50/50 between the sending and receiving PSP. The maximum mandatory reimbursement is set at £415,000 per claim for all victims and PSPs may apply an excess of up to £100. The excess does not apply to vulnerable consumers. Subject to this claims excess and maximum reimbursement, 50% of any recoveries made by the receiving PSP are to be reimbursed back to the sending PSP.

The maximum of £415,000 per claim aligns to the Financial Ombudsman Service’s (FOS) award limit, with the intention being that victims will not refer cases to the FOS for resolution. Sending PSPs may choose to reimburse victims above this mandatory level; however, smaller PSPs have raised heightened concerns about unprofitability and insolvency. The PSR has registered these concerns and encourages PSPs to improve their fraud prevention controls and to adopt Confirmation of Payee (CoP), if not already in place, to avoid losses in the first place.

Is there a standard of care expected of consumers?

In order to be reimbursed, consumers must exercise a standard of caution. This includes 4 specific elements:

  1. The requirement to have regard to interventions

    The consumer must have received an intervention which must offer a clear assessment of the probability that an intended payment is an APP scam payment. Generic warnings will not suffice. The intervention may come from the consumer’s PSP or from a competent national authority, e.g. the police.

  2. The prompt reporting requirement

    With a long stop date of 13 months after the last relevant payment was authorised.

  3. The information sharing requirement

    The consumer should respond to reasonable and proportionate requests for information made by the PSP to help with assessment of their claim.

  4. The police reporting requirement

    Consumers may consent to the PSP reporting to the police on their behalf, or do it themselves.

The burden of proof rests with the PSP to show not only that the consumer failed to meet one or more of the elements of the standard of caution, but also that they have done so with “gross negligence”.

The consumer standards do not apply to vulnerable people.[2]

What are the insurance implications?

Currently, PSPs are not required to reimburse victims of APP Fraud. However, since 2019, there has been a voluntary code, the Contingent Reimbursement Model (CRM)[3], which a number of leading banks in the UK have signed up to and under which they have reimbursed victims. However, outcomes have been inconsistent with reimbursement rates differing significantly.[4]

The new requirements will change the Faster Payment rules and place an obligation on PSPs to reimburse victims, with the same set of reporting criteria and the same assessment applied to any APP claim for consistency. Subject to policy terms and conditions, a broad form Civil Liability policy should capture this legal liability. The nature and size of APP fraud losses on an individual basis will mean that claims will likely fall within the PSP’s self-insured retention, with limited possibility to aggregate losses together to form a Single Loss/Claim.

On an annual basis, many financial institutions are reporting huge loss exposures with the trend likely to continue, especially when considering the potential capabilities of Artificial Intelligence (AI).

Since this exposure is labelled ‘fraud’, some insureds may expect to see such exposure captured in a Crime/Bankers Blanket Bond policy. The ‘social engineering’ coverage generally afforded under such policies (this may differ geographically) is usually limited to inward payment instructions that are fabricated and purport to be sent by a customer, but are not. In this instance, APP claims are not fabricated but are legitimate instructions provided by the PSP’s customers. Even if coverage were provided and there was a possibility to aggregate losses together to form a Single Loss/Claim, there is concern that these upward and volatile fraud trends would equate to volatile premiums for policies that have generally benefited from a degree of stability.

Speak to WTW Today

Reach out to your WTW contact for more information on how we can assist. Also, look out for the future episode in our podcast series, All Eyes on FIs, where we will be discussing the potential solutions for APP Fraud that WTW is in the process of developing with the London insurance market.

Footnotes

  1. See Specific Direction 20 or clause 3 of PS23/4.
  2. See Clause 5 of PS23/4.
  3. The Contingent Reimbursement Model Code (CRM Code).
  4. See PSR’s APP Fraud Performance Report – October 2023.

Authors

Banking Industry Leader, GB FINEX Financial Institutions

Joanna Carruthers
FINEX FI
