The UK Payment Systems Regulator (PSR) published its final position on APP fraud reimbursement requirements in Policy Statement 23/4 Fighting APP scams: Final decision at the end of 2023. The reimbursement requirement aims to improve fraud prevention in the faster payments system and focus firms’ efforts on providing a very high degree of consumer protection.
Notably, the Bank of England also intends to launch a comparative reimbursement model for Clearing House Automated Payment System (CHAPS) payments but on a different time frame.
Under the new reimbursement requirement, which becomes effective on the 7th October 2024, APP fraud victims will be reimbursed by in-scope payment service providers (PSPs). In-scope PSPs are those which:
The above excludes credit unions, municipal banks and national savings banks[1]
The sending PSP will reimburse fraud victims in most cases, with the cost of reimbursement split 50/50 between the sending and receiving PSP. The maximum mandatory reimbursement is set at £415,000 per claim for all victims and PSPs may apply an excess of up to £100. The excess does not apply to vulnerable consumers. Subject to this claims excess and maximum reimbursement, 50% of any recoveries made by the receiving PSP are to be reimbursed back to the sending PSP.
The maximum of £415,000 per claim aligns to the Financial Ombudsman Service’s (FOS) award limit, with the intention being that victims will not refer cases to the FOS for resolution. Sending PSPs may choose to reimburse victims above this mandatory level, however there have been heightened unprofitability and insolvency concerns raised by smaller PSPs. The PSR has registered these concerns, with encouragement to improve on the fraud prevention controls and adoption of Confirmation of Payee (CoP) if not already in place, to avoid losses in the first place.
In order to be reimbursed, consumers must exercise a standard of caution. This includes 4 specific elements:
01
The consumer must have received an intervention which must offer a clear assessment of the probability that an intended payment is an APP scam payment. Generic warnings will not suffice. The intervention may come from the consumer’s PSP or from a competent national authority, e.g. the police.
02
With a long stop date of 13 months after the last relevant payment was authorised.
03
The consumer should respond to reasonable and proportionate requests for information made by the PSP to help with assessment of their claim.
04
Consumers may consent to the PSP reporting to the police on their behalf, or do it themselves.
The burden of proof rests with the PSP to show not only that the consumer failed to meet one or more of the elements of the standard of caution, but also that they have done so with “gross negligence”.
The consumer standards do not apply to vulnerable people.[2]
Currently, PSPs are not required to reimburse victims of APP Fraud. However, since 2019, there has been a voluntary code, the Contingent Reimbursement Model (CRM)[3], which a number of leading banks in the UK have signed up to and under which they have reimbursed victims. However, outcomes have been inconsistent with reimbursement rates differing significantly.[4]
The new requirements will change the Faster Payment rules and place an obligation on the PSPs to reimburse victims under the same set of reporting criteria and assessment of any APP claim for consistency. Subject to policy terms and conditions, a broad form Civil Liability policy should capture this legal liability. The nature and size of APP fraud losses on an individual basis will mean that claims will likely fall within the PSP’s self-insured retention, with limited possibility to aggregate losses together to form a Single Loss/Claim.
On an annual basis, many financial institutions are reporting huge loss exposures with the trend likely to continue, especially when considering the potential capabilities of Artificial Intelligence (AI).
Since this exposure is labelled ‘fraud’, some insureds may expect to see such exposure captured in a Crime/Bankers Blanket Bond policy. The ‘social engineering’ coverage generally afforded under such policies (this may differ geographically) is usually limited to inward payment instructions that are fabricated and purport to be sent by a customer, but are not. In this instance, APP claims are not fabricated but are legitimate instructions provided by the PSP’s customers. Even if coverage were provided and there was a possibility to aggregate losses together to form a Single Loss/Claim, there is concern that these upward and volatile fraud trends would equate to volatile premiums for policies that have generally benefited from a degree of stability.
Reach out to your WTW contact for more information on how we can assist. Also, look out for the future episode in our podcast series, All Eyes on FIs, where we will discussing our potential available solutions which WTW are in the process of developing for APP Fraud with the London insurance market.