Authorised Push Payment ("APP") fraud occurs when fraudsters trick individuals or businesses into authorising a payment to an account controlled by the fraudster. Unlike other types of fraud, APP fraud involves the victim willingly initiating the transaction, often under false pretences or through deception, making it challenging for banks to detect and prevent. Fraudsters use numerous, constantly evolving techniques to trigger APP fraud, such as impersonation, investment fraud or invoice redirection. Increasingly, artificial intelligence plays a role.
Fortunately, some conscientious victims who initiate such payments do have some recourse - presently through a voluntary code agreed between the majority of payment service providers. From 7 October 2024 that protection will be extended following new rules issued by the Payment Services Regulator ("PSR") under powers granted in ss.54 - 55 of the Financial Services (Banking Reform) Act 2013.
This article gives a brief overview of the current and future arrangements.
The Contingent Repayment Model
A voluntary code established in 2019 (to which ten major Payment Service Providers are signatories), applies to APP fraud affecting personal customers, small charities with an income of less than £1m, and micro-enterprises (as per the HMRC definition).
In the event of an APP fraud, signatories to the voluntary code are obliged to repay sums paid out to within the jurisdiction, whilst the discretion to refuse reimbursement remains available where the customer have ignored a warning, made the payment without a reasonable basis for believing the payment to be genuine transaction, did not follow it's own procedures or was in some other way grossly negligent in its handling of the payment.
Where no PSP is at fault, the loss is paid out of a fund into which all signatory PSPs contribute. Where two PSPs are at fault, each will cover 50% of the reimbursement. If the customer is also at fault, each will bear ⅓ of the responsibility, so the customer will receive a ⅔ recovery.
Mandatory Model
From 7 October 2024, mandatory protection will apply to instances of APP fraud made through the Faster Payments system where the recipient account is within the UK. Victims will have 13 months within which to make a claim to the sending Payment Service Provider.
As with the current voluntary model, this protection only extends to personal customers, small charities with an income of less than £1m, and micro-enterprises.
The new Faster Payment Rules are in the process of being finalised but a draft is available at Pay.UK. However, victims can expect to receive reimbursement within 5 business days, albeit this can be extended to a total of 35 business days if the sending PSP needs to undertake investigations.
This protection is not however a blank cheque. Protection will be limited to £415,000 for each case, and it is likely that most PSPs will apply an excess of no more than £100. Consumers must also make sure to exercise care when sending payments, such conduct to be measured against the Consumer Standard of Caution produced by the PSR. PSPs can refuse to repay victims where they have failed to meet this standard through gross negligence, although there is an exception for where a consumer suffered the loss as a result of a vulnerability. The burden of proof for showing that a consumer has breached the standard of caution is on the PSP.
The Take Away
These rule will affect Faster Payments, whilst similar rules are being developed for payments made by CHAPS. Individual, micro-entities and charities will benefit but larger entities will not.
All private consumers and businesses alike should continue to exercise caution when making electronic transfers of any kind, particularly when very large sums are involved, or new account details are being used.
Entities that may benefit from the protection should ensure that their internal policies are reviewed bearing in mind the specific provisions of the updated Faster Payment Rules to ensure that they are aware of the limitations of the cover and able to avail themselves of it if needed.
Nothing in this new legislation takes away from the urgency by which any case of fraud should be treated. If you believe you or your business has been the victim of fraud, contact our partner Matthew Garbutt in our Fraud Prevention and Recovery Team immediately.
/Passle/6491ca5e863f054b458578e8/MediaLibrary/Images/2024-06-24-10-22-51-636-667948fb9652f7f51e9f024c.png)
/Passle/6491ca5e863f054b458578e8/SearchServiceImages/2024-07-03-12-24-22-765-668542f66618c8d1f97d6338.jpg)
/Passle/6491ca5e863f054b458578e8/MediaLibrary/Images/2024-06-28-13-41-15-998-667ebd7b684459b9689032f3.png)
/Passle/6491ca5e863f054b458578e8/SearchServiceImages/2024-06-19-15-45-35-067-6672fd1fa20a640e0c9a8d0a.jpg)