6th December 2017
On 7 November 2017, the Payment Systems Regulator (PSR) issued a consultation paper in relation to ‘authorised push payments’ [1], which will affect how financial institutions prevent push payment fraud, as well as how customers are compensated once a fraud has taken place. (The paper refers to all ‘payment service providers’, who enable the transfer of funds using a payment system. On the basis that most individual and commercial customers will have a bank account, we will refer to ‘banks’ in this note. Our comments will apply generally, however, to all payment service providers.)
Payments are described as ‘push payments’ when the payer obtains the payee’s account details and instructs their bank to send (or push) money to it. The opposite ‘pull payment’ is where the payer provides the payee with the relevant account details, and the payee is authorised to take (or pull) funds from the payer’s bank account.
A push payment fraud will therefore involve the fraudster somehow persuading the consumer to organise a transfer from the consumer’s account to the fraudster’s account. Examples could include:
In most cases, the customer will notify the bank only after the payment has been made, by which time the fraudster will have made off with the funds by transferring them out of the offending bank account and possibly out of the country. These types of frauds are being increasingly reported in the mainstream press, as well as the financial services industry’s perceived inconsistent treatment of such frauds, with some banks admitting fault for allowing the fraud and reimbursing the victim; while others do not.
UK Finance have recently published data on this growing problem [2], citing that there were 19,370 cases in the first six months of 2017, with over £101.2 million being sent by customers (both individuals and business) who had been tricked into authorising a payment. Around 88 per cent of those payments were made by individuals, losing on average £3,000; with the remainder being made by businesses who lost on average £21,500 per case.
The figures indicate that almost a quarter of those losses (£25.2 million) were returned by financial providers, but there are now calls for changes to legislation and/or to the regulatory framework, so that banks are required to do more.
A ‘super-complaint’ was submitted by the consumer action group Which? to the PSR in September 2016 entitled ‘Consumer safeguards in the market for push payments’ [3]. Which? argued that consumers do not receive sufficient protection from this type of fraud, compared to the protections in place for other types of fraud (for example credit card and direct debit frauds). Which? suggested that where such frauds have taken place, legislation or regulation should be changed so that:
The PSR responded to Which?’s complaint in December 2016 [4] and the latest paper is a report of the work that has been done since that date, as well as timelines for implementation of further measures.
UK Finance has also drafted a set of best practice standards that banks should follow when responding to reported push payment scams [5], which are:
Retail banks offering push payment services have agreed to implement these standards by the third quarter of 2018.
UK Finance are also seeking to take various further measures, including:
The main subject of the PSR’s response is a consultation on the suggested ‘contingent reimbursement’ scheme. The PSR believes that banks have a role to play in preventing such scams, and that having no responsibility to reimburse customers provides weak incentives for banks to take responsibility for doing so. A model has therefore been proposed that makes reimbursement contingent on the actions of the banks both sending and receiving the funds when a push payment scam occurs. (The scheme could introduce eligibility criteria for reimbursement that may include, for example, whether the victim’s bank had warned the victim about the transaction.)
The PSR has suggested that a contingent reimbursement model should be introduced by the end of September 2018, and that UK Finance is best placed to develop and implement such a model.
The introduction of a reimbursement model would not prevent individual consumers bringing court action against a bank if they felt that the bank had failed to take steps to prevent their losses.
The PSR’s consultation is open until 5 pm on 12 January 2018.
Current indications from the PSR are that it does not intend to compel banks to compensate victims of push payment scams, but believes a contingent reimbursement model is appropriate. If such a scheme is implemented, it will be even more incumbent upon banks (and all financial institutions/payment service providers) to ensure that they have taken steps to prevent push payment scams taking place.
_______________________________________
[1] https://www.psr.org.uk/sites/default/files/media/PDF/PSR-APP-Scams-report-consultation_1.pdf
[2] https://www.ukfinance.org.uk/authorised-transfer-scams-data-h12017/
[3] https://www.psr.org.uk/sites/default/files/media/PDF/which-super-complaint-sep-2016.pdf
[4] https://www.psr.org.uk/sites/default/files/media/PDF/PSR-Which-super-complaint-response-December-2016_0.pdf
[5] https://www.ukfinance.org.uk/authorised-transfer-scams-data-h12017/