12th March 2019
Banking & Finance Litigation specialists Louise Power and Rachel Elgar provide an update on proposed measures for combatting authorised push payment fraud.
Payments are described as ‘push payments’ when the payer obtains the payee’s account details and instructs their bank or other payment service provider to send (or push) money to it. A push payment fraud will therefore involve the fraudster somehow persuading the customer to organise a transfer from the customer’s account to the fraudster’s account. Examples could include:
The hacking of e-mail or other accounts, and the proliferation of personal data available via social media and even the dark web, enable fraudsters to impersonate and deceive customers in increasingly varied and sophisticated ways.
In most cases, the customer will notify the bank or other financial services firm only after the payment has been made, by which time the fraudster will have made off with the funds by transferring them out of the offending bank account and possibly out of the country.
Another issue is the fact that the customer has, albeit unwittingly under the influence of fraud, authorised the push payment. That means that firms have typically been within their rights to refuse to refund victims.
Authorised push payment fraud is a serious and fast-growing problem. UK Finance (UKF) has reported that £145 million was lost to this type of fraud in the first half of 2018 alone and there are significant difficulties in tackling the problem.
For example, since push payment fraud is authorised by the victim, and frequently uses deception and social engineering rather than merely hacking accounts or payment details, many existing technology-based security measures can do little to prevent it.
The mainstream press has also reported a perceived inconsistent treatment of such frauds within the financial services industry, with some firms much more readily reimbursing the victim than others.
The last few months have therefore seen calls for changes to legislation and/or to the regulatory framework, so that financial services institutions are required to do more.
A ‘super-complaint’ entitled ‘Consumer safeguards in the market for push payments’ was submitted by the consumer action group Which? to the Payment Systems Regulator (PSR) in September 2016. Which? argued that consumers do not receive sufficient protection from this type of fraud, compared to the protections in place for other types of fraud (for example credit card and direct debit frauds).
In November 2017 the PSR consulted on how financial institutions deal with push payment fraud, as well as how customers are compensated once a fraud has taken place. In February 2018 following that consultation, the PSR confirmed that it would proceed with plans to better protect victims of push payment scams by implementing a scheme that would make reimbursement contingent on the actions of the firms both sending and receiving the funds when a push payment scam occurs.
In March 2018 the PSR established a dedicated steering group, comprised of industry and consumer representatives, to lead the development of a voluntary industry scheme to reduce the occurrence of push payment fraud and to lessen the impact of such scams that do occur.
In September 2018 the steering group published a draft contingent model code which aims to ensure that the scheme is designed in the best way to minimise fraud and to protect victims.
The voluntary code is underpinned by the following core principles:
On 28 February 2019 the steering group issued a press release announcing the final form of the code. The code is now available and will come into effect on 28 May 2019.
The Financial Conduct Authority (FCA) has, as of 31 January 2019, brought into force new rules so that customers who have fallen victim to authorised push payment fraud can now seek recompense from the firm which received the funds, as well as from their own firm through which the funds were sent. Payment service providers are now required to handle complaints about alleged authorised push payment fraud in line with the Dispute Resolution: Complaints sourcebook (DISP) in the FCA Handbook. Customers can also now pursue the matter through the Financial Ombudsman Service (FOS) if they are not satisfied with the support that they receive from the institutions themselves.
In a recent decision, also in January 2019, the FOS ordered Santander to refund a customer who had been tricked out of £12,000 and stated that the customer was a “victim of a sophisticated scam with social engineering at the very heart of it”. The chief executive of the FOS commented that “It’s not fair to automatically call a customer grossly negligent simply because they’ve fallen for a scam. That’s especially true in light of the sophisticated ways criminals exploit banks’ security systems”.
The Santander decision and those comments, along with the FCA’s new rules, are likely to be very helpful for customers who have fallen prey to authorised push payment fraud and are seeking reimbursement. They do not, however, address the issue of how to prevent fraud in the first place.
A tool which could potentially make significant progress towards preventing authorised push payment fraud is a software-based security solution known as ‘confirmation of payee’. Under this scheme, customers who are sending payments will be able to check that the name on the beneficiary account matches that of their intended recipient.
Confirmation of payee is, however, unlikely to represent a complete solution in itself. The scheme’s algorithm produces a ‘match’, ‘no match’ or ‘possible match’ response; and data [1] shows that, as a result of variations in names, spellings, abbreviations and nicknames, ‘match’ accuracy rates are currently only around 60%. Research has also shown that in around 35% of authorised push payment frauds happening today, fraudsters’ payee accounts would generate a ‘match’ or ‘possible match’ result, thereby not prompting the victim to realise that there was something wrong (and therefore most likely not preventing the fraud). It is anticipated that, as customers become more familiar with the logic behind the confirmation of payee system and how it works, accuracy rates will improve. Unfortunately, however, fraudsters are also likely to become increasingly wise to the system, and to adapt their methods and account names accordingly.
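The three-way response described above can be illustrated with a short added example, which is not the scheme’s own algorithm and not part of the original article. The title list, nickname table and one-character spelling tolerance are assumptions, chosen to show how ordinary variations in a name fall into ‘possible match’ rather than ‘match’.

```python
import re
import unicodedata

# Assumed, illustrative rules; the page does not describe the scheme's real algorithm.
TITLES = {"mr", "mrs", "ms", "miss", "dr"}
NICKNAMES = {"bob": "robert", "bill": "william", "liz": "elizabeth"}

def tokens(name):
    """Lower-case the name, strip accents and punctuation, drop titles."""
    plain = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return [t for t in re.findall(r"[a-z]+", plain.lower()) if t not in TITLES]

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        diag, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            diag, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, diag + (ca != cb))
    return row[-1]

def token_close(a, b):
    """True for a known nickname, an initial, or a one-character spelling slip."""
    if NICKNAMES.get(a, a) == NICKNAMES.get(b, b):
        return True
    if len(a) == 1 or len(b) == 1:
        return a[0] == b[0]
    return edit_distance(a, b) <= 1

def confirm_payee(entered, registered):
    """Classify the payer's typed name against the name held on the account."""
    e, r = tokens(entered), tokens(registered)
    if not e or not r:
        return "no match"
    if e == r:
        return "match"
    if len(e) == len(r) and all(token_close(x, y) for x, y in zip(e, r)):
        return "possible match"
    return "no match"

# Constructed sample pairs: (name typed by the payer, name on the payee account).
SAMPLES = [("Mr. Robert Smith", "robert smith"), ("Bob Smith", "Robert Smith"),
           ("R Smyth", "Robert Smith"), ("Robert Smith", "Acme Trading Limited")]

if __name__ == "__main__":
    for typed, held in SAMPLES:
        print(f"{typed!r} vs {held!r}: {confirm_payee(typed, held)}")
```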
It was previously anticipated that confirmation of payee would be implemented across the UK by July 2019. However, that no longer looks achievable and UKF has stated that it expects it will be some time in 2020 before the scheme is up and running. As well as facing operational difficulties in implementing IT alterations and updates across all customer channels to accommodate confirmation of payee, many financial institutions are struggling to prioritise that work alongside other urgent and ongoing regulatory-driven reforms. UKF has also commented that if too tight a timetable for implementation is recommended, the industry risks creating a two-tier system, where only the big institutions are able to offer the scheme quickly, forcing customers to choose between them and the smaller institutions (who should be encouraged for competition reasons).
Other measures which, as part of a multi-layered approach, are likely to have a significant impact on the prevention or minimising of authorised push payment fraud include increased customer awareness and education. That can be achieved through the efforts of financial services industry trade bodies, institutions themselves and by responsible reporting within the press.
In addition, Artificial Intelligence solutions, such as advanced analytics and machine learning, and/or new behavioural biometrics offerings [2], combined with dynamic and real-time messaging to consumers, could be the key to spotting where fraud is afoot, and then preventing or interrupting it before the fraudster makes off with the funds.
In our experience, push payment scams often target the most trusting and most vulnerable people and can involve life-changing sums of money. We have seen a number of frauds that involve money being transferred internationally and the individual only noticing that something was wrong days or weeks later. Although often neither the bank nor the customer is really at fault (because of the sophistication of the scam), they are left to pick up the pieces.
It is clear that there is a willingness by both regulators and financial institutions to tackle authorised push payment scams.
It is important to consider the issue of whether a customer should receive compensation when a scam has occurred, and if so, from whom. The recent FOS Santander decision is illustrative of FOS’ view that it is incumbent on banks to take responsibility.
However, the more important issue for lenders is how such scams can be prevented. Technological advances in the ways that payments are made and the security surrounding such payments will be crucial. Scammers move with technology and create ever more sophisticated ways to dupe customers. Banks and other financial institutions must also utilise technology to keep up and combat fraud.
____________________
[1] Source: ThreatMetrix (LexisNexis) 13 February 2019
[2] which analyse myriad behavioural parameters to detect social engineering or whether a person is being manipulated by a fraudster