A New Reimbursement Requirement for Authorised Push Payments

In 2019, the Payment Systems Regulator (PSR) introduced the voluntary Contingent Reimbursement Model Code (the CRM Code) for Authorised Push Payment (APP) scams to provide a framework for banks and payment service providers to reimburse victims of payment scams. The CRM was designed to strike a balance between protecting consumers from the financial impact of scams while also encouraging responsible behavior.¹

The new reimbursement requirement for APPs is likely to come into force in October 2024 and it will shift the liability more from consumers to the payment firms and bring mandatory reimbursement requirements to payment firms to compensate victims of scams.

Highlights

APP scams occur when the consumer transfers funds to another person/entity assuming they are for legitimate purposes but are in fact fraudulent. APP has become one of the most significant types of fraud and it poses a significant threat across the globe. These scams can take various forms, such as fraudulent requests for payments, investments, or payments for goods and services that are never delivered. APP fraud losses reached £485.2 million in 2002; down 17% compared to 2021. Within this, 57% of all reported cases related to purchase fraud, with case volumes breaking 100,000 for the first time. Investment fraud continued to be one of the largest proportions of APP losses (24%). Overall, the amount of APP fraud losses reimbursed under the CRM Code increased by 5% in 2022, compared to the previous year.²

APP scams are not limited to specific groups. The PSR has been concerned about the rise of these scams and has taken steps to address this issue and protect consumers . PSR collaborates with financial institutions, consumer groups and law enforcement agencies to address APP scams and prevent payment fraud. The PSR’s new reimbursement requirement will require most APP scam victims to be reimbursed within five business days (provided they make a claim within 13 months of the fraudulent transaction), with sending and receiving firms splitting the costs of reimbursement 50:50 between sending and receiving firms.³ Whilst there is no minimum threshold for APP fraud claims, a maximum threshold value is currently being determined as part of the ongoing consultation.

Key Considerations

The PSR expects industry to start working now to implement the new reimbursement requirements. Payment firms and banks should review and assess their existing fraud prevention and due diligence policies and procedures, and reimbursement efforts to ensure they align with the new requirements. Payment firms should develop clearer communication strategies to educate customers about the risks of APP scams, which should align with the PSR’s Consumer Standards of Caution.⁴ Many banks have put in friction into the payment process by asking the consumer to check and confirm the payment is not fraud rather than offering a ‘one-click’ service. They are also checking for name matches on payment instructions prior to executing payments to reduce the fraud losses that they will become liable for.

In addition, payment firms and banks should conduct thorough risk assessments to identify vulnerabilities within their payment systems and ensure they have an appropriate fraud risk management framework in place.

Guidehouse can assist payment firms with the following services:

• Conduct a fraud risk assessment to identify and help prioritise risk responses in the areas of highest exposure or impact;
• Review fraud risk management programmes to assess their maturity and effectiveness; and
• Evaluate transaction monitoring rules aligned with red flags to detect APP fraud, mule account identification and develop remedial measures.