New rules for reimbursement on authorised push payment fraud (APP) are coming into force in the UK

New rules for reimbursement on authorised push payment fraud (APP) are coming into force in the UK - given the upcoming deadline on 7 October 2024, what do payment service providers need to consider?

The Payment Systems Regulator (the PSR) in the UK is introducing a new mandatory reimbursement framework in relation to payment services providers (PSPs) dealing with customers that are victims of APP on 7 October 2024. Despite calls from certain sectors of the payments industry for the deadline for implementation to be pushed back, the PSR has re-iterated that the framework will be implemented as planned and without delay. We set out an overview of the key requirements applicable to relevant PSPs that are in scope and how the reimbursement framework is proposed to operate.

1. What are the high level requirements?

The new reimbursement requirement will introduce, for the first time, consistent minimum standards to reimburse victims of APP fraud and essentially it will:

• require sending PSPs to reimburse all-in scope customers who fall victim to APP fraud in most cases;
• involve the sharing of costs for reimbursing victims on a 50:50 ratio between sending and receiving PSPs; and
• provide additional protection for vulnerable customers.

The PSR have now published three legal instruments which give effect to the reimbursement requirement: (i) a specific requirement (SR1) imposed on Pay. UK to include the reimbursement requirement in the Faster Payments scheme rules; (ii) a specific direction (SD20) given to participants in Faster Payments, obliging them to comply with the reimbursement requirement and the reimbursement rules; and (iii) a specific direction (SD19) given to Pay. UK to create and implement an effective compliance monitoring regime for PSPs.

2. Who does the new reimbursement requirement apply to?

The new requirement for reimbursement for victims of APP fraud will apply to all participants in the Faster Payments Scheme (both direct participants of FPS and “indirect access providers) and that provide “relevant accounts” to customers in the UK. For the purposes of the APP fraud reimbursement scheme, relevant accounts are accounts which are operated by a PSP in the UK and can send or receive payments using the Faster Payments Scheme, but exclude accounts provided by Credit Unions, Municipal Banks and National Savings Banks. The PSR has explained that it is increasing protections within FPS because currently the majority of APP fraud is enacted within FPS. It is noted that the Bank of England (BoE) has announced its intention for a comparable model to apply to CHAPS payments.

3. What are the key components of the reimbursement obligation?

3.1. The following are the three key components of the reimbursement obligation:

i. Claim excess: Sending PSPs would have the option to apply a claim excess under the new reimbursement requirement up to a maximum of £100 per claim.
ii. Maximum level of reimbursement: There is a maximum level of reimbursement for APP fraud claims (by value) under the new reimbursement requirement and this is set at: £415,000 per claim.
iii. Minimum threshold: There is no separate minimum value threshold for APP fraud victims.

4. Are there any exceptions to the general reimbursement obligation?

• the consumer seeking reimbursement has acted fraudulently. This is known as the ‘first-party fraud’ exception; or
• the consumer has, with gross negligence, not met one or more of the four standards set out by the PSR under the ‘consumer standard of caution’.

It is noted that the definition of ‘consumer’ for the purposes of the APP fraud reimbursement framework includes micro-enterprises, smaller charities, and individuals, and the PSR is not proposing to consider these groups differently in respect to the application of the new rules.

A. Disapplication of the consumer standard of caution for vulnerable consumers.

The consumer standard of caution is being disapplied for vulnerable consumers. Where a consumer is classed as “vulnerable”, PSPs would not generally be able to rely upon the consumer standard of caution exception to deny a customer’s reimbursement. This would be the case even in circumstances where the customer has, as a result of gross negligence, not complied with one or more of the four standards set out above under the consumer standard of caution exception.

B. Why does the classification of a customer as vulnerable matter?

The classification of a customer as being vulnerable is important for the following reasons:

• the claim excess (which is optional for sending PSPs and up to a limit of £100 per claim) does not apply when the consumer is vulnerable, and the vulnerability has a material impact on the consumer’s ability to protect itself from the scam; and
• the consumer standard of caution explained above is also being disapplied for consumers who are vulnerable to a particular scam.

5. Time limit for reimbursement

The sending PSP must reimburse any reimbursable APP scam payment to the victim within five business days of the victim making an APP claim to the sending PSP. However, the sending PSP may exercise a ‘stop the clock’ provision that enables it to pause the five business-day reimbursement timescale.

A PSP can stop the clock if it has asked for additional information to assess the claim and is still waiting for a response.

When a sending PSP exercises the ‘stop the clock’ provision, the five business-day reimbursement timescale is paused at the point where the sending PSP sends its request for information.
An APP scam claim may be closed either by reimbursement of the consumer where appropriate or by rejection of the claim, with an explanation of the reasons. If a claim for reimbursement is denied, customers will still be able to make a claim via the Financial Ombudsman Service.

6. Intersection with the Payment Services (Amendment) Regulations 2024

The rules on time limit for reimbursement of victims of APP fraud should be read alongside the introduction of new legislation amending the Payment Services Regulations 2017 (The Payment Services (Amendment) Regulations 2024.) that allows PSPs to delay the execution of an outbound payment transaction by up to four business days from the time the payment order is received.

The proposed legislative developments reflect the UK Government’s overarching aim to deliver a sophisticated fraud strategy that tackles incidents of APP fraud effectively. Currently, the Payment Services Regulations 2017 require that once an outbound payment order is received, the amount of the payment transaction is credited to the payee’s PSP’s account by the end of the next business day from receiving the payment order (D+1). Under the Payment Services (Amendment) Regulations 2024, PSPs would be allowed to delay the execution of an outbound payment transaction by up to four business days from the time the payment order is received where:

• there are reasonable grounds to suspect a payment order from a payer has been placed subsequent to fraud or dishonesty perpetrated by someone else (excluding the payer); and
• those grounds are established by no later than the end of the next business day following receipt of the payment order.

The delay may only be used where the payer’s PSP requires further time to contact the customer or a third party, such as law enforcement, to establish whether to execute the payment. Moreover, PSPs would be required to inform customers of any delays, the reasons behind their decision, and what information or actions are needed to help the PSP decide on whether to execute the order (unless doing so would be unlawful). It is noted that PSPs will be liable for any interest or charges resulting from a delay to payments.

HM Treasury intends to lay this instrument before Parliament in summer 2024 and for it to commence at the same time as the PSR’s rules on mandatory reimbursement for APP fraud take effect (7 October 2024).

7. Allocation of reimbursement between sending and receiving PSPs

When an APP scam claim is reported to the sending PSP, it must tell the receiving PSP within the notification period, in order to maximise the opportunity for repatriating stolen funds - the notification period would be set by Pay.UK.

If requested by the sending PSP, the receiving PSP must pay the sending PSP 50% of the lower of:

• the amount the sending PSP has paid to the victim; or
• the required reimbursement amount, if different.

The sending PSP may only claim the ‘specified amount’ from the receiving PSP after the sending PSP has reimbursed the victim. The specified amount would need to be paid by the receiving PSP within a reasonable period of time (to be defined by Pay.UK).

If the sending PSP chooses not to apply the maximum claim access value (up to £100 per claim), then the receiving PSP may deduct 50% of the maximum claim excess amount (i.e., £50) from the specified amount.

Notwithstanding the above, the receiving PSP is not liable to pay any amount in relation to:

• any voluntary reimbursement falling outside the scope of the APP fraud reimbursement requirement;
• any payment the sending PSP makes to its consumer after it has closed a claim, whether by reimbursement or rejection. This includes any payment made as a result of a court or ADR decision subsequent to the closing of a claim.

8. PSR consultation on compliance and monitoring in relation to the FPS APP scams reimbursement requirement

On 17 April 2024, the PSR published a consultation seeking views on the data and information that PSPs will be required to provide to Pay.UK to enable it to fulfil its compliance and monitoring role. The document sets out the PSR’s proposals for all PSPs in-scope of the reimbursement requirement policy to report data and information to Pay.UK, and sets out requirements for how this data must be provided, and how it will be managed. The PSR’s key proposals contain the following:

The PSR have explained that they propose to deliver the above by introducing new requirements within the existing specific Directions 19 and 20 and they had been seeking feedback to this consultation by 28 May 2024.

9. FPS participants potentially in scope of the PSR’s Specific Direction 20

On 21 May 2024, the PSR published a list of PSPs that participate in the FPS and therefore may fall in scope of the PSR’s Specific Direction 20 (SD20) (Faster Payments APP scam reimbursement requirement). The PSR have published this list to assist PSPs understand whether they are captured by SD 20. It is noted that this list was further updated on 14 June 2024.
Event though the PSR has mentioned that they cannot guarantee this is a complete list, they have assumed that all firms on this list fall under this category. That being said, the PSR have clarified that all firms should remain responsible for determining their legal obligations.

Our Payment Services Regulatory team will be monitoring next steps and shall keep you up-to-speed with the latest developments on the mandatory reimbursement framework.