PSR's New Directive: Publishing Fraud Enabler Data to Hold Tech Firms Accountable

Written By

Nassos Kalliris

Associate
UK

I am an associate in the Finance & Financial Regulation group in London and a member of the firm's international payments team, specialising in financial services regulation.

Gavin Punia

Partner
UK

I am a senior financial services regulatory specialist with a particular focus on advising firms who are digitally transforming the way financial services are being delivered.

The Payment Systems Regulator sends Dear CEO letters to tech firms and social media platforms on publishing fraud enabler data

On 8 November 2024, the Payment Systems Regulator (PSR) published a Dear CEO letter to tech firms, dated 6 November 2024, regarding its plans to publish data on firms that enable authorised push payment fraud (APP fraud). In December 2024, the PSR plans to publish data on the firms that are most commonly reported as enabling contact between fraudsters and victims. The Dear CEO letter has been sent to the relevant firms ahead of publishing that data, in order to set out the aims of publishing the data, how it collected the data and its future plans for publication.  

The PSR’s fraud enabler data publication

The Payment Systems Regulator (PSR) has classified the prevention of Authorised Push Payment (APP) fraud as one of its key strategic priorities. For that reason, and in an attempt to prevent fraud from occurring in the first place, the PSR has announced dedicated data gathering efforts that will enable it to understand the ways in which fraudsters contact victims and earn their trust. In this respect, the PSR sent the Dear CEO letter to notify the relevant firms of the upcoming PSR fraud ‘enabler’ data publication. The initiative runs in parallel with the recently introduced fraud reimbursement framework for payments executed via FPS or CHAPS.

Notified firms had the opportunity to discuss the proposal with the PSR, or share their comments with the PSR, by 4 December 2024.

Who does the term enabler apply to?

The PSR have defined ‘an enabler’ as an entity that a victim reported as either:

a. a platform or service through which the fraudster made contact with the victim; or 
b. a website or platform where the victim saw an advertisement or profile that led to an APP scam.

Benefits of publishing fraud enabler data

The PSR believes that data insights can provide a powerful gateway to encourage a stronger ecosystem response to prevent APP fraud. Specifically, the regulator considers the main benefits of the data gathering exercise to be the following:

  • Raising consumer awareness: publicly available data can help consumers decide whether to execute certain payments.
  • Raising customer vigilance in the run-up to Christmas, when more consumers are likely to be shopping online.
  • Providing valuable insights: the relevant data will enable payment firms to build dedicated risk profiles of transactions based on the actual manner in which their consumers use platforms and services. Platforms will also be encouraged to collaborate more closely with payment firms to share data across industries, better target interventions and build resilience to stop consumers from being caught out.
  • Highlighting the platforms and services that are most often exploited by fraudsters: firms will be able to see the extent of fraud originating on their platforms and have a reputational incentive to do more to prevent it.

Fraud enabler data standardisation

The PSR have noted that in earlier fraud-related data publications victims could not always identify the service or platform that enabled contact between them and a fraudster. For that reason, the PSR now aims to standardise the way fraud enabler data is collected in the future by:

a. Ranking firms by the number of times they were reported by fraud victims as an enabler; 
b. Publishing rankings of firms by specific sector or sub-sector, such as the most common enabler recorded among listing or auction sites, the most common among social media platforms, and so on.

The PSR proposes to publish fraud enabler data every year and expects that it will be able to build greater consistency in its data collection from 2026.

What are the nuances of the PSR’s Dear CEO letter aimed at tech firms?

The latest Dear CEO letter signals a shift in the PSR’s longstanding approach of addressing Dear CEO letters mainly to regulated payment firms (i.e. payment service providers and electronic money institutions). Given the shift in the regulator’s approach, it will be interesting to see whether this signals a broader trend of a somewhat more interventionist approach by the PSR vis-à-vis tech companies that frequently interact and/or partner with payment firms, or whether this is intended to be a one-off publication aimed at tech firms.

It is noted that the Dear CEO letter imposes material obligations on social media platforms and they will be bound by the new reporting obligations notwithstanding the fact that they are not regulated by a UK financial services regulator in relation to their platform operations. Also, given the PSR’s intention to rank firms based on the number of times they were reported by fraud victims as an enabler and make the relevant data publicly available, it is evident that tech firms face a reputational risk of being ‘named and shamed’ under the PSR’s new data gathering exercise. In this respect, tech firms will need to adjust their internal compliance and control mechanisms accordingly, increase their scrutiny and pay closer attention to the content that might be active on their platforms. Arguably, this is also likely to bring about additional operational and internal regulatory compliance costs for social media platforms and tech firms.

In addition to the above, it will also be interesting to see how the new reporting obligations under the PSR’s Dear CEO letter will be aligned with the expectations and requirements on firms set out under the UK’s Online Safety Act 2023, which introduced specific duties on internet platforms about having robust systems and processes in place to manage harmful content on their sites, including illegal content.

Our Payment Services Regulatory team will be monitoring next steps and shall keep you up to speed with the latest developments.
