The FCA issues Dear CEO letters to banks, building societies and payments firms setting out its expectations on implementing the APP fraud reimbursement requirements

Written By

Nassos Kalliris

Associate
UK

I am an associate in the Finance & Financial Regulation group in London and a member of the firm's international payments team, specialising in financial services regulation.

Gavin Punia

Partner
UK

I am a senior financial services regulatory specialist with a particular focus on advising firms who are digitally transforming the way financial services are being delivered.

On 7 October 2024, the Financial Conduct Authority (FCA) published two letters, addressed respectively to (i) banks and building societies and (ii) payments and e-money institutions, setting out its expectations in relation to the newly introduced authorised push payment (APP) fraud reimbursement framework. Importantly, these Dear CEO letters were issued on the start date of the new UK APP fraud rules that are applicable to payments executed via the Faster Payments System (FPS) and the CHAPS payments system.

In its Dear CEO letters, the FCA have set out their expectations in relation to the new measures aimed at combating fraud and discussed the role of the Consumer Duty. The FCA have also explained their data-led approach to monitoring progress in the implementation of the above requirements by the relevant payment service providers (PSPs). It is clear that the FCA expects firms to consider its Consumer Duty requirements in implementing the reimbursement framework and that it will supervise and monitor how firms do this, alongside the Payment Systems Regulator.

The FCA also specifically set out in the Dear CEO letter to payment institutions and e-money institutions that these firms must review and adjust their business models and transactions to mitigate the potential prudential impact of any future APP fraud reimbursement liabilities on their regulatory capital requirements and ongoing liquidity.

A. Anti-fraud systems and controls

The FCA have urged PSPs to improve their anti-fraud systems and controls both at the onboarding stage and later through adequate ongoing transaction monitoring mechanisms. Robust anti-fraud systems and controls during the onboarding stage are aimed at preventing customers from falling victim to APP fraud, whereas efficient ongoing transaction monitoring systems can assist in the identification of fraudsters and prevent them from receiving payments from victims.

Following the publication in 2023 of a list of examples of good practice on how PSPs can mitigate the risks of APP fraud, the FCA have continuously been working alongside PSPs to ensure the latter prevent harm to their customers. The FCA have now clarified that they expect PSPs to:

  • have effective governance arrangements, controls and data to detect, manage and prevent fraud;
  • regularly review their fraud prevention systems and controls to ensure these remain effective; and
  • maintain appropriate customer due diligence (CDD) controls both at onboarding and on an ongoing basis to identify and prevent accounts from being used to receive proceeds of fraud or financial crime.

B. Consumer Duty

The FCA have reminded PSPs of their obligation to avoid causing foreseeable harm to consumers. The FCA have provided an example of this by explaining that foreseeable harm would include a consumer becoming a victim of a scam due to the PSP’s inadequate systems to detect and prevent scams or the PSP’s failure to effectively monitor scam warning messages presented to consumers.

The FCA have separately reminded PSPs of their obligation to act in good faith by taking appropriate action to rectify the situation where they have identified consumer harm being caused as a result of their actions or inactions. Where this is the case, PSPs must be ready to take the appropriate remedial action, including redress, where appropriate.

Additionally, in-scope firms must ensure that their customers are adequately supported throughout the lifecycle of a product or service, and that they are able to submit a complaint, as appropriate. For that reason, the FCA have reminded firms of their obligation to inform their customers of the availability of alternative dispute resolution procedures and the ways to access them. This information must be included in the pre-contractual documentation shared with the payment service users.

Under the Consumer Duty, firms are also required to act to deliver good outcomes for consumers. With that in mind, the FCA have explained that in certain circumstances it might be difficult, or not immediately obvious, for consumers to understand the level of protection offered by the PSP. For example, the protection may vary depending on the type of payment transaction: an intra-firm payment is not covered under the new APP fraud rules, whereas a payment routed through FPS or CHAPS benefits from the APP fraud reimbursement protection. In those circumstances, the FCA expects PSPs to ensure that their approach to transactions that do not otherwise benefit from the APP fraud reimbursement protection is still compliant with their obligations under the Consumer Duty. In particular, PSPs would be required to contact the FCA to explain the steps taken to meet their obligations to produce good outcomes for their customers every time they are planning to provide a lower level of protection for certain types of transactions (e.g. for ‘on us’ or intra-firm payments where both the sending and receiving payment accounts are held with the same firm or group and are therefore executed via an internal channel rather than through an external payment system such as FPS or CHAPS).

C. The regulators’ data-led approach to monitoring progress

The FCA and the PSR will jointly use data arising from the reimbursement framework to monitor potential conduct breaches and identify inadequate systems and controls, to ensure consumers are equipped with effective protections from APP fraud and that there are no systemic implications for the broader payments ecosystem.

Alongside their efforts under the new rules on APP fraud reimbursement, the regulators will also gather data with the aim of evaluating payment execution timings. This follows the recent publication of a Statutory Instrument (SI) that will amend the Payment Services Regulations 2017 (PSRs) by enabling PSPs to delay the processing of a payment transaction by up to four (4) business days following receipt of the payment order where the PSP has reasonable grounds to suspect fraud or dishonesty (‘payment delay legislation’). The FCA expects that this approach will enable it to adequately assess the level of any potential friction that might be caused in the payments ecosystem following the adoption of the new rules and gather evidence on the values and volumes of delayed payments under the new SI.

Our Payment Services Regulatory team will be monitoring next steps and shall keep you up-to-speed with the latest developments on the mandatory reimbursement framework.
