Hogan Lovells 2024 Election Impact and Congressional Outlook Report
On 19 December 2023, the Payment Systems Regulator (PSR) published its final policy statement on fighting authorised push payment (APP) scams alongside three legal instruments that will give effect to the new mandatory reimbursement policy for payment service providers (PSPs). There is also a final Consumer standard of caution exception notice and associated Consumer standard of caution exception guidance. The PSR recognises that the now confirmed October 2024 go-live date “will still be a challenging target for some PSPs" and describes it as "ambitious but feasible".
The PSR has confirmed that the new mandatory reimbursement requirement for victims of APP scams will come into force on 7 October 2024.
Where industry does not consider it can deliver comprehensive reimbursement management systems (RMSs) by October, the PSR expects it to collaborate to develop the minimum RMSs that it considers necessary to implement the reimbursement requirement.
The maximum mandatory reimbursement level, applicable to all in-scope consumers, has also been confirmed as £415,000 for each single APP scam case (ie the same as the Financial Ombudsman Scheme's (FOS) current award limit for a single complaint). Recognising the 'particularly high level' of industry feedback on the limit, the PSR will monitor the incidence and impact of high value APP scams over the next ten months before the start date and may consult on revising the level ahead of October if there is convincing evidence to do so.
Key changes from the previously published proposals include:
Stop the clock: Under the Specific Requirement imposed on Pay.UK, the grounds on which a sending PSP can ‘stop the clock’ have been amended to allow it to do so when contacting the receiving PSP to gather evidence to inform their assessment of reported APP scam cases. The 35-business day timescale within which the sending PSP must make a decision on whether to reimburse an APP scam case under the policy has also been clarified. The sending PSP must reach a decision after 35 business days, regardless of how many times (and for how long) ‘stop the clock’ is used.
Responding to information requests: Also under the Specific Requirement on Pay.UK, the PSR has required Pay.UK to include an obligation in the reimbursement rules for the receiving PSP to respond to the sending PSP’s information requests. This ensures that a receiving PSP provides information promptly when requested by a sending PSP using ‘stop the clock’ to investigate an APP scam claim.
Assessment outcome by sending PSP is final: A new provision in the Specific Requirement on Pay.UK requires the reimbursement rules to clarify that the assessment outcome by the sending PSP is final. Any subsequent differing outcome (by a court or an alternative dispute resolution scheme, such as the FOS) will not be treated as a reimbursement under the policy and will not incur any apportioning of liability under the policy. Therefore unless otherwise specified in the dispute decision, the sending PSP will be liable for the full reimbursement amount if they have decided not to reimburse the consumer, and the decision is overturned.
All indirect access providers (IAPs) must provide PSR with details of indirect PSPs: See 'What's next' below for more on this addition to the Specific Direction given to all in-scope PSPs.
Consumer standard of caution exception changes: There are several amendments to the proposals outlined in the PSR's August 2023 consultation, including that when assessing whether a consumer has been grossly negligent, PSPs may now consider whether a consumer received tailored, specific interventions from a competent national authority, such as the police, before executing a payment order. Other relevant policy changes and clarifications are summarised in Table 1 of the policy statement. See also 'What do firms need to be thinking about?' below for more on the tailored, specific interventions point.
Read on for a more detailed look at the PSR's final policy statement and legal instruments.
The PSR's December 2023 publication of its final policy statement and three implementing legal instruments follows its September 2022 consultation paper on the proposal, subsequent policy statement in June 2023 and later consultations on the proposed reimbursement start date, draft legal instruments, value of the excess and maximum reimbursement level, and the consumer standard of caution.
The December 2023 final policy statement was accompanied by publication of the PSR's Consumer standard of caution exception notice and associated Consumer standard of caution exception guidance, as well as a summary of views that were received on the four later consultations.
The PSR has made changes and clarifications to all three legal instruments, including both substantive policy changes and definitional changes in the terms used. The contents of the changes can be found in Table 3 on pages 13 to 17 of the policy statement.
As an overview of key elements of the final legal instruments:
Specific Requirement 1 is imposed on Pay.UK and requires it to create the reimbursement rules through amending the Faster Payment rules by 7 June 2024, to include:
The reimbursement requirement and its scope.
Sharing the cost of reimbursement.
The time limit to reimburse victims.
The obligation of the sending PSPs to notify the receiving PSPs that an APP scam has happened.
The allocation of retrieved (‘repatriated’) scam funds between PSPs.
‘Stop the clock’ provisions.
The ability to charge a claim excess.
The ability to impose a maximum level of reimbursement.
A time limit for victims to claim.
There will also be accompanying operational guidance to the final rules.
Changes from the draft include the addition of a provision for the reimbursement rules to clarify that the assessment outcome by the sending PSP is final. Any subsequent differing outcome (by a court or an alternative dispute resolution scheme, such as the FOS) will not be treated as a reimbursement under the policy and will not incur any apportioning of liability under the policy. The PSR explains that this means that, unless otherwise specified in the dispute decision, the sending PSP will be liable for the full reimbursement amount if they have decided not to reimburse the consumer, and the decision is overturned.
Specific Direction 19 is addressed to Pay.UK and directs it to do the following:
On the compliance monitoring regime, the PSR intends to consult on directing PSPs to comply with the regime and report data to Pay.UK. It will consult on this direction once Pay.UK has drafted its compliance monitoring proposals. It anticipates this will be in spring 2024.
Specific Direction 20 is addressed to all in-scope PSPs and sets out the reimbursement requirement, its scope, the obligation on all directed PSPs to comply with the reimbursement rules, and a requirement on indirect access providers (IAPs) to provide information about their indirect PSP customers (see further below). In-scope PSPs are all PSPs participating in the Faster Payments Scheme that provide relevant accounts. A 'relevant account' for these purposes means an account that is provided to a service user, is held in the UK and can send or receive payments using the Faster Payments Scheme, but excludes accounts provided by credit unions, municipal banks and national savings banks.
The PSR opted for a specific direction, as opposed to the general direction it consulted on, as a result of feedback seeking clarity on which PSPs are in scope. The change specific direction is designed to more clearly define the in-scope PSPs, and to provide a clear set of criteria that can be practically applied. According to the PSR, this reduces confusion around the scope and obligations of payment initiation service providers (PISPs), electronic money institutions (EMIs), and other non-bank PSP arrangements.
Other changes include removal of the obligation on IAPs to pass on the information about indirect PSPs’ obligations under the reimbursement policy, but addition of an obligation for all IAPs to provide the PSR annually with a list of indirect PSPs to whom they provide access to Faster Payments, starting from 31 March 2024. By 30 April 2024, and monthly thereafter, all IAPs must provide it with an update containing any changes to the list. The PSR may, in guidance, specify the format and content of the list. If so, it will consult on this in early 2024. The PSR acknowledges that it currently collects similar data on indirect PSPs under its access to payments systems work. It clarifies that PSPs already reporting to it under access to payments systems information requests can combine the report with the obligation set out under this specific direction.
The requirement for directed PSPs to report data to Pay.UK has also been removed. As mentioned under 'Specific Direction 19' above, the PSR plans to consult on a further direction which will direct in-scope PSPs to report data under that regime to Pay.UK.
Following pushback from industry on the start date of 2 April 2024 which was proposed in the June 2023 policy statement, the PSR subsequently consulted on a 7 October 2024 start date. The PSR has now confirmed that the APP reimbursement policy will take effect from 7 October 2024, which it describes as “an ambitious but feasible date for industry to implement the reimbursement requirement.”
The PSR acknowledges that it received responses from industry saying that PSPs would struggle to plan or operationalise the reimbursement requirement until Pay.UK has published the final reimbursement rules (now required to be published by 7 June 2024). Despite this, the PSR points to the previously published draft rules, and the fact that Pay.UK intends to make a near-final version of the draft rules available as early as possible, as factors which give the industry sufficient clarity to already be planning for implementation.
The PSR states that it expects the industry’s preparations for the reimbursement requirement to “gather momentum” and “will continue to monitor Pay.UK’s and PSPs’ progress towards implementation throughout 2024.”
The PSR recognises that comprehensive reimbursement management systems (RMSs) may not be available, or required, for all PSPs to adopt by October. Where industry does not consider it can deliver comprehensive RMSs by the start date, the PSR expects it to collaborate to develop the minimum RMSs that it considers necessary to implement the reimbursement requirement. In the medium term, the PSR anticipates that industry may develop more comprehensive RMSs, and even a reimbursement management platform (RMP) which integrates multiple RMSs into a single platform. It emphasises that it will be largely for PSPs and Pay.UK to decide the most efficient means of meeting the reimbursement requirement, describing cross-industry collaboration as "essential" to successful implementation. With this in mind, it will set up a clarifications process in Q1 2024 to encourage a consistent approach to implementation across industry. It is also working with Pay.UK to ensure industry can see Pay.UK's implementation delivery plans in good time and that these plans are being discussed in the industry workshops being held by Pay.UK.
The PSR has confirmed that the consumer standard of caution exception will consist of:
Where a PSP can prove that a consumer has not met one or more of the standards through gross negligence (taken to mean a “significant degree of carelessness” and a higher standard than negligence under common law), they will not be required to reimburse the consumer. PSPs are not allowed to rely on this exception where the consumer is vulnerable, and this had a material impact on their ability to protect themselves from the scam (paragraph 1.6 of the Consumer standard of caution exception notice). Rather unhelpfully, this materiality qualification in the notice is not explicitly elaborated on in the accompanying Consumer standard of caution exception guidance. However, when setting out a definition of 'vulnerable consumer' for the purposes of the policy statement (Chapter 2), the PSR states that "PSPs should evaluate each customer’s circumstances on a case-by-case basis to help determine the extent to which their characteristics of vulnerability, whether temporary or enduring, led them to be defrauded, and therefore whether they meet the definition of vulnerability". Also, the same qualification applies to the vulnerable customer exemption to the optional claims excess. Here, the PSR has clarified in the policy statement that the vulnerable customer exemption is not a blanket one and PSPs should carry out a case-by-case assessment (see further 'Optional excess that PSPs may levy' below). This echoes the wording that was previously applied to the PSR's views on the potential impacts of the new reimbursement requirement on vulnerable customers in general in the June 2023 policy statement (see our previous Engage article 'APP fraud: UK PSR consults on implementing instruments for mandatory reimbursement requirement').
Failure to meet one of the above four requirements is not, of itself, sufficient reason for a PSP to refuse reimbursement. The PSP needs to look at the reason why the consumer did not meet the requirement, in order to determine whether the consumer was grossly negligent. For example, in relation to the requirement to have regard to interventions, the PSR's Consumer standard of caution exception guidance sets out a non-exhaustive list of factors that should be considered, including the complexity of the scam. The onus will fall on the PSP to prove a consumer has behaved with gross negligence.
The PSR has set out a summary of how it has amended the consumer standard of caution exception proposals outlined in its August 2023 consultation at page 9 of the policy statement, which it states should be read in conjunction with its Consumer standard of caution exception notice and associated Consumer standard of caution exception guidance. The amendments include:
In Chapter 5 of the policy statement, the PSR also flags the change of wording in relation to its previous proposal that consumers must have regard to tailored, specific warnings raised by their PSP before an APP is executed. In response to feedback, it has adjusted the wording to enable PSPs to consider whether or not the consumer had regard to an intervention or failed to do so with gross negligence. The PSR explains that the word ‘intervention’ makes clear that in addition to making consumers aware of the risk of proceeding with a payment, PSPs can be expected to pause and potentially reject a payment instruction where appropriate. However, it adds that where a PSP personally engages with a consumer to help assess the trustworthiness of a prospective payment, this does not mean the PSP is able to transfer responsibility for assessing transaction risk entirely onto the consumer. The PSR also comments that the updated wording provides a "choice of evidentiary burdens for PSPs to meet when making interventions, noting that consumers will understandably place less weight on a weak intervention than a strong one".
The PSR has confirmed that:
In framing the effect of the excess, the PSR points to UK Finance data showing that if a full excess is charged, then 32% of cases would receive no reimbursement but that these cases would represent less than 1% of the total value of APP fraud cases. The PSR has considered the decision on the value of an excess as one which is “finely balanced” and states that it is committed to reviewing the excess and the impact this has on the reporting of low value APP scams.
The PSR has also confirmed that, in line with its June 2023 policy statement, vulnerable customers will be exempt from any excess a sending PSP chooses to apply. However, the PSR states that this is not a blanket exemption: in determining whether a consumer falls under the vulnerability exemption, PSPs should carry out a case-by-case assessment to understand how the consumer’s vulnerability led to them being defrauded. The PSR expects PSPs to broaden their assessment of vulnerability to consider the financial impact of levying an excess on consumers with low financial resilience, and exempt consumers from the excess where its application will lead to financial stress. Firms should ensure that they are meeting the expectations of the FCA’s Guidance for firms on the fair treatment of vulnerable customers and the Consumer Duty when engaging with consumers to assess vulnerability.
The PSR has confirmed that the maximum mandatory reimbursement level, applicable to all in-scope consumers, will be set at £415,000 for each single APP scam case and:
The PSR considered that a level of £415,000 was appropriate, in part, as any lower limit would sit below the FOS’s current award limit for a single complaint of £415,000. Having a limit below this could prompt customers to complain to the FOS for the difference between the APP scam cap and the FOS’s limit and lead to uncertainty for consumers and PSPs.
The PSR also opines that firms can take a number of steps - including enhanced KYC checks, strengthened transaction-monitoring systems, and stopping or freezing payments that PSPs consider to be suspicious for further investigation - to limit their exposure to high value claims ahead of the start date. The PSR also suggests that the high limit will encourage PSPs to improve their fraud protections. Note also the on-going Pay.UK/UK Finance work on Enhanced Fraud Data (see 'Next steps' below).
The Bank of England has announced its intention that a comparable model to the PSR's Faster Payments rules on mandatory reimbursement should apply to CHAPS payments. The PSR has passed on relevant feedback from its August 2023 consultation on the excess and maximum reimbursement level for Faster Payments and CHAPS to the Bank to take into account when drafting the CHAPS scheme rules.
The PSR is considering giving a specific direction to CHAPS participants to support implementation of the comparable model for CHAPS (mirroring, where possible, the direction on Faster Payments PSPs). If it decides to do so, it expects to consult on the specific direction by the end of Q1 2024.
The PSR will set up a clarifications process in Q1 2024 to encourage a consistent approach to implementation across industry.
All indirect access providers (IAPs) must provide the PSR annually with a list of indirect PSPs to whom they provide access to Faster Payments, starting from 31 March 2024. By 30 April 2024, and monthly thereafter, all IAPs must also provide the PSR with an update containing any changes to the list. The PSR may, in guidance, specify the format and content of the list. If so, it will consult on this in early 2024.
As mentioned above, the PSR is considering giving a specific direction to CHAPS participants to support implementation of the comparable model for CHAPS. If so, it would plan to consult on the specific direction by the end of Q1 2024.
Pay.UK is required to create the reimbursement rules through amending the Faster Payment rules by 7 June 2024. It must also provide proposals for an effective compliance monitoring regime for all requirements across all directed PSPs (including indirect participants) to the PSR by 5 April 2024, with the final regime to be published by 7 June 2024. The compliance monitoring regime must then come into force alongside the reimbursement requirement on 7 October 2024. The PSR intends to consult on directing PSPs to comply with the regime and report data to Pay.UK. It will consult on this direction once Pay.UK has drafted its compliance monitoring proposals. It anticipates this will be in spring 2024.
Also in spring 2024, the PSR will consult on its approach to evaluating the effectiveness of the new mandatory reimbursement policy.
The PSR will monitor the incidence and impact of high value APP scams over the next ten months before the start date and may consult on revising the maximum mandatory reimbursement level of £415,000 ahead of October if there is convincing evidence to do so.
The new mandatory reimbursement requirement for victims of APP scams will come into force on 7 October 2024. The PSR recognises that the timescale “will still be a challenging target for some PSPs, but the protection of APP scams victims must be prioritised.”
As there are factors limiting Pay.UK’s ability to monitor and enforce compliance with the reimbursement rules and the PSR is also responsible for ensuring compliance with its own directions, it will support Pay.UK in enforcing the reimbursement policy. The PSR will also be responsible for enforcing compliance of directed indirect PSPs, as Pay.UK’s enforcement remit currently only extends to direct PSPs.
HM Treasury has committed to supporting PSPs' fraud prevention efforts by amending the Payment Services Regulations 2017 to allow PSPs to delay the processing of a payment when there is a reasonable suspicion that the payment is fraudulent. The draft legislation was expected by the end of 2023 but is still awaited.
Balanced scorecard of APP scam data: The PSR will collect the 2023 cycle of APP scam data in February 2024 and publish it in July 2024.
Confirmation of Payee (CoP): In October 2022 the PSR directed about 400 PSPs to implement a system to offer CoP to their customers. The PSR's October 2022 direction required Group 1 PSPs to implement a CoP system by 31 October 2023. Almost all Group 1 PSPs complied by their deadline and the PSR is working with delayed parties to ensure they implement CoP as soon as possible. Group 2 firms are required to comply by 31 October 2024. These firms should already be preparing to onboard.
Enhanced Fraud Data (EFD): The PSR has tasked industry with developing a data- and intelligence-sharing tool to facilitate improved risk detection and fraud prevention, eg by stopping or delaying high-risk payments. Pay.UK, with the support of UK Finance, is now taking forward a project to deliver EFD. Pay.UK has consulted on the first iteration of data standards to support this information sharing and is working towards building an application programming interface (API) solution through which standardised customer data will be sent. The PSR expects PSPs to start implementing aspects of the system as soon as possible. The PSR is monitoring progress and considering whether it needs to take further action, including using its statutory powers to require implementation.
Scam origination: The PSR will work with industry to consider how it can collect data showing where APP scams originate. It makes the point that publication of this data can raise awareness of the platforms, such as social media and telecoms firms, at the highest risk of being targeted by fraudsters.
If you would like to discuss any aspect of the new reimbursement requirement or the PSR's wider approach to tackling APP scams, please get in touch with one of the people listed above or your usual Hogan Lovells contact.
Authored byRoger Tym and Virginia Montgomery.