The UK is grappling with the notoriously complex challenge of reducing Authorised Push Payment (APP) fraud, where a scammer tricks someone into sending a payment to an account outside of their control. These insidious scams drained £485.2 million from UK individuals and businesses during 2022 alone .

UK Finance’s Annual Fraud report for 2023 found that 78% of the 207,372 cases of APP fraud during 2022 were driven by the abuse of online platforms used by criminals to scam their victims.

The UK’s Payment Systems Regulator (PSR) has set out proposals which will require payment service providers (PSPs) to reimburse losses sustained by users as a result of APP fraud. Determining which cases are reimbursed has become a core point of discussion in the current consultation process, with the specific requirements for exceptions to reimbursement yet to be made clear.

A call for clarification around the ‘vulnerable customer’ exception has been raised as a key concern to be addressed by the PSR.

In conversation with Finextra, Jenny Stainsby, partner and global head of the financial services regulatory practice at Herbert Smith Freehills, explained the mixed signals being given by the PSR in its recent guidance.

The PSR’s June 2023 Policy Statement on APP fraud outlines an exception to the proposed reimbursement model, where PSPs would not be required to reimburse customers who failed to exercise the ‘customer standard of caution’ for APP fraud claims. The detailed threshold or criteria for this standard has not yet been published, however, this phrasing is consistent with the regulatory principle that consumers should take responsibility for their decisions [FSMA 2000 3B(c)].

“I’m very interested to see how they [the PSR] are going to interpret this, as it remains unclearwhat the expectation of a customer in those circumstances ought to be. We’re waiting with bated breath for this guidance later in the year.”

Stainsby says that the PSR is expected to outline a standard of gross negligence, whereby, if the customer has not exercised this standard of caution, they will not be reimbursed.

The PSR’s July consultation on APP fraud states that an exception to the customer standard of caution will apply to vulnerable customers who fall victim to APP fraud. Frustratingly, the phrasing used to describe this exception is inconsistent with that used in the PSR’s previous June Policy Statement, and seems to imply that a blanket approach will be adopted for all vulnerable consumers.

The relevant provision in the PSR’s June Policy Statement reads:

“PSPs should evaluate each customer’s circumstances on a case-by-case basis to help determine the extent to which their characteristics of vulnerability, whether temporary or enduring, led them to be defrauded, and therefore whether they meet the definition of vulnerability […] This is not a blanket exception for all customers who exhibit any characteristics of vulnerability.”

The provision in the PSR’s July Consultation Paper reads:

“PSPs will not be required to reimburse any APP scam payments where the consumer standard of care exception applies, unless the victim was a vulnerable consumer at the time the reimbursable APP scam payments were made.”

Stainsby explains that the important nuance set out in the June paper has not been included in the PSR’s Consultation Paper, creating a level of inconsistency that should be a cause of great concern for the over 1,500 PSPs who will be impacted by the incoming rules.

While Stainsby notes that the exception to the exception will and should protect vulnerable consumers who should not be held to the same expectation under the consumer standard of care, the PSR’s proposals do not refer to the apparently intended correlation betweenthe characteristics of a vulnerable consumer and the fraud for the purposes of meeting the exception.

If, for instance, the PSR were to consider 48% of UK adults to be vulnerable or show characteristics of vulnerability (per the FCA’s 2020 Financial Lives Survey), this could mean that a very high proportion of account holders would be exempt from exercising the consumer standard of caution. Given the preliminary findings for the FCA's 2023 Financial Lives Survey due to be published this summer, it is very possible that this figure could be even greater than the 48% cited in 2020. PSPs would be responsible for reimbursing APP fraud instances for this very high number of customers.

When asked for a response to this inconsistency flagged between the two publications, a PSR representative provided the following comments:

“Our position on tackling APP fraud will mean more victims than ever before will be reimbursed; prompting more action across the payments ecosystem to prevent these frauds from happening in the first place.

“We are clear that any exceptions to reimbursement, including gross negligence, are a very high bar which we expect will apply in only a small minority of cases and never where the victim is a vulnerable customer. In line with the FCA’s definition of vulnerability, banks should determine whether a customer’s characteristics of vulnerability led to them to be defrauded.

“We are currently consulting on the proposed legal instruments to put our reimbursement requirements in place. We will carefully consider all feedback received before publishing the final legal instruments in December 2023.”

Raising broader concerns with the incoming reimbursement rules, Stainsby posits that the fact that banks and PSPs will be “on the hook” to reimburse cases of fraud is not necessarily fair, given that, according to the UK Finance report, 78% of APP fraud originates online and a further 18% originates in telecoms.

“The vast majority of this fraud is starting outside of financial institutions, yet, the position remains (and will be increased further by the PSR’s incoming requirements in 2024), that liability remains with the financial institution. I think that whole question of fairness is a very big issue and isn’t being addressed by the proposals that are in place. Why is this the responsibility solely sitting on financial institutions when there are other players that are also part of the ecosystem who ought to be part of this discussion.”

This position squares with another concern observed by Stainsby, around the UK Financial Ombudsman Service (FOS)’s recent report that its uphold rate for complaints customers of the 10 firms who are signatories to the Contingent Reimbursement Model (CRM) Code is higher than those from non-signatories.

“The figures showed that the Ombudsman was upholding more complaints against CRM signatories than it was against firms that hadn't signed up to the to the voluntary charter. I find that really worrying. Its reasoning was that the signatories had self-imposed a higher standard on themselves, which the Ombudsman was then using to penalise banks which had voluntarily opted-in.

“Those banks were effectively penalised for having put in place a process that was intended to be beneficial to their customers. This is worrying in the context of, this wider scheme, and firms should really engage with the Ombudsman to agree what those expectations are. Firms don’t want to be making decisions which the Ombudsman then reverses.”

Stainsby’s concerns are perhaps proven in the PSR’s response above, as while the comments do confirm that a vulnerable customer who is the victim of APP fraud will never be exempt from reimbursement, guidance which requires “banks to determine whether a customer’s characteristics of vulnerability led to them to be defrauded,” leaves the position far from clear for customers, firms and indeed the Ombudsman.

Last month, the Payments Association wrote to the UK government warning of the “unintended consequences” of new policies designed to reduce Authorised Push Payments (APP) fraud. While welcoming some aspects of the PSR’s new plan, the Payments Association, said that two policies have potential unintended consequences, such as an increase of fraud, the risk of increasing financial exclusion, and a higher level of payments friction.