PSR consultation (CP22/5) Measure One, Metric C process: revised approach Innovate Finance response
About Innovate Finance
Innovate Finance is the independent industry body that represents and advances the global FinTech community in the UK. Innovate Finance’s mission is to accelerate the UK's leading role in the ﬁnancial services sector by directly supporting the next generation of technology-led innovators.
The UK FinTech sector encompasses businesses from seed-stage start-ups to global ﬁnancial institutions, illustrating the change that is occurring across the ﬁnancial services industry. Since its inception in the era following the Global Financial Crisis of 2008, FinTech has been synonymous with delivering transparency, innovation and inclusivity to ﬁnancial services. As well as creating new businesses and new jobs, it has fundamentally changed the way in which consumers and businesses are able to access ﬁnance.
Innovate Finance welcomes the opportunity to respond to the PSR’s re-consultation on Measure One Metric C (CP22/5). At a high-level, we recommend that the PSR:
- Considers leveraging existing fraud reporting data to streamline the Metric C process;
- Conﬁrms and clariﬁes its approach to the ranking of ﬁrms in Metric C comparison ‘scorecards’ and avoids an ‘either/or’ approach to absolute value and rate of fraud, and considers an approach that ranks Payment Service Providers (PSPs) according to greatest proportion of mules-to-account ratio;
- Provides greater clarity in relation to the data validation process;
- Convenes a technical working group made up of payments industry subject matter experts and legal and other alternative dispute resolution professionals to explore how to operationalise a suitable dispute resolution model that can be introduced in the medium term, in the context of Authorised Push Payment (APP) fraud;
- Reconsiders the reporting period and ﬁrst publication date, with a view to aligning the timing with mandatory reimbursement; and
- Revisits its cost-beneﬁt analysis, which our members consider does not reﬂect the impacts for new market entrants and existing start-up and scale-up members, and the wider implications for competition, innovation and the international attractiveness of the UK as a place to start and scale a FinTech business.
At the end of our response, we also ﬂag up the challenges posed by the short ﬁve-week consultation period, which coincides with an extremely high volume of other regulatory consultation and discussion papers that are running concurrently.
We would be pleased to discuss our response in more detail with PSR colleagues and/or facilitate discussions with our members and the wider FinTech ecosystem.
1. Do you have any comments on the proposed new process for collecting Metric C data which we set out in Chapter 4?
The PSR should consider leveraging existing fraud reporting data to streamline the Metric C process
We note that the Payment Services Regulations 2017 (PSRs 2017) requires PSPs to report extensive fraud information to the FCA. Fraud reporting falls under SUP 16.13.7D with the full GABRIEL regulatory reporting form provided in Annex 27ED, supplemented by an SUP16 Annex 27F Note instructions page.
All PSPs, in their capacity as the payer’s PSP, must submit this fraud report every six months. The fraud reporting information required in the template is extensive, containing over 200 individual ﬁelds of various metrics relating to customer fraud incidents and losses.
The overlapping requirements are burdensome for small PSPs, and we would urge the PSR to consider how it could utilise data from the existing reporting framework under the PSRs 2017 in order to streamline the Metric C process.
The PSR must clarify and confirm its methodology for determining which PSPs are captured by Metric C comparisons, avoiding an ‘either/or’ approach to absolute value and rates of fraud
We note that the PSR's rationale for the publication of Metric C data is to aid customers' (a layperson audience) understanding of the performance of PSPs in tackling APP scams.
Our members are cognisant that there is a need to present the Metric C data in the most readily accessible and understandable form for consumers, recognising that varying levels of ﬁnancial literacy and characteristics of vulnerability within the UK's consumer population will result in some individuals ﬁnding it challenging to interrogate and draw appropriate conclusions and comparisons from the data.
In the absence of broader contextual explanations being provided to consumers alongside the Metric C data points, taking an 'either/or' approach and presenting only one data point per ﬁrm (an absolute value or rate of fraud) does not provide the basis for fair or accurate comparisons of PSPs' performance. Each approach will produce an equally misleading picture. Essentially, an either/or approach to absolute terms or rate of fraud in ranking ﬁrms would be prejudicial to either larger PSPs which are mainly incumbent banks, or smaller PSPs which are mostly FinTech ﬁrms.
With this in mind, we recommend that the PSR presents both the absolute values and the rate of fraud to the public, rather than take an either/or approach. In terms of ranking, our members recommend that the PSR takes a proportionate approach, where PSPs are then ranked
according to the greatest proportion of mules-to-account ratio. Doing so will ensure that rankings do not misleadingly penalise large PSPs or small PSPs without context because the data will illustrate which PSP is actually ‘riskier’ to send funds to and is more susceptible to mules. Our members believe that this approach might better fulﬁl the PSR’s aim to educate consumers about which PSP is succeeding to tackle and address APP scams.
Our members remain concerned about the 'cherry picking' and misrepresentation of data by the media and others. Therefore, we would welcome more information from the PSR about the tools (referenced at paragraph 4.39) that are being developed for use by comparison websites and media/journalists, amongst others. One unintended consequence of the publication of these metrics and any sensationalist media coverage may be that it knocks consumers' conﬁdence in FinTechs and the payments and banking sector as a whole.
Further, we would welcome more information about the learnings that the PSR has taken on board from any end-user testing of the Measure One disclosures (and any other ﬁnancial services consumer-facing disclosure regimes), particularly the ﬁndings in connection to consumers with characteristics of vulnerability.
Reﬂecting feedback from industry, we would urge the PSR to clarify and conﬁrm its approach and methodology for determining which PSPs are included in published Metric C comparisons. Given the materiality of this data to consumers, individual ﬁrms and the industry’s reputation, ‘ﬂexibility’ should not be an option. Instead, we recommend that this methodology should remain stable for a number of reporting cycles to guarantee consistency, minimise confusion and provide certainty to businesses and consumers over the medium term.
Data validation process
We recognise that the PSR has amended its original timelines and process for data validation between sending and receiving PSPs; however, we remain concerned that the approach to data validation does not take into account real-world practicalities and will have unintended consequences for small PSPs.
Given the need to mitigate reputational risk, FinTech receiving PSPs do not really have an ‘option’ as to whether or not to request from sending PSPs a breakdown of data and supporting evidence. As such, with the expected high volume and complexity of cases that receiving PSPs will be sent, our members disagree with the view that giving receiving PSPs one month (detailed at paragraph 4.28) to review the data provided by sending PSPs and to request a revision will allow suﬃcient time for receiving PSPs to analyse the data and collate the relevant evidence to support their request.
Our members would also welcome greater clarity from the PSR as to what and how evidence can realistically be shared between PSPs as part of this data validation process. Members have ﬂagged up data protection considerations, given that ﬁrms will likely be manually transferring customer data on a bilateral basis and not through, for example, a secure digital platform and API integration.
Our members would also welcome greater certainty about the evidential threshold and basis on which sending PSPs can choose to reject receiving PSPs request for revision of the data. Our members are concerned that the data validation system may become liable to abuse and ‘weaponised’ — i.e. where sending PSPs may only revise data if a receiving PSP commences a more formal dispute resolution process (e.g. legal action), which small PSPs could not aﬀord to pursue at scale.
Our members anticipate that there will be a signiﬁcant volume of disputes in the context of Measure One as well as Measure Three (see above for areas of tension that may result from the data validation process, for example).
Unlike incumbents, our members could not aﬀord a model of dispute resolution that is overly cumbersome and involves lengthy bilateral negotiation, mediation, or legal challenge in each and every case. As such, our members would urge the PSR to convene a technical working group made up of payments industry subject matter experts and legal and other alternative dispute resolution professionals to explore how to operationalise a suitable dispute resolution model that can be introduced in the medium term. We would urge the technical working group to consider the learnings from the FOS alternative dispute resolution regime and the Centre for Eﬀective Dispute Resolution as it develops an appropriate model to apply in the context of APP scams.
Reporting and publication of Metric C should align with mandatory reimbursement timelines
We would recommend that the PSR considers aligning the mandatory reimbursement and Metric C publication timelines, so that the regulator and consumers have a clearer understanding of the eﬀectiveness of mandatory reimbursement. Alternatively, if the PSR is not minded to synchronise the timelines, our members would request that the regulator drops the requirement to report on and publish H1 2022 data.
Our members wish to ﬂag up that the backdated reporting of 2022 APP scam data, in relation to receiving PSPs, was not expressly proposed in CP21/10. As such, this current re-consultation will be the ﬁrst awareness that nearly all receiving PSPs will have that backdated reporting is in scope. Our members consider that backdating data before mandatory reimbursement proposals take eﬀect seems patently unfair. Additionally, while nearly all Directed PSPs were already subject to reimbursement requirements under the Contingent Reimbursement Model (CRM) Code, nearly all receiving PSPs were not. Therefore, the data will have a bias against receiving PSPs (i.e. without this incentive, receiving PSPs are expected to appear to have an overall poorer performance than the Directed PSPs). APP scam data representing both Directed and receiving PSPs will show a level playing ﬁeld only when both are subject to mandatory reimbursement obligations.
Further, our members queried the utility of providing H1 2022 data, given how out of date this will be by the time it is published. This is not in a bid to bury bad news, in fact UK Finance1 reported that APP fraud fell by 17% from £305.1m in H1 2021 to £249.1m in H1 2022. At the same time, the amount of money returned to victims of APP fraud rose from £125.8m to
£140.1m in H1 2022 which represents an increase of 11%.
If the PSR is not minded to align the mandatory reimbursement obligation timelines with Metric C reporting, our members would strongly urge the PSR to consider amending the reporting requirements, so that PSPs report data from the period H2 2022 onwards. This would also reduce some of the burden on FinTechs that are expected, as proposals currently stand, to prepare two half year returns (H1 and H2 2022) in time for the ﬁrst publication date in October 2023.
Reporting relating to indirect PSPs
Our members note that step 7 in the PSR’s Metric C process includes an option for receiving PSPs who receive funds on behalf of indirect PSPs to voluntarily provide a breakdown of their results.
Our members are broadly supportive of the proposals as it will provide necessary transparency as to the PSPs that are responsible for managing APP fraud. However, members ﬂagged up that industry does not yet have a common approach or solution for identifying ﬁrms that operate under e.g. a clearing ﬁrm’s bank and sort code via the EISCD (extended industry sort code directory). Transparency in terms of the way ﬁrms approach the disaggregation process will therefore be important, and any guidance from the PSR would be welcome in this regard.
Indirect Access Providers also ﬂagged that transparency and data in relation to their indirect PSPs’ fraud rates is more important for PSR and FCA regulatory supervision and enforcement2 purposes than for public consumption.
Cost-benefit analysis does not accurately reflect the costs that will be borne by FinTechs
We strongly disagree with the PSR’s conclusion that costs for ﬁrms will now be reduced owing to the proposed modiﬁcations to the Metric C process.
Our FinTech members have ﬂagged that there are signiﬁcant costs associated with the Measure One reporting regime. This includes the need to secure additional headcount in FraudOps reporting and data validation teams as well as legal teams to manage the dispute resolution process. There are also currently unquantiﬁable costs associated with the reputational damage should the Measure One reporting outputs be misinterpreted or misrepresented by the media and consumers.
1 UK Finance, 2022 Half Year Fraud Update, 2022.
2 In that failing to manage APP and other forms of fraud is a breach of FCA SYSC (systems and controls) rules (amongst others).
The lack of certainty will also mean ﬁrms struggle to calculate and disclose their contingent liabilities as required under UK and international accounting standards. We anticipate that this will pose diﬃculties for start-up FinTechs wishing to raise capital and go through funding rounds with private investors, as well as scale-up FinTechs who may be considering an Initial Public Oﬀering.
Overall, the revised cost-beneﬁt is not robust and does not provide quantitative impacts of the proposals alongside a detailed methodology. The current assessment does not capture the impacts for new market entrants and existing start-up and scale-up members, and the wider implications for competition, innovation and the international attractiveness of the UK as a place to start and scale a FinTech business.
Challenges posed by the five-week consultation period
Our start-up and scale-up FinTech members have ﬂagged up the diﬃculty in responding to this consultation given the extremely short time period allocated.
The ﬁve-week consultation period cuts across Jewish and Christian religious holidays (problematic from a Diversity, Equity and Inclusion standpoint with many taking leave to observe the holidays) as well as the New Year period, so in practice ﬁve weeks is reduced to around two working weeks.
Moreover, the PSR’s consultation period coincides with an extremely high volume of other regulatory consultation and discussion papers that are running concurrently. This includes but is not limited to papers on the following topics: Basel 3.1 (CP16/22); Operational Resilience and critical third parties (DP3/22); the competition impacts of BigTech in retail ﬁnancial services (DP22/5); and Artiﬁcial Intelligence and Machine Learning (DP5/22).
We also note that the regulatory initiatives grid (due to have been published in November 2022)
— which was created with the intention to give industry a forward look of regulatory policy changes and assist with workload planning associated with regulatory change — will not be published until January 2023.
Many of our start-up and scale-up members’ public policy and regulatory aﬀairs teams are a ‘one-person band’ with limited capacity. So, there is a risk that the voice of the FinTech community is not represented in these important discussions referenced above. We would urge the PSR and other policy makers to give consideration to the design and timing of future consultations, so that they allow a diverse range of stakeholders to feedback views.