PSR Consultation Paper ‘Authorised push payment scams: Requiring Reimbursement’ (CP22/4) Innovate Finance response
About Innovate Finance
Innovate Finance is the independent industry body that represents and advances the global FinTech community in the UK. Innovate Finance's mission is to accelerate the UK's leading role in the financial services sector by directly supporting the next generation of technology-led innovators.
The UK FinTech sector encompasses businesses from seed-stage start-ups to global financial institutions, illustrating the change that is occurring across the financial services industry. Since its inception following the Global Financial Crisis of 2008, FinTech has been synonymous with delivering transparency, innovation, and inclusivity to financial services. As well as creating new businesses and new jobs, it has fundamentally changed the way in which consumers and businesses are able to access finance.
Introduction and key points
Innovate Finance welcomes the opportunity to respond to the Payment Systems Regulator's ("PSR") Consultation Paper ("CP22/4") which sets out proposals that will require Payment Service Providers ("PSPs") to provide mandatory reimbursement to consumers who lose money to Authorised Push Payment ("APP") scams. Innovate Finance recognises that APP fraud presents a significant and growing challenge for the payments industry, and that it is important for consumers to be adequately protected in the face of increasingly sophisticated APP scams. Ultimately, consumer trust and safety are paramount if innovation and competition are to flourish in the payments sector.
Our members support the PSR’s intended aim of providing a fair level of protection to consumers who fall victim to APP scams, and they welcome the introduction of a consistent approach to consumer protection across the industry. However, by creating an unfunded and uncapped mandatory reimbursement obligation with an extremely high bar for exceptions, our members are concerned that the liability regime will lead to a number of unintended consequences that will be detrimental to consumers and PSPs. In particular, our members are extremely concerned about the potentially devastating impacts on the FinTech sector and the repercussions for innovation and competition in the payments market, as well as the international competitiveness of the UK.
The PSR’s mandatory reimbursement proposals are the first of their kind in the world. Hence, a careful, iterative roll-out is necessary in order to ensure the UK remains the most attractive place in the world to start and scale a FinTech business. A balance must be struck so that consumers are protected from losing life-changing sums of money while innovation in digital payments can continue to grow with appropriate incentives being applied to all participants in the digital economy in order to reduce fraud.
In reviewing the consultation paper and producing our response, we have consulted with a range of Innovate Finance members that provide payment services, including neobanks, and others who are indirectly impacted or may fall within the scope of this liability framework in the future.
Innovate Finance would be pleased to discuss this response in more detail with the PSR and/or facilitate discussions directly with our members.
Consultation Paper questions and responses
Question 1: Do you have views on the impact of our proposals on consumers?
We outline views on:
- Reimbursement levels and what more can be done to reduce the number of consumers falling victim to APP scams in the first place; and
- Impact on consumers’ user experience as a result of the PSR’s proposals.
Reimbursement levels and what more can be done to tackle APP fraud at source
The APP scam landscape is complex. Both the PSR and the Lending Standards Board (“LSB”) agree that there are eight types of APP scams, each with different characteristics, typologies and refund rates. Our members recognise the significant impact (not only financial) of these APP scams on victims. Our members are supportive of providing a fair level of protection for consumers who, notwithstanding reasonable steps to protect themselves, fall victim to APP scams, and they welcome the introduction of a consistent approach to consumer protection across the payments industry.
We expect that the liability model will lead to a material uptick in reimbursement levels (we unpack the ramifications of this for the FinTech sector in more detail, below). But the PSR’s liability framework has remediation rather than prevention at its core, as we argued in our response to CP21/10. So, APP fraud victims will in most cases receive reimbursement; however, our members do not consider that this will actually reduce the number of people falling victim to APP scams in the first place, and believe that an uncapped, near strict-liability regime is likely to increase APP fraud volumes by creating moral hazard and providing an incentive for first-party fraud.
Collectively, FinTechs and incumbents have invested billions in financial crime systems and strategies in order to tackle all types of fraud at source, but APP scammers are sophisticated and they are exploiting weaknesses outside of PSPs’ control to trick consumers. The FinTech and wider banking sector recognises that more can be done to enhance their financial crime controls, systems and strategies; however, in order to truly reduce the number of victims of APP scams, there needs to be a joined-up, public-private sector approach to tackling APP fraud at source. The recent report from the National Audit Office regarding the Government’s progress in combating fraud underlines the need for a joined-up, public-private sector approach to be developed at pace.
Our members urge the PSR to engage with counterparts in the Home Office, Financial Conduct Authority (“FCA”), law enforcement and industry to help shape a future fraud prevention strategy. Our members stand ready to support the PSR in any way they can.
Lastly, we wish to stress the essential role of the Online Safety Bill in the wider context of addressing APP fraud at source. The Bill is intended to introduce a world leading regulatory framework to hold tech and TelCo companies responsible for scams that originate via their platforms. There is no formal accountability or liability today for these firms in enabling fraud conducted over the payment systems. These platforms hold critical data that our members are unable to access to detect and prevent APP fraud at source. With this in mind, we are continuing our advocacy efforts to ensure the Bill is passed as soon as possible. To mitigate the financial impact of the PSR’s new liability regime, its implementation should be synchronised with the implementation of the critical controls and obligations created by the Online Safety Bill.
Impact on user experience as a result of the PSR’s proposals
This partially defeats the purpose of the Faster Payments Service (“FPS”) – widely regarded as a UK success story – which was introduced in 2008 to help enable mobile, internet, telephone and standing order payments to move quickly and securely with real-time transfers between UK bank accounts, 24 hours a day.
There is also a risk that the mandatory reimbursement proposals could incentivise some PSPs to apply increasingly stringent criteria when deciding whether or not to allow a customer, or a class of customers, to obtain payment services, thereby undermining financial inclusion for some consumers. This would be a patently unacceptable outcome, at odds with UK financial services regulators and the Government's efforts to boost financial inclusion.
Question 2: Do you have views on the impact of our proposals on PSPs?
Our members are extremely concerned that the introduction of an unfunded, uncapped liability regime could potentially have a devastating and disproportionate impact on prospective market entrants and existing start-up and scale-up firms in the payments ecosystem.
Below, we outline:
- Issues with the PSR’s cost-benefit analysis;
- The impacts that these proposals will have on our members and wider FinTech ecosystem in the UK; and
- An approach to implementation that the PSR may wish to consider, which we believe may go some way to avoid unintended consequences of the proposals for new market entrants and existing start-up and scale-up firms operating in the UK.
The PSR’s mandatory reimbursement proposals are the first of their kind in the world. With this in mind, the PSR’s cost-benefit analysis is not sufficiently robust in terms of assessing and articulating the impact of mandatory reimbursement proposals for start-up and scale-up PSPs which constitute the vast majority of PSP firms in the UK market. The CRM Code applies to only 10 PSPs, yet there are around 40 Faster Payments Indirect Access Providers and 1500 indirect access firms. Costs for all firms that are not already CRM Code subscribers extend well beyond new reimbursement burdens and will present a barrier to entry and significant revenue threat to the majority of small- and medium-sized PSPs.
Without providing specific figures or its methodology, the PSR notes that increased costs for PSPs are an intended impact of its proposals, and the PSR considers that the way in which PSPs can stem rising costs is by investing further in financial crime systems and controls.
We challenge this argument. No one disagrees with the principle that having robust and effective financial crime systems and controls should be a precondition for all actors operating within the UK payments sector, and we recognise more can and should be done to enhance financial crime systems, controls and strategies across the financial services sector. However, FinTechs and incumbents investing more time, money and other resources in their financial crime systems, controls and strategies will never address APP scams at source, which means PSPs are likely to see costs increase annually as a result.
The PSR’s own argument is undermined by the outcomes from its recent joint TechSprint with the FCA on APP scams. The TechSprint highlighted that PSPs cannot solve the issue at source or in isolation, and one of the most effective ways in which to tackle the fraud at source is to have real-time data sharing that leverages data from across the financial services, tech and TelCo sectors. This real-time data sharing framework, as well as an obligation on social media and tech firms to actively manage fraud risks, should be an important part of any public-private sector approach to tackling financial crime, which we call for as part of our response to Question 1.
Impacts for our members and wider UK FinTech ecosystem
FinTechs are a positive source of disruption within the payments sector, providing payment services to the underserved or unbanked and solving consumer problems like making it easier to split bills between friends and reducing the cost of spending using your debit card on holiday. Consumers up and down the country benefit from innovation and competition in the sector.
The ramifications of the PSR’s proposals for the FinTech ecosystem should not be underestimated: they pose a material barrier to entry and adversely impact existing start-ups' and scale-ups' ability to remain economically viable in the UK market.
- Costs associated with operational readiness for compliance with the new liability framework and estimated costs of mandatory reimbursement;
- Impact on edge cases that do not neatly fall within the liability framework; and
- Potential supervisory interventions as a result of slowing FPS payments or temporarily freezing consumer accounts to detect and investigate potential fraud.
Costs associated with operational readiness to ensure compliance with the new liability framework and estimated costs of mandatory reimbursement
To prepare for the implementation of the PSR’s proposals, our members must set aside funds for accruals, new collections and disbursement systems, new data monitoring and alert systems, investigations and dispute staff, and (for some of our members) likely increased capital requirements.
In our response to CP21/10, we noted that mandatory reimbursement costs alone are estimated to be the equivalent of wiping — at a minimum — a tenth of PSPs' revenue, according to data points drawn from our members and the wider FinTech ecosystem. If the PSR chooses to proceed with implementing its proposals without any upper threshold being introduced (please see our response to Question 9), firms will face uncapped liability costs. These costs will only rise exponentially in the event that the liability model is extended from FPS to the Clearing House Automated Payment System (“CHAPS”).
While incumbents may be able to absorb the costs associated with mandatory reimbursement, data reporting, and an uptick in Financial Ombudsman Service (“FOS”) cases, whether by cross-subsidisation or other means, they are a heavy burden on existing FinTechs and introduce real barriers to prospective market entrants.
Competition is raised as an issue at paragraph 1.22 of CP22/4, which cites respondent firms' concerns that mandatory reimbursement would be expensive to implement and operate as a barrier to entering the market. However, it is not addressed in the response from the PSR. We believe that the current proposals are likely to lead to a substantial withdrawal of PSP firms from the UK market.
Impact on edge cases that do not neatly fall within the liability framework
The UK is one of the world’s leaders in Open Banking — in January of this year, Open Banking passed the 5 million users mark with more than 7 million successful payments made last month. Innovation within the Open Banking space is a key focus for the Strategic Working Group (“SWG”), which provides the Joint Regulatory Oversight Committee (“JROC”) with constructive challenge as it supports the Open Banking Implementation Entity (“OBIE”) transition to a future entity focused on ‘Open Banking plus’.
Payment Initiation Services (“PIS”) are emerging as a competitive, cost-effective alternative to traditional card-based payments for consumers and businesses, and we have highlighted the benefits to SWG in our responses to the payments, data, and ecosystem sprints (see more below in response to Question 3).
The PSR’s proposed liability regime for FPS will likely increase costs (such as costs of managing disputes and FOS escalations) for sending and receiving banks. These costs will be passed on to merchants in the form of charges for receiving Faster Payments. This will make Open Banking an unattractive option for merchants because the costs to receive Faster Payments via Open Banking will be greater than the cost to receive card payments. Account Servicing Payment Service Providers (“ASPSPs”) may even consider introducing charges to consumers for sending or receiving Faster Payments (as is common practice in the EU), which would further disadvantage Open Banking payments.
In addition, the PSR’s liability model for FPS will likely exacerbate the problems in relation to de-risking and transaction limits in the Open Banking space. Based on our members’ experience, we know that firms offering Open Banking related products and services already struggle with incumbent banks arbitrarily limiting and blocking Open Banking payments. Our members are concerned that the new liability regime for FPS will lead to further limiting and blocking of Open Banking payments by banks and make Open Banking untenable as a payment option (removing a credible alternative to cards).
We recognise that supporting the development of Open Banking is a core part of the PSR’s five-year strategy, and we would urge the PSR to consider a phased and iterative roll-out of the liability scheme to PIS, or risk snuffing out emerging business models before the market can reach maturity.
Affording a longer lead time to PIS firms before they are brought within the scope of the liability framework will allow industry and the SWG to develop a suitable purchase protection scheme for these payments. Open Banking payments are inherently safe by design, so any proposals should be risk-based and create the correct incentives for all parties involved in the payments chain.
If we are to look at the counterfactual — i.e. the PSR does not regard PIS to be an edge case and it is brought within the scope of the FPS liability framework from the outset — then we predict that a number of businesses will exit the UK market, which will be to the detriment of consumers and businesses.
Supervisory interventions if firms slow FPS payments and/or temporarily freeze consumer accounts
There is a potential misalignment of expectations on the part of the PSR and FCA. Based on our members’ interactions with their FCA supervisors, they understand that there could be supervisory interventions if a PSP slows FPS payments or temporarily freezes certain consumer accounts in a bid to detect and investigate fraud.
We would urge the PSR and FCA to collaborate and share with industry what ‘good looks like’ in terms of PSPs’ interventions to detect and prevent fraud in this context.
Suggested approach to implementation that may avoid unintended consequences
A balance must be struck between protecting consumers from losing life-changing sums of money, incentivising innovation and competition in the payments sector, and introducing the right incentives on all participants in the digital economy to reduce fraud.
Our members recommend:
- An increase to the minimum threshold (from £100 to £250), so PSPs can focus on protecting consumers from losing life-changing sums of money.
- The introduction of an upper threshold cap of no less than £30,000, so that all consumer protection reimbursement for fraud is consistent across payment types. This would provide multiple benefits: it would resonate with consumers, it would be a proportionate regime for the vast majority of small- and medium-sized PSPs, and it would not provide an incentive for first-party fraud to be directed at the payment systems. However, the PSR should validate any caps with analysis based on existing CRM Code fraud reporting.
- The PSR should look to apply the FPS liability framework to edge cases such as PISPs in the medium- to long-term and not from the outset, so as to not inadvertently stifle innovation and emerging business models which are the focus of its own five-year strategy as well as the future entity overseeing ‘Open Banking plus’ in the UK.
- The timing of the entry into force of the PSR’s liability model should be aligned with the entry into force of the Online Safety Bill, which will introduce incentives on other players within the digital economy (social media and TelCo firms) to reduce fraud. The PSR should also consider staggering the roll out of its liability regime, focusing first on CMA9, then gradually rolling out across the sector.
- As mentioned in our response to CP21/10, the PSR should collaborate with industry to pilot the data reporting measures and robustly analyse the impacts before mandatory reimbursement requirements come into play. A pilot would provide the regulator and industry time to spot any adverse effects, and pause the data sharing (or consider alternative approaches, such as aggregated data sharing) to remediate the unintended consequences of placing this data in the public domain.
- The PSR should collaborate with relevant counterparts in the FCA, Home Office, law enforcement and other relevant bodies and industry to shape a joined-up, public-private sector approach to tackling fraud in the UK.
While beyond the scope of this paper and the PSR’s remit, we will be calling on the Government, as part of its post-Brexit review of legislation and regulation, to focus on payments. Specifically, we wish to see the removal of the ‘blocks’ in the Payment Services Regulations 2017 that hinder sending and receiving PSPs from stopping payments where they suspect APP (or other) fraud, and for authorised payments liability to be set out in legislation.
Question 3: Do you have views on the scope we propose for our requirements on reimbursement?
The current proposed liability model for Faster Payments poses a material threat to Payment Initiation Service Providers’ (“PISPs”) business models. We urge the PSR to consider an iterative roll out of the liability model — temporarily excluding PISPs from the scope of liability in the short-term — as this will afford the industry and regulators time to develop a tailored and sustainable purchase protection model, while allowing PIS to continue to grow and scale.
PIS deliver value in a number of ways for UK consumers and businesses — perhaps most importantly, PIS offers businesses, particularly small businesses, a competitive alternative to expensive card payments.
In order to compete with card payments, these providers must offer a reliable service to their merchants, who are relying on them to facilitate payments. The proposed liability model places a significant incentive in the system for account providers in the UK to introduce friction into the payment flow to protect their consumers and reduce the need for reimbursement for even low-value payments. This friction will likely take the form of additional ‘pop up’ warnings and/or verification steps for consumers when authenticating payments. This additional friction will undermine the user experience and success rates for payments initiated by PISPs. Further, it would also be at odds with the PSR’s objective of encouraging account-to-account retail payments.
There are many technical solutions for introducing purchase protection for PIS payments in an e-commerce environment in the event that goods/services are not provided or are not as described. There is currently ongoing work in the SWG, feeding into the JROC on Open Banking, to consider how best to create multilateral agreements like those present under the card schemes to govern consumer protections in the event that goods and services are not provided or are not as described.
Finally, we do not believe that it is necessary or proportionate to extend the liability regime to CHAPS. The consultation notes that less than 0.01% of APP fraud is conducted via Faster Payments. This low rate is expected to drop substantially as consumer payments migrate from CHAPS to FPS in light of the FPS increase from £250,000 to £1,000,000. While CRM Code firms are liable today for APP fraud conducted through CHAPS, liability for a high-value payment would not be proportionate for the size and scale of most non-CRM Code firms.
Question 4. Do you have comments on our proposals:
- that there should be a consumer caution exception to mandatory reimbursement
- to use gross negligence as the consumer caution exception
- not to provide additional guidance on gross negligence?
There should be a consumer caution exception to mandatory reimbursement
We consider that a consumer caution exception to mandatory reimbursement should be included. We take the view that including this exception would mitigate the moral hazard of removing any risk to the consumer of proceeding with a potentially fraudulent transaction without taking any precautionary steps.
The consultation paper notes that TSB has not identified evidence of customers exercising less care or caution as a result of its fraud refund guarantee. However, the PSR accepts that it has limited evidence, so no conclusions can be drawn about how the reimbursement policy has changed consumer attitudes to risk. Hence, the PSR is right to conclude that the risk that consumers may exercise less caution if they know that they may be refunded cannot be ruled out.
"Consumer caution" is not clearly defined in the consultation paper; it merely states that a consumer must exhibit "gross negligence" (paragraph 4.23), which will be set at a "high bar, higher than in the CRM Code".
We call on the PSR to set the standard for "consumer caution" at the same level as that described in R2(1) of the CRM code. This is a standard that distributes responsibility fairly between the consumer and PSP, and ensures consistency for signatories to the Code and their customers. The CRM Code provides four circumstances in which a consumer does not have to be reimbursed which, taken together, should form the basis of the consumer caution exception. These situations are:
- The Customer ignored Effective Warnings, given by a Firm in compliance with SF1(2), by failing to take appropriate action in response to such an Effective Warning given in any of the following:
(i) when setting up a new payee;
(ii) when amending an existing payee; and/or
(iii) immediately before making the payment.
"Effective Warnings" must be (i) clear and understandable, (ii) delivered at an appropriate time (e.g. when setting up a new payee), (iii) risk-based and tailored to the type of fraud where possible, and (iv) enable the customer to understand the actions they need to take to address the risk. This ensures the customer is made properly aware of the situation, and so any decision to proceed is an informed one and it is fair for the customer to bear the risk.
What constitutes an Effective Warning should be set by reference to the proportion of customers who either do not proceed, or only proceed after making further checks, after receiving a message (or series of messages). This would mean that any series of warnings that a PSP can demonstrate leads to, for example, 99% of customers not proceeding with that transaction without making further checks would constitute an Effective Warning.
- The Customer did not take appropriate actions following a clear negative Confirmation of Payee result. R2(1)(b) can only be relied on where the Firm has fully complied with SF1(3) or SF2(2), and actions would, in the circumstances, have been effective in preventing the APP scam;
The Confirmation of Payee system must provide the customer with sufficient and adequately clear information, including what their options are, to enable them to make an informed decision as to whether to proceed. If a well-informed customer decides to proceed, it is fair for them to bear the risk of their decision.
- In all the circumstances at the time of the payment, in particular the characteristics of the Customer and the complexity and sophistication of the APP scam, the Customer made the payment without a reasonable basis for believing that:
(i) the payee was the person the Customer was expecting to pay;
(ii) the payment was for genuine goods or services; and/or
(iii) the person or business with whom they transacted was legitimate.
This sets out the moral hazard issue that PSPs are concerned about. Where a customer does have reason to think that they are sending their money to the intended recipient, they should bear the risk of their actions. Having a higher bar would require PSPs to reimburse customers who had acted in an unreasonable manner, which is an unfair distribution of risk as customers will have no incentive to take reasonable care. Not only would this give PSPs an unfairly high level of exposure, but it would likely increase the number of instances of fraud.
- Where the Customer is a Micro-enterprise or Charity, it did not follow its own internal procedures for approval of payments, and those procedures would have been effective in preventing the APP scam.
Where procedures have not been followed, the risk should fall on those who deviated from the process unless they were unable to follow the process, despite making all reasonable efforts to do so.
In addition to the four exemptions listed above, there should also be two further exemptions:
- The first is an exemption when the customer has been the victim of multiple similar scams and has received education from the PSP. In such a case, the customer has been given multiple warnings and received a detailed explanation of the nature of the APP scam they are falling victim to, meaning that unless they have characteristics of vulnerability, they are exhibiting “gross negligence”.
- The second is an exemption where the customer has lied during their risk-assessment process. A customer who lies is clearly not exhibiting caution as they are attempting to hide their level of risk. As a result, the PSP, through no fault of its own, could not tailor the risk warnings to the level the customer required.
Using gross negligence as the consumer caution exception
As explained above, we recommend that the CRM code standard set out at R2(1) be used as the consumer caution exception. Should gross negligence be a higher standard than this, it should not be used, for the reasons set out above.
Additional guidance on gross negligence
Our members are concerned that the lack of additional guidance on “gross negligence” presents a significant problem for both PSPs and customers. The current guidance is extremely vague. It has been described by the FCA as "a very significant degree of carelessness" and by the FOS as "more than just being careless or negligent" and "an ever-changing state of play". Failing to provide further guidance would be detrimental to all parties concerned — customers and PSPs would be uncertain of where they stand, likely leading to hopeless claims being pursued and good claims not being made. Further, having to go through the courts or FOS imposes time and financial costs on the contesting parties to achieve a ruling that provides the same information as that which the FOS could provide when the liability framework comes into force. We consider that publishing further guidance would avoid these unnecessary negative consequences.
We take the view that more guidance from the regulators would promote certainty and consistency amongst firms. We do not consider that a full definition of gross negligence is required from the regulator, but a list of situations in which a customer should be classified as being grossly negligent would make the position much clearer for consumers and firms, whilst allowing the regulators to retain the flexibility to adapt their approach to developments in this space.
Question 5. Do you have comments on our proposal to require reimbursement of vulnerable consumers even if they acted with gross negligence?
More clarity is needed over what constitutes a “vulnerable customer” (see Question 6), and what constitutes “gross negligence” (see Question 4) to answer this definitively.
Should these terms have acceptable definitions and adequate carve outs, we would consider a requirement to reimburse vulnerable customers who acted with gross negligence to be unacceptable.
Question 6. Do you have comments on our proposal to use the FCA’s definition of vulnerable customer?
We recommend that the PSR applies the APP fraud specific definition of vulnerability provided by the CRM Code, noting that this does not invalidate the spirit of the wider FCA definition. Alternatively, we urge the PSR to acknowledge that the industry may follow the higher standard CRM Code definition by way of market practice.
The FCA defines vulnerable customers as those who “due to their personal circumstances” are “especially susceptible to harm”. This is a useful guiding principle for firms’ activities as a whole, which is the aim of the definition in the first place. However, this definition creates a one-dimensional, blanket tag that a customer is vulnerable due to their general characteristics rather than how those characteristics interact with the situation at hand. In the context of APP scams, this risks harming both consumers and firms.
By contrast, the definition used by the CRM Code is clearer to our members because it emphasises the circumstances of a potentially vulnerable customer “at the time of becoming victim of an APP scam” and “against that particular APP scam, to the extent of the impact they suffered”. Our members consider that this definition allows for more flexibility in the identification of vulnerable consumers because it implies a case-by-case analysis. It also allows room for customers to be considered vulnerable in some, but perhaps not all, situations.
Innovate Finance agrees that the FCA standard should continue to apply to the industry as a whole, but in the specific case of APP fraud, our members’ experience has led to the opinion that a more specific definition (as used by the CRM Code) is preferable. Our members consider that it will give customers with vulnerable characteristics an increased capacity for self-determination, and ultimately respect and equal opportunity. As the FCA acknowledges in its Guidance for firms on the fair treatment of vulnerable customers, consumers may not want the label ‘vulnerable’ applied to them.
While the FCA refers to customers as being vulnerable throughout the Guidance, it also suggests that firms not use this label in their interactions with consumers. In the context of this consultation, Innovate Finance considers that simply applying the FCA’s general definition of vulnerability will create archetypes of vulnerable customers, taking away customers’ ability to define themselves, as well as firms’ ability to accurately analyse each case of APP fraud.
We further consider that the CRM Code definition encompasses the wider FCA definition, but because it is crafted with APP scams in mind, it allows firms to gather more accurate data in relation to specific characteristics of vulnerability in the APP context. In the long term, this will help create a wider data pool for the FCA definition of vulnerability, while enabling firms to respond to APP scams more accurately.
Question 7. Do you have comments on our proposals that:
- sending PSPs should be allowed to apply a modest fixed ‘excess’ to reimbursement
- any ‘excess’ should be set at no more than £35
- PSPs should be able to exempt vulnerable consumers from any ‘excess’ they apply?
We support the proposal to allow sending PSPs to apply a fixed ‘excess’ to reimbursement. We also welcome the proposal to allow PSPs the discretion to exempt vulnerable consumers from the ‘excess’ they apply. Nonetheless, in the context of APP fraud we do not consider that £35 is a meaningful amount.
From a consumer perspective, £35 is a modest amount that is unlikely to persuade consumers to more carefully consider the payments they initiate. In particular, where the payment exceeds a nominal sum, consumers may see a maximum deduction of £35 as an expendable risk. We believe that an ‘excess’ has the potential to deter customers from initiating certain suspicious transactions, but only where the total amount of the ‘excess’ will be noticeable. We note that customers are used to paying excesses that are proportional to the amount claimed. For example, we are aware that the excess for building insurance cover will generally be higher for high value properties than for low value ones. If the ‘excess’ is also meant to reflect the cost that PSPs undertake in retrieving refunds for consumers, £35 insufficiently covers those costs.
There is currently no industry standard in relation to when and to what extent the £35 deduction in Regulation 77 of the Payment Services Regulations 2017 (“PSRs 2017”) is applied. This is largely left up to market practice, yet no significant market practice has developed, and we are concerned that a similar confusion and added level of complexity would occur in the case of APP fraud.
Consequently, we urge the PSR not to mandate an upper limit for this ‘excess’ and allow the industry to set a standard.
Question 8. Do you have comments on our proposal that:
- sending PSPs should be allowed to set a minimum claim threshold
- any threshold should be set at no more than £100
- PSPs should be able to exempt vulnerable customers from any threshold they set?
Innovate Finance supports the proposal to allow sending PSPs to set a minimum claim threshold. We also welcome the proposal to allow PSPs the discretion to exempt vulnerable consumers from this minimum claim threshold.
With regard to the minimum threshold being set at no more than £100, we echo our response to Question 7 above. Data points drawn from our membership base and the wider FinTech ecosystem have highlighted that APP scams tend to amount to at least £250. In this context, a £100 threshold is not sufficiently impactful, and we would urge the PSR to consider an uplift of the minimum claim threshold to £250. We would also recommend that this minimum claim threshold amount is reviewed at least every two years in line with inflation and data points from the payments industry on the average APP fraud claim value.
The introduction of an impactful minimum claim threshold is absolutely crucial if the PSR is not minded to introduce a customer caution exemption. The role of customer caution differs across all scam types, and our members acknowledge that customer caution will not necessarily play a role in sophisticated scams involving complex social engineering. However, based on our members’ experience, a large proportion of APP fraud relates to low-value purchase scams, the vast majority of which originates and is driven from social media. On the whole, these are edge cases when considering what the CRM code was set up to detect, prevent and protect consumers from. The role of the customer in low-value purchase scams is key; therefore, a clear incentive placed upon consumers to reasonably assess the veracity of the peer or business they are paying is helpful in the prevention of this type of scam. If the PSR does not intend to create a customer caution exemption, the de minimis threshold must be significantly robust to promote caution in these scenarios.
Question 9. Do you have comments on our proposal not to have a maximum threshold?
We call for the introduction of a maximum threshold — without this, our members potentially face unlimited liability. Our members have suggested the upper threshold should be no less than £30,000.
Unlimited levels of liability pose a significant risk to early-stage, venture capital-funded and pre-profit businesses that do not have the financial resilience to reimburse significant sums, resulting in a significant barrier to entry, the withdrawal of many PSPs from the UK market, and in other cases immediate insolvency that would have ramifications through the payments ecosystem. We believe that an unfunded and uncapped liability scheme is an unrealistic and unreasonable burden for the majority of PSP market participants.
The lack of certainty will also mean firms struggle to calculate and disclose their contingent liabilities as required under UK and international accounting standards. We anticipate that this will pose difficulties for start-up FinTechs wishing to raise capital and go through funding rounds with private investors, as well as scale-up FinTechs who may be considering an Initial Public Offering. Additionally, for new and existing challenger banks, this is also likely to result in additional Pillar 2 capital requirements.
Question 10. Do you have comments on our proposals that:
• sending PSPs should be allowed to set a time-limit for claims for mandatory reimbursement
• any time-limit should be set at no less than 13 months?
Sending PSPs should be allowed to set a time-limit for claims for mandatory reimbursement
We agree that sending PSPs should be allowed to set a time-limit for mandatory reimbursement. Time-limiting claims allows PSPs to operate with greater levels of financial certainty.
Time limits should be set at no less than 13 months
Our members are supportive of a 13-month time limit. We would urge the PSR to make it clear that there should be no retrospective application of the time limit, i.e. claims for reimbursement can only be made from any date on or after the PSR’s liability model enters into effect.
Our members consider a 13-month time limit strikes the correct balance between offering appropriate protection for consumers (recognising that some APP scam typologies such as investment and romance scams may take place over an extended period of time) and providing PSPs with certainty.
Question 11. Do you have comments on our proposals that:
• the sending PSP is responsible for reimbursing the consumer
• reimbursement should be as soon as possible, and no later than 48 hours after a claim is made, unless the PSP can evidence suspicions of first-party fraud or gross negligence?
Innovate Finance agrees with structuring reimbursement in this way.
However, our members are concerned that 48 hours is insufficient time to make preliminary investigations into whether there has been first-party fraud or gross negligence. The need for investigation into the possibility of fraud or gross negligence is acknowledged in the exemption to the 48-hour time limit. However, we consider that the exemption is rendered largely ineffective by the short window within which to conduct such investigations. As such, the proposed time limit would mean PSPs are faced with a choice between not conducting robust investigations, meaning instances of first-party fraud could go undetected, or breaching the 48-hour time limit.
The 48-hour threshold appears to be proposed because it brings APP reimbursement in line with the timeframe used for unauthorised payments. However, given the time required for adequate investigation, usually involving requests for information with third parties and other external processes and discovery requirements, we consider that it makes more sense to bring the PSRs 2017 in line with the CRM Code. Under R3(1), firms should decide whether to reimburse a customer within 15 business days of the APP scam being reported. Additionally, DISP 1.6.2AR gives respondents to EMD and PSD complaints 15 business days to send a final response.
Consequently, we recommend that PSPs are given at least 15 business days to make preliminary investigations before deciding whether there is sufficient evidence to extend the time for investigation further — our members’ experience indicates that a full investigation takes 30 to 35 days, on average.
This would give practical effect to paragraph 1.18 and prevent fraud being perpetrated against PSPs by enabling them to investigate reimbursement claims before paying out.
Further, the industry would also welcome guidance from the PSR as to the approach to be taken where individuals refuse to cooperate as part of a PSP’s investigation.
Question 12. What standard of evidence for gross negligence or first-party fraud would be sufficient to enable a PSP to take more time to investigate, and how long should the PSP have to investigate in those circumstances?
Appropriate standard for gross negligence or first-party fraud
The appropriate standard for gross negligence or first-party fraud will depend on the length of time afforded to PSPs to conduct preliminary investigations before being required to reimburse customers. If PSPs are afforded more time to conduct the initial investigation, then a higher standard could be applied.
This further underlines why the 48-hour timeframe for reimbursement is not appropriate. Increasing it would benefit all parties because PSPs would be able to conduct more thorough investigations, meaning there would be more certainty that fraud is not being perpetrated. And many customers will receive their reimbursement sooner because their claims will not reach the higher evidence threshold, meaning they receive their reimbursement after the initial period, rather than after a full 35-day investigation.
How long should the PSP have to investigate?
Innovate Finance is of the view that where evidence of gross negligence or first-party fraud is found, the whole process from the receipt of the APP scam claim through to the PSP’s final decision should be 35 days (in line with the CRM Code). Therefore, we call on the PSR to set the time for investigation at 35 days minus the time allowed for a preliminary investigation.
This would still be a fast resolution process. Under DISP 1.6.7, firms have eight weeks to address complaints, and the PSR has 20 working days to review complaints made against it.
Question 13. Do you have comments on our proposal for a 50:50 default allocation of reimbursement costs between sending and receiving PSPs?
Our members understand why the PSR proposed a 50:50 default allocation of reimbursement costs as an initial starting point, but we would urge the PSR to better tailor the allocation of liability and reimbursement costs (please see our response to Question 14).
Question 14. Do you have views on our proposal that PSPs are able to choose to depart from the 50:50 default allocation by negotiation, mediation or dispute resolution based on a designated set of more tailored allocation criteria?
We outline views on:
- Proposed approaches to create more tailored allocation criteria; and
- Dispute resolution.
Tailored allocation criteria to support a departure from a 50:50 default allocation of reimbursement costs
After the entry into effect of the Online Safety Bill, which should place additional incentives on the tech platforms and TelCo sector to address fraud that originates via their sectors, our members are broadly supportive of an approach being developed and piloted that links liability to the effectiveness of an institution's anti-fraud performance.
Working with industry, a set of key performance indicators could be developed that evidences effectiveness of firms’ anti-fraud measures. This approach could be modelled on the approach taken to the revised Payment Services Directive (“PSD2”) transaction risk analysis thresholds for exemption. This could be one way to incentivise each institution to evolve its protections, which will be necessary as scammers react and evolve their attacks. If firms defeat XX% of attacks then their liability allocation could progressively fall to zero.
Alternatively, the PSR could look to leverage the data it is collecting as part of its Measure One proposals (publishing APP scam data). The PSR currently plans to make the largest 12 banks in the UK publish their APP scam rates every 6 months starting next year: this could be extended in time to cover all PSPs (much like the roll out of Confirmation of Payee). Based on the published scam data of all PSPs, the PSR could provide a risk score to each PSP on a 1 to 10 scale, based on the amount of APP scams seen as a percentage of total transaction volume. This score would then determine the default allocation between PSPs for the following 6 months, until the next reporting period.
If the PSR is not minded to explore these approaches, our members would reiterate that any tailored allocation criteria would have to be crystal clear and not be open to a high degree of interpretation (which would feed into issues surrounding dispute resolution).
Our members are aligned that — unlike incumbents — they could not afford a model of dispute resolution that is overly cumbersome and involves lengthy bilateral negotiation, mediation, or legal challenge in each and every case in order to secure a departure from the 50:50 default allocation.
Whichever model of dispute resolution is adopted, our members would welcome a process that is automated, so that the process is as cost and time efficient as possible in order to maintain a level playing field between FinTechs and incumbents.
Our members would urge the PSR to convene a technical working group made up of payments industry subject matter experts and legal and other alternative dispute resolution professionals to explore how to operationalise a suitable dispute resolution model that can be introduced in the medium term. We would urge the technical working group to consider the learnings from the FOS alternative dispute resolution regime and the Centre for Effective Dispute Resolution as it develops an appropriate model to apply in the context of FPS liability.
Question 15. Do you have views on how scheme rules could implement our proposed 50:50 default allocation to multi-generational scams?
Our members recognise the complexities inherent in multi-generation scams, which make it difficult for PSPs caught in this chain to detect and investigate cases of APP fraud. While recognising this is an imperfect solution, our members suggest that liability could fall on the last sending and receiving PSPs in the chain.
This leaves unanswered a number of questions and we suggest that the PSR may wish to convene technical working groups with industry subject matter experts to explore further the issues surrounding multi-generational scams. We would be happy to support the PSR as it explores cases that fall inside and outside the scope of the FPS, including transfers to crypto wallets, for example.
Question 16. Do you have comments on our proposal for a 50:50 default allocation of repatriated funds between sending and receiving PSPs?
Please see our response to Question 14. We would welcome the development and piloting of a more tailored approach to allocation of liability; this approach could also lend itself to allocation of repatriated funds.
Question 17. Do you have views on the scope we propose for rules on allocating the costs of mandatory reimbursement?
We have no objection to the proposed scope.
Question 18. Do you have views on our long-term vision, and our rationale for the PSO being the rule-setter responsible for mitigating fraud?
Our members do not agree that the payment system operator (“PSO”), in the long term, is the appropriate body to undertake the role of making, maintaining, refining, monitoring, and enforcing compliance with, comprehensive scheme rules that address fraud risks in the system.
As mentioned in response to Question 2, we will be calling for the government to undertake a review of payments legislation and regulation as part of its wider post-Brexit review of the UK’s statute and regulatory rule books. As part of this, we wish to see the liability framework for FPS be set out fully in legislation rather than scheme rules with clear roles for the FCA, PSR and Pay.UK.
The role of Pay.UK should not become quasi-regulatory in nature and monitoring and enforcing compliance should sit with the PSPs’ supervisory teams at the FCA.
If the PSR is minded to lean on Pay.UK in the short term, we would welcome early sight of a clear plan as to how Pay.UK will recruit and upskill staff to deal with these new responsibilities.
Question 19. Do you have comments on the minimum initial set of Faster Payments scheme rules needed to implement our mandatory reimbursement proposals?
Question 20. Do you have views on how we should exercise our powers under FSBRA to implement our requirements?
Question 21. Do you have views on how we propose that allocation criteria and dispute resolution arrangements are developed and implemented?
Please see our responses to Questions 14 and 16.
Question 22. Do you have comments on our preferred short-term implementation approach of requiring Pay.UK to implement an effective compliance monitoring regime, including a reporting requirement on PSPs?
Please see our response to Question 18.
Question 23. Do you have views on the costs and benefits of Pay.UK implementing a real-time compliance monitoring system and when it could be introduced?
Please see our response to Question 18. We consider that compliance and monitoring should sit with PSPs’ supervisory teams at the FCA.
Question 24. Do you have views on the best option for short-term enforcement arrangements?
Please see our response to Question 18.
Question 25. Do you have views on the best way to apply the rules on reimbursement to indirect participants?
With regard to indirect clearing firm liability, we consider that the legal obligation rests on each account owning payment services provider (ASPSP) firm. The PSR is proposing for clearing banks to take the liability for their clearing customers. If clearing banks are forced to take on credit risk for their indirect clearing customers, the clearing banks will be required to substantially increase their risk and credit requirements for indirect clearing, and this will lead to the loss of access to clearing for many PSPs, reducing competition and innovation in UK markets.
In turn, the reduction of PSPs eligible to meet clearing firm risk and credit requirements will have a disproportionate commercial impact on FinTech clearing banks and firms that compete against incumbent clearing firms. One of our members was the first new clearing bank in 250 years, after which four other new clearing banks have obtained access to Faster Payments. The PSR’s Access Report in paragraph 4.12 states that “The new-entrant Indirect Access Providers [IAPs] continued to take on many customers, including smaller PSPs and small money remitters, which historically had the most difficulty gaining access.” As such, new clearing firms service new and innovative PSP business and would likely sustain a higher loss of business than the four incumbent high street clearing banks.
Question 26. If it was necessary for us to give a direction, what are your views on whether we should direct indirect PSPs or IAPs?
In the case where the sending firm is acting as an Indirect Access Provider, the payment will be initiated by the Indirect PSP. In this case, the sending firm does not hold the bank/customer relationship and so cannot be held responsible for the Indirect PSP’s compliance with reimbursement of the Indirect PSP’s customer. We therefore recommend that the PSR issues a Special Direction to indirect PSPs and IAPs to clarify where the legal obligation rests.
Question 27. Do you have comments on our cost benefit analysis at Annex 2 or any additional evidence relevant to the analysis?
Please see our response to Question 2, which has comments on the cost-benefit analysis.
Question 28. Do you have any other comments on the proposals in this consultation?