In Today’s Fraud Environment, You Can’t Say Scams without Saying Liability Shift; the Ongoing Story…

Chen Kirsch, Global Manager Consulting and Fraud Advisory & Ian Church, Principal Business Consultant, Enterprise Consultancy and Advisory Practice

In the recent blog “Payment Systems Regulator (PSR) Responds to Increasing APP Fraud with Mandatory Reimbursement Proposal for Fraud Victims”, we discussed the changes to regulation for fraud liability in the U.K. and diffusion of regulation to new countries. Financial institutions not only have to contend with the harsh realities of customer attrition following fraud events, but also navigate the treacherous regulatory waters of who will bear the ultimate liability. With regulatory bodies opining on the financial institution’s responsibility and position in the aftermath of a fraud, the stakes are high as the ramifications of their opinions can create a dangerous ripple effect for future cases. 

Around the globe, the shift of liability is firmly in the spotlight. Consumers continue to get scammed at an alarming rate, and consumer outcries are being heard by lawmakers and regulators. Watchful eyes are all over reimbursement policies.

In Greek government banking legislation, there are concrete discussions to amend the limitation of the payer’s liability for unauthorized payment operations, aiming to make the FIs liable for fraud losses in amounts above 1,000 Euros. But the regulator and banking sector are having a heated discussion on the scope of liability itself. Today, banks aren’t liable, but questions were raised about whether the amendment should only cover Account Takeover (ATO) or be extended to cover Authorized Push Payment (APP) fraud.

Whatever the final form, the end result for the Greek banking sector is the same: increased liability for fraud losses. And with the growing trend of APP fraud worldwide, and particularly in the U.K., the question of who is ultimately responsible for fraud losses has a huge impact on revenue.

The growing threat of scams has been a cause for concern for both lawmakers and regulators globally. The issue has become so prevalent that many countries are now closely monitoring the actions of the U.K., which has been at the forefront of implementing policies and reimbursement practices to help consumers recover losses resulting from scams. These measures aim to provide a much-needed safety net for victims, and to prevent these types of crimes from happening in the first place. The U.K. is seen as a leader in this area and many countries are now following its lead in taking steps to better protect consumers from scams. The hope is that by collaborating and sharing best practices, the global fight against scams can be won, and consumers can be empowered to feel more secure in the digital world.

In the U.K., the Payment Systems Regulator (PSR) plans to implement a more comprehensive shift of liability to banks for APP fraud scam losses by the end of 2023. Consequently, the PSR is pressing for a shared bank liability scheme that requires sending and receiving banks to reimburse victims of APP fraud scams. However, a potentially precedent-setting legal case to be heard this month by the Supreme Court of the U.K. precedes those plans. The case involves a retail banking consumer and a large Tier 1 bank, and at the root of it is a central question:

What happens if a bank is subject to the Quincecare Duty where a customer authorizes a payment to a fraudster’s account, not realizing they are a victim of push payment fraud?

The Quincecare Duty, as described by the U.K.’s High Court of Justice, states that a bank owes an implied duty to exercise reasonable care and skill when executing customers’ instructions, and that this includes not executing payment instructions if there are reasonable grounds (although not necessarily proof) for believing they [the customers’ instructions] are an attempt to misappropriate funds.[1]

We suspect (and this is not legal opinion) that the forthcoming decision in this case might accelerate the APP fraud liability shift to banks well beyond the common practice of Contingent Reimbursement Model (CRM) in the U.K. today. If that happens, we predict it will drastically cut how much time banks will have to plan and manage for this significant fraud loss risk.

The crux of regulation and where liability will land falls into three categories: 

  1. Unauthorized and unintended: A consumer’s funds are fraudulently stolen without involvement or knowledge—Reimbursement required
  2. Authorized but fraudulently induced: Consumer is contacted by a party purporting to be a representative of a financial institution, and is convinced to send funds or manipulated into providing authentication credentials—Reimbursement in debate
  3. Authorized and intended: Consumer believes they are purchasing goods or services, never receives what was purchased, and only then realizes they were scammed—Reimbursement in debate in many jurisdictions
    1. In the U.K., this would be considered authorized push payment (APP) fraud and could be eligible for CRM

To avoid being caught in the crosshairs of financial and legal consequences, and to prevent a further decline in customer trust and loyalty, FIs must be vigilant in adhering to regulatory requirements and fortifying their adaptive fraud controls. It’s imperative that they stay ahead of the curve by staying informed on the ever-changing regulatory landscape and taking proactive steps to minimize the risks of fraud and protect the interests of their customers.

NICE Actimize will continue to track liability shift regulations worldwide, so check back for updates and predictions.

In light of shifting liability and regulatory changes, you might be strategizing on adding controls such as AI to mitigate risk and maintain compliance.

Contact us for guidance on building a new Target Operating Model that’s fit for the new fraud liability landscape.


[1] Stephenson Harwood: The Quincecare duty: what do banks need to know? (2021).
