Payment Systems Regulator (PSR) Responds to Increasing APP Fraud with Mandatory Reimbursement Proposal for Fraud Victims

In the U.K. last year, authorised push payments (APP) fraud reached £583 million ($706 million), a 39% increase from 2020.^[1]

APP fraud represents the most significant fraud threat in Britain and accounted for more than half of the £1.3 billion in losses due to scams in 2021.^[2] The pandemic-prompted shift to online platforms is one of the main contributors to the surge in APP fraud. With a range of tactics that include investment scams, romance scams, malicious ads on social media, and purchase scams, APP fraud continues to inflict devastating consequences.

APP fraud has gained notoriety for the complexity of the social engineering schemes that are typically linked to these scams. Attacks often involve impersonation and emotional manipulation to deceive victims into making real-time payments to criminals. For example, a fraudster might target a victim on a dating app, then patiently win their victim’s trust until they’re eventually tricked into making a large bank transfer or peer-to-peer (P2P) payment.

Presently, only 46% of APP scam losses are compensated to victims, though this is likely a conservative estimate, as a significant number of cases are never reported due to the stigma associated with some of these scams.^[3]

Compared to 2020, remote banking payments processed through Faster Payments grew by 23% and reached 3.6 billion payments.^[4] As momentum towards faster and real-time payments continues to grow, payments fraud and the cost of fraud to FIs will become a  more challenging threat.

The Payment Systems Regulatory (PSR) has responded to the unparalleled surge of APP fraud with a proposal to combat payment scams and make victims whole with reimbursement from payment service providers (PSPs). Once it goes into force, this will be a monumental driver for radical change to the anti-fincrime and compliance landscape in the U.K., and we anticipate this to send regulatory shock wave felt on a global scale. If we take a historical view at the effect of the new mandates within the U.K., then it’s fairly reasonable to assume that these regulations will be globally adopted; traditionally the U.K. and E.U. have been innovators and early adopters in both payments modernisation and regulation.

When viewing the U.K., as a regulatory “testing ground,” it’s likely that we’ll see similar progress soon made outside of these regions. As a result of a recent supreme court ruling on a phishing (social engineering) case in Sweden, Swedish banks are examining their position regarding the impact of liability change and subsequent exposure to social engineering. In Australia, the federal government made a pledge to bring in industry codes to protect consumers against scams. This is a trend that we will continue to see as the shift of liability wave flows across the globe.

Key Takeaways of the New PSR Proposal

The PSR’s proposal intends to incentivise and align FIs and PSPs with their customers’ interests more tightly, by taking a more aggressive action to mitigate scams and ensure fraud victims get their funds back.

Though numerous financial institutions have been vigilant in amplifying customer education awareness programs and adopting analytics to identify suspicious behaviors, customer risk exposure persists. Right now, the overall degree of reimbursement under the Contingent Reimbursement Model (CRM) Code remains under 50%, with participation entirely voluntary. Compensation for victims of APP fraud thus far has been guided by individual banks, which is what the PSR aims to change. CRM was released in 2018 for public comment and placed in force a year later; if we use this as a benchmark, we’re looking at a complete shift of liability for APP fraud in late 2023 or early 2024.

The PSR’s new proposal focuses on acutely limiting the ability for fraudsters and scammers to operate within the U.K. banking system. Per the PSR, key takeaways of the new proposal include:

• To prevent APP scams by recognising potentially fraudulent payments before they’re sent and ensure fraudsters don’t receive any payments in U.K. bank accounts.
• Mandatory reimbursement unless the customer is complicit or grossly negligent.
• PSPs will be required to reimburse victims of APP scams, and victims must be reimbursed quickly (within 48 hours) by the sending PSP.
• Reimbursement claims must be submitted within 13 months and may have a minimum threshold of up to £100.
• The costs of reimbursement will be equally allocated between the sending and receiving PSPs.
• PSPs cannot restrict payment services to those customers perceived as being more vulnerable to APP fraud. 

We expect all banks will be impacted by the changes to some extent, hitting hardest those institutions with problematic onboarding that might have more mules than their population share. Mule account detection using new account fraud and early account monitoring solutions powered by advanced analytics will be essential to keeping out the bad actors.

Many FIs request that NICE Actimize help them understand their exposure to scenarios where they would be liable to APP fraud, as well as mule detection capabilities to mitigate their exposure to additional fraud loss and reputational damage.

Build a Proactive Response to the Forthcoming PSR Mandate

As far as the new PSR mandate goes, PSPs have a very brief window to respond to the new regulatory requirements. The new rule will be introduced following parliament’s expansion of PSR’s powers, which is likely to occur in early 2023. Implementation is expected no later than 2024. 

PSPs must prepare themselves and improve their approach to enterprise fraud management (EFM) to secure payment channels without sacrificing customer experience. 

 Financial institutions need to:

• Have an overarching, holistic view of the customer across all channels and payment types
• Bring in more high-quality data to improve decision making
• Layer in real-time device identification and profiling, including inbound payment profiling
• Add behavioural analytics to identify abnormal behaviours and activity
• Monitor all customer related events via more accurate models
• Execute customer education program campaigns about social engineering and phishing schemes
• Improve fraud analyst efficiency with smarter automation and faster, more accurate decisioning
• Reduce customer friction by leveraging a risk-based approach based on risk levels, enabled by data and analytics
• Participate in industry-wide fraud reduction initiatives such as the proven Confirmation Of Payee (COP) in the U.K. 

True Story of Layered Fraud Prevention in Action

A recent case study involving a top 40 European financial institution with a retail and commercial focus illustrates how NICE Actimize helps organizations fight complex fraud typologies and sophisticated social engineering scams, like APP fraud.

Despite cutting-edge point solutions, social engineering scam tactics were evolving so rapidly that the organisation was struggling to fight back. Workloads and operational pressures were unrelenting.

To address this challenge, a robust combination of machine learning, artificial intelligence, and data intelligence was deployed. This enabled the financial institution to take advantage of a contextual, 360° view of customer risk to:

• Identify customers at potential risk of scams and intercede early.
• Address increases in money mules who open accounts and provide access to fraudsters.
• Reduce false positive rates with transaction-intensive modeling, like mobile device and web intelligence.
• Use machine learning models trained to identify specific social engineering scams.
• Develop purpose-built machine learning models to address diverse fraud typologies. 

As the already high-pressure regulatory environment heats up under the new PSR mandate, financial institutions must act quickly to strengthen their fraud controls and accelerate adoption of intelligent end-to-end fraud prevention solutions.

NICE Actimize partners with financial institutions to protect them and their customers from sophisticated APP fraud mechanisms. Find out more.

^[1] U.K. Finance. (2022, August) Annual fraud report 2022: the definitive overview of payment industry fraud in 2021. www.ukfinance.org.uk https://www.ukfinance.org.uk/policy-and-guidance/reports-and-publications/annual-fraud-report-2022

^[2] PYMNTS. (2022, July 5). UK Banks Held to Higher Standards as APP Fraud Skyrockets. www.pymnts.com https://www.pymnts.com/news/security-and-risk/2022/uk-banks-held-to-higher-standards-as-app-fraud-skyrockets/

^[3] Payment Systems Regulator. (2022, September). Authorised push payment (APP) scams: requiring reimbursement.

^[4] U.K. Finance. (2022, August). UK payments market summary 2022. www.ukfinance.org.uk https://www.ukfinance.org.uk/system/files/2022-08/UKF%20Payment%20Markets%20Summary%202022.pdf