The UK’s APP Fraud Reimbursement Policy Is Another Step Forward. Now It’s Up To Banks To Make It Work

  • Adam Gable, Senior Product Director at Temenos

  • 23.10.2024 12:30 pm
  • #APPFraud #UKPolicy

In the UK, authorised push payment (APP) fraud losses amounted to £459.7m in 2023. In reality, the cost is higher. Beyond the victim’s losses, there are the costs to the company in chargebacks, administration, mitigation, brand reputation and future sales.

The UK has been at the forefront of grappling with the challenges of push payment fraud. Regulators here introduced the ‘Contingent Reimbursement Model (CRM) Code’ in 2019, and the ‘Confirmation of Payee’ rules in 2020, both of which have been critical measures in preventing APP fraud.

Additionally (or consequently), the UK has been a hotbed of fintechs that specialise in powerful AI fraud mitigation products; and open banking initiatives that allow these to be easily integrated into payment flows.

And progress has been made. In 2023, the 10 UK banks processing the most push payments saw a significant decrease in the value of successful APP scams, down from £244 per million in 2022 to £183 per million. 

But that figure is still too high. 

Fortifying the defences

The UK is taking another step forward with the launch of the APP Fraud Reimbursement Policy. For the first time it mandates that banks and Payment Service Providers (PSPs) must refund payers (individuals and businesses) who are the victims of a payment scam. 

Overall this is a positive move. Until now, reimbursements have been largely at the discretion of the bank, which has created inconsistencies and confusion for the victims of APP fraud, right at a time when they need help the most. In 2023, the UK banks with the highest payment volumes only paid out in full on 80% of APP fraud cases. This represented only 64% of the monetary value of all losses. By inference, this can also place the burden of proof on the victim to fight their corner, adding to a customer’s anxiety.

Another positive of the new policy is the shift in liability for the loss from solely the payer’s PSP or bank to being shared with the receiving party in the transaction. This will encourage payment providers not only to monitor payments going out, but equally money coming in.

This need to collaborate on fraud between acquiring and issuing banks should lead to sector-wide improvements in fraud detection and management.

Pay UK, the body that will oversee implementation of the new policy, has also thought about the practicalities. A newly designed ‘Reimbursement Claims Management System’ will allow banks to easily report potential fraud. This centralised system should also provide nationwide data that can help the sector better understand (and so further mitigate) payment fraud, including the details of bad actors and their accounts.

Not the end of the journey

But there are also some concerns with the new policy.

It only covers payments made through the Faster Payments system, so it is by no means a whole-sector solution. Other APP methods - CHAPS, Bacs, and international payment schemes such as SEPA - are not covered.

Also, where a transaction involves a PISP (Payment Initiation Service Provider), the regulation only applies to those that access and hold funds from the payer. It does not cover PISPs whose involvement does not extend to a full PSP. This presents a possible weakness in the payment chain; and potentially a growing one as the extension of open banking fuels more PISP-enabled payments. 

Another area of concern is the refund limit of £85k, when Faster Payments allows for transactions up to £1m. In reality, that is probably not going to be an issue. The average payment value going through the Faster Payments system was £841.82 in July 2024. But that is because larger payments tend to go through CHAPS (which is not covered).

Someone’s missing

Perhaps one of the biggest flaws of the new policy is what has been left out. Banks and PSPs are only one element of a payments scam. They often originate online or on the phone. The UK Finance Annual Fraud report 2024 states that “in 2023 about 76% of APP fraud cases originated from online sources and another 16% from telecommunications”. So digital, social media, and telecommunications companies have just as much (if not more) to do to mitigate against payment fraud. 

The UK Online Fraud Charter, signed by 11 of the major tech and social media firms, was a start. And initiatives such as Meta’s Fraud Intelligence Reciprocal Exchange (FIRE) show what can be achieved when big tech and banks collaborate on this issue. 

But what’s really needed is a Parliamentary bill with legal clout, not simply a voluntary charter that can be wriggled out of, or a loose commitment to sharing data, a plan which has already come under fire. While the payments industry and regulators should be applauded for taking the lead with the new policy, it risks letting other parties off the hook.

Who’s to blame?

There is also a question of culpability. The policy states that banks and PSPs must reimburse victims within five days if they are found to be at fault. But ‘fault’ can be open to interpretation, and so is something a party may choose to contest. If only one party is liable, they must assume the full refund. If the customer is found to be also at fault, all three parties must share the cost. If no liability can be admitted or proved by any party, compensation is paid from a pooling fund to which all members contribute.

While claims that need to be investigated have an extension to 35 days for repayment, it is questionable if that gives enough time to collect and analyse all the evidence; or what happens if the ‘guilty’ party wishes to contest the outcome.

Without enough time to fully investigate a potential scam, the scheme is left open to malicious actors manipulating it for profit. It is also unclear about the actual mechanics of how a reported fraud will be investigated, and how (or if) banks and PSPs can reclaim refunds that have been incorrectly paid out.

While these concerns are worth considering further, the priority right now is for banks and PSPs to be ready for the policy. Many of the deadlines have already passed, or expire soon.

Tech readiness

In parallel, banks and PSPs need to ensure their payment fraud management software is fit for purpose; and that it remains so, because these new obligations are not going away.

So what should they be prioritising?

A renewed emphasis on Know Your Customer (KYC) and Anti-Money Laundering (AML) capabilities is critical for identifying money mules supporting fraudsters, scammers and other malicious actors. While many banks and PSPs will already have cutting-edge solutions for these, what increasingly matters is the mode of deployment. The objective must be to achieve a 360-degree view of customers across the financial institution, and to identify unusual behaviour and transaction patterns that indicate potential fraud. This speaks to a single platform, where KYC, AML and continuous Customer Risk Assessments (CRA) are not standalone products but natively integrated within an end-to-end, common architecture.

This logic can also be applied to deploying fraud detection tools. It is more efficient to infuse AI across a platform of solutions, rather than as an adjunct to them. Amongst other benefits, it enables automation in detection, decision-making, and data sharing. This gives banks both less to manage manually, and more control to configure fraud parameters and event triggers.

Explainability - the capacity for banks to understand the decisions taken by their AI - should also be a high priority. Explainable AI not only helps a bank to improve system decisions, but can also provide evidence that can be used in a reimbursement investigation. 

Generative AI should also be an important fraud defence. It can empower payment providers to extract intelligence from data using free text, and quickly catalogue information, such as financial crime alerts, emerging scams, or vulnerable cohorts. This exercise can be hugely worthwhile, but would take humans hours or longer to perform manually. Generative AI can also uncover performance insights, and identify the potential for productivity gains in the fraud management function.

The big prize

While not perfect, the UK’s new APP Fraud Reimbursement Policy marks a significant step forward in protecting victims of push fraud. It also signals to other nations’ banks and regulators how they can approach fraud, in order to make their markets more favourable for customers and businesses alike. 

But for the policy to have its desired impact, banks and PSPs will need to review, and probably strengthen, their fraud management software. While advanced AI-driven solutions are key to that, they must be seen in the context of the wider technology stack. The emphasis must be on deployment models that maximise automations and productivity; and solutions that can be implemented in the easiest and quickest way. 

The prize goes well beyond regulatory compliance. Banks and PSPs that grow their reputation for responsible payments can also grow their customer base, payment volumes, and ultimately their profits.