Push Payment Fraud: Update Spring 2018Print publication
On 7 November 2017, the Payment Systems Regulator (PSR) issued a consultation paper in relation to ‘authorised push payments’ , which considered how financial institutions deal with push payment fraud, as well as how customers are compensated once a fraud has taken place. (The paper referred to all ‘payment service providers’, who enable the transfer of funds using a payment system. On the basis that most individual and commercial customers will have a bank account, we will refer to ‘banks’ in this note. Our comments will apply generally, however, to all payment service providers.)
What are push payments?
Payments are described as ‘push payments’ when the payer obtains the payee’s account details and instructs their bank to send (or push) money to it. The opposite ‘pull payment’ is where the payer provides the payee with the relevant account details, and the payee is authorised to take (or pull) funds from the payer’s bank account.
A push payment fraud will therefore involve the fraudster somehow persuading the consumer to organise a transfer from the consumer’s account to the fraudster’s account. Examples could include:
- a fraudster who poses as a solicitor and asks the consumer to transfer deposit monies for a property transaction
- a fraudster who poses as a builder to receive a large cash transfer
- a fraudster who impersonates a consumer’s friend in order to persuade them to transfer a sum of money.
In most cases, the customer will notify the bank only after the payment has been made, by which time the fraudster will have made off with the funds by transferring them out of the offending bank account and possibly out of the country. These types of frauds are being increasingly reported in the mainstream press, as well as the financial services industry’s perceived inconsistent treatment of such frauds, with some banks admitting fault for allowing the fraud and reimbursing the victim; while others do not.
UK Finance have published data on this growing problem , citing that there were 19,370 cases in the first six months of 2017, with over £101.2 million being sent by customers (both individuals and business) who had been tricked into authorising a payment. Around 88 per cent of those payments were made by individuals, losing on average £3,000; with the remainder being made by businesses who lost on average £21,500 per case.
The figures indicate that almost a quarter of those losses (£25.2 million) were returned by financial providers, but there are now calls for changes to legislation and/or to the regulatory framework, so that banks are required to do more.
A ‘super-complaint’ was submitted by the consumer action group Which? to the PSR in September 2016 entitled ‘Consumer safeguards in the market for push payments’ . Which? argued that consumers do not receive sufficient protection from this type of fraud, compared to the protections in place for other types of fraud (for example credit card and direct debit frauds). Which? suggested that where such frauds have taken place, legislation or regulation should be changed so that:
- provided a customer had not been fraudulent or grossly negligent, the customer is reimbursed by the bank (even where no fault is attributed to the bank)
- the consumer is only protected in circumstances where the bank has been adjudged to have fallen short in some way, for example in cases where the bank has not put in place proper arrangements for managing the risks associated with fraudulent payees.
On 28 February 2018 the PSR announced the outcome of its consultation, confirming that it will proceed with plans to better protect victims of push payment scams.
The PSR believes that banks have a role to play in preventing such scams, and that having no responsibility to reimburse customers provides weak incentive for banks to take responsibility for doing so. The PSR will therefore implement a scheme that makes reimbursement contingent on the actions of the banks both sending and receiving the funds when a push payment scam occurs.
As from March 2018, the PSR has established a dedicated steering group, comprised of industry and consumer representatives, to ensure that the contingent scheme is designed in the best way to minimise fraud and to protect victims. In addition, as from September this year, a new industry code will also be implemented, which the Financial Ombudsman Service (FOS) can take into account when determining customer complaints about push payment fraud.
The PSR has confirmed that the steering group must have regard to simplicity, transparency and the cost, benefits and impact of the contingent scheme, and that the scheme must be underpinned by the following core principles:
- Incentives for those with the ability to effectively prevent push payment scams and reduce their impact.
- Consistency of outcomes for parties with the same circumstances.
- Leverage of existing and future initiatives that are likely to be effective at preventing and helping respond to push payment fraud.
- Adoption by all banks that have an element of control over preventing and responding to push payment scams.
- No contingency on the recovery of funds.
- No adverse impact on banks’ ability to make goodwill payments.
- No adverse impact on commercial development of further consumer protections.
- The scheme should be developed in such a way that it is capable of becoming part of the relevant considerations that FOS can take into account when determining outcomes of a consumer complaint about push payment fraud.
UK Finance has also drafted a set of best practice standards that banks should follow when responding to reported push payment scams , which are:
- Banks will have 24-hour, 7-day dedicated staff trained in scam management to deal with and process APP scam complaints.
- The customer will only have to deal with their own bank or account provider. The victim’s bank will act as the intermediary between the victim and the beneficiary bank, and will be the victim’s sole point of contact.
- Banks have agreed on a set of necessary information, to be collated by the victim’s bank following [push payment] scam complaints.
- The victim’s bank will collate and provide this information to the beneficiary bank and the latter will proceed with its investigation into the alleged scam.
- The beneficiary bank will conduct an investigation, recover funds where possible and appropriate, and return funds to the victim if it can.
- The banks will also collaborate more widely with each other on information to support investigations and protect victims.
Retail banks offering push payment services have agreed to implement these standards by the third quarter of 2018.
UK Finance are also seeking to take various further measures, including:
- Improving consumer education and awareness, which has begun with the national campaign Take Five to Stop Fraud.
- Putting in place a data-sharing agreement between member banks to set out on what basis information is shared and the processes that will be followed.
- Publish first draft of guidelines for banks when verifying the identity a user’s identity (by June 2018).
- Developing standards and rules so that banks can share “Know Your Client” (KYC) data, giving businesses quicker access to more robust data (late 2018).
- Confirming that the payee name matches the name on the account before a payment is sent, introduced as part of new payment systems being implemented in 2021.
- The Joint Fraud Taskforce is also working on a funds repatriation scheme, to be introduced in a phased approach over 2 or 3 years, so that stolen money can be tracked across payment systems, frozen, then returned to the victim of the crime.
There is no doubt that tackling push payment fraud is a top priority for financial institutions, consumer groups, industry representatives and regulators alike. It will now be even more incumbent on banks to ensure that they have taken steps to address push payment fraud.
As yet there is no consensus on exactly the measures that banks will be expected to take to prevent push payment scams and reduce their impact, but these could involve increased consumer education and awareness; the collection and publication of scam statistics; complying with best practice standards (including those proposed by UK Finance); increased transaction data analytics; and further Know Your Customer (KYC) requirements.
If you would like any further advice or assistance in relation to push payment fraud or any other lender services issues, please do not hesitate to contact Louise Power, Rachel Elgar or any member of Walker Morris’ Banking Litigation team.
 https://www.ukfinance.org.uk/authorised-transfer-scams-data-h12017/ in Notes to Editor