Push Payment Fraud

6th December 2017

On 7 November 2017, the Payment Systems Regulator (PSR) issued a consultation paper in relation to ‘authorised push payments’ [1], which will affect how financial institutions prevent push payment fraud, as well as how customers are compensated once a fraud has taken place.  (The paper refers to all ‘payment service providers’, who enable the transfer of funds using a payment system.  On the basis that most individual and commercial customers will have a bank account, we will refer to ‘banks’ in this note.  Our comments will apply generally, however, to all payment service providers.)

What are push payments?

Payments are described as ‘push payments’ when the payer obtains the payee’s account details and instructs their bank to send (or push) money to it. The opposite ‘pull payment’ is where the payer provides the payee with the relevant account details, and the payee is authorised to take (or pull) funds from the payer’s bank account.
A push payment fraud will therefore involve the fraudster somehow persuading the consumer to organise a transfer from the consumer’s account to the fraudster’s account. Examples could include:

• A fraudster who poses as a solicitor and asks the consumer to transfer deposit monies for a property transaction;
• A fraudster who poses as a builder to receive a large cash transfer; or
• A fraudster who impersonates a consumer’s friend in order to persuade them to transfer a sum of money.

In most cases, the customer will notify the bank only after the payment has been made, by which time the fraudster will have made off with the funds by transferring them out of the offending bank account and possibly out of the country.  These types of frauds are being increasingly reported in the mainstream press, as well as the financial services industry’s perceived inconsistent treatment of such frauds, with some banks admitting fault for allowing the fraud and reimbursing the victim; while others do not.

UK Finance have recently published data on this growing problem [2], citing that there were 19,370 cases in the first six months of 2017, with over £101.2 million being sent by customers (both individuals and business) who had been tricked into authorising a payment.  Around 88 per cent of those payments were made by individuals, losing on average £3,000; with the remainder being made by businesses who lost on average £21,500 per case.

The figures indicate that almost a quarter of those losses (£25.2 million) were returned by financial providers, but there are now calls for changes to legislation and/or to the regulatory framework, so that banks are required to do more.

Which? super-complaint

A ‘super-complaint’ was submitted by the consumer action group Which? to the PSR in September 2016 entitled ‘Consumer safeguards in the market for push payments’ [3].  Which? argued that consumers do not receive sufficient protection from this type of fraud, compared to the protections in place for other types of fraud (for example credit card and direct debit frauds). Which? suggested that where such frauds have taken place, legislation or regulation should be changed so that:

• Provided a customer had not been fraudulent or grossly negligent, the customer is reimbursed by the bank (even where no fault is attributed to the bank); or
• The consumer is only protected in circumstances where the bank has been adjudged to have fallen short in some way, for example in cases where the bank has not put in place proper arrangements for managing the risks associated with fraudulent payees.

PSR response

The PSR responded to Which?’s complaint in December 2016 [4] and the latest paper is a report of the work that has been done since that date, as well as timelines for implementation of further measures.

UK Finance has also drafted a set of best practice standards that banks should follow when responding to reported push payment scams [5], which are:

• Banks will have 24-hour, 7-day dedicated staff trained in scam management to deal with and process APP scam complaints.
• The customer will only have to deal with their own bank or account provider. The victim’s bank will act as the intermediary between the victim and the beneficiary bank, and will be the victim’s sole point of contact.
• Banks have agreed on a set of necessary information, to be collated by the victim’s bank following [push payment] scam complaints.
• The victim’s bank will collate and provide this information to the beneficiary bank and the latter will proceed with its investigation into the alleged scam.
• The beneficiary bank will conduct an investigation, recover funds where possible and appropriate, and return funds to the victim if it can.
• The banks will also collaborate more widely with each other on information to support investigations and protect victims.

Retail banks offering push payment services have agreed to implement these standards by the third quarter of 2018.

UK Finance are also seeking to take various further measures, including:

• Improving consumer education and awareness, which has begun with the national campaign Take Five to Stop Fraud.
• Putting in place a data-sharing agreement between member banks to set out on what basis information is shared and the processes that will be followed.
• Publish first draft of guidelines for banks when verifying the identity a user’s identity (by June 2018).
• Developing standards and rules so that banks can share “Know Your Client” (KYC) data, giving businesses quicker access to more robust data (late 2018).
• Confirming that the payee name matches the name on the account before a payment is sent, introduced as part of new payment systems being implemented in 2021.
• The Joint Fraud Taskforce is also working on a funds repatriation scheme, to be introduced in a phased approach over 2 or 3 years, so that stolen money can be tracked across payment systems, frozen, then returned to the victim of the crime.

Consultation

The main subject of the PSR’s response is a consultation on the suggested ‘contingent reimbursement’ scheme. The PSR believes that banks have a role to play in preventing such scams, and that having no responsibility to reimburse customers provides weak incentives for banks to take responsibility for doing so.  A model has therefore been proposed that makes reimbursement contingent on the actions of the banks both sending and receiving the funds when a push payment scam occurs.  (The scheme could introduce eligibility criteria for reimbursement that may include, for example, whether the victim’s bank had warned the victim about the transaction.)

The PSR has suggested that a contingent reimbursement model should be introduced by the end of September 2018, and that UK Finance is best placed to develop and implement such a model.

The introduction of a reimbursement model would not prevent individual consumers bringing court action against a bank if they felt that the bank had failed to take steps to prevent their losses.

The PSR’s consultation is open until 5 pm on 12 January 2018.

WM Comment

Current indications from the PSR are that it does not intend to compel banks to compensate victims of push payment scams, but believes a contingent reimbursement model is appropriate. If such a scheme is implemented, it will be even more incumbent upon banks (and all financial institutions/payment service providers) to ensure that they have taken steps to prevent push payment scams taking place.

_______________________________________

[1] https://www.psr.org.uk/sites/default/files/media/PDF/PSR-APP-Scams-report-consultation_1.pdf
[2] https://www.ukfinance.org.uk/authorised-transfer-scams-data-h12017/
[3] https://www.psr.org.uk/sites/default/files/media/PDF/which-super-complaint-sep-2016.pdf
[4] https://www.psr.org.uk/sites/default/files/media/PDF/PSR-Which-super-complaint-response-December-2016_0.pdf
[5] https://www.ukfinance.org.uk/authorised-transfer-scams-data-h12017/