London, August 21, 2024: Hundreds of financial firms are struggling to comply with a new UK regime designed to rein in online payment scams before an Oct. 7 deadline after one of the worst summers for fraud.
The incoming rules from the Payment Systems Regulator require all British banks, fintechs, and payment companies to refund fraud victims within five days. But many firms aren’t prepared for a key system underpinning the settlement framework, people familiar with the matter said.
Some in the industry say they haven’t been given sufficient time to adjust, with many frustrated at the consultation process and balking at the final policies, including a hefty ceiling on refunds. The “entire process has been sclerotic and ambiguous,” according to Charles McManus, the chief executive officer of ClearBank.
The regulator disagrees. “We have extensively consulted on these measures for over two years and continue to engage closely with industry to ensure timely and effective implementation,” Kate Fitzgerald, head of policy at the watchdog, said in an email, adding that in the longer term, they’d like to see firms migrate to the new arrangement, for which they had until Tuesday to register.
Other changes in the new system: Liability that earlier solely rested on the originating party will now be split equally between institutions sending and receiving the fraudulent payment, with the maximum reimbursement set at £415,000 ($540,330). In order to reject a claim, the onus will be on the bank or payments firm to prove gross negligence by the customer.
Nearly everyone recognizes that something needs to be done about the surge in so-called authorized push payment (APP) scams, in which criminals trick people into sending money to an account outside their control.
In the UK alone, millions of consumers have been dogged by scammers using these tactics, with losses mounting to £460 million last year. This summer has been particularly bad, with lenders issuing repeated warnings to customers that fraudsters have found more excuses to prey on them. Take the recent concerts by Taylor Swift in London’s Wembley Stadium. Lloyds Banking Group Plc warned that more than 600 of its customers reported being scammed by fraudsters promising they had tickets to the shows, with each consumer losing about £332.
But what no one agrees on is how to fix the problem.
“We want genuine victims of crime to be reimbursed,” said Ben Donaldson, managing director for economic crime at industry lobby group UK Finance. “The problem with the way that it’s been approached is that prioritizing reimbursement over crime prevention could actually make the problem worse. And I think there’ll be an increase in fraud.”
While regulators elsewhere in Europe have been seeking common ground with banks over victim compensation and grappling with issues such as the role of Big Tech and how to define gross negligence, this is the first time ever a framework that could serve as a blueprint globally is being attempted. The PSR says its approach incentivizes lenders and other payment firms to prevent such crimes from happening in the first place while ensuring victims are protected in a consistent manner.
Some of the most vocal critics have been parties that typically receive more payments deemed fraudulent for every million pounds of transactions. That’s because under the earlier system, the receiving firms weren’t required to pay any refund, but that’s now changing with 50% set to come out of their pockets.
Some say the proposed refund amount would crimp innovation and push early-stage businesses over the edge. Finance executives also warn of unintended consequences, saying consumers are more likely to act recklessly knowing any losses would be covered, leading to more fraud.
Attempting to stamp out these scams is like playing Whac-a-Mole, according to Natalie Kelly, chief risk officer for Visa Inc.’s Europe operations. Nine of 10 internet users have encountered online scams, the British government says.
Even some of the Wall Street titans have come under scrutiny. For instance, the US Consumer Financial Protection Bureau is investigating how JPMorgan Chase & Co., Bank of America Corp. and Wells Fargo & Co. are handling and protecting victims on their Zelle payments network after Senate Democrats faulted them for not doing enough.
Across the six leading real-time payment markets of the US, UK, India, Brazil, Australia and the United Arab Emirates, losses from APP scams are set to reach almost $8 billion by 2028, representing a compounded annual growth rate of 12% between 2023 and 2028, according to a joint report by Miami-based global payments software maker ACI Worldwide Inc., and GlobalData.
Yet the backlash against the PSR initiative has been severe in the UK.
The strong lobbying by the industry, especially against the perceived risk of moral hazard and the proposed refund limit, garnered enough support from the previous government that it ultimately saw the PSR’s former head Chris Hemsley resign at the start of June.
Just like bigger financial institutions, digital challengers like ClearBank and Revolut Ltd. are among those pushing for Big Tech to share part of the burden, as they say most frauds originate on social media platforms. Revolut’s UK CEO Francesca Carlesi said her company is preparing for the new regime “but we want to also make sure less and less people in the UK are impacted by fraud.”
Gross Negligence
Tony Craddock, director general of the Payments Association, has been lobbying for a delay in the rollout of the new rules. He said that no assessment has been done on actual costs and flagged the lack of clarity on how “gross negligence” is determined — a key concern many say could undermine the effectiveness of any regime as payment firms usually use this as grounds for rejecting reimbursement appeals.
Some have flagged practical difficulties with the UK’s plan.
The payments industry says that Pay.UK — the organization that’s setting up the communication infrastructure between sending and receiving banks to settle reimbursements — won’t have on-boarded all of the roughly 1,500 banks and firms by the Oct. 7 deadline, which means some settlements may have to be done manually. In the meantime, the old and the new systems will work in tandem, some of the people said.
As of mid-August, there’d been one demo but no test runs, those people said, asking not to be identified discussing non-public information. As a result, UK Finance and other players have been working on a back-up for the past eight months to make sure firms can comply.
A representative for Pay.UK said its system is ready and “will have full functionality for in-scope payment service providers who require it by the October deadline.” The organization is currently focusing on getting on board the hundreds of firms with a history of fraud experiences.
The PSR said it’s interested in understanding how firms are progressing with its requirements and it’s awaiting feedback to a questionnaire it had sent recently.
Voluntary Refunds
To be sure, banks provided little in the way of protections until about five years ago for customers who were, or were at risk of becoming, victims of scams. Since 2019, the 10 largest UK banks and their units — including Barclays Plc, Lloyds, HSBC Holdings Plc and NatWest Group Plc — have voluntarily signed up to the Contingent Reimbursement Model Code under the Lending Standards Board. Even some smaller firms, though not part of the code, have been refunding voluntarily.
Since the launch of the code, the reimbursement rate has more than tripled, which was “quite a sea-change,” according to Emma Lovell, who heads the program. Firms that abide by the code have taken action to improve their fraud prevention systems, prompting scammers to target those that don’t, she added.
In 2023, 67% of money lost to scams was reimbursed, though the rates have varied widely among banks, with some agreeing to refund almost 90% of victims and others under 10%, according to the payments watchdog. TSB Bank Plc was most likely to refund victims, while Ireland’s AIB Group Plc paid the least.
But the code hasn’t had much success in containing APP fraud cases, which UK Finance says rose 12% last year. LexisNexis Risk Solutions found the country’s financial services sector was spending about £515,000 per day fighting fraud, and warned “we’re no more effective now than we’ve ever been, although there are no definitive measures.”
Once the regulator’s new mandatory regime is in place, the voluntary CRM code will no longer be effective.
After over a decade in the making, the PSR became fully operational in 2015, regulating payment systems like Bacs, Visa and Mastercard Inc. It acquired a higher profile after the government stepped up controls on financial crimes with Russian ties following Moscow’s invasion of Ukraine in early 2022, and the watchdog was tasked with tackling APP fraud.
The success of the new system is key to restoring victims’ faith in institutions, and all need to lift their game, LSB’s Lovell said. But questions still remain around the hundreds of smaller firms who aren’t ready, said Sara Cass, chief compliance officer at IFX Payments.
“Fraudsters will be ready for Oct. 7, but I don’t think the industry will,” Cass said.