Financial crime never stands still. Lawmakers and regulators face a constant battle to protect its victims. Where possible, prevention is of course better than cure. But, where crime has caused loss, it's important to take steps to reimburse those who have suffered.

Much of 2023 has been taken up with two particular initiatives – putting reimbursement of victims of authorised push payment (APP) fraud on a formal and mandatory basis, and putting responsibilities on businesses to take steps to prevent fraud.

In this article, originally written for Compliance Monitor, Emma Radmore, Legal Director at Womble Bond Dickinson, looks at what's been going on.

APP fraud reimbursement: PSR's new powers and plans

APP scams are widespread, and come in several variants. Broadly, they will either be "malicious payee" scams, where the victim is tricked into buying goods that have never existed or which they never receive, or "malicious redirection" scams where, for example, a fraudster impersonates someone else to persuade the victim to make a transfer. Common scam variants include safe account scams, romance scams (which also often result in identity theft), purchase scams and invoice scams.

The Payment Systems Regulator (PSR) reported that £485m was lost to this type of scam in 2022. It spearheaded the creation in 2019 of the currently voluntary Contingent Reimbursement Model (CRM) Code. Under the Code, the 10 signatory banks and building societies agree to reimburse any customers who are consumers, micro-businesses (which employ no more than 20 people and who have an annual turnover or balance sheet of no more than €2 million) or small charities (with an income of under £1 million) who have been victims of APP scams within the UK and have acted appropriately when making transfers from their payment accounts.

Until recently, the PSR did not have the power to require payment service providers (PSPs) to reimburse scam victims. The Financial Services and Markets Act 2023, which got its Royal Assent in June, has given it that power. In anticipation of this, PSR had already consulted on what its new rules would say, and swiftly moved to consult on how to bring the new requirement into force.

What will the new rules do?

The new rules:

  • Will set a base requirement on all PSPs to reimburse all in-scope customers who fall victim to APP fraud within five business days with limited exceptions
  • Will mean that sending and receiving firms will split the costs of reimbursement 50:50
  • Will give extra protection to vulnerable customers, and
  • Will set clearer guidance for industry, including on paying a claim excess and maximum level of reimbursement, with a further PSR consultation on these due later this year.

PSR has consulted on three draft instruments set to implement the rules, including making changes to enable reimbursement to operate for all payments made over the Faster Payments System (FPS) and for its operator (Pay.UK) to have an effective monitoring regime for measuring whether payment firms are consistently complying with reimbursement requirements. It will also give a general direction to require all payment firms to reimburse victims of APP fraud.

What's in scope?

All payments made over FPS where a payment order results from fraud or dishonesty, and the customer has been deceived into authorising its PSP to send money to an account controlled by another person. This will include where the customer intended to pay someone, but not the recipient, and where the customer did intend to pay the recipient but was deceived as to the reason. It will cover consumers, micro-enterprises and small charities like the CRM Code.

What's not in scope?

Initially, at least, the requirement will not cover payments across any other payment systems – although the Bank of England is keen to bring CHAPS payments which are eligible within scope as soon as possible, and BACs payments are also under consideration. But international payments are not covered and nor are payments made for unlawful purposes (including where the customer has acted fraudulently). 

What are the exceptions?

There will be an important exception, which will exclude what would otherwise be an in-scope reimbursement and which will apply in cases where the customer has acted with gross negligence (otherwise known as the "standard of caution").

The PSR proposes that the standard of caution should consist of three things:

  • A requirement for consumers to have regard to specific, directed warnings given by their bank, which make clear the intended recipient is likely to be a fraudster. But banks will also have to take into consideration the complexity of the scam, including any social engineering consumers may have faced
  • A prompt reporting requirement, meaning that a victim of an APP scam should notify their bank promptly and always not more than 13 months after the last fraudulent payment was made, and
  • An information sharing requirement, where consumers should respond to any reasonable and proportionate requests for information from their bank to help the bank to assess a reimbursement claim, or to determine if a customer is vulnerable.

If the consumer has been grossly negligent in not meeting one or more of these requirements, then they may not be reimbursed. But the PSR has stressed that this is a very high bar, and is likely only very rarely to apply - and it will never apply where a victim’s vulnerability is a factor in them being defrauded.

Excesses and maximum payments

Sending banks will have the option to apply a claim excess except where the consumer is vulnerable. There will be no minimum threshold for excesses, but there will be a maximum limit. The PSR has consulted on whether this should be a fixed amount (similar to insurance claims excesses), a percentage of the reimbursement claim amount, or a percentage up to a cap which would be set regardless of the amount of the reimbursement claim. It does not want to discourage lower claim amounts by setting a fixed minimum, but proportionate excesses will be harder for consumers to understand.

It is also likely that the maximum level for reimbursement will match the current Financial Ombudsman Service maximum award limit of £415,000 per claim, which around 98% of APP fraud falls within.

When will the changes take effect?

The PSR had hoped to implement all the changes by April 2024, but following feedback that firms could not be ready for then, the date has shifted to October 2024.

Alongside these changes, the PSR wants to increase the use of Confirmation of Payee (CoP), which already covers around 90% of transactions, so that it will cover almost all payments made by FPS and CHAPS.

Failure to prevent fraud and corporate liability

The Economic Crime and Corporate Transparency Act 2023 finally got its Royal Assent at the end of October. One of the main reasons for the slow progress was a heated debate between the Commons and the Lords over a new "failure to prevent fraud" offence. This proposal was not in the original Bill but was included later following political pressure, and was originally proposed as an offence of "failure to prevent fraud, false accounting or money laundering". The offence would work in a similar manner to the Bribery Act "failure to prevent" offence, would give businesses a defence of having in place "reasonable procedures", and would not be committed at all if the conduct was designed to be harmful to the organisation rather than to benefit it. The proposal was widely cast, seeking also to create individual criminal liability for senior managers who took, failed to take, agreed to, or failed to prevent, action in circumstances where they were aware of a risk that a range of economic crime offences could result.

But the Government significantly narrowed the scope of the proposals. In particular, the coverage was cut back to cover only fraud and false accounting. The Government consistently claimed that it was not necessary to create an offence relating to money laundering as the existing money laundering prevention regime was already adequate – completely ignoring that the key requirements relevant to prevention of money laundering apply only to those within the defined "regulated sector".

The proposal was subject to a lengthy "ping pong" between the Houses as the Government in the Commons insisted that the offence must apply to large companies only. Its reasoning was that there would be disproportionate cost burdens on SMEs in complying with it, but it could not provide any other credible reasoning for differentiating between it and the Bribery Act offence. The Lords fought hard for a wider application of the offence, first proposing an exemption only for micro-organisations, and then offering to compromise by exempting other smaller businesses. Eventually, however, and under threat of the entire Bill failing, the Lords gave up the fight, recognising that some offence was better than none at all, even though it will actually only apply to at most 1% of companies.

Now there is a worry that SMEs will in fact be disadvantaged because they cannot have the benefit of the "reasonable procedures" defence. The Government was adamant they did not need it. Its stance is that it is easier to identify who is responsible for a fraud in smaller companies, so the introduction of the offence, together with a reform of the outdated "identification doctrine", which will make it easier to prosecute a company for an offence where key senior management have enabled it, will actually bring the playing field level. The old doctrine made it hard to attribute offences to large organisations, because there had to be proof of the organisation's "directing mind and will". The larger the organisation, the harder it was to work out whether it had been the "directing mind and will" that had committed the offence. The Act now says that if any "senior manager" of an organisation, acting within the actual or apparent scope of their authority, commits any of a number of listed economic crime offences, then the organisation will also be guilty of the offence.

While the final law falls short of what many wanted, it is at least a start, and the Government has said it will keep all thresholds under review.

What's next?

It looks like all these changes will take effect during 2024. Before then, the PSR needs to finalise all the details of the APP fraud reimbursement arrangements following its consultations, and the Government needs to publish guidance on "reasonable procedures" as a defence for the failure to prevent fraud offence. Organisations affected by either, or both, of these key changes should be planning now for implementation.
