This is the text of Chris Hemsley's speech at the Fraud Leaders' Summit on 28 February 2024 as drafted and may differ from the delivered version.
Good morning. I’m Chris Hemsley, Managing Director of the Payment Systems Regulator and I’m pleased to join you today to talk about tackling APP scams through the new requirements we’re bringing in later this year.
I would imagine each of us in this room has made a payment using the Faster Payment Systems (or ‘FPS’) – whether we realised it or not. Internet banking apps now allow us to rapidly send payments to one another, and pay for goods and services from any location with an internet connection – through so-called Authorised Push Payments. FPS enables commerce to take place between private individuals, businesses and charities, and cash or cheque. It has helped spur growth and innovation throughout our economy and supports competition and choice.
But its ubiquity has also led to FPS becoming a victim of its own success. Because both the speed and convenience which enable these payments to be processed have also resulted in it becoming a prime target for fraudsters.
FPS was not designed with fraud prevention in mind – it lacked some basic measures to protect people. We have since taken steps to build some of this in – such as now checking account numbers against names and voluntary measures to protect victims. But more action is needed.
We all know that APP scams have become one of the most common types of fraud globally. In the UK, almost half a billion pounds is lost every year to frauds of this type, impacting around 200,000 victims such as those purchasing houses who lose deposits, or pensioners losing life-savings after being tricked into believing they are making good investments. Its costs, direct and indirect, are felt across the UK. It is no exaggeration to say frauds of this nature ruin lives and livelihoods.
So, it is right that tackling this problem has been a significant focus for the PSR.
At its simplest, our goal is to prevent as much of this fraud as we can from arising in the first place. Changing our systems, use of data and rules so that we try to design out fraud. Making sure everyone has an incentive to act to make it harder for criminals to use FPS successfully. But we also, of course, need to protect people from the fraud that does happen and will – sadly – continue to happen.
Measures have already been implemented, such as through the delivery of the name-checking service, Confirmation of Payee. A voluntary industry code was set up and gave broad guidelines to signatory firms on how they should respond to victims. Enhanced reporting has allowed us to focus our attention on the disparities between different payment firms and consumer experience. And through working with the Treasury, last year, in the form of the Financial Services and Markets Act 2023, regulatory barriers that had previously prevented us from taking further action were removed. This meant we could make it a requirement that victims of these crimes should be reimbursed by their payment firm.
In December last year, we published our final position on how we would implement this requirement.
In short, from 7 October of this year, individuals, smaller charities, and microbusinesses can expect that, in most circumstances, their payment service provider will reimburse them for losses they incur through APP scams.
Importantly, this substantially changes the incentives to tackle fraud. It introduces sharper incentives to act on payment firms and, for the first time, includes all firms. Not just those that chose voluntarily to do the right thing.
That means all consumers can be guaranteed a consistent minimum level of protection from their PSP.
We also know that for APP scams to succeed, the scammer must be in control of a payment account to receive funds. That is why, for the first time, we are equally apportioning the costs of reimbursing APP scams between sending and receiving payment firms.
This will mean receiving firms have a financial incentive to prevent scammers opening accounts with them in the first place and to close suspicious accounts much more quickly than has happened to date.
These financial incentives will act on top of the new reputational incentives that we have also put in place.
I’m referring here to the APP fraud performance data that we published last year and which highlighted the variances between PSPs in both preventing APP scams and how they responded to victims.
This report also serves to highlight the scale of the benefits we are going after. If all PSPs were operating at the standards of the better performing firms, between £70m and £120m of fraud could have been prevented.
These are significant changes.
And I recognise the impact on many of you in this room. To operationalise this policy in time for October will require a lot of effort, from industry, and Pay.UK as the Scheme Operator. We at the PSR stand ready to provide support in making this policy a reality.
This will include our being crystal clear what our reimbursement policy requires, and what it does not. Our policy does not encompass trade disputes which will, as now, need to be resolved between the parties to the transaction, if need be, by recourse to the courts.
It also does not cover large business payments – something I have heard concerns about – which are definitely out of scope.
But the final thing to say recognises that consumers also play a part. They too need to act carefully when making payments because if a PSP can demonstrate that someone has acted with gross negligence, then there is no requirement for reimbursement. However, the threshold to meet this is high, and is in line with the FCA’s definition of gross negligence.
Getting ready
There are now just over seven months until these requirements come into force. That means every payment firm should be working to ready itself because, put frankly, nobody can opt out.
This is an ambitious approach to tackling fraud. It will require technological developments to allow the enhanced data sharing that will detect and prevent fraud while also providing transparency to consumers.
We know there is a lot to do, and we want these incentives and protections in place for consumers to be delivered as quickly as possible. But we are also realistic about the need to deliver these changes with systems that support them effectively. I know that industry has been working hard to deliver these critical systems and processes.
But the work must continue. Firms must absolutely prioritise the delivery of these systems, the implementation of effective processes and teams who know what is required. Part of this will see firms reassessing their fraud risk management to make sure it is fit for purpose or updating these risk appetites through reassessing their transaction limits.
This also means being able to identify suspicious payments before they are made, including, if need be, intervening in the payment journey to alert customers before they try and execute a payment. It also means having effective fraud prevention measures in place to prevent scammers from taking control of receiving accounts.
So to all firms, I’d say engage as much as you can with Pay.UK in the design and development of the infrastructure which will help exchange information between payment firms. This process will be crucial in helping firms efficiently exchange information, settle liabilities, and highlight the existence of suspected scam accounts and payments.
The Future
Our APP reimbursement policy is world leading, but that means we must also be careful to ensure it is having the desired effects. We have committed to reviewing its effectiveness and we’ll be looking at the different incentives, the impacts of any excess deductible, and the consumer standard of caution.
Fraud will continue to adapt, so it is only right that we keep an eye on the policy itself.
We have already seen that AI, particularly generative AI, has greatly expanded the scope for criminals to commit frauds in ways that it is increasingly difficult for customers to detect. But while that may be the case, we will also be able to see AI continue to be used to help payment firms better identify fraudulent payments before they occur, and identify fraudulent accounts before they are able to receive funds.
Better data, and better analytics, are the best shield a payment firm can invest in to mitigate their exposure to APP scams. And for us, we will continue our work on data transparency to identify which firms are succeeding and which firms need to improve in preventing APP scams from occurring.
Tackling and preventing fraud is one of the most significant and pressing challenges facing governments across the globe. I have every confidence that the PSR, working with many of you in this room, can continue to work towards significantly reducing the amount of fraud from the payments landscape for the benefit of everyone who makes payments.
Thank you.