APP fraud mandatory reimbursement: UK PSR consults on ‘key’ compliance and monitoring requirements

On 17 April 2024, the Payment Systems Regulator (PSR) published a consultation on the data and information that payment service providers (PSPs) will be required to provide to Pay.UK to enable it to effectively monitor compliance with the new Faster Payments Scheme (FPS) reimbursement rules for APP fraud. The requirements will also enable the PSR to monitor compliance with its directions and requirements in relation to the new regime. As indicated in its December 2023 policy statement, the PSR emphasises that the proposed data and information requirements are ‘key’ for implementation. It describes its approach to setting them as ‘pragmatic’, ‘phased’ and aimed at supporting ‘effective and timely implementation’.

Key takeaways

  • The PSR is consulting on the data and information that PSPs will be required to provide to Pay.UK to enable it to effectively monitor compliance with the new FPS reimbursement rules for APP fraud.
  • While these obligations will be included as amendments to the legal instruments which the PSR has published previously, the PSR stresses that it is not making changes to any aspects of its implementing legal instruments that have already been finalised. However, some proposed amendments clarify areas of importance in the existing requirements (see for example the final key takeaway below on two proposed amendments to Specific Requirement 1).
  • The data and information that PSPs must collate, retain and provide to Pay.UK will be set out in a separate document, ‘Faster Payments APP scams: compliance data reporting standards’ (CDRS) (Annex 1 to the consultation).
  • In-scope PSPs (direct and indirect) will be required to register with Pay.UK by 20 August 2024. This means providing specific information to Pay.UK to facilitate onboarding to Pay.UK’s reimbursement claim management system (RCMS).
  • The proposed data and information requirements will be introduced in a phased manner from 7 October 2024. Initially, in-scope PSPs will be required to collate and retain all data specified in the CDRS and report to Pay.UK monthly on a limited set of this data through a manual process (‘reporting standard A’).
  • From 1 May 2025, PSPs will be required to report all data specified in the CDRS via Pay.UK’s RCMS (‘reporting standard B’), although PSPs may voluntarily make reporting standard B data available to Pay.UK before 1 May 2025.
  • Any consumer issue that may potentially be within the scope of the FPS APP scams reimbursement requirement must be collated, retained and provided to Pay.UK. The PSR is not proposing to require PSPs to report consumer issues which are ‘unambiguously’ not in scope of the reimbursement requirement to Pay.UK (eg where the transaction(s) were not sent to and from a UK account or were not made by Faster Payments).
  • Given the risk of incorrect categorisation, the PSR is encouraging firms to maintain records of decisions taken at the transaction-level when issues are reported as part of their systems and controls to allow them to demonstrate appropriate governance. It may take further action post-implementation if it sees this risk crystallising.
  • The PSR seeks views on two options to clarify that consumers have the right to reimbursement in accordance with the reimbursement rules:
    • Option 1: An amendment to Specific Direction 20 (SD20) to require PSPs to amend their contractual terms and conditions with the consumer, to include a provision that a PSP would reimburse their consumers in line with the reimbursement requirement and rules.
    • Option 2: An amendment to SD20 (as currently drafted in Annex 3 to the consultation) to make it explicit that if a sending PSP fails to reimburse a consumer as required by the reimbursement requirement and rules, the consumer will have a right to enforce the FPS reimbursement requirement and rules and recover the outstanding amount from their sending PSP in the civil courts.
  • There would also be an additional amendment to SD20 to ensure that all consumers are made aware of their rights under the FPS APP scams reimbursement requirement and rules. For existing customers, this will have to be done by 7 October 2024. For new customers, it will have to be done at the latest by the time the PSP provides the new customer with their services.
  • The PSR also proposes amendments to Specific Requirement 1 (SR1) to make it clear that:
    • a sending PSP may only close an FPS APP scam claim after it has undertaken an assessment as to whether it includes any reimbursable APP scam payments. If a sending PSP chooses to reimburse a claim before completing the assessment, and then subsequently assesses that the claim did not include any reimbursable APP scam payments, this would be regarded as voluntary reimbursement for the purposes of SR1, and no receiving PSP would be required to contribute to the cost of reimbursement.
    • Where an APP scam claim involves more than one receiving PSP, each PSP may only deduct, from their reimbursable contribution, a proportion of 50% of the maximum claim excess amount which reflects the receiving PSP’s overall liability. This is so that each receiving PSP is not individually able to deduct the full 50% of the maximum claim excess, which might otherwise have meant that in some situations sending PSPs would not receive a significant contribution to the costs of reimbursement.

What do firms need to be thinking about?

  • The PSR describes it as ‘crucial’ that PSPs continue work already in progress to prepare and ensure they are ready to implement the FPS reimbursement requirements from 7 October 2024.
  • With its RCMS proposals, the PSR has taken on board previous feedback from firms that highlighted the challenges involved in PSPs of different sizes being able to communicate effectively within the timescales required for reimbursement, the risks of using non-secure systems to handle data, and the need for a single claim management system to handle both claim management and compliance monitoring. However, use of the RCMS will present an additional direct cost for firms – on top of the extra administrative and resource costs involved in implementing the new reimbursement regime and the liabilities which may be incurred under the regime – which may be a concern for smaller PSPs in particular. The PSR mentions that Pay.UK is considering pricing structures and assessing options to ensure it adopts a ‘fair and proportionate approach’, but this will be an area to keep an eye on.
  • In light of Consumer Duty, PSPs will want to consider making amendments to their contractual terms to reflect that a consumer may obtain reimbursement for an APP scam, whether or not the PSR introduces a specific obligation on PSPs to do this. PSPs should be considering this now so that they are ready for implementation of the new reimbursement rules on 7 October 2024.
  • In-scope PSPs should also be mindful of the proposed amendments to SR1 aimed at clarifying when an FPS APP scam claim can be closed. Sending PSPs will need to be careful to avoid leaving themselves out of pocket if they reimburse a claim before completing their assessment of whether it includes any reimbursable APP scam payments.

What’s next?

  • The consultation closes at 5pm on 28 May 2024. The PSR makes it clear that, as it plans to finalise the legal instruments in July 2024 ahead of the policy start date, this is a hard deadline ie stakeholders should not expect to be granted requests for extensions.
  • Pay.UK has submitted its compliance monitoring regime to the PSR for review. Subject to the PSR’s approval, the regime will be published by Pay.UK on its website no later than 7 June 2024.
  • Under Specific Requirement 1, Pay.UK is required to put the FPS reimbursement requirement into the FPS rules. Pay.UK is required to publish those FPS reimbursement rules on its website by 7 June 2024.
  • PSPs must ensure they have registered with Pay.UK by 20 August 2024 so that they can be onboarded to the RCMS.
  • In Q2 2024, the PSR is planning to consult on reimbursement rules for participants in the CHAPS payment system, mirroring, where possible, the direction on Faster Payments PSPs. The PSR’s final decision and any necessary direction that might be given will be published in Q3 2024. See the PSR’s latest Work Plan, which also indicates that the implementation date for the equivalent CHAPS reimbursement requirement will be the same as that for FPS – 7 October 2024.

Read on for a more detailed look at the PSR's consultation proposals.

Background

The PSR's December 2023 publication of its final policy statement and three implementing legal instruments (Specific Requirement 1 (SR1), Specific Direction 19 (SD19) and Specific Direction 20 (SD20)) followed its September 2022 consultation paper on the proposal, subsequent policy statement in June 2023 and later consultations on the proposed reimbursement start date, draft legal instruments, value of the excess and maximum reimbursement level, and the consumer standard of caution.

The December 2023 final policy statement was accompanied by publication of the PSR's Consumer standard of caution exception notice and associated Consumer standard of caution exception guidance, as well as a summary of views that were received on the four later consultations.

For more on the December 2023 publications, take a look at our Engage article 'APP fraud mandatory reimbursement: UK PSR publishes final policy for 7 October 2024 go live date'.

Pay.UK, as the operator of Faster Payments, will be responsible for monitoring all directed PSPs’ compliance with the FPS reimbursement rules.

Pay.UK has been developing its compliance monitoring regime in consultation with industry and the PSR. As required by SD19, it has now submitted its regime to the PSR for review, which the PSR will assess using the ‘confidence objectives’ set out in its February 2024 letter to Pay.UK. Subject to the PSR’s approval, the regime will be published by Pay.UK on its website no later than 7 June 2024.

Pay.UK is proposing to make a number of changes to the rules which will implement the reimbursement requirements. These changes will place obligations on PSPs to provide data and information in the manner and form it requires. This will underpin Pay.UK’s monitoring regime.

To ensure consistency of the compliance regime for the FPS reimbursement rules across all direct and indirect FPS participants - and in line with the approach taken to implementing other aspects of the reimbursement policy - the PSR is adding reporting obligations to its three existing FPS APP scams legal instruments (SR1, SD19 and SD20). It stresses that it is not making changes to any aspects of those instruments that have already been finalised.

What are the key consultation proposals?

The key consultation proposals will be implemented through changes to SD20 (a draft updated “tracked changes” version of which is in Annex 3 to the consultation paper) which contains the FPS APP scams reimbursement requirement and directs in-scope PSPs to comply with the FPS reimbursement rules. They are as follows:

Requiring all PSPs (direct and indirect) to register with Pay.UK

PSPs will be required to register with Pay.UK by 20 August 2024. This means providing specific information to Pay.UK to facilitate a PSP’s onboarding to Pay.UK’s RCMS.

Registration will enable delivery of a directory function from 7 October 2024. This will allow a sending PSP to find contact details for a receiving PSP so that they can communicate regarding FPS APP scam claims. It will also support Pay.UK in effectively phasing the onboarding of all PSPs to the RCMS by 1 May 2025. PSPs that are new entrants to the FPS and provide relevant accounts at any date after the PSR direction is given, and while it continues in force, must register with Pay.UK before sending or receiving live transactions using Faster Payments.

Requiring all PSPs (direct and indirect) to comply with the FPS RCMS rule

PSPs will be required to comply with a new FPS rule which will require them to use Pay.UK’s RCMS. This will make sure that both direct and indirect PSPs are brought in scope of the FPS RCMS rule. PSPs will use the RCMS to:

  • manage FPS APP scam claims;
  • communicate about FPS APP scam claims;
  • apportion liabilities between the sending and receiving PSP; and
  • comply with the data collation, retention and provision obligations in respect of the FPS reimbursement requirement.

Date for compliance with the FPS RCMS rule

PSPs will be required to comply with the FPS RCMS rule by 1 May 2025.

Data reporting requirements

The data and information that PSPs must collate, retain and provide to Pay.UK will be set out in a separate document, ‘Faster Payments APP scams: compliance data reporting standards’ (CDRS). SD20 will require PSPs to comply with the CDRS. A draft CDRS is contained in Annex 1 of the consultation paper.

Reporting standard A - applicable from 7 October 2024

Under reporting standard A, PSPs will be required to:

  • collate and retain all data specified in the CDRS; and
  • report monthly on a limited set of this data to give Pay.UK oversight of core compliance metrics (eg timeframes for reimbursement, and how many victims are assessed as vulnerable). The reporting will be done manually by the sending PSP and will be reported at aggregate level.

Any of the data PSPs collate and retain must be provided to Pay.UK or the PSR on request.

Reporting standard B - applicable from 1 May 2025 when it supersedes reporting standard A

Under reporting standard B, PSPs will be required to report all data specified in the CDRS using Pay.UK’s RCMS. The aim is to give Pay.UK holistic oversight of PSP compliance across all metrics. The PSR’s intention is that this additional data will give further context to the compliance data in reporting standard A on areas such as the reasons for the application of the consumer standard of caution exception and the reasons for claims being rejected as not reimbursable. PSPs may voluntarily make reporting standard B data available to Pay.UK before 1 May 2025.

Information and record-keeping provisions

PSPs will be required to assure themselves, in the manner required by Pay.UK and set out in its FPS rules, of the accuracy and quality of the reported data. PSPs will also be required to provide timely responses to reasonable requests for data and/or information from Pay.UK, and to comply with record-keeping obligations and store data and information on secure systems for five years.

The PSR has proposed a retention period of five years (to align with FCA record-keeping requirements in a number of areas) for all data and information specified in the CDRS and other information relevant to an FPS APP scam claim.

Table 2 at paragraph 5.5 of the consultation sets out examples of the types of information that may be considered ‘reasonable requests for information’ from Pay.UK, subject to appropriate scoping of any such request.

Data reporting principles – scope of claims reported

Any consumer issue that may potentially be within the scope of the FPS APP scams reimbursement requirement must be collated, retained and provided to Pay.UK. The PSR is not proposing to require PSPs to report consumer issues which are ‘unambiguously’ not in scope of the reimbursement requirement to Pay.UK (eg where a consumer has purchased a product and accidentally received the incorrect item from the retailer, where the transaction(s) were not sent to and from a UK account or where the transaction was not made by Faster Payments).

Given the risk of incorrect categorisation, the PSR is encouraging firms to maintain records of decisions taken at the triage stage as part of their systems and controls to allow them to demonstrate appropriate governance. This would include keeping the decision-making process under review as firms implement the requirements. The PSR may issue a further consultation on extending the obligation to maintain records and reporting on how firms are implementing the initial triage stage, and/or take more targeted intervention if it identifies the above risk crystallising post-implementation.

Contingency arrangements (eg due to planned maintenance or PSP or Pay.UK technical issues)

The reporting requirements will vary depending on the period for which the RCMS is unavailable. If it is unavailable for 30 days or more, reporting standard A applies. If it is unavailable for less than 30 days, reporting must be undertaken by PSPs using the method that Pay.UK specifies in its FPS rules. If a PSP is unable to access the RCMS (but has not been informed by Pay.UK that the RCMS is unavailable), they must contact Pay.UK by the means specified by Pay.UK, to establish and seek to resolve the cause of the issue and by what means they must comply with the requirements in SD20.

Process for amending the CDRS

If the PSR decides to change the CDRS, it will publish a notice setting out the changes on its website. Any changes will come into effect no sooner than 30 days following publication of the notice. Where proposed changes are material, the PSR will follow standard procedures and consult on them, as required. The PSR would also expect Pay.UK to cascade the proposed changes to FPS participants, eg via the RCMS.

Complex cases

The PSR will be working with Pay.UK over the coming months to develop a process for dealing with any complex FPS APP scam claims that a PSP may be unable to resolve within the required timeframes, and which may therefore present as a potential compliance issue in the data and information that PSPs provide to Pay.UK. In the meantime, the PSR welcomes stakeholder input on this issue as part of the current consultation.

Application to CHAPS

The PSR confirms that the Bank of England (BoE) is planning to align the data standard for its CHAPS reimbursement requirement with that of the FPS reimbursement requirement. The intention is to streamline the data and information that in-scope PSPs will need to collate and retain for both FPS and CHAPS APP scam claims. The PSR plans to create a separate CDRS for CHAPS based on the data standard the BoE creates, which will mirror that of Pay.UK. It also intends to underpin it with a specific direction. The PSR is planning to consult on the specific direction for CHAPS in due course (see ‘Next steps’ below) and publish the BoE’s draft data standard and CHAPS reimbursement rules alongside that consultation.

Data and information sharing by Pay.UK and the PSR

Data and information collected by Pay.UK will regularly be shared with the PSR to enable the PSR to monitor compliance with its Faster Payments APP scams directions and to ensure effective implementation.

The PSR may also use this data and information to support it in fulfilling its regulatory functions. This includes publishing it in public reports which address issues concerning Faster Payments APP scams and to increase transparency about PSP performance in respect of the reimbursement requirement. It may also share data and information with relevant parties, eg other regulators.

What other changes are proposed?

The consultation also proposes amendments to:

  • SD19 (see Annex 2 for a “tracked changes” version). The changes include limitations on how Pay.UK can use the information it receives as part of compliance monitoring and an obligation on Pay.UK to notify PSPs and the PSR if the RCMS is unavailable. Table 4 at paragraph 6.21 provides an overview of the proposed amendments; and
  • SR1 as follows (see Annex 4 for a “tracked changes” version):
    • Clarifying the ‘rule change notification requirement’: Here the circumstances in which Pay.UK is required to notify the PSR of proposed changes to its rules would be limited to changes to the FPS reimbursement rules, the FPS RCMS rule and the FPS consumer rights rules.
    • Clarifying the PSR’s expectation on a consumer’s right to reimbursement under the rules: The PSR wants to amend SR1 to make it clear that PSPs’ compliance with the reimbursement requirement and rules is ancillary to the execution of payment transactions.

It also seeks views on two options to clarify that consumers have the right to reimbursement under the requirement and rules, either of which will involve an amendment to SD20:

      • Option 1: An amendment to SD20 to require PSPs to amend their contractual terms and conditions with the consumer, to include a provision that a PSP would reimburse their consumers in line with the reimbursement requirement and rules.
      • Option 2: An amendment to SD20 (as currently drafted in Annex 3) to make it explicit that if a sending PSP fails to reimburse a consumer as required by the reimbursement requirement and rules, the consumer will have a right to enforce the FPS reimbursement requirement and rules and recover the outstanding amount from their sending PSP in the civil courts.

There will also be an additional amendment to SD20 to ensure that all consumers are made aware of their rights under the FPS APP scams reimbursement requirement and rules. For existing customers, this will have to be done by 7 October 2024. For new customers, it will have to be done at the latest by the time the PSP provides the new customer with their services.

The PSR expects PSPs to notify consumers of their rights in line with how they would notify them of changes to any other service. It also highlights that PSPs should continue to have regard to their obligations under the Consumer Duty.

    • Clarifying when an FPS APP scam claim can be closed: Amendments are proposed to SR1 to make it clear that a sending PSP may only close an FPS APP scam claim having undertaken an assessment as to whether it includes any reimbursable APP scam payments. If a sending PSP chooses to reimburse a claim before completing the assessment, and then subsequently assesses that the claim did not include any reimbursable APP scam payments, this would be regarded as voluntary reimbursement for the purposes of SR1, and so a receiving PSP would not be required to contribute to the cost of reimbursement.
    • Clarifying the policy intent where an FPS APP scam claim involves multiple receiving PSPs: Here, the PSR proposes amendments to SR1 to make it clear that:
      • where there are multiple receiving PSPs in a single FPS APP scam claim, those receiving PSPs may share between them the value of 50% of the maximum claim excess amount; and
      • the share that each receiving PSP may choose to deduct from their specified amount shall be in proportion to their overall liability for the reimbursable portion of the APP scam claim in question. This will be determined through rules set by Pay.UK.

What about future changes to the PSR’s legal instruments?

The PSR also sets out the principles that it proposes to apply if in the future changes are required to the FPS reimbursement rules.

Where changes can be made solely by amending the FPS scheme rules, the PSR envisages that Pay.UK should take the lead role in making those changes. Where changes can’t be made without the PSR amending SR1, SD19, or SD20, the PSR will aim to issue any amendments in the months of April and October in any given year (unless urgent changes are required).

Next steps

  • The consultation closes at 5pm on 28 May 2024. The PSR makes it clear that, as it plans to finalise the legal instruments in July 2024 ahead of the policy start date, this is a hard deadline ie stakeholders should not expect to be granted requests for extensions.
  • Pay.UK has submitted its compliance monitoring regime to the PSR for review. Subject to the PSR’s approval, the regime will be published by Pay.UK on its website no later than 7 June 2024.
  • Under Specific Requirement 1, Pay.UK is required to put the FPS reimbursement requirement into the FPS rules. Pay.UK is required to publish those FPS reimbursement rules on its website by 7 June 2024.
  • PSPs must ensure they have registered with Pay.UK by 20 August 2024 so that they can be onboarded to the RCMS.
  • In terms of Pay.UK’s longer term role, the PSR expects Pay.UK to establish, maintain and enforce cross-market operational arrangements in a number of areas including APP and account-to-account retail transactions.
  • There is a reminder that the PSR is responsible for monitoring and enforcing compliance with its directions, including the compliance of in-scope indirect Faster Payments participants. Once it has been notified of a potential breach, it will use its regulatory toolkit and powers as it considers appropriate, taking account of its Powers and Procedures Guidance (PPG) and Administrative Priority Framework.
  • The PSR is planning to consult on reimbursement rules for participants in the CHAPS payment system (mirroring, where possible, the direction on PSPs regarding Faster Payments). According to its latest Work Plan (April 2024), the consultation will be published in Q2 2024. The PSR’s final decision and any necessary direction that might be given will be published in Q3 2024. The Work Plan also indicates that the implementation date for the equivalent CHAPS reimbursement requirement will be the same as that for FPS – 7 October 2024. See also ‘Application to CHAPS’ above.
  • HM Treasury has committed to supporting PSPs' fraud prevention efforts by amending the Payment Services Regulations 2017 to allow PSPs to delay the processing of a payment when there is a reasonable suspicion that the payment is fraudulent. The draft legislation was published in March 2024 for technical checks and the review period closed on 12 April 2024. The government intends to lay the legislation before Parliament in summer 2024, subject to Parliamentary time allowing. It intends that the legislation will take effect on 7 October 2024 at the same time as the FPS reimbursement requirement. Take a look at this Engage article for more: ‘APP fraud: UK government publishes draft legislation allowing PSPs to delay payments for fraud concerns’.

If you would like to discuss any aspect of the new reimbursement requirement, please get in touch with one of the people listed above or your usual Hogan Lovells contact.

 

 

Authored by Virginia Montgomery and Stephen Timbrell.
