For a recap of the consultation proposals which preceded the policy statement, take a look at our Engage article ‘APP fraud mandatory reimbursement: UK PSR consults on ‘key’ compliance and monitoring requirements’.

Key takeaways

• The policy statement confirms:​

  • The requirement for directed PSPs to register with Pay.UK by 20 August 2024: The PSR explains that this is one way in which PSPs will identify themselves as in-scope of the policy to Pay.UK and will help facilitate a shared FPS Reimbursement Directory. This directory will enable PSPs to find one another’s contact details so that they can meet the requirements in the FPS reimbursement rules and the PSR’s policy, and communicate on FPS APP scam claims that they receive. PSPs can find more information about how to register on Pay.UK's website here.

  • The data under reporting standard A that sending PSPs in-scope of the policy are required to retain and report to Pay.UK monthly in respect of transactions they have sent: In recognition that the new regime may ‘create some challenges’ for PSPs, the PSR is not requiring the retention or reporting of all compliance metrics in the Compliance Data Reporting Standard (CDRS). Instead, it has decided to focus on the core compliance metrics under reporting standard A, which allow Pay.UK to effectively monitor compliance from the policy start date of 7 October 2024.

However, all in-scope PSPs are required to comply with the record keeping requirements contained within the CDRS from 7 October 2024, regardless of which reporting standard is in place.

The date by which in-scope PSPs must submit the first report under standard A to Pay.UK has been amended from 2 January 2025 to 6 January 2025 to avoid requiring submission immediately after the holiday period. The data to be contained in that report is unchanged; the report must cover the period 7 October 2024 to 30 November 2024. Likewise for the future reporting dates and contents, meaning that the second report must be submitted on 31 January 2025 and cover the period 1 December 2024 to 31 December 2024.

The PSR has confirmed that Pay.UK must specify the means by which PSPs are required to report data to it under reporting standard A in its rules. Pay.UK will be able to determine a reasonable alternative reporting method where necessary.

• • The reasonable limits that the PSR is placing on Pay.UK in respect of the use and disclosure of the compliance data it receives: The data received by Pay.UK must only be used for it to fulfil its functions under SD19. The PSR has also:

    • confirmed the onwards sharing limitations that it consulted on, with minor amendments in response to the feedback received; and

    • clarified that the limits on Pay.UK in respect of the disclosure of confidential information do not prevent it from disclosing the information that PSPs provide as part of the registration process, as the sharing of such data is necessary for the effective functioning of the FPS Reimbursement Directory.

  • The PSR’s approach to requiring PSPs to inform customers of their rights under the policy: There is some leeway on changing T&Cs, which should be changed as soon as is practical and by no later than 9 April 2025 to include a provision that a PSP would reimburse their consumers in line with the reimbursement requirement and rules. This will allow consumers to enforce their right to reimbursement through the courts, as for any other contractual obligation of the PSP included in their framework contracts.

However, PSPs must notify existing customers of their rights under the reimbursement requirement and rules, and of the upcoming contractual changes, by 7 October 2024. PSPs also have until 7 October 2024 to put arrangements in place to inform new customers of their rights, at the latest by the time those new customers are serviced. The PSR has published additional information to support PSPs in meeting this obligation, in the form of informal guidance setting out suggested content under three categories (scope, exclusions, and what consumers can expect when making a claim), as well as suggestions for other helpful information PSPs may consider providing. While it states that the guidance is not compulsory and that PSPs are free to communicate with their customers in whichever way they think best (bearing in mind their obligations under the FCA Consumer Duty and any other relevant regulatory obligations), there is a reminder that the requirement to inform customers of their rights is a legal one. The PSR is also not ruling out providing formal guidance in the future, if appropriate.

• The changes will be delivered through amendments to the PSR’s FPS APP fraud legal instruments, which have been published in revised form:

  • Specific Requirement 1 (SR1) on Pay.UK

  • Specific Direction 19 (SD19) on Pay.UK

  • Specific Direction 20 (SD20) on payment service providers

• ​The final Compliance Data Reporting Standard (CDRS) has also been published.

• Two requirements still subject to confirmation: In-scope PSPs should note that in light of consultation feedback, the PSR is not currently confirming two further requirements on which it also consulted:

  • its proposal to require all in-scope PSPs to comply with Pay.UK’s FPS rule to use the reimbursement claim management system (RCMS); and
  • whether and when reporting standard B may come into effect, although it has confirmed the data contained within reporting standard B in the CDRS (​so that it’s clear to in-scope PSPs what standard B will contain, should it be brought into effect).

Instead, the PSR intends to consult on these in late 2024. Following consultation, should the PSR require use of the RCMS, it may be possible to bring this requirement into effect by 1 May 2025 (the date by which all direct PSPs are required to comply with Pay.UK’s FPS rule requiring use of the RCMS).​ The PSR will keep timings under review and remains open to considering all available options through this future consultation.​ The PSR encourages PSPs to continue their engagement with Pay.UK and to onboard to the RCMS as early as possible to enable delivery of the FPS Reimbursement Directory, and onto the full-functionality RCMS, if they are satisfied with the arrangements.

• Scope of claims reported: A minor amendment has been made to the CDRS to clarify that only claims that are in scope for assessment must be reported. The PSR emphasises that, even if those claims deemed in scope for reporting are assessed and then deemed as not reimbursable, they must still be included in the data reported to Pay.UK because for such claims it may not have been possible for the PSP to establish whether they are out of scope on the basis of the initial consumer contact. Note that the PSR has published a consultation on draft guidance on distinguishing between APP scam claims and civil disputes – take a look at our Engage article on the consultation here.
• Process for amending CDRS: The process for amending the CDRS after 7 October 2024 has been changed following consultation feedback. Any required amendments will now be consulted on in accordance with the PSR’s Powers and Procedures Guidance, alongside any other proposed changes to the FPS APP scams legal instruments in April or October of any given year (unless urgent changes are required). Changes will be brought into effect no sooner than 90 days after they are confirmed. The PSR will notify PSPs in writing of the date upon which changes will come into effect. The consultation proposal was for consultation only where changes were material. Otherwise, the PSR would just have published a notice of the changes on its website. Any changes would have come into effect no sooner than 30 days following publication of the notice. The final position is therefore likely to be welcomed by in-scope PSPs as it provides more opportunity for review and feedback, as well as more time to implement any required changes.

What’s next and what should firms be thinking about?

• In-scope PSPs need to continue the work already underway to prepare and ensure they are ready to implement the requirements.
• The leeway on changing T&Cs by no later than 9 April 2025 to inform customers of their rights under the reimbursement policy will no doubt be welcomed by PSPs in potentially mitigating some of the cost and operational burden of implementation. But in the meantime PSPs must be ready to notify customers of their rights and the upcoming contractual changes by 7 October 2024. They should review the content suggestions in the additional information on consumer communications provided by the PSR, which is aimed at supporting them in complying with this requirement.

If you would like to discuss this latest PSR policy statement, the additional information on consumer communications or any other aspect of the new APP fraud reimbursement requirement, please get in touch with any of the people listed above or your usual Hogan Lovells contact.

Authored by Virginia Montgomery.