New rules to be introduced by the Payment Systems Regulator will in future make banks and financial services liable for payment scams and consequent reimbursement. Andy Barratt, UK Managing Director at Coalfire, explains more for Lawyer Monthly.
During the first six months of this year, victims of Authorised Push Payment (APP) scams were conned out of a shocking £100 million. These simplistic but sophisticated cons have tricked thousands of customers into unwittingly authorising payments in response to fake emails or persuasive phone calls.
Currently, it is most often the victim – the customer – that picks up the tab and any compensation awarded to them is generally qualified as an act of good will, not an admission of responsibility.
But a new contingent reimbursement model being introduced by the Payment Systems Regulator (PSR) in September 2018 will likely shift the responsibility for preventing APP on to banks and payment services providers. Organisations may be obligated to pay out in circumstances where it can be proved they didn’t have adequate security procedures in place or follow best practice.
Though the exact contents of the model is yet to be ironed out, PSR’s focus on redressing the balance between customer and company emphasises the increasing importance for the financial services sector to have its house in order when it comes to protecting its customers from fraud, particularly online.
Legislatory or voluntary?
Whatever the PSR’s judgement, the resulting regulation will likely take one of two forms.
The Government could legislate, based on recommendations from the PSR, for transactional scam protection, which would be underwritten by the Treasury. This would be much like the protection given to individuals and businesses that hold deposits in banks that fail, who are entitled to compensation of up to £85,000.
The government would, of course, be within its rights to recoup these costs from organisations that authorised the fraudulent payment in the first place.
Alternatively, a voluntary system overseen by the PSR could require member institutions to contribute to a collective insurance pot to protect victims.
Both approaches would likely mean greater costs for banks and payment services providers, intensifying the onus on these firms to demonstrate that their defence against APP is as robust as possible.
Preparing for the reimbursement model
It must be said that many financial institutions, and particularly the big retail banks, are working hard to be good corporate citizens.
But across the sector, particularly among smaller lenders or those with more automated service models, a variety of steps could be put in place with reasonable ease that would make organisations far better able to protect customers from APP and less likely to lose money to compensating them.
In the credit industry, for example, a five-day cooling off period is applied to all credit agreements. This allows time for the source and recipient of any payment to be verified. Similar principles could be introduced to other forms of banking. Even in the case of customer-to-customer transactions such as direct debits, payments over a certain value threshold could be held until their legitimacy is confirmed.
Banks with branch networks can also use the personal contact staff have with customers as a way of verifying the identity of a payor or payee. Staff training and awareness days can be used to teach employees how to spot transactions that may be fraudulent.
Alongside this human element, artificial intelligence will play an increasingly key role in helping businesses to detect fraud.
The reimbursement model will necessitate banks and payment services providers to prove they have robust mechanisms in place to monitor consumer behaviour more meticulously and identify and block suspicious transactions effectively.
AI can be used to detect incongruous payments among many millions of transactions – a needle in a haystack for mere mortals. These suspicious payments can then be paused, with the funds placed in temporary escrow, and the customer contacted to confirm authenticity.
This stops the theft from ever taking place, circumventing the debate over who is liable altogether.
Plan ahead
The contingent reimbursement model may not have the wide-ranging, cross-sector implications of other new regulations such as GDPR and PSD2. But one thing it does have in common with these more talked-about directives is the potential to be financially damaging for the organisations that fall foul of it.
The PSR recognises that there is no single measure that will stop APP scams altogether, but impresses on the financial sector the importance of doing everything it can to guard against this form of fraud.
The sector should stay abreast of new developments concerning the contingent reimbursement model and take steps, some examples of which are highlighted above, to ensure they are ready when the regulation takes its full form next September.