Treasury Sub-Committee on Financial Services Regulations
Oral evidence: Authorised push payment fraud reimbursement scheme, HC 939
Tuesday 13 December 2022
Ordered by the House of Commons to be published on 13 December 2022.
Members present: Harriett Baldwin (Chair); Andrea Leadsom; Anthony Browne; Alison Thewliss.
Questions 1 - 53
Witnesses
I: Abby Thomas, Chief Executive and Chief Ombudsman, Financial Ombudsman Service; Chris Hemsley, Managing Director, Payment Systems Regulator; David Pitt, Chief Executive, Pay.UK.
Witnesses: Abby Thomas, Chris Hemsley and David Pitt.
Q1 Chair: Welcome to this session of the Sub-Committee on Financial Services Regulation for the Treasury Select Committee. I wondered whether our witnesses could introduce themselves for the record.
Abby Thomas: Hello, I am Abby Thomas. I am the CEO and chief ombudsman of the Financial Ombudsman Service.
Chris Hemsley: I am Chris Hemsley, the managing director of the Payment Systems Regulator.
David Pitt: Good morning. I am David Pitt, the CEO of Pay.UK.
Q2 Chair: It is very good to meet you all this morning. This subject is of great interest to our constituents who are victims of push payment fraud. We are particularly keen to hear from you so that we could find out what the solution is and how you are proposing to implement it and end this malign practice. Can I start with you, Chris, in terms of the vision for Pay.UK? Why have you decided to delegate the enforcement of this scheme to Pay.UK?
Chris Hemsley: I would not characterise it as delegating. The way I would describe it is that each of the payment systems has a rulebook. The first line of defence for improving conduct in those systems is to change those rules, get those rules in place and then for the system operator to work to make sure there is compliance with those rules. Then there is always the regulator sitting behind that.
The regulator—the PSR, to be clear—is then sitting there, making sure that the system operator is doing its job properly, and we can use our powers if it is not, and we can intervene more directly against participants of the system if there is a systematic problem or a particular egregious issue that we need to intervene on. I characterise it a bit more as seeing that, over time, we want all payment system operators to maintain their rulebook and make sure that people comply with their rules. Then we are always sitting there with that regulatory toolkit, monitoring, supervising and intervening as appropriate. That is how I would see it, which is why we have chosen the route we have.
Q3 Chair: Pay.UK itself is not a regulator. David, are you happy with receiving this responsibility?
David Pitt: Yes, we are. You are right: we are not a regulator. However, as Chris alluded to, we have rules and standards that we apply to the payment system. We are used to making sure we have compliance with those rules and standards. We have a set out approach, governed and regulated by the Bank of England and the PSR, that we follow to maintain compliance with our rules and standards. We are happy with that approach and support the reimbursement regime.
Q4 Chair: You have quite a lot of other significant projects to deliver. Are you confident that you are going to be able to take on this responsibility and have the right resources to do so?
David Pitt: Yes, we are. With the other projects, we are making sure that we have the correct resource to put in place the reimbursement regime so that it is efficient and effective. We are confident we will have enough resources to complete this.
Q5 Chair: What about the visibility of the fraudulent transactions?
David Pitt: It is really important. We have been working with the PSR on a working basis so far to set out the model that we will follow, collecting the information, gathering the responses from the banks, making sure we can understand the compliance against the regime as set out, and using our rules and standards to make sure we deliver that compliance against the outcome of the consultation that the PSR is working on at present.
Q6 Chair: You feel that you are going to have the resources in time and that you have the right oversight. How are you actually going to enforce, though? The ultimate sanction for you is to switch someone off from the payment system and that seems pretty strong medicine. How are you planning to actually do the enforcement? Are you going to refer that back to the regulator?
David Pitt: As alluded to, we are not a regulator and we have powers to use our rules and standards to maintain compliance. That approach is set out very clearly, where we go through various steps to make sure that we maintain compliance with those rules and standards, for example at an operational level, and then alluding to raising that at risk level, to CEO level, to a board level, following SMR as well. In our current rules and standards, if we have to, we also refer to the regulators to use, ultimately, their powers.
You are right: we do not want to use the ultimate approach, which is to suspend someone or take them off of the payment system. The payment system in the UK is too important for us to achieve that or do that.
Q7 Chair: You will never take anyone off the payment system.
David Pitt: It is not that we will never do that. We never have to because we see the importance of it and go through that process where we maintain and achieve compliance. To answer your question, we are confident that we can do that. We will use the PSR, as the regulator, to enforce if required to, and that is the approach we will take.
Q8 Chair: You feel that you are ready, this is something you welcome, you have the resources and you will be in a position where you can hand over enforcement to the regulator as and when necessary.
David Pitt: Yes, as and when necessary. We require the full clarity coming out of the consultation. We will work closely with the PSR and our customers, the banks and building societies, to make sure we put in place a good recording regime that shows compliance. Where we do not have compliance, we will act on it. Ultimately, as you said, if we have to, we will raise that to the PSR to use its enforcement powers.
Q9 Chair: From the point of view of the regulator, are you agreed on that? It is all harmony between the two of you on this project.
Chris Hemsley: Absolutely, it is even broader than that. As you talked about in your introduction, we are all trying to fix this difficult problem. David’s characterisation there is spot on. To complete that picture, on the assumption that Parliament gives us the Financial Services and Markets Bill powers, we would then have our very broad powers of direction available to the participants of the system and the system operator as well.
If those powers are not complied with, as you expect, there is a series of sanctions that escalate. Ultimately, there is a significant financial penalty for non-compliance of up to 10% of turnover. That is not where we typically would go, but there are significant financial penalties should the escalation that David has described and then the escalation through the regulatory process fail to secure compliance. There is that ultimate sanction.
Q10 Chair: In your consultation response so far, you have listed all the difficulties that you think Pay.UK will face. Are you confident they will have resolved those by the time this system goes live?
Chris Hemsley: I think so. We are being transparent, and looking for help and ideas as well, around the challenges of actually implementing this, which is quite a significant change. We are working through that. We have had a number of meetings between the organisations to go through the detail of how this will work. We still have more to do to get the implementation right, but, sitting here today, I am confident that we will work through those problems.
Q11 Chair: So we have nothing to worry about. This is all going to go completely smoothly and you are happily working with each other on this.
David Pitt: It is important to stress that reimbursement is critical here and we support mandatory reimbursement. We have a process that we are working through with the PSR that we can put in place. I am confident we can have that in place to support mandatory reimbursement, but mandatory reimbursement has to go hand in hand with detection and prevention. We want to eradicate fraud as much as we can across the ecosystem.
We work closely with our customers, the banks and building societies, which put a lot of effort into this, but it is also critical that we think right across the ecosystem, with social media organisations, telephony companies, Government and indeed lawmakers, to make sure that we reduce fraud as much as we can. However, it is critical that reimbursement is effective, so that compensation is there when required.
Chris Hemsley: To build on that, I agree with everything there, but we are going to learn and adapt. That is the other point. We have set out some proposals that we are talking about today. They are a really significant step forward, but criminals and fraudsters are going to adapt their techniques. We are going to learn how customers react and so we need to go into this with the expectation that we are going to learn and build from there. This is a really significant step forward, but we need to keep reviewing what we learn from the reimbursement, and from what criminals are doing and how they are going to manipulate. It will not stay still. We will learn and adapt over time.
Q12 Chair: What I am hearing you say is that it is not going to be perfect on day one. I wondered whether there are things that could be done now, at this stage, to give you greater confidence that it will be closer to perfect on day one.
Chris Hemsley: That is one of the things we are hoping to discover in the consultation. We got the last set of responses on Friday, so we are working through those. There is a bit of a trade-off here. It is quite a substantial change. We are moving from 10 groups of firms to over 1,000 firms that are going to be covered by this, so it is a really substantial change.
Keeping it relatively simple in that first iteration and then building from there is the right way of doing it. We will get better at this. The technology will get better. The information exchange and risk management will get better. The answer to your question is that I do not think there is anything that I would build into that first iteration, but we may learn something during the consultation.
Q13 Andrea Leadsom: Good morning. Thanks very much for coming in. I would like to challenge you over the potential for conflict of interest. Turning first to David, Pay.UK is a company limited by guarantee, so you do not have shareholders. You have guarantors instead. Looking at the list of guarantors, they are all banks or financial services providers. Can you explain to us what a guarantor does, as opposed to a shareholder?
David Pitt: To repeat, you are right: we are an independent, not‑for‑profit company, limited by guarantors. We have 42 guarantors across various industries, including some banks and building societies. One thing that is really important is that that does not impact our independence. The guarantors vote on our resolutions at our AGM, but do not take part in or have any influence on strategic or day-to-day decisions on how we operate and run Pay.UK.
I also mentioned at the start that our governance model has been approved by the Bank of England and, indeed, the PSR. We are supervised by both those regulators, so I do not foresee any conflicts of interest in our approach.
Q14 Andrea Leadsom: You say that you have guarantors from across different industries, but actually it is predominantly banks, financial services and payments businesses from this list of guarantors here. The purpose of your organisation is to monitor and enforce comprehensive payment system rules that protect consumers and prevent fraud from entering the system. Surely, that is an inbuilt conflict of interest.
David Pitt: If you look at what we do today, we deal with 10 billion transactions a year, nearly £8 trillion of moving money. It is critical that we have the ability, through our rules and standards, to enforce compliance today. We do not have any conflicts on that today, making sure that some of those guarantors follow our rules and standards. It is no different to what we are going to do when we get into reimbursement regime. That is why I am confident that there is no conflict.
Q15 Andrea Leadsom: If one of your guarantors—let us say a very powerful one, which is very involved in one of your sectors that you are monitoring and enforcing on—is not happy with how you are enforcing the payment systems rules, and if they were to bring that up at a meeting of guarantors, what happens there?
David Pitt: That is why it is really critical, as I said before, that we are not the regulator. That is where Chris plays his part and the PSR.
Q16 Andrea Leadsom: No, but it is how you are enforcing the rules, is it not?
David Pitt: The PSR sets the direction and then we will put in place rules and standards to make sure that participants on the FPS—faster payment system—comply with those rules and standards. We have an approach today that we use to make sure that there is compliance for, equally, those firms you have just alluded to today. We will use that and put that in place, which is very effective. As we said, if we require enforcement—and we do not want to get to that stage—we will agree and refer to the PSR, as the regulator, to use that regime. That is part of our current process today.
Q17 Andrea Leadsom: If one of your guarantors says, “I do not really like the way you have just enforced against me”, what happens? Do you refer it to the PSR?
David Pitt: The enforcement would be done, if it was regarding any fines or anything like that, by the PSR. However, compliance is done by Pay.UK. We go through a staged approach, as I say, raising it through the right process and governance within those firms to make sure we maintain compliance. That is very effective today, because the payment system is so important to the UK economy but also so important to our customers, the banks and building societies.
Q18 Andrea Leadsom: I hear what you are saying, but these are very live issues, are they not? We have had a raft of fabulous new financial technology businesses. There are lots of new payments businesses and so on. It is highly likely that, given the current situation, the newness of some of them and so on, a few may have problems. If they are both your guarantor and the subject of your rules and protection, it seems like an absolutely inbuilt conflict. It is going to be very difficult for you to simply say, “Right, over to the Payment Systems Regulator”.
You clearly have an interest in the success of your guarantors, as well as being subject to them guaranteeing you, so it is very difficult. Perhaps, Chris Hemsley, you could come in there. Do you think there is a conflict of interest? Are you worried about it?
Chris Hemsley: It is something that we need to keep aware of, but I am confident that we have the protections in place. There is a set of legal directions on a number of companies, including Pay.UK. That includes obligations to operate the systems in users’ interests and avoid conflicts of interest. Both those things are referenced in slightly different contexts. There is that regulatory oversight from day one. That has been there for many years now. We see that in Pay.UK’s governance. There is a board structure with independent directors, so that gives us some comfort.
Ultimately, if that was not working and we were worried about the influence of a large guarantor, which today we are not, our powers are really broad. We could direct changes to Pay.UK’s governance. We could intervene directly against that participant if that was appropriate. There is a system in place today. It is reflected in Pay.UK’s corporate governance. If my view changed and this became an issue, we can do something about it.
Q19 Andrea Leadsom: How does it work? If there is a general concern about a guarantor, I am assuming that there would be all sorts of media about that. Who picks up the baton? Is it you—you sound worried about this—or does Pay.UK say, “We are worried about this”, or do you both do it? Is it going to fall through the gaps? If the guarantor itself says, “I do not really like this; I am not happy for you to be talking to the press, criticising me or challenging me”, what happens?
David Pitt: There is very limited financial guarantor by those parties. We would follow our current set out regime that those parties sign up to as they come on to the faster payment system. We would follow that clearly and robustly all the way through. As I said, within there, if we have any issues, if we are not getting compliance, we are not the regulator and that is where we would refer to the regulators, not just PSR but also FCA.
Q20 Andrea Leadsom: Is that not the problem? You have an issue with enforcement, which is not the same as having an issue with a company going bust, for example. It would be for the PSR, presumably, to think, “Gosh, looks like X company is going bust”. You are only concerned with whether they are meeting your terms of reference and yet they are one of your guarantors.
David Pitt: The guarantors are, as I say, very limited from a financial point of view. They do not have any impact on day-to-day or strategic decisions in the business. They attend and vote on resolutions at our AGM, but we keep those issues separate to the compliance. We are very clear that our role is to protect the robustness and resilience of the payment systems and indeed, as the PSR issues directions, that will also include the reimbursement regime. We will have a very clear approach to managing that, reporting on that and working closely if there is non-compliance. That is why I am confident that there is no conflict.
Chris Hemsley: There are other protections that sit behind that. You were talking about the financial resilience issues there. The Bank of England and the PRA have, fundamentally, the role there—
Q21 Andrea Leadsom: That is lots of people.
Chris Hemsley: They have an economy-wide role to make sure that Pay.UK and the guarantors, because we are talking about big retail banks, are financially robust. That includes Pay.UK. The Bank of England reviews Pay.UK to make sure it is financially robust as well.
In terms of that conduct concern, I would expect Pay.UK—we are talking about it already—to have its monitoring and compliance processes in place, but we also will be monitoring in this space. If we see firms that have lower reimbursement rates, are being too slow to pay out and those kinds of systematic issues, and Pay.UK is not doing something about it, we would expect to investigate, asking questions of both Pay.UK and that participant. It is almost that there are two layers of protection in terms of checking that the participant’s conduct meets the rules.
Chair: You can see why Andrea is highlighting that there is potential for major conflicts of interest, because the guarantors of Pay.UK are, basically, all the big banks. We have had a submission from UK Finance, where many of them will be members, saying how it is concerned about this regime and generally not particularly happy about its implementation. I am sure that we have all heard from individual banks that are also not particularly happy about this.
You have now been asked to implement this. For the record, we are really, genuinely, quite concerned about the conflicts of interest that have been structurally embedded in there. Chris, we are going to have to rely on you, as the regulator, to make sure that these worries that we have are fully addressed. It is you, as the regulator, that we will hold accountable.
Q22 Alison Thewliss: I am looking for a wee bit more clarity about responsibility within the scheme. I wanted to check out with your organisations who would be responsible for sanctioning any payment system provider that is repeatedly failing to reimburse victims in good time, or is systematically challenging its responsibility to pay with its counterpart payment system provider.
Chris Hemsley: There is a useful distinction and your question was spot on. There is this distinction between systematic issues and individual concerns about individual cases, so individual frauds. That distinction means that that is the role of the Financial Ombudsman Service for individual complaints. Customers should go first to their payment firm. If they are not happy, they should go to the Financial Ombudsman Service. That is the case-specific route.
You are absolutely right: if there is a systematic issue—so we, for example, identify that most firms are reimbursing 90% of these cases straight away and there is one firm that is 40%, say—it leaps out and that would go through the process that David was talking about there. We would be escalating the compliance measures. Initially, Pay.UK would be monitoring, hopefully identify that and then start to raise issues about compliance with its rules. Then it would escalate to the PSR for, potentially, much more direct regulatory action and, ultimately, financial penalties. That is the systematic versus the case-specific routes.
Abby Thomas: From our perspective, the first step in the chain is Pay.UK, which would be able to observe if a mandatory reimbursement had not happened for customers. In some cases where that does not take place, the consumer may choose to raise a case to my service, the financial ombudsman.
Should we see that happening in unusually high numbers, our first step would be to bring that back to Chris and David, to say, “We have spotted this trend”. Our primary role, as Chris said, is to look at each case on a case-by-case basis, but we can use our data to spot where regulations perhaps are not being implemented in the manner in which they had been intended. We would be very quick to escalate that back.
Q23 Alison Thewliss: If I am the customer in the middle of that, that all seems like a very lengthy and bureaucratic process to complain to one, wait for somebody else to deal with it and wait for somebody else to go back.
Abby Thomas: Yes, I understand that. From my perspective, I take only those complaints that the banks have failed to resolve. That would be the customer’s first port of call—to be able to complain to their bank. That should be a very quick process, in fact quicker under this new regulation than is currently the case.
David Pitt: From Pay.UK’s perspective, we see ourselves as operationalising the reimbursement regime and, as alluded to, collecting the information on performance against the targets set and the consultation. We are very clear on the performance, whether it is the volume of cases that are settling in the correct time and reimbursing or indeed not, understanding those differences between the banks, building societies and financial institutions, pointing out those differences and driving compliance, so we have a level of consistency. Where we do not and cannot achieve that compliance, as we have alluded to before, we refer back to the regulator to use its powers. It is really important that we are clear on the different roles there, as we have alluded to.
Chris Hemsley: Between our organisations, we need to make sure that all that regulatory framework knits together, but the message for a customer is quite simple: “Go to your payment firm, your bank, and complain. If you are not happy with that response, you can go to the Financial Ombudsman Service”. That message is the same for a payment firm as it is for most other financial products. It is that simple consumer message. Then we, behind the scenes, make sure that the wider compliance and enforcement piece joins up.
Q24 Alison Thewliss: I am hearing that you are all gathering bits of data and talking to each other about what is going on. Who is actually responsible for sanctioning any firm if it is failing to reimburse victims?
David Pitt: First and foremost, I see Pay.UK as moving through the compliance regime. We do not issue fines. We are not the regulator. I see us working with the banks and financial institutions, which, to be really fair, do not want their customers to have to experience this. We work with them today, whether it is the industry body, UK Finance, the customers or the banks, to try to improve detection and prevention.
However, where an APP fraud succeeds, it is important that reimbursement happens. We see ourselves as maintaining compliance with the rules and standards for faster payment system, backing what is set by the PSR, in terms of the regulator, and then, as I said, raising it to the regulator if we see non-compliance.
Chris Hemsley: Ultimately, putting it slightly colloquially, the buck stops with the PSR. Parliament has given us the obligation to protect users of payment systems, so we need to make sure it all works. It is very clear that it is the PSR.
Q25 Alison Thewliss: Do you have the powers you need to take action against a payment system provider that is not complying with the scheme? It is not doing what it should do, letting victims down. Compared to the FOS, which will look at individual cases and take action, can you do something about that?
Chris Hemsley: Not yet, but it is the Financial Services and Markets Bill. Today, we do not have those powers. Today, we have been working around those, making progress within those legislative constraints. We are very happy and pleased with the clauses in the Bill and that will give us the powers we need to take that direct action.
Q26 Alison Thewliss: In terms of the letter that you had sent to the Sub‑Committee, Chris, there are lots of “mays” and “shoulds” around that about the role in the short term and in the longer term. When will that be a bit clearer as to what will actually need to happen here?
Chris Hemsley: It needs to be clear on day one.
Q27 Alison Thewliss: It is not very clear from your letter as to who has responsibility. That makes it very uncertain for people navigating their way through this system.
Chris Hemsley: I apologise for that, because it has not come across sufficiently clearly. We are going through this consultation process, but, ultimately, we need this all to work on day one. We are now working through the detail of what the processes look like with Pay.UK, the link‑up with the FOS and where we need to use our powers. On day one, we need to make sure there are no gaps. Then we will build from there. Once we have that system in place, as I was mentioning before, we will learn, adapt and refine as we go on, but it needs to work from day one.
Q28 Alison Thewliss: Does the Payment Systems Regulator retain overall responsibility to make sure that either the FOS or Pay.UK has the systems in place to identify a specific PSP that is abusing the scheme?
Chris Hemsley: We do not oversee the FOS, but we regulate Pay.UK. The answer to your question is yes. The role of protecting users is one of our three statutory objectives. We need to be comfortable that Pay.UK is doing its job right, the link-up with FOS is working, it is getting the information it needs and the system hangs together. Ultimately, that is the responsibility of the PSR. The FOS has slightly different accountability arrangements.
Abby Thomas: That is right, but there would be no issue with us identifying if customers of one particular firm were referring a lot of cases to us, where they failed to receive mandatory reimbursement. We operate that practice today. One of our duties is to ensure that the financial services institutions are aware of good practices, so we are feeding back that data on a regular basis. We see positive action on behalf of those institutions too in response to the changes we suggest.
Q29 Chair: Chris, you mentioned day one a few times there. Do you have a date in mind that is going to be day one?
Chris Hemsley: We do not yet.
Q30 Chair: There is not a date that you are working to.
Chris Hemsley: We are making sure that we are ready to start that implementation phase as soon as there is Royal Assent. I cannot give you a precise date.
Q31 Chair: You could potentially be ready on the day of Royal Assent.
Chris Hemsley: I need to unpack what I mean by day one. That implementation phase will start with the Royal Assent. We are working now, which is why we have been doing this consultation, to make sure that we have our proposals ready ahead of that Royal Assent, before we have powers. We will then need to do some legal processes, issue some directions, these formal legal instruments, which will lead to Pay.UK changing its rulebook, and then some implementation. That will take some time, so we are looking at towards the end of this year at least before proper day one, where customers experience—
Q32 Chair: Do you mean the end of this calendar year, 2022?
Chris Hemsley: Apologies, we are working towards a planning assumption of Royal Assent in spring 2023 and so most of the implementation would then be finished in 2023, calendar year.
Q33 Chair: Our constituents will not see any change until the end of next year.
Chris Hemsley: Yes. If you are happy, I could write to you to explain how that timing works, because there are a number of stages that we need to go through. We are trying to keep that implementation phase as short and as tight as possible. The regime cannot be switched on the day after Royal Assent. There are these legal instruments that need to be issued. The rules need to be changed. Participants then need to comply. That takes a number of months, unfortunately.
Chair: We would be grateful for your timetable. Thank you.
Q34 Anthony Browne: When this all launches, there will be big razzamatazz in the consumer press and elsewhere about people being more likely to get compensation if they are victims of fraud, but there are lots of exemptions. I am aware that some victims of fraud may not get compensation that they think they are entitled to. One is that there is a limit of £100, is there not? Why would you not compensate people who have £90 of fraud against them? Numerically, that must be quite a big group of people.
Chris Hemsley: It will be by volume. Shall I answer that data question first? Around 25%, so a quarter, of the current frauds are below £100, but it is about 1% of the value of the frauds. The distribution of those frauds is that there is a large volume of smaller frauds that would fall below that threshold.
There are a couple of other observations. The way we have proposed is that it is a minimum obligation on payment firms. There is nothing in our proposal that would stop firms using their sensible discretion.
Q35 Anthony Browne: Yes, but victims of fraud would not be entitled to compensation if the fraud is less than £100.
Chris Hemsley: That is correct. We thought really hard about this. The balance that we have tried to strike in our proposals is to adopt a fairly clear, simple and, frankly, quite high hurdle for conduct—this gross negligence test. We simplify that regime and make it much clearer for customers, moving from what is a description of their obligations under the voluntary code, which is about a page, to this much simpler test.
To keep it balanced, so that there is that appropriate balance between customers and the financial sector, and make sure there is still a bit of caution in the system, we have introduced that ability to have that £100 minimum and a £35 excess. Those are numbers that you see elsewhere in financial services. They are taken from the unauthorised fraud system, where, again, there is an ability to not make a reimbursement for transactions below £100.
Q36 Anthony Browne: I do not understand the argument for having that threshold of £100. Is it just a logistics thing—that it is not worth the administration, as it were, for things that are that little?
Chris Hemsley: This is an area of real, live debate. I have started to make my way through some of the responses we have got and this is a real area of debate—this issue of what we think about how customers will behave.
Q37 Anthony Browne: Obviously banks can compensate if the fraud is less than £100, but I doubt many of them will. The consumer pages will be full of it. I can just see many people who have been defrauded of £90 and, for some reason, are not allowed compensation, but if they are defrauded for £100 they would get compensation.
Chris Hemsley: We try to strike a balance. We have responses from consumer groups, which I think are broadly comfortable, but are making similar points to the ones you are making, and then a number of financial institutions that are making the opposite point. The way we have tried to calibrate that package is to try to make sure that there is still some caution in the system so we do not encourage too much moral hazard.
Q38 Anthony Browne: That is the point of the excess, is it not, partly?
Chris Hemsley: Actually, both of those working together is the way we have calibrated. That minimum transaction and the excess are both intended to simplify the regime, but principally to make sure there is still a degree of customer caution in the system. It is an area we are going to have to look really closely at. It is not quite as simple as this, but we have consumer groups on one side that are broadly supportive, and a number of responses from the industry side saying that we have gone too far and that customers will become reckless at this level of protection.
Q39 Anthony Browne: Abby, the FOS is not constrained by the law. Your judgments are based on what is fair and reasonable under all the circumstances. Do you think that somebody who is a victim of fraud worth £100 getting compensation but somebody who is a victim of fraud for £95 not getting compensation is fair and reasonable? Would your judgments, adjudications, fall within that? You are not constrained by it.
Abby Thomas: We would always be guided by the regulator, particularly where a standard has been set such as this one. Similarly, we have been guided by the regulator with regard to our treatment of unauthorised frauds as well. It is more likely that higher-value frauds tend to come to the Financial Ombudsman Service, possibly because consumers pursue those rather more vigorously.
Q40 Anthony Browne: At the other end of the value chain, the CHAPS is not covered by this new compensation scheme at present. It is just those through faster payments. If someone is buying a house, they normally use the CHAPS scheme, I think. Certainly I had cases where people lost the entire value of their house to impersonation fraud when somebody impersonated their lawyers. I am sure that you have had cases like that. To clarify, you would not be entitled to any compensation, if you lose the entire value of your house through impersonation fraud that is paid through CHAPS.
Chris Hemsley: That is correct in this first phase. Because 97% of the APP fraud that we see is on faster payments, we are focusing initially on faster payments. The legislative change that I was talking about earlier removes the limit on our powers across all payment systems, so it means that we can then think about what to do next.
CHAPS is also operated by the Bank of England, so, as you would expect, we are working closely with the Bank of England on what we are doing in the faster payment system and what is happening in CHAPS. There is no difference in objective. All the authorities here want to reduce this fraud to the lowest level that we can.
Q41 Anthony Browne: I get that. Thinking from our voters’ and constituents’ point of view—as I say, I have had complaints of this—somebody who loses the entire value of their home, which is a life‑changing event, to fraud would not get compensation.
Chris Hemsley: That is correct under these proposals. The current voluntary code includes CHAPS transactions.
Q42 Anthony Browne: That was going to be my second point. In this case, somebody loses the entire value of their house. At the moment, under the voluntary code, they would get compensation, but, under this new scheme, they would not get compensation.
Chris Hemsley: That is correct, but there is nothing to stop the current code signatories from continuing those obligations—that protection for CHAPS. We do not stop that and I would hope that firms would continue to offer that protection.
Q43 Anthony Browne: Is there any indication that they would? David, I know you do not speak for them.
David Pitt: We do speak to them.
Q44 Anthony Browne: I said that you do not speak for them. You obviously speak to them. This is quite a big thing. The biggest type of fraud that is currently covered by the voluntary scheme will not be covered. Do you expect them to continue?
David Pitt: It is probably more appropriate that Chris speaks to that. In our discussions with the banks, our customers, they are very clear that they want to provide support and eradicate fraud. They do not want customers to appreciate this or experience it, but it is probably Chris to speak about CHAPS.
Q45 Anthony Browne: I get all that. That is a big omission. I think that there will be a lot of complaints and anguish because people lose life‑changing amounts of money to fraud through CHAPS. Can I urge you to address that as quickly as possible with the Bank of England? BACS is not covered either, but I am not aware of how much fraud goes over BACS, because that is a payroll thing normally.
Chris Hemsley: Yes, it is more concentrated on business-to-business fraud. I think I am right in saying that it is less than 1% of total fraud. The vast majority is in faster payments. I believe that it is less than one percentage point in BACS. Given I am writing to the Committee, I am happy to share the data that we have available.
Q46 Anthony Browne: The other one is on-us fraud, where the fraudster is at the same bank as the victim of the fraud is at. That does not go through the payment system in the same way. That is not covered either, is it?
Chris Hemsley: That is right. I do not think that there is a gap here, in that the payment systems rules and the Payment Systems Regulator deal with that issue of moving money between institutions. If there is money being moved within a single firm, the Financial Conduct Authority regulates the individual payment firms. The work that they have been bringing forward on treating customers fairly, for example, is one way you would expect that issue to be dealt with.
Given the information that we get, I do not have a particular concern that firms would adopt a lower standard of protection than payments made over payment systems. After all, they would be in a position then of telling their customers, “If you banked with someone else, you would be protected, but if you bank with us you are not”. That combination of the clear customer promise on over 97% of these frauds, backed with the fact that there is a regulator there that makes sure these firms treat their customers fairly, is probably a good level of protection.
Q47 Anthony Browne: It comes back to FOS and the role of FOS question again. If you are at the same bank as the fraudster, at present, unless they are doing gross negligence et cetera, they should get compensation. If they think that they are not getting the compensation they should get, they can go to FOS. If you are at the same bank, if you are following the regulator’s guidelines, they would not be covered by FOS.
Abby Thomas: I would follow the regulator’s guidelines in this instance.
Q48 Anthony Browne: I will pick on Barclays, because I happen to bank with it, but it is a great bank. If somebody at Barclays is a victim of fraud and the fraudster’s account is at Barclays—sorry, Barclays, I am picking you randomly—and Barclays decides that they are not getting compensation because the customer has been grossly negligent or whatever excuse they use, the customer cannot complain to FOS about it.
Abby Thomas: This is quite a technical point on our jurisdiction outside of this particular proposed regulation. If you are comfortable with that, I can ask my office to write and clarify our position.
Q49 Anthony Browne: Can you write to us? It is one of those things that will be a big thing. It will come up. You will get all the consumer pages about it. “Because the fraudster banked with the same bank as I do, I could not get compensation. They were not bound by those rules. I could not go to FOS”. The hard luck stories write themselves, do they not? Could you write to us about how you will deal with that?
Chris Hemsley: All the regulators would have an expectation that, if a firm, a bank, is choosing to offer a lower standard of protection for payment internal to them, they should be telling their customer that. If they are not telling their customer that, there should be an expectation that they should comply with the same rules. You were right to highlight this issue, but it goes back to this point of whether we think that that is a credible strategy for any institution.
Q50 Anthony Browne: I get all that, but here we are talking about a legal process of compensation, which is in the process of becoming law. I am wondering how the law will operate, how lawyers would interpret it and how the ombudsman would interpret it.
Abby Thomas: We should pick up on that point, clarify and come back to you. Currently, today, there is very much a different rulebook for different organisations, depending on whether or not they are participating in the CRM code, so it helps from a clarification perspective.
Q51 Anthony Browne: This mandatory scheme is far better than a voluntary scheme. There is no doubt about that. I am just looking at what holes there are.
The last one is for goods. I totally understand that you do not want the banks to be some automatic compensation scheme for people who get goods that are not quite up to scratch and go to the bank to try to get compensation. The compensation will not apply if you are buying goods from a legitimate seller online, only if it is illegitimate or fraudulent.
Are there not often slightly grey lines in this? For example, if you are paying a large sum of money to a builder who is doing impersonation fraud and actually is not your builder, you will be entitled to compensation. If it is a builder who never intended to do the work, you would not get compensation.
Chris Hemsley: Your description is spot on in terms of what we are trying to get towards. We are not trying to pull all civil disputes or general consumer protection for goods and services into this system. We are not trying to do that. You are absolutely right that, in principle, the distinction is whether they are who they say they are. Are they just a bad builder, which is not great?
Anthony Browne: That is opposed to committing actual impersonation fraud.
Chris Hemsley: Yes, or were they never a builder? You are also absolutely right that it is difficult to distinguish between those two sometimes in individual cases. This is the approach that I prefer at the moment. It is such a significant change that we are proposing here that we try to keep this simple. We accept that there will be some noise, but it will probably be that you are treating it as fraud when it possibly was not in some of these cases. Then we return to this issue and try to get more sophisticated.
My hope—it is a bit stronger than that; I think this is what will happen—is that, when we get the incentives in there and on the receiving end as well, whoever is banking with this building firm or questionable building firm will have a strong incentive to find out whether they are a genuine business and act against that account to try to prevent future fraud. That process of injecting that incentive to prevent will not, arguably, catch the first of those that is in that grey area, but should help us catch the second, which is a huge step forward from where we are today.
Q52 Anthony Browne: My last question is on FOS. You have touched on this earlier, but I am wondering how this will change what you do as the ombudsman. You had, I think, nearly 10,000 complaints of authorised fraud last year, so it is a big volume of work for you. Do you think this will lead to less work or different work?
Abby Thomas: I do, yes. I will give a little context. We had nearly 10,000 complaints on authorised push payment fraud last year. We have seen lower volumes this year, which we attribute to initiatives such as confirmation of payee, our work with the banks to improve the warning system and so on. We see the picture improving from the perspective of those consumers needing to refer a case to us, but recognising the wider context that fraud is a very significant problem in the economy and for consumers.
Based on the experience of the service when previous regulation has been introduced, there is often a bit of a bedding-in period. Chris referred earlier to test and learn. That is what I would expect to see. I would expect to see perhaps a few more cases referred to us initially, as banks and consumers learn what to expect, but, over time, I expect it to continue that positive trend of reducing the number of complaints that come to us.
In the majority of cases, it is simpler and easier for consumers to understand what they should expect. It brings more institutions up to a similar standard to that which the CRM code participants offer today. Overall, it should reduce the numbers of complaints that come to us.
Q53 Chair: I wanted to sum up by saying that consumers have been waiting for something to work for them for a long time. We have had about six years of effectively slowing the process down with the voluntary scheme, which we are now having to move on to put on a statutory footing. We have noted this morning that the precise people who are going to be implementing this are guaranteed by banks that themselves have submitted evidence to us, saying that they are not particularly happy about this development.
At the end of the day, Chris, the buck stops with you and you are going to have to be very vigilant on those conflicts of interest and the incentives in the system to continue to stall this. We will look to you to be very focused on the timeline for delivery next year, because you have stakeholders involved in this, and you have delegated and outsourced, effectively, some of the implementation to an organisation that, potentially, does not have the incentive to put this in place as quickly as possible. Chris, so there is no ambiguity, we are holding you to account on making this all work in a very timely manner for our constituents.
Chris Hemsley: That is very clear, understood and fair.
Chair: Thank you very much for coming in and giving us your evidence.