ECC0032

Written evidence submitted by the Payment Systems Regulator (PSR)

  1.                                                                                                                                                                               The Payment Systems Regulator (PSR) welcomes the Treasury Select Committee’s (TSC) inquiry into economic crime.
  2.                                                                                                                                                                               We would like to take this opportunity to update the TSC on how our work on preventing Authorised Push Payment (APP) fraud and protecting customers from these scams has progressed since our response to the TSC’s November 2019 report on the consumer view of economic crime.

APP scams and the role of the PSR

  1.                                                                                                                                                                               Every time anyone uses a cash machine, transfers money, uses contactless, or gets paid, they use a payment system. Payment systems are always evolving, and the PSR is here to make sure they work well for everyone.
  2.                                                                                                                                                                               One of our aims is to make sure payment systems are operated and developed in a way that considers and promotes the interests of payment system users. In the context of APP scams where someone is tricked into making a payment to a fraudster – we want customers to be confident they will not be defrauded or lose their money when transacting. This requires payment service providers (PSPs), payment system operators, and regulators to continue taking action to prevent fraud, and for customers to understand what is reasonably required of them to protect themselves.
  3.                                                                                                                                                                               APP scams are a growing problem, with losses reaching £208 million in the first half of 2020. This was split between personal (£164 million) and non-personal (£44 million) accounts. These scams can have a devastating impact on victims that goes beyond the financial losses, including through the distress and anxiety of being scammed. APP scams also result in money moving illegally through payment systems, into the hands of criminals.
  4.                                                                                                                                                                               Reflecting this, our approach is to focus on both protecting customers from harm if they fall victim to an APP scam, and preventing these scams from occurring in the first place. This is illustrated by the work we have done on Confirmation of Payee and the Contingent Reimbursement Model (CRM) Code. More generally, we recognise that we all have a part to play in combatting fraud, and work with a number of organisations to manage fraud risks and to improve protections for customers.

Confirmation of Payee

  1.                                                                                                                                                                               Confirmation of Payee (CoP) is a name-checking service aimed at preventing both APP scams and accidentally misdirected payments. It works by checking whether the name of the account that a payer is sending money to matches the name they have entered.
  2.                                                                                                                                                                               On 1 August 2019, we placed a formal regulatory requirement (through Specific Direction 10) on members of the UK’s six largest banking groups, which required them to implement CoP by 31 March 2020. These PSPs are involved in around 90% of Faster Payments and CHAPS transactions. We granted forbearance until 30 June 2020 because of the impact of COVID-19, provided PSPs made sure customers would not be disadvantaged by any delays.
  3.                                                                                                                                                                               The PSPs we directed brought in CoP safely and securely despite the challenges of COVID-19. This was an important milestone in efforts to prevent APP scams and accidentally misdirected payments. Indeed, we estimate that around 130 million accounts now have access to CoP and there are more than a million CoP checks occurring every day.
  4.                                                                                                                                                                           It is also encouraging that several non-directed PSPs have implemented CoP in the last few months, with the number of CoP enabled accounts increasing. We are encouraging all PSPs to implement CoP when the Pay.UK rules and standards apply to their accounts.
  5.                                                                                                                                                                           There are PSPs that cannot bring in CoP at the moment because they are ineligible or because the necessary rules and standards to implement and operate the service do not exist yet.[1] Many of these PSPs operate accounts that route payments using more than a unique sort code and account number. CoP Phase 2 is aimed at these PSPs and will allow them to offer the service. We are engaging with Pay.UK on this to make sure the Phase 2 rules and standards are delivered as soon as possible.

The Contingent Reimbursement Model (CRM) Code

  1.                                                                                                                                                                           Before the CRM Code (‘the Code’) came into force in May 2019, we were in a position where almost all APP scam victims were held liable for losses. In addition to the harm this caused victims, it also resulted in relatively weak incentives to prevent APP scams.
  2.                                                                                                                                                                           Reflecting this, the voluntary agreement by the signatories to the Code was a major step forward, and we welcome the decision of these PSPs to sign up. The Code represented a substantial increase in the protection that their customers were entitled to and set out standards for PSPs to improve fraud prevention and victim care.
  3.                                                                                                                                                                           The Code also seeks to allocate the costs of fraud between customers and PSPs in a way that should improve the incentives to prevent fraud. This is important, as those best placed to prevent APP scams need to have a sufficient incentive to do so. This includes PSPs, where they are well-placed to act, and customers, where it is reasonable to expect them to take steps to prevent fraud.
  4.                                                                                                                                                                           In general, this involves PSPs reimbursing APP scam victims where they have acted appropriately or are vulnerable. Ideally, of course, PSPs would be able to recover funds from fraudsters. As a result, not only are customers better protected if they fall victim, but we have seen an industry-wide shift in focus toward prevention. This shift has been backed by PSR-led initiatives such as CoP.
  5.                                                                                                                                                                           While the Code has improved matters, there is still a lot of work to do, both to increase the coverage of those that are protected, and to improve outcomes for those that are.
  6.                                                                                                                                                                           The nine current signatories[2] cover most payment transactions. However, the Code does not protect customers of non-signatories, which includes a number of smaller PSPs. Some non-signatories have pursued alternative, comprehensive approaches, such as TSB’s Fraud Guarantee. Under the Guarantee, if a customer is an innocent victim of fraud, TSB will refund the money lost from their account.
  7.                                                                                                                                                                           Since it came into force, we have been monitoring outcomes under the Code and our analysis suggests customers are still bearing a significant proportion of APP scam losses. The data we have gathered shows the overall level of fund recovery and reimbursement is around 40 to 45% of APP losses assessed under the Code. 
  8.                                                                                                                                                                           There is also uncertainty about whether several Code signatories will continue to reimburse all customers who have acted appropriately (in the scenario when the PSP involved has also met its obligations under the Code). This has been referred to as the ‘no-blame’ scenario. We want to see PSPs continue to reimburse their customers in such situations, as they otherwise risk exposing customers who have acted appropriately to significant harm.
  9.                                                                                                                                                                           While there is more work to do, the Code has improved outcomes for many customers, and we welcome that the Lending Standards Board is currently reviewing the Code. The review looks at the effectiveness of the Code and its impact on consumers and the industry, one-year post-implementation. This includes, among other areas, looking at whether the Code has met its aims, barriers to new PSPs signing up, areas where the Code could be improved and so-called ‘no-blame’ funding.
  10.                                                                                                                                                                           The Code also sits in the wider context of how to prevent APP scams and fraud more generally. In this respect, we support efforts to bring in other industries that have a role to play, such as telecommunications and social media. These industries could play a significant role in preventing APP scams by working to curtail activity by criminals on their platforms.
  11.                                                                                                                                                                           In light of the outstanding issues, we continue to monitor the outcomes the Code is delivering. We are also currently exploring what further actions we could take to improve APP scam prevention and customer protection for those who do fall victim.
  12.                                                                                                                                                                           As part of this, we are exploring ways to extend protection beyond the current Code signatories (including through changes to payment system rules), and the role that APP scams data and enhanced information sharing might play to help identify and prevent scams. We will keep the Committee informed of our plans in this regard. 
  13.                                                                                                                                                                           At present, we cannot use our formal regulatory powers to pursue some of these measures, as UK law restricts our ability to act (due to obligations originally arising from European law). We are discussing this issue with Government.

November 2020

Annex

Other PSR driven initiatives

While Confirmation of Payee and the Code are key initiatives in our work to prevent economic crime, there are other PSR-driven initiatives aimed at combating economic crime that we allocated to key stakeholders.  

Initiative

Aim

Status

APP scam statistics

Monitor trends in APP scams and the effectiveness of fraud prevention measures.

This is now a BAU activity of UK Finance (UKF). It publishes APP scam statistics every 6 months, including data on scam types, payment types and payment channels.

Consumer education and awareness

Improve consumer awareness and education so consumers can better spot and avoid card fraud, APP scams, online banking fraud and money laundering.[3]

This is now a BAU activity of UKF and its members. UKF engages with the Home Office, Joint Fraud Taskforce and other bodies to deliver awareness campaigns (e.g. Take Five to Stop Fraud).

The UKF Don’t Be Fooled information and toolkit remain the standard for consumer education on money mules.

Financial crime information and data sharing

More effective data sharing between PSPs to make it harder for criminals to open or take over accounts used to perpetrate scams, banking fraud, and money laundering.

This was originally allocated to UKF but is now being taken forward by the Government-led Economic Crime Strategic Board.

Best practice standards for responding to APP scam claims

Better and more consistent PSP response to APP scam claims.

Approximately 85% of the market share of payments accounts are now covered by the standards.

Guidelines for identity verification, authentication and risk assessment

A more consistent and effective approach to identify verification to make it harder for fraudsters to open accounts used to perpetrate scams, banking fraud, and money laundering.

In August 2018, UKF agreed with the British Standards Institute that BSI Publicly Available Specification 499 would provide guidelines for identity verification, authentication, and risk assessment. These guidelines were launched at the UKF Digital Innovation Summit in September 2018.

Trusted KYC data sharing

More efficient sharing of KYC data between PSPs so they can spot fraudsters more easily and stop them opening accounts used to perpetrate scams, banking fraud, and money laundering.

This was originally allocated to UKF. We understand that central government is now pursuing a digital KYC solution.

 


APP scams infographic

As part of our work to educate consumers on APP scams, we produced our APP scams infographic, which explains what APP scams are and how Confirmation of Payee works to prevent them.

 

 

 

 

 


[1] PSPs need access to common rules and standards to send and receive CoP messages.

[2] Barclays Bank UK PLC, Co-operative Bank (The) plc, HSBC Bank plc, Lloyds Banking Group, Metro Bank plc, National Westminster Bank Plc, Nationwide Building Society, Santander UK plc, Starling Bank Limited

[3] In relation to money laundering, this is educating people about the risks of allowing scammers to use their accounts as ‘mule accounts’.