Regular readers of The Treasurer’s online articles may remember that, in early 2017, we highlighted regulatory moves to tackle the scourge of authorised push-payment (APP) scams.
At that point, the Payment Systems Regulator (PSR) was lobbying the banking industry to roll up its collective sleeves and take decisive action against this type of fraud, of which there are two, classic forms:
Requiring little in the way of technology to execute, APP scams prey upon people’s trust, urging targets to greenlight fund transfers either over the phone, or in person at their local banks. As well as stinging private individuals, these scams have hit firms by taking advantage of staff in corporate finance departments.
In making its call for action, the PSR was itself acting under the hefty impetus of a September 2016 ‘super-complaint’ from Which?, wherein the powerful consumer group had attacked an apparent discrepancy between how banks deal with APP scams, and how they handle other types of customer-based fraud.
Fast forward to November 2017, and the PSR proposed the introduction of a UK-wide ‘contingent reimbursement model’: one that would properly compensate APP scams’ victims. The regulator confirmed that banks and payment service providers (PSPs) were working together to draw up a framework for the scheme, with September 2018 earmarked as the point when it would go live.
Now, a little later than expected, the APP Scams Steering Group – which coordinated the banks’ and PSPs’ discussions – has at last unveiled the fruits of their collaborative efforts.
Unfortunately not. Published on 28 February, the final Contingent Reimbursement Model Code for APP Scams is a voluntary arrangement and, as such, is not legally binding.
Yes – after putting so much energy into devising it, the banking industry now has a vested interest in standing by it. So the Code’s current signatories are:
Those initial supporters will work to attract other brands to the cause in the months up to – and after – the Code takes effect on 28 May this year.
The 13-page Code sets out a whole range of responsibilities that sending and receiving banks – and their clients – must observe in order to guard against this type of fraud.
However, in its opening lines, the Code neatly distils those duties into three, overarching objectives to which banking brands must adhere. In short, banks are required to:
As outlined in the steering group’s response to an industry consultation on what the Code should look like, those objectives are channelled into six, core principles:
That relates to one of the most contentious areas of the banks’ and PSPs’ discussions as they developed the Code: who should bear the cost of funding reimbursements in cases where no one was at fault?
While the majority of respondents to the steering group’s consultation felt that sending banks should administer any such reimbursements, several PSPs argued that those banks shouldn’t be directly liable if they can demonstrate that they’ve met due standards of care.
Meanwhile, PSPs stated that they should not bear the costs either, on exactly the same grounds. To make PSPs responsible, they and their trade bodies pointed out, would create unlimited exposure for those organisations, increase first-party fraud risk and disincentivise providers and customers alike.
For now, the ultimate solution remains up in the air, but is – we are assured – slowly crystallising. As the consultation response states: “Following the work of the steering group, a long-term funding mechanism has been identified. However, the precise… funding arrangements for no-blame reimbursement are in the process of being agreed.”
It adds: “In the period from implementation until 31 December 2019, a number of PSPs have committed to fund an initial contribution in order for customers in the no-blame scenario to be reimbursed from the time the Code becomes effective until the end of the year, when a long-term funding mechanism should be in place.”
Its managing director, Hannah Nixon, said: “The Code is a testament to the significant work that has gone into protecting people from APP scams. It shows that, by bringing together consumer and industry representatives, very positive outcomes can be achieved.”
She added: “We will continue to engage with developments in the Code and longer-term [no-blame] funding mechanism closely so that consumers get the protection and benefits intended. We will consider whether any further steps would help bring this about.”
It has given the Code a warm welcome, but – as any dogged consumer group would – says that “there’s more to be done to stop these scams from happening”.
In a statement, Which? pointed out: “Banks are being required to introduce new technology called ‘Confirmation of Payee’, which matches the name of the recipient of funds to their account details, to make sure that the recipient of any payment is exactly who a customer intends them to be.”
It explained: “Currently, when setting up payee details, the sort code and account number are checked to ensure that they are correct and can be sent to a valid bank account. While this helps to identify whether or not the payment will be sent to a viable account, it doesn’t confirm any details about the account holder themselves.
“This is where Confirmation of Payee steps in and adds a new step to verify that the bank details and account holder of the person receiving a payment are exactly who the person making a transfer expects them to be.”
Which? noted: “Banks were expected to have this technology in place by July 2019. However, a spokesman for UK Finance, the trade body that represents the banks, recently told the Treasury Select Committee this could be delayed until 2020.”
Matt Packer is a freelance business, finance and leadership journalist