Mandatory reimbursement: an APP-ropriate means of compensating fraud victims?
08 October 2024
Written for Practical Law and published on 1 October 2024. Reproduced with their permission.
According to figures published by UK Finance, in 2023 UK customers lost nearly £460 million to authorised push payment (APP) fraud (where a customer is deceived into authorising a payment to a fraudster) (see UK Finance Annual Fraud report 2024). It is therefore unsurprising that reimbursement for fraud losses has been the subject of recent litigation and regulatory reform.
The Supreme Court confirmed in Philipp v Barclays Bank UK Plc [2023] UKSC 25 that the Quincecare duty does not apply where an individual customer directly instructs their bank to make a fraudulent payment. However, Leggatt LJ made it clear that:
"Whether victims of such frauds should be left to bear the loss themselves or whether losses should be redistributed by requiring banks which have made or received the payments on behalf of customers to reimburse victims of such crimes is a question of social policy for regulators, government and ultimately for Parliament to consider".
So, what is the current regulatory and policy position on APP fraud in the UK?
On 7 October 2024, the Payment Systems Regulator's (PSR) "reimbursement requirement" came into effect, with parallel regimes introduced for payments made over the Faster Payments Scheme (FPS) and CHAPS payment system (see the PSR's June 2023 policy statement (PS23/3) and Specific Direction 21).
The new reimbursement requirement obliges payment service providers (PSPs) to reimburse customers that are victims of APP fraud (with redress costs split between the sending and receiving PSPs).
Regulators intend this to provide greater protection for consumers, ensure PSPs have the right incentives to drive fraud out of their systems, and support growth and innovation in the UK payments industry by increasing trust and confidence.
However, the scheme is subject to a number of key limitations, including the following:
These limitations will significantly affect those who can claim compensation, and in which circumstances.
According to the PSR, over 99% of claims (by volume) will still fall below the revised limit. Further, as almost all high-value scams are made up of multiple smaller transactions, capping the transaction limit to £85,000 will not necessarily limit a PSP's exposure to fraud. The PSR anticipates that PSPs will therefore be incentivised to put in place robust systems and controls to prevent APP fraud, which it hopes will reduce its occurrence.
Some critics, however, consider that the new mandatory compensation scheme (even with the reduced cap) could be exploited by organised crime gangs, who could arrange for payments to be made between a fake "victim" of fraud and a complicit payee, to claim mandatory compensation from the PSPs involved.
It therefore remains to be seen whether there will be fewer instances of fraud due to tighter systems and controls, or whether the new scheme will incentivise fraudsters to make false claims.
While action to combat APP fraud has focused on PSPs, the prominent role that social media and technology have played in the origination of APP fraud calls into question whether other actors ought to be responsible for reimbursing APP fraud victims.
According to UK Finance, 76% of all APP fraud cases in 2023 originated online (see UK Finance Annual Fraud report 2024). Of those, 67% were purchase scams, 92% of which originated online. As a result, there have been calls for technology and social media companies, through which fraudsters often target their victims, to be held responsible for preventing and reimbursing APP fraud.
The previous Conservative government explored the idea of extending reimbursement to technology companies but concluded it would not be proportionate or effective. However, a change of government may herald a change of approach. Before the Labour Party's election in July 2024, it was reported that the party had drafted plans to compensate victims for APP fraud perpetrated on technology platforms. Any plan to expand APP fraud reimbursement to sectors outside of financial services was, however, noticeably absent from the King's Speech and has not been raised since the Labour Party entered into government.
Legislative and regulatory intervention to protect victims of APP fraud is a welcome development. The introduction of mandatory reimbursement is a statement of intent by the UK, which is the first country to introduce such a regime. The new measures will, however, impose a significant burden on PSPs, which will need to upgrade fraud prevention systems and implement procedures to process the anticipated increase in claims of APP fraud. It remains to be seen whether this development will help or hinder the fight against APP fraud. In the meantime, we expect PSPs to continue to push for the reimbursement obligation to be extended to other participants in the broader payments ecosystem.
Key takeaway: banks and PSPs should ensure that their systems and controls to prevent fraud are robust and that they are well-prepared to meet the new challenges of the mandatory compensation regime from 7 October 2024.
Authors: Mark Donnelly and Anthony Asindi