APP Fraud - Consultation Overload

Ambrose Bierce – The Devil’s Dictionary

“Consult – To seek another’s approval of a course already decided upon.”

Following the last minute decision of the Payment Systems Regulator (PSR) to consult (hurriedly) on reducing the maximum reimbursement amount for APP Fraud from £415,000 to £85,000 (but not to move the implementation date from 7th October), and then separately to bring CHAPS into line with Faster Payments on the requirements, the FCA issued a consultation paper (GC24/5: Authorised Push Payment Fraud: enabling a risk-based approach to payment processing (fca.org.uk) on 9th September. The paper focuses on amending the FCA’s Approach Document guidance to set out how firms should act, given HM Treasury’s planned amendment to the Payment Services Regulations 2017 (PSRs) to allow firms to delay payments for up to four working days if they have reasonable grounds to suspect that the customer might be the victim of APP fraud.

The idea of amending the PSRs to allow sending payment service providers (PSPs) to delay payments where APP Fraud is suspected, has been around since before the election, and the draft Statutory Instrument (SI) was published by HM Treasury earlier this year. I think we can take it from the FCA’s rush to consultation, that HM Treasury has decided to lay the SI before Parliament, as a ‘negative instrument’ in the near future (such changes do not require to be debated or voted upon unless an MP objects and calls for a debate) so the FCA feels that it will need the guidance updated as a matter of urgency.

When can PSPs delay payments?

As always, those looking for absolute clarity as to when they should and should not delay a payment will be disappointed.

The circumstances set out in the consultation paper where a firm would have the option to delay a payment are:

“(i) the PSP has established that there are reasonable grounds to suspect that a payer’s payment order has been made subsequent to fraud or dishonesty perpetrated by someone else (‘reasonable grounds to suspect fraud or dishonesty’)

(ii) those grounds must be established by no later than the end of the next business day following receipt of the payment order (D+1)

(iii) the PSP needs more time to contact the customer or a third party, such as a law enforcement agency or the payee’s PSP or a PISP, to establish whether to make the payment, and

(iv) the payment is:

- authorised by the payer in accordance with regulation 67 of the PSRs 2017,

- executed wholly within the UK in sterling,

- is not initiated by or through a payee”

Helpfully, the FCA has said that its approach to defining “reasonable grounds to suspect fraud or dishonesty” takes a similar approach to that taken in the Joint Money Laundering Steering Group Guidance, and they also set out what PSPs need to be able to demonstrate to show that they meet the test:

‘staff within PSPs would need to be able to demonstrate that they took reasonable steps in the particular circumstances, in the context of a risk based approach, to understand the nature and rationale of the transaction, the amount involved, the intended destination of the funds, and whether the payee appears to have any links with criminality.’

The FCA also sets out a number of factors which might increase the risk that a payment order has been made following dishonesty or fraud.

The practicalities of delaying payments for PSPs

While firms will, of course, be monitoring for potential APP fraud to mitigate the risk of claims from customers, the effect of the Consumer Duty means that the FCA will expect that the option to delay payments where there are reasonable grounds to suspect APP Fraud, will be used (and monitored). So, clear processes and staff training will need to be put in place, in advance, in order to facilitate this. Key to this will be the prompt and efficient investigation and decision making on whether or not the payment order in question should be executed.

The draft amendment to the PSRs requires that the customer is ‘notified’ of the delay to the payment, but mere notification will not be sufficient, as questions will need to be asked of the customer regarding the nature and circumstances of the payment. Automated processes, even using AI, are not likely to be able to meet this requirement. Dedicated staff will be needed. Firms may also wish to review their customer Terms and Conditions and the communication channels in place for contacting customers, to ensure that they meet the expectations of the Consumer Duty in this respect.

The requirement that the payment order in question does not indicate that the payer customer is in any way suspected of involvement in the fraud (indeed they would be the victim) means that concerns over ’tipping off’ under the Money Laundering Regulations will likely increase.

This does not, of course, apply to incoming payments which are suspected of being the result of APP Fraud. This is a problem which already exists for firms under the Money Laundering Regulations. It is good to see that the FCA is seeking to clarify the effect of the force majeure provisions in regulation 96(2) of the PSRs to say that:

“a payee’s PSP would not be liable for contravening the requirement under regulation 89(3) to make the funds available to a payee immediately after they have been credited to the payee’s PSP’s account

where:

(i) making the funds available to the payee would breach any of the provisions of Part 7 of the Proceeds of Crime Act 2002 and/or Part 3 of the Terrorism Act 2000, or

(ii) for reasons outside the payee’s PSP’s control, it is impossible for their nominated officer to determine if making the funds available to the payee would breach any of the provisions of Part 7 of the Proceeds of Crime Act 2002 and/or Part 3 of the Terrorism Act 2000”

Moving forward…

I am sure that firms will welcome this clarification, which will assist in general financial crime prevention considerations as well as dealing with APP Fraud issues.

In general, the proposed amended guidance appears to me to be sensible and helpful. However, if firms want to respond to the questions, the deadline for comments is 4 October, so you will need to move fast.