Prudential considerations for Payment Service Providers: Navigating the impact of the new APP Fraud Policy

Posted on: 9 October 2024

Written by: Stefan Babic

In December 2023, the Payment Systems Regulator (PSR) issued a Policy Statement ‘Fighting authorised push payment scams: final decision’. This introduced, amongst other matters, a new reimbursement requirement for consumer victims of authorised push payment (APP) fraud arising from Faster Payments and CHAPS.

On 4th September 2024, following a significant volume of feedback from the industry, the PSR issued a second consultation paper. This paper reduced the maximum level of reimbursement per Faster Payments/CHAPS APP scam claim from £415,000 to £85,000. The reimbursement policy began to apply from 7th October 2024.

These new requirements will likely provide impetus for payment service providers (PSPs) to improve their fraud protections, even where these improvements require significant investment. Further, as PSPs will be liable to reimburse customers in the event of APP fraud, firms will need to consider the impact of this obligation on their own internally assessed prudential requirements. This article assesses how firms should respond to these new requirements and evaluates the likely prudential impact on smaller PSPs.

What’s the financial impact of these requirements?

PSPs will be able to apply an excess of £100 per claim, excluding claims made by vulnerable customers.

Originally, the PSR capped the mandatory reimbursement for consumers at £415,000. However, the PSR responded to a large volume of feedback, particularly from smaller firms, who raised concerns that this maximum level of reimbursement could result in the establishment of overly onerous prudential requirements. Accordingly, the PSR proposed lowering the maximum level of reimbursement to £85,000 per Faster Payments or CHAPS APP scam claim, bringing the reimbursement limit in line with the individual account protection limits under the Financial Services Compensation Scheme (FSCS).

The key impact of the reimbursement policy, however, is to set an explicit timetable for customer reimbursement. Firms will be required to reimburse customers within five days of a claim being made, unless they require additional time to gather information to help them with their assessment. However, firms must come to a conclusion within 35 business days. In practice, this will mean that the responsibility for ensuring timely reimbursement will fall on PSPs, who will need to ensure they hold sufficient financial resources to settle these claims within days or weeks of an event occurring.

How should firms respond to these requirements?

There are a number of capabilities that the PSR expects your firm to put in place. First, you need to be able to track APP fraud cases, assess them and reimburse customers. Then you will need a mechanism/process for sharing information on claims with other PSPs, and also a way for sending PSPs to claim back from receiving PSPs. Furthermore, PSPs should consider identifying areas of investment to improve their fraud protections.

Firms will also need to incorporate the new reimbursement requirement into their own assessments of adequate financial resources under the FCA’s FG20/1 ‘Our framework: assessing adequate financial resources’. PSPs will need to consider the likelihood of fraud occurring. Whilst historic loss data can be a useful starting point, firms will need to take into account changing attack vectors by fraudsters, changes in their own control frameworks and the growth of their business. Simply put, more clients and more volume could result in increased instances of APP fraud.

In our view, firms should consider enhancing their prudential risk assessments to incorporate the potential financial resources required to address APP fraud risk. For many firms, prudential risk assessments may not be fully developed or documented. As such, we recommend that all payments sector firms review their documentation and assessments and, where required, seek support to ensure that they are able to substantiate their conclusions on the amount of financial resources that they may require to mitigate potential harms, including those related to APP fraud.

What will be the prudential impact on smaller PSPs?

The PSR noted that, although most smaller PSPs have a capital requirement of £350k (or below), setting a reimbursement limit would have a low prudential impact. They based this conclusion on the fact that high value frauds are very rare and that smaller PSPs typically face frauds of less than £30k.

However, in line with the guidance in FG20/1, PSPs should consider the likelihood and size of potential frauds to ensure that they hold sufficient financial resources to meet potential reimbursement claims. Whilst the lowering of the reimbursement limit is likely to be welcome news for smaller firms, firms should continue to focus on improving their fraud protections. Multiple smaller frauds, below the reimbursement limit, could still lead to significant prudential risks for firms. PSPs will need to develop their own methodology to assess the financial resources they may require for future reimbursement claims. Understanding the size of potential frauds (for example based on the typical transaction sizes for a particular firm’s customer base) and the likelihood of those frauds occurring will be of critical importance in estimating the financial resources which should be ‘set aside’ to settle potential reimbursements.

Next steps

If you have not yet completed (or started) the process for implementing the new rules, you should start work immediately to update your policies and processes as well as updating your adequate financial resources assessment. Even if you have taken steps to implement the new rules, it may be worth obtaining further assurance from third party professional advisors.


Stefan Babic

Stefan is an Associate Director within our Prudential Services team.
