The new APP fraud reimbursement legislation is coming: are you ready?
The forthcoming Financial Services and Markets (FSM) Bill [1] requires banks and other Payment Service Providers (PSPs) to reimburse consumers for 100% of losses related to fraudulent transactions.
But what exactly are the changes, how do they work and what is the likely impact for your business? Experian’s Innovation Director, Yaro Zozulya, provides some answers to your questions to help you prepare for the changes, and to protect your customers and your business.
What is APP fraud?
Authorised Push Payment fraud, also known as APP fraud, involves a fraudster persuading a victim to willingly deposit funds to their account, or to the account of a complicit third party (money mule). APP fraud often includes social engineering of the victim using fake investment schemes, impersonation scams, purchase scams, or other such schemes. Social engineering clouds victims’ judgements and encourages them to make payments willingly to one or more money mules – with funds eventually reaching fraudsters’ accounts.
The Payment Systems Regulator (PSR) reports that there are more incidents of APP fraud than of any other type of fraud in the UK: 95,219 incidents in H1 2022, with gross losses of £249.1 million.
The FSM Bill is reacting to the seriousness of APP fraud, requiring Payment Service Providers (PSPs), rather than consumers, to pay for related losses.
Who is the new APP reimbursement legislation for?
The new APP reimbursement legislation is for banks, building societies or any other institution with an Open Banking license – covering around 400 payment service providers (PSPs) in total. While all PSPs will need to abide by the legislation in terms of reimbursing customers for APP fraud, the 12 largest banks and PSPs will also have to provide data every six months to show their overall performance in terms of tackling and reducing APP fraud.
What is changing and what does the new APP reimbursement legislation mean for my business?
Currently, only 46% of APP fraud is reimbursed by the 10 banks that have signed up to the Contingent Reimbursement Model (CRM) Code [2]. Under the new legislation, 100% of consumers’ APP fraud losses will have to be reimbursed by PSPs, except in extreme cases of negligence on the part of the customer, which will – by all indications – be extremely rare. The requirement to cover 100% of consumers’ losses (50% to be covered by the sending bank, and 50% by the receiving bank) means that banks’ liability will increase dramatically. This shared liability will prompt all banks to tighten up their APP fraud controls, making it impossible for fraudsters to exploit PSPs with historically more relaxed APP fraud controls.
For APP fraud claims, consumers will be required to pay an ‘excess’ of £35, irrespective of the sum that has been lost – and funds lost to fraudsters need to be paid to the consumer by the sending and receiving bank within a maximum period of 13 months. With consumers protected in this way, many PSPs are concerned that some customers may be willing to make more risky payments without properly considering the consequences.
Is my existing fraud prevention strategy enough to reduce APP fraud and liabilities related to the new legislation?
According to the Payment Systems Regulator (PSR), APP fraud in the UK fell by 17% between H1 2021 and H1 2022. This is an encouraging trend, but with losses of nearly £250 million in H1 2022, it is clear that still more needs to be done to protect customers and to reduce the increased liability that the new legislation implies.
How can I increase protection for customers and minimise my APP fraud liability?
One tool for fighting APP fraud is the Confirmation of Payee (CoP) protocol, where the payer enters the payee’s name and other details while setting up a new payee on their app or online banking. The payer bank then ensures that the payee name entered by the payer matches the name on the recipient bank account before the transaction is authorised. The largest banks, of course, have already implemented CoP, but the technology is now being mandated for the 400 PSPs who will be subject to the new legislation to reduce fraud risks.
But CoP is not the only strategy needed to minimise APP fraud risks. Account Information Sharing, which is part of the UK Finance Initiative, makes it possible to bring in other relevant data to help flag suspicious transactions. This includes the date a recipient bank account was opened, the age of the account, the account type, and the account balance. This all helps PSPs to identify and prevent fraud based on known risk factors.
Are there any other technologies or data sources that can help?
Yes, behavioural biometrics and device intelligence are key technologies for reducing all kinds of fraud, including some types of APP fraud. For example, fraudsters using a third-party account (money mule) typically change the password before conducting transactions, and this can be picked up as a risk factor. In other cases, devices are used to access UK accounts from abroad, for example, which can also indicate elevated fraud risks.
Larger banks also have transaction monitoring capabilities, which means they run checks on payers and recipients in real time. This allows them to pause a transaction that shows typical fraud characteristics until a bank representative can contact the payee’s bank and request more information on where the money is going.
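The two controls described in the answers above (a Confirmation of Payee name check, and a risk screen built from shared account data, password-change and device-location signals) can be sketched in code. The following is an added example written for this page; it is not Experian's, Pay.UK's or any bank's code. The normalisation rules, the "close match" definition, the 30-day account-age threshold, the balance ratio and the decision table are all assumptions chosen for illustration, and the payee account record is constructed.

```python
"""Simplified Confirmation of Payee (CoP) name check plus a rule-based payee
risk screen using the account attributes the article lists.  Added example,
not production code; thresholds are illustrative assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional
import re
import unicodedata

# --- Part 1: CoP-style name matching ----------------------------------------
TITLES = {"mr", "mrs", "ms", "miss", "dr", "ltd", "limited", "plc"}


def normalise_name(name: str) -> str:
    """Strip accents, punctuation, titles/suffixes and case so that spelling
    noise alone does not turn a genuine payee into a 'no match'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"[^a-z0-9 ]", " ", ascii_name.lower())
    return " ".join(t for t in cleaned.split() if t not in TITLES)


def cop_check(entered_name: str, account_holder_name: str) -> str:
    """Return one of the three outcomes CoP reports to the payer:
    'match', 'close match' or 'no match'.  Here 'close match' is assumed to
    mean the same surname and the same number of name parts, with forenames
    agreeing on their initial (e.g. 'J Smith' vs 'John Smith')."""
    a, b = normalise_name(entered_name), normalise_name(account_holder_name)
    if a == b:
        return "match"
    ta, tb = a.split(), b.split()
    if ta and tb and len(ta) == len(tb) and ta[-1] == tb[-1]:
        if all(x[0] == y[0] for x, y in zip(ta[:-1], tb[:-1])):
            return "close match"
    return "no match"


# --- Part 2: payee risk screen from shared account data ----------------------
@dataclass
class PayeeAccountInfo:
    opened_on: date                 # from Account Information Sharing
    account_type: str               # "personal" or "business"
    balance_gbp: float              # current balance of the receiving account
    password_changed_days_ago: Optional[int]  # behavioural signal; None = unknown
    last_login_country: str         # device intelligence (ISO country code)


def payee_risk_flags(info: PayeeAccountInfo, amount_gbp: float,
                     today: date, home_country: str = "GB") -> List[str]:
    """Translate the article's known risk factors into named flags."""
    flags: List[str] = []
    if (today - info.opened_on).days < 30:            # assumed threshold
        flags.append("new_account")
    if info.password_changed_days_ago is not None and info.password_changed_days_ago <= 1:
        flags.append("recent_password_change")       # mule-account takeover pattern
    if info.last_login_country != home_country:
        flags.append("foreign_device_access")
    if info.account_type == "personal" and amount_gbp > 10 * max(info.balance_gbp, 1.0):
        flags.append("amount_disproportionate_to_balance")  # assumed ratio
    return flags


def payment_decision(cop_result: str, flags: List[str]) -> str:
    """Combine CoP outcome and risk flags into an action for the payer's bank.
    'hold_for_review' models the real-time pause the article describes."""
    if cop_result == "no match" or len(flags) >= 2:
        return "hold_for_review"
    if cop_result == "close match" or flags:
        return "warn_payer"
    return "allow"


# Constructed sample: a recently opened personal account, password changed
# today, last accessed from outside the UK, receiving a payment far above
# its balance.  Dates are fixed so the example is reproducible.
SAMPLE_TODAY = date(2023, 3, 1)
SAMPLE_PAYEE = PayeeAccountInfo(date(2023, 2, 20), "personal", 50.0, 0, "ES")


def screen_sample() -> str:
    result = cop_check("J Smith", "John Smith")
    flags = payee_risk_flags(SAMPLE_PAYEE, 5000.0, SAMPLE_TODAY)
    return payment_decision(result, flags)


if __name__ == "__main__":
    print(screen_sample())
```

Note that the name check only tells the payer whether the account belongs to whom they think it does; a mule account under the mule's real name passes CoP cleanly, which is why the second screen draws on account age, balance, password-change and device-location signals rather than the name alone.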
How can banks, and particularly smaller banks and PSPs, implement these kinds of solutions quickly to minimise APP fraud risks?
Large banks typically have the in-house skills and resources needed to develop and implement CoP solutions and other strategies that minimise APP fraud risks and liabilities. However, many smaller banks can benefit from deploying pre-packaged fraud detection and prevention solutions from trusted technology partners.
The best partners for fraud detection have access to rich data sources on UK consumers’ financial situations, credit histories, presence on known fraud lists or databases, buying behaviours and more. In particular, access to rich credit data can support a predictive approach to detecting a consumer’s risk of becoming a money mule based on their financial situation or hardship.
The best fraud-detection partners also offer advanced data analytics capabilities to create a 360° view of individuals and their behaviour across all connected current accounts. This supports more sophisticated and effective fraud risk analysis that goes beyond a single transaction.
When should I start enhancing my APP fraud detection and prevention capabilities?
It’s very important for institutions not to wait until the new legislation comes into effect before putting an effective APP fraud prevention strategy in place. Instead, the timeline for the PSR’s current consultation phase should be used to investigate available technology solutions, to join UK Finance and Pay.UK fraud and account data sharing pilots, and to run PoCs for specific fraud detection and prevention solutions.
How can we help?
At Experian, we offer the rich data sources, advanced analytics capabilities, and consultancy and services needed to rapidly adopt data analytics solutions that mitigate fraud risks.
Our solutions are used by PSPs of all types and sizes – including some of the largest banks – to identify potentially fraudulent customers and transactions, and to ensure that action is taken in real time to prevent fraudulent payments being made.
Get in touch
Find out more about our position on the new APP Fraud legislation, or how we can help you to protect your customers and business as the new rules come into effect.
References
1. Financial Services and Markets Bill, UK Parliament (Update: March 2023)
2. The Contingent Reimbursement Model (CRM) Code on APP scams, Payment Systems Regulator (Update: March 2023)