Authorised push payment (APP) fraud and regulatory pressure

Posted: 28th June 2018

First published on Thomson Reuters June 2018

Customers are now more likely to be victims of fraud than any other crime; there were 3.4 million incidents of fraud in the year ending March 2017. It has been estimated less than 20 percent of incidents were reported to the authorities.

Evidently, fraud is widespread, and its growth is further demonstrated by the recent increase in authorised push payment (APP) scams.

The UK Financial Conduct Authority (FCA) flagged up its strong interest in APP scam fraud in its Business Plan 2018/19. Andrew Bailey, the FCA's chief executive, also addressed the subject in a Dear CEO letter, in which he said:

"The FCA takes APP fraud, and the harm it causes to consumers, very seriously. Financial crime is one of our priorities across all sectors; we want to see a decrease in banking fraud."

What is authorised push payment fraud?

A "push payment" is when the customer sends funds to the payee as opposed to a "pull payment" (e.g., direct debit) when the payee takes the funds having previously obtained authorisation. Payment service providers (PSPs) have traditionally reimbursed customers where a fraudulent, unauthorised push payment has been made, but this is not always the case with APP fraud, where a customer has authorised the payment, but is unaware it is going to a fraudulent recipient.

APP scams can be broadly categorised into two types:

• Malicious redirection – where victims believe they are paying a known and legitimate payee, but are instead tricked into making a push payment into a fraudster's account.
• Malicious payee – where victims make a push payment for what they believe to be legitimate goods or services, but the promised goods or services are not legitimate.

One example of "malicious redirection" is where the fraudster intercepts an email from a legitimate business containing an invoice and bank details for a customer to pay for services. The fraudster will then send a follow-up email to the customer, informing them the bank details on the previous email were incorrect and providing new details for payment. At this point, the customer pays the invoice, but to the fraudster.

In the case of a "malicious payee", customers may be scammed by sending a payment for goods or services that are not genuine. These payments are "correctly" directed to the intended account, but the customer has been provided with untrue and misleading information to scam them into authorising the payment. These would include investment scams and advance fee fraud.

The regulatory pressure to minimise APP fraud

The "Take Five to Stop Fraud" initiative has focused on educating consumers to spot the early signs of scams. Educating consumers is not enough to stop the threat, however. In the first six months of 2017, £100 million was lost to transfer scams involving 19,370 cases with an average loss of £3,027. In September 2016, the APP scams issue was raised as a supercomplaint by the consumer body Which?, who highlighted that consumers did not have enough protection. The Payment Systems Regulator (PSR) acknowledged the growing issue and the need for payment services providers s to be encouraged to prevent fraud and protect consumers.

In March 2018, the PSR created a dedicated steering group with stakeholders from industry and consumer bodies to design a model to minimise APP fraud. This September, the group will introduce a new industry code for the Financial Ombudsman Service to consider customer complaints with APP fraud. The steering group proposes to make the final amendments by early 2019.

Firms are now under pressure from the Senior Managers and Certification Regime (SMR) to prevent APP scam fraud within their organisations. The SMR aims to reduce harm to consumers and strengthen market integrity by making individuals more accountable for their conduct and competence. In his recent "Dear CEO" letter, Bailey cited the SMR accountability requirements as a driver for firms to implement adequate measures to reduce APP scam fraud. Some questions for firms to consider in the light of this include:

1. Does the senior management function (SMF) have policies and procedures to prevent financial crime that include
2. Has the firm incorporated the UK Finance Standards into its approach, and how will these align with its current policies, procedures and target operating model?

UK Finance provides a set of APP Claim Reporting Standards. These standards are intended to improve the customer experience and, where possible, recover their funds. These standards are:

• Banks will have 24-hour, 7-day dedicated staff trained in scam management to deal with and process APP scam complaints.
• The victim will only have to deal with their bank or account provider; the victim's bank will act as the intermediary between the victim and the beneficiary bank.
• Banks have agreed on a set of necessary information, to be collated by the victim's bank, following APP scam complaints.
• The victim's bank will collate and provide this information to the beneficiary bank, and the latter will proceed with its investigation into the alleged scam.
• The beneficiary bank will conduct an investigation, recover funds where possible and appropriate, and return funds to the victim if it can.
• The banks will also collaborate more widely with each other on information to support investigations and protect victims.

Be prepared for a new wave of financial crime compliance

The guidance on APP fraud is limited, but firms should review their existing processes for gaps and areas for improvement. Firms that choose to incorporate the UK Finance Standards or look to improve their anti-fraud framework should consider the following:

• Resources and training – ensure that staff are adequately trained in scam management, handling customer complaints and dealing with authorities. Does the firm have sufficient numbers of staff to handle enquiries on a 24/7 basis?
• Anti-fraud policies and procedures – are the firm's policies and procedures fit-for-purpose to minimise APP fraud and comply with all AML legislation?
• Information sharing – has the firm set up procedures and communication channels to transfer information to and from other financial institutions?
• Investigations and tracing of funds – how effective are the firm's processes relating to recovering funds quickly and effectively, and what level of expertise does the firm have in this regard?
• Fraud prevention and detection workflow – does the firm understand the potential application of technological solutions in preventing fraudulent activity? For example, obtaining a "single customer view", using voice and network analytics, embedding ID verification software, or installing an automated alert generation system?

Fraud and anti-money laundering go hand-in-hand, particularly since fraud is the most prevalent crime in the UK, and most of the proceeds are laundered through the financial system.

A significant control to combat the APP scam issue is to obtain adequate information from customers both at the outset of the relationship and on a continuous basis. Firms must know who their customers are and the level of risk they pose. Firms should be using a strong yet business-enabling approach to customer due diligence to protect customers from fraud. As well as the significant level of internal activity, firms should be considering how they collaborate with their peers to keep ahead of criminal trends.