The focus of regulators and consumer groups on protecting the rights of customers has been underlined once again in the last few week, with the announcement from the FCA of new rules to give consumers stronger rights to complain if they fall victim to authorised push payment (APP) fraud.
The rules will come into effect on the 31st January 2019, and follow on from a super complaint raised by Which? in 2016. Under the new rules:
- In addition to the sending Payment Service Provider (PSP), the receiving PSP will also have a responsibility to investigate any complaint from a victim of APP fraud in line with the complaints handling rules in the FCA handbook
- Victims will be able to refer their complaint to the Financial Ombudsman Service (FOS) if they are unhappy with the outcome
With the growth of mobile and online banking, APP fraud has become a significant issue as fraudsters target individuals, often via email or text, and mislead them into making payments to bogus accounts. Data from UK Finance showed that there were 43,875 cases of APP fraud resulting in losses of £236 million in 2017 alone.
The FCA and the Payment Systems Regulator (PSR) found that receiving PSPs “could do more” to identify fraudulent incoming payments and prevent accounts from being compromised by fraudsters.
Which? has welcomed the FCA’s announcement as an “important step” but also said that agreement needs to be reached with the PSPs “to ensure victims are properly reimbursed when they have fallen victim to this type of fraud through no fault of their own”.
PSPs have not historically been obliged to refund customers following frauds that they themselves have authorised. However, a voluntary code to pay refunds where consumers have acted with “a requisite level of care” (such as taking reasonable steps to check a payee is the person they are expecting to pay, and heeding any warnings from the bank) has been drafted and several banks on the APP Scams Steering Group have said they are starting to implement the code straightaway. The Steering Group is hoping to publish a final code early in 2019. This will be a significant development that all PSPs should watch for.
Meanwhile, by pulling receiving PSPs into the picture, the FCA’s rules open up a new dimension by strengthening the onus on PSPs to monitor closely whether any accounts held with them are likely to be operated by fraudsters.
Dealing with a new wave of financial crime compliance
The guidance on APP fraud is limited, but firms should review their existing processes for gaps and areas for improvement. Firms that choose to incorporate the UK Finance Standards or look to improve their anti-fraud framework could consider the following:
- Resources and training – ensure that staff are adequately trained in scam management, handling customer complaints and dealing with authorities. Does the firm have sufficient numbers of staff to handle enquiries on a 24 / 7 basis?
- Anti-fraud policies and procedures – are the firm's policies and procedures fit-for-purpose to minimise APP fraud and comply with all anti-money laundering legislation?
- Information sharing – has the firm set up procedures and communication channels to transfer information to and from other financial institutions?
- Investigations and tracing of funds – how effective are the firm's processes relating to recovering funds quickly and effectively, and what level of expertise does the firm have in this regard?
- Fraud prevention and detection workflow – does the firm understand the potential application of technological solutions in preventing fraudulent activity? For example, obtaining a "single customer view", using voice and network analytics, embedding ID verification software, or installing an automated alert generation system?
Fraud and anti-money laundering go hand-in-hand, particularly since fraud is the most prevalent crime in the UK, and most of the proceeds are laundered through the financial system.
A significant control to combat the APP scam issue is to obtain adequate information from customers both at the outset of the relationship and on a continuous basis. Firms must know who their customers are and the level of risk they pose and should be using a strong, yet business-enabling, approach to customer due diligence if they are to protect customers from fraud. As well as the significant level of internal activity, firms must consider how they collaborate with their peers to keep ahead of criminal trends.