Authorised Push Payment (APP) fraud is when a fraudster cons an individual or a business into transferring money to them by, for example, impersonating a business. These frauds can be sophisticated in nature and have led to the loss of life-changing sums of money.
Due to the eye-watering increase in APP fraud, the Payment Systems Regulator (PSR) published a consultation paper seeking market feedback on its proposals to tackle this issue. In this article, we publish our response.
What Answer Pay thinks
The levels of APP fraud in the UK are eye-watering, with £355m of fraud in the first half of 2021, exceeding card fraud for the first time. Despite the introduction of the Contingent Reimbursement Model (CRM) and Confirmation of Payee (CoP), the levels of fraud continue to grow, causing significant harm to UK consumers and businesses.
Posing as a legitimate payee and creating a fraudulent reason for a payment is a growing and rewarding enterprise – the payments industry, its regulators and our government need to find better ways to tackle it. Wherever an organisation sits within the payments value chain, it is inexcusable not to take action on this blight on payments.
Because of APP fraud, trust and confidence in digital payments are being eroded, threatening the shift to a digital payments economy.
We note that the primary purpose of this consultation paper is to explore the three proposed measures, rather than the further measures that the PSR is considering. Our response to the consultation paper reflects our role in the industry and focuses on the areas of the consultation most appropriate to us. Given this approach, our submission does not follow the question-based structure of the consultation.
As we seek to address the blight of APP fraud, there is a need to prevent it from happening in the first place, with supporting reimbursement safeguards in place for victims who have exercised sufficient caution (and who are not subject to an undue liability shift as PSPs seek to protect themselves). Our concern is that the current emphasis and activity are a mirror image of this – i.e. reimbursement first and mitigation second.
While we broadly agree with the desired outcomes of the three proposed measures, we believe there is insufficient focus on initiatives and solutions that seek to thwart the fraudster pre-event. After all, thwarting the fraudulent event in the first place both denies the fraudster the fruits of their labour and protects consumers from the significant harm that an APP fraud causes, even if they are ultimately reimbursed.
We implore industry, regulators and government to focus on preventing APP fraud from occurring in the first place. It is our view that there are a number of initiatives that could do this – ranging from education (building on the excellent work of UK Finance and the Take Five initiative) to achieving Confirmation of Payee service ubiquity, intelligence sharing and deploying the new Request to Pay framework launched by Pay.UK. Preventing a fraud event thwarts the fraudster, minimises the financial risk to banks and protects consumers from undue stress and worry.
A model to explore might be that receiving banks working with businesses that use channels in which neither the paying PSP nor the payer can validate the identity of the message originator in channel (e.g. origination by SMS or e-mail) should automatically accept full liability for any fraud.
Whilst, in principle, we support the three proposed measures, we have the following high-level observations:
We are concerned about unintended consequences of the publication of comparative APP scam data. Our concern is that the publication of this data may lead the fraudster to target those PSPs amongst the 14 that have the higher figures and, in addition, lead the fraudster to ‘trickle down’ their efforts to smaller PSPs on the assumption that these institutions might be weaker in this area due to less regulatory oversight.
The desire to improve data sharing to improve detection and prevention of APP scams has the opportunity to make a significant difference. Subject to addressing data issues such as ‘whose data is it’ and establishing the sharing protocols, we would expect recent developments in AI and machine learning capabilities to be able to make a significant contribution to thwarting fraud.
Whilst making the reimbursement of scam victims mandatory may seem attractive, we question whether this may have an adverse impact in areas such as sending-bank complacency and an increased (and inappropriate) liability shift to the end user, who is least able to protect themselves, and whether it may act to stimulate increased fraudster activity.
We fully support a review of the respective liabilities between the sending and receiving PSPs, as we are concerned that the receiving PSPs’ actions and incentives may be based on a liability model that does not reflect their role in a transaction. The receiving PSP should know who their customer is and should have a greater obligation to prevent unauthorised receipt and disbursement of funds that it has received into the account.
Receiving PSPs need to do more to ensure that a consumer is able to validate the originator of the message in channel. With SMS and e-mail, there is no way for a customer to tell that the request is genuine. Currently, the only option would be an out-of-channel phone call to a listed number or independently visiting the secure website/app of the initiator. With the increasing demand for immediacy of payment and convenience, both options are too full of friction to realistically expect consumers to perform. We believe that the recent deployment of Request to Pay (RtP) in the UK has the potential to address this fraud vector.
The past few years have seen notable activity to address the issue of APP fraud. While the introduction of the CRM, consumer education initiatives and CoP are not perfect, having variation and coverage deficiencies, they have made a difference and can be regarded as successes. However, despite this, the APP fraud economy is outstripping other forms of growth in banking, payments and the economy at large.
There has been a call for social media platforms to do more, which we fully agree with. However, we implore the industry and the regulator to do more within their gift in respect of preventing APP fraud from occurring. Initiatives such as CoP and RtP are great examples of proactively and creatively tackling payment fraud.
We note the views regarding focussing on the Faster Payments scheme as being at the vanguard of investing to prevent fraud, but (a) note that whilst fraud through systems such as CHAPS may be numerically lower, the value has the potential to be much higher, and (b) establishing a CRM ‘insurance pot’ via the Faster Payments tariff does not represent an investment to prevent fraud but offers a blunt tool to offset the PSPs’ financial losses.
It is inconceivable to think that the PSR may be denied the ability to act in an appropriate way due to a statutory constraint and we welcome HM Treasury’s announcements in this regard.
If the CRM initiative is to prevail, we agree that the voluntary nature of participation is confusing, has different levels, appears to be inconsistently applied and suffers from low reimbursement levels. If CRM is to be a useful ‘post-event’ tool then these apparent deficiencies should be addressed, although, in our view, compulsion to participate may be offset by a criteria- or rules-based choice to participate or to offer an alternative that, at least, offers the same protection. A model where it is clear which banks are part of the CRM arrangement may increasingly lead to the fraudster gravitating to the greatest point of vulnerability.
Notwithstanding our reservations, we understand how the three performance measures have potential to add value, but we stress the importance that the data published should be accessible via a single source (i.e. without the need to visit multiple PSP websites and then having to interpret the results) and be easy to interpret by the consumer.
We see value in voluntary opt-ins to Measure 1 although consider that, in reality, only those ‘with a good story to tell’ will actually opt in and are concerned that CHAPS is out of scope.
We believe that there is a real risk that changes to protections in one payment scheme will drive payment volume to alternative schemes which are less attractive to end users. In addition, we believe that such changes will lead fraudsters to alternative payment systems that are not subject to similar anti-fraud protections.
We note the views that Pay.UK could administer and enforce aspects of the proposed measures and could resource itself accordingly. However, it is our view that the real issue is that, as a scheme operator, there are a limited number of ‘tools’ that a scheme operator may levy, with scheme restrictions and expulsion being a reality that would have a significant end-user detriment.
We note that some of the subscribers to the CRM code have either built or invested in solutions that allow them to make payment requests by SMS or email. This creates a confusing narrative for consumers of other banks, who, in compliance with the code, provide strict guidance to never click on a payment link sent by SMS or email. We don’t think that these are appropriate channels for a bank to use, given that the consumer can’t validate the originator of the message. Furthermore, how can a consumer exercise sufficient caution if one PSP says clicking on payment links by SMS is OK, whereas other banks say don’t? Such mixed messages undo all the great work in consumer education.