Let me start by saying how much we welcome the Payment Systems Regulator’s (PSR) invitation for responses on their proposals to tackle Authorised Push Payment (APP) Fraud.
Answer Pay has been fighting for more action against fraud and, to that end, released our own “To click or not to click?” white paper and webinar, which you can see here.
We will be submitting a formal response directly to the PSR but I wanted to take this opportunity to outline the principles we would like to see in any approach to tackling what UK Finance has described as a “national security threat”.
1. Prevention is better than cure
We need to see more action to prevent APP fraud rather than just deal with the aftermath. Reimbursement is of course hugely important, but by the time that occurs someone has just been through a very stressful time, potentially worried about the loss of life-changing sums of money, whilst a criminal is enjoying their ill-gotten gains.
2. Receiving banks should bear some liability
Supporting the fraudster is a bank or PSP that has helped them collect their money. It is simply not right that they do not currently bear any of the burden. They must do better in vetting their clients and ensuring a stable financial ecosystem.
3. Regulation by the Payment System Operator
We cautiously welcome the call for Pay.UK to introduce new rules to provide better governance of the payments systems under its control. We would, for example, like to see them ensure that services such as Confirmation of Payee and Request to Pay, also offered by Pay.UK and which offer fraud mitigation, are mandated as part of the effort to protect consumers and thwart the fraudsters. Our caution comes from the fact that Pay.UK has thus far failed to implement these fraud mitigation measures in its ruleset without the PSR’s intervention and that it requires the agreement of its members, some of which are facilitating individuals benefiting from the proceeds of crime.
4. Actively discourage the use of SMS and e-mail
In some markets the sending of links by banks in SMS and e-mails has been banned outright. We would welcome such action in the UK. We can’t ask the customer to be liable for bad decisions when as a financial services community we are sending them mixed messages about how to deal with payments by text, e-mail and social media.
The retail arms of some banks are saying “don’t click on payment links” whilst the corporate arm of the same bank is actively selling it as a service. It simply isn’t enough to say that “we don’t have fraud on our service therefore it’s OK”. It isn’t. Influencing customer behaviour to say that it’s OK to click on e-mail/SMS links and make payments legitimises a fraud vector. Either ban the use of payment links by SMS/e-mail/social media (this could be done via Faster Payment rules) or make payment link providers also liable for reimbursement through contribution to a reimbursement fund.
5. Do more to support the alternatives
We’ve recently seen the demise of the P2P service Paym, which could have been a tool in the fight against APP fraud. It could be disastrous for the industry if other Pay.UK services such as Confirmation of Payee and Request to Pay were to go the same way. We therefore ask that suitable key performance indicators for Pay.UK, and by extension the users of its payments systems, are put in place to ensure that both businesses and the general public are made aware of services such as Request to Pay and Confirmation of Payee, in much the same way that the Current Account Switching Service was successfully publicised.