On 28 September 2018, the Authorised Push Payment (APP) Steering Group published the draft 'Contingent Reimbursement Model Code' (the Voluntary Code) designed to help protect consumers from APP fraud.
The Voluntary Code is open for consultation until 15 November 2018 with a final code expected in early 2019.
Increasing levels of APP fraud and concern that there were insufficient safeguards in place to protect consumers led to the consumer group Which? submitting a super-complaint to the Payment Systems Regulator (the PSR) and the Financial Conduct Authority (FCA).
In its 90 day response to the super complaint the PSR committed to developing an industry led programme of measures designed to investigate the issues raised.
The PSR published its report and consultation on APP scams (CP 17/2) setting out the work done by the PSR with the industry over the past 12 months. The PSR consulted on the introduction of an industry led 'contingent reimbursement model'. The PSR asked for feedback on the proposed model and how it should be implemented and administered by 12 January 2018.
The PSR and FCA published a joint statement on the outcome of the consultation on the development of a contingent reimbursement model. The PSR considered that an industry code (developed collaboratively by industry and consumer group representatives) setting out the rules applicable to the model was the most effective way to implement the proposal.
A steering group led by Ruth Evans was set up to develop the Voluntary Code. The group was comprised of representatives from across the industry including banks, consumer action groups and industry bodies. It was responsible for reaching a consensus between members on formalising the model into a set of rules that form an industry code for reimbursement of APP scam victims.
The steering committee published the draft Voluntary Code. The key points considered by the steering group were:
1. The appropriate outcomes in circumstances where:
2. Defining the requisite level of care a victim of an APP scam must have met to be eligible for reimbursement, including how it can practically be verified.
3. An appropriate set of standards of care that PSPs would need to meet under the code.
4. An appropriate governance arrangement for monitoring implementation and maintaining the code post finalisation.
Here's our high-level summary of what the code says:
The overarching provisions of the Voluntary Code are to (1) reduce the occurrence of APP fraud, (2) increase protection for customers from the impact of APP fraud and (3) minimise disruption to legitimate payment journeys.
The Voluntary Code only applies to APP fraud involving domestic payments affecting consumers, micro-enterprises and small charities. It will not apply to unauthorised transactions, international payments or payments made in other currencies. The Voluntary Code is not in force until it is finalised and therefore will not apply to scams which took place prior to that date.
Firms are expected to (1) take reasonable steps to raise awareness and educate customers about APP fraud, (2) collect and provide statistics on APP fraud to the relevant trade bodies and (3) create processes and procedures in place to help with customer aftercare when APP fraud has taken place.
The standards expected of firms are divided into three core areas. If firms fail to meet those standards, they may be liable for the costs of reimbursement to customers who have been the victim of APP fraud. The core standards are:
The starting point is that firms should reimburse customers that have been victim of APP fraud. However a firm may choose not to reimburse the customer if they can establish that (1) the customer has not acted with the requisite standard of care and (2) the customer's failure to do so had a material effect on the APP fraud taking place.
Firms should make the decision as to whether or not to reimburse the customer within 15 business days after the customer reports the APP fraud. However, in exceptional cases the deadline for the response may be extended by up to 35 business days. If the customer wishes to challenge the decision, they are entitled to do so by making a complaint to the Financial Ombudsman Service (FOS).
In considering whether to reimburse a customer, firms are able to consider whether the customer:
In assessing whether the customer should be reimbursed, firms should consider whether any of its own acts of omissions impeded the customer's ability to avoid falling victim of APP fraud.
A customer is considered vulnerable to APP fraud under the Voluntary Code if it would not be reasonable to expect the customer to protect themselves in the circumstances existing at the time they became the victim of APP fraud. This will involve a case-by-case assessment and factors will include:
Confirmation of Payee On 28 September 2018, the PSR has announced that it plans to consult by December 2018 on using its regulatory powers to give a general direction to firms to implement Confirmation of Payee. It is likely that the direction from the PSR will require firms who participate in faster payments systems to be capable of (a) responding to confirmation of payee requests by 1 April 2019 and (b) sending confirmation of payee requests by 1 July 2019.
There are a number of issues which the steering group has been unable to reach agreement on. In particular, the steering group needs to address:
As set out by the steering group, in view of the continually evolving sophistication of payment fraud, to remain effective, the Voluntary Code will need to adapt to changes in the way APP fraud is committed. It is therefore important that clear and effective governance is carried out by an appropriate body.
It is yet to be decided who that body will be and this is a key area for consultation. However, the PSR commented in its consultation paper in February 2018 that it did not consider it appropriate for it to take this role. UK Finance has similarly indicated that it would not be able to carry out this function due to potential conflicts of interest.
Suggestions currently include that the New Payment Systems Operator (NPSO) may be able to perform this role. It is unclear what the NPSO's view of this will be, however as set out by the PSR in its consultation in February 2018 "the NPSO may have limited capacity in the medium term to take on this role." A further suggestion has been that the steering group remains constituted and takes on this function itself. However, this is unlikely to be attractive to members of the steering group.
The Voluntary Code allows a firm to avoid reimbursement where it can show that the customer has been 'grossly negligent'. This is a term usually considered in the context of unauthorised transactions (Payment Services Regulations 2017, Regulation 77(3)).
There is no definition of 'gross negligence' in the Payment Services Regulations 2017 (PSRs 2017) and this term has recently received attention from the FOS where, in its newsletter 'Fraud and Scams: a moving picture' dated 21 August 2018, the FOS said it is concerned over an increasing trend of firms claiming customers have acted with 'gross negligence' in circumstances where the FOS believe the customer has fallen victim to highly sophisticated payment fraud scams.
The FOS says 'gross negligence' should not be referred to lightly and the increasing sophistication of scams means that the bar for gross negligence is high (it's more than just a test of whether someone was careless). FOS' view seems to be supported by the FCA’s Approach Document on the PSRs 2017 which stated at paragraph 8.221: “In line with the recitals to PSD2, we interpret ‘gross negligence’ to be a higher standard than the standard of negligence under common law. The customer needs to have shown a very significant degree of carelessness”.
It is therefore interesting, given the uncertainty over the meaning of this term in unauthorised transactions and the comments from FOS that the Voluntary Code now seeks to introduce this concept into APP fraud. In view of this, it may be difficult for firms to resist reimbursement based solely on 'gross negligence' unless the customer has shown a very significant degree of carelessness.
The standards imposed on firms are broken down into three key areas: (1) detection, (2) prevention and (3) response. If firms fail to meet these standards they may be responsible for meeting the costs of reimbursement.
Detection is likely to be the area that causes firms most concern on the basis that the Voluntary Code appears to ask firms to consider the extent to which it should have identified whether the payment was one which were potentially at risk of being APP when determining whether it has complied with the Voluntary Code.
Given the volume of faster payments made each year this increased expectation on firms to identify fraudulent payments in real time and take steps to block payments is likely to be a contentious area in assessing liability under the Voluntary Code. It may also remove the incentive on customers to be diligent if they believe that firms will block transactions which could be fraudulent. This is likely to be particularly important when considering liability under the 'shared blame' scenario.
The broad definition of vulnerability under the code will require a case-by-case assessment with reference to the customer's individual personal circumstances existing at the time of the APP fraud. The consultation paper gives the example of a person who is recently single being more vulnerable to romance fraud. In practice, this is likely to mean that:
(a) it is difficult for firms to detect and prevent payment scams based on vulnerability in real time, because its assessment is not be based on whether the firm has previously assessed the customer as being vulnerable but circumstances far less likely to be known to the firm; and
(b) there is potential for large volumes of customers to be brought into this definition based on their individual personal circumstances. This could remove the incentive for customers to act in accordance with the requisite level of care expected - in favour of justifying why their individual personal circumstances caused them to be vulnerable to the fraud at the time.
It is unsurprising that the steering group have found agreeing liability for the 'no blame' and 'shared blame' scenarios among the most challenging. A number of the potential approaches being considered by the working group are premised on firms being liable to pay for the cost of reimbursement in some form.
On the basis that it is a voluntary code, the decision that the steering group make on this point will inevitably have an impact on the number of firms that are prepared to sign up to the Voluntary Code. This could be particularly challenging in the case of inter-PSP disputes where one of the firms involved has not signed up to the Voluntary Code.
It is interesting that one of the options that has been suggested is imposing a charge on certain types of transactions. This combined with the introduction of the Confirmation of Payee could mean that the speed and cost of our existing payment system could look dramatically different in the near future.
The steering group has said that it does not want the introduction of Confirmation of Payee to interrupt legitimate payment journeys unnecessarily. However in so far as any delay is caused, this could arguably impact on a wider number of customers than the number presently impacted by APP fraud.
Clearly, this is a difficult balancing exercise which the steering group has taken time to consider and recommended that a working group is needed to look at this specific issue.
The draft Voluntary Code raises a number of interesting questions, many of which are yet to be answered and are now the subject of consultation. The consultation is due to close on 15 November 2018.
Progress has been made by the steering group on a number of key points, however the number of firms which are prepared to sign up to the entire Voluntary Code in its final form (and therefore the success of the Code as a whole) is likely to be decided by the steering group's decision on the issues yet to be determined.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at October 2018. Specific advice should be sought for specific cases. For more information see our terms & conditions