Mandatory Reimbursements in Authorised Push Payment Fraud: Proactive actions Firms can take now!
Following the final policy announcement in December 2023, the Payment Systems Regulator (PSR) have consulted with in-scope Payment Services Providers (PSPs) on measures to enhance fraud prevention and consumer protection.
In summary, PSPs will need to reimburse Authorised Push Payment (APP) fraud victims within five days, sharing costs between sending and receiving PSPs. The rule applies to PSPs with Faster Payments and CHAPS, overseen by Pay.UK and the Bank of England. This is proposed to take effect from the 7th October 2024.
The practical implementation of the 50/50 reimbursement split remains uncertain. Concerns exist about potential conflicts of interest, especially for smaller receiving PSPs with limited resources becoming burdened by reimbursements that larger sending PSPs can manage.
In the meantime, we have outlined key considerations that Firms can apply when evaluating financial crime frameworks ahead of the 7th October 2024.
Key considerations for Firms
Re-considering your risk appetite:
Firms may decide it is no longer within their risk appetite to provide services to customers that they have identified as being more susceptible to fraud. However, Firms should keep in mind that the FCA has discouraged wholesale de-risking, and should focus on proportionate measures to mitigate the risks of fraud:
Do you frequently review your risk appetite statement to ensure it considers fraud risks? In particular, are you clear where you stand on the loss / customer experience continuum?
Can you demonstrate your risk appetite statement treats customers fairly (if you are thinking of revising your book in light of the changes)?
Are decisions regarding changes to your risk appetite documented formally within committee minutes?
Operational Challenges:
Implementing changes across teams and processes, such as establishing a fraud claims and reimbursement process, can create operational challenges across resource, processes and systems:
Have you considered the collaboration required across teams, such as Front Office and Finance, when designing reimbursement processes? Have you established clearly defined roles, responsibilities and training requirements for investigating fraud claims and reimbursements?
Have you forecasted the likelihood of future fraud claims? Have you assessed the potential effect of 50% reimbursements due to fraud on your annual liquidity?
Do you have appropriate oversight of fraud-related processes, whether through a Head of Fraud or under the responsibilities of the MLRO? How do you know?
Does your case management system effectively capture data which can be extracted upon request to Pay.UK or the Bank of England?
Strengthening ID&V controls:
Vulnerabilities in ID&V controls increase the risk of receiving false documentation or impersonation fraud, which can enable the use of a product or service for fraudulent purposes:
Have you assessed the robustness of your ID&V process? How many incidents of fraudsters bypassing the ID&V process have occurred and have you assessed the root causes?
Have you considered implementing biometric verification methods like face recognition and do you understand how these methods work? Do you have a system testing plan in place and can show the actions taken in response to the results of testing?
How often do you review and update your ID&V process? Is it up to date with the latest fraud trends?
Have you considered implementing verification processes to reduce the risk of account takeover, such as two-factor authentication?
How well-trained are employees in understanding the importance of ID&V to mitigate fraud risk? Do you provide regular and effective training?
How do you balance the need for ID&V with customer experience? Do you have account blocking controls in place for customers who fail ID&V checks?
Screening against fraud databases:
Firms can strengthen screening controls by using fraud databases, such as CIFAS. This can help reduce the risk of those who have previously been identified for fraudulent behaviour using your services:
Does your onboarding and investigations process include the use of fraud databases? Are procedures clear on when and how to conduct screening against these databases?
How do you use information from fraud databases within your ID&V process?
Do you manage false positives effectively when screening against fraud databases?
Is there a clear escalation process for true matches when screening against fraud databases?
Transaction monitoring:
Transaction monitoring helps firms reduce and sometimes prevent fraud. Methods such as real-time monitoring allow activity to be reviewed as it happens, increasing the chances of stopping financial loss from fraudulent behaviour. Transactional data can also help identify unusual behaviours and vulnerable customer groups:
Have you considered how real-time monitoring can help reduce your exposure to fraud risks and enhance the ability to prevent fraudulent transactions?
Is your transaction monitoring system risk-based and calibrated to include fraud-specific rules, for example, dormant account rules to mitigate the risk of mule accounts? Do you frequently review the effectiveness of the rules and thresholds?
Have you used transaction data for peer group analysis to compare customer behaviour against expected patterns? Have you identified customer groups historically more susceptible to fraud?
What is your investigation and blocking process for transactions flagged that may be fraudulent? How quickly do investigations occur?
For further discussion or assistance, feel free to reach out to us at contact@avyse.co.uk.