
Pushing back on APP scams

18 July 2019. Published by Ian Dinning, Senior Associate

• Banks have now signed up to a voluntary code to reimburse victims of APP fraud.

• Provided customers have not done anything to exacerbate the situation (such as ignoring warnings or being grossly negligent), they will be reimbursed by the banks if they are a victim of APP fraud.

• The code also sets out further steps to be taken by banks to mitigate the ongoing risk of APP fraud.

• There is a right for customers to complain to the Financial Ombudsman Service to challenge a decision not to reimburse.

Introduction

An Authorised Push Payment (APP) is where a payer instructs their payment service provider, such as their bank, to send money from their account to another. These payments are usually made through the Faster Payment Service or CHAPS.

APP fraud is where a fraudster convinces a payer to make an APP to an account in the fraudster's control. Usually the fraudster impersonates a third party that the victim is due to pay for a valid transaction, for example payment of an invoice. They do this in a variety of ways, including intercepting invoices and amending the recipient bank details, or emailing victims purportedly to notify them of recent changes to bank details. The scams are often sophisticated and convincing, with the victims not realising what has happened for some time.

Once the payment is made, the fraudster will usually drain the account within hours.  The chances of tracing the funds, or the fraudster, are often slim to none.

UK Finance reported that in 2017 the total losses suffered from APP frauds were £236 million, with 43,875 reported cases.

If an individual has suffered an APP fraud, there are a couple of options, depending on the circumstances. However, the first port of call should be contacting both the paying and recipient bank to see if the payment can be caught. Previously, this had mixed results, with banks taking differing approaches and, in some cases, significant time to investigate. Often they would refuse to refund the payment on the basis that the victim had purportedly consented to the transaction.

The Code

As of 28 May 2019, eight banks (representing 17 brands[1]) have agreed to adhere to a voluntary code for victims of APP scams, the Contingent Reimbursement Model Code for Authorised Push Payment Scams (the Code).

The purpose of the Code is to deliver on a number of principles[2], including:

  • Where a customer that has fallen victim to an APP scam did what was expected of them under the Code, then that customer will be reimbursed.

  • Where a bank has failed to meet the standards required of it under the Code for a payment journey resulting in an APP scam, and that customer should be reimbursed, that bank will meet all, or share the cost of, the reimbursement.

  • Where both sending and receiving banks have met the standards expected of them, and the customer also did everything that could be expected of them, then the customer will be reimbursed, with the cost of the reimbursement being met through a "no-blame funding solution".

  • Where a customer disagrees with a decision not to reimburse them, that customer will be able to challenge the bank's decision by referring their case to the Financial Ombudsman Service.

Provisions

The Code has a number of provisions that require banks to detect, prevent and respond to APP scams in a more co-ordinated and customer-friendly way. The Code covers both the sending and receiving bank. Below is a summary of some of the key requirements in the Code.

Prevention 

The Code requires the banks to raise awareness, educate their customers and identify APP scam risks before they materialise. This includes the use of shared intelligence resources and appropriate due diligence when opening accounts[3] that are ultimately used to receive stolen funds.

Banks are required to take reasonable steps to make their customers aware of steps to take to reduce the risk of falling victim to APP scams and to provide "Effective Warnings", which should meet the minimum criteria set out in the Code[4], including that the warning is:

    i. Understandable – in plain language and meaningful to the customer;
    ii. Clear – fair, clear and not misleading, as set out in the FCA Principles for Businesses;
    iii. Impactful – including that the customer can reasonably understand the consequences of continuing with an irrevocable payment;
    iv. Timely – at the points most likely to have an impact on the customer's decision-making; and
    v. Specific – tailored to the customer type and the APP scam risk identified by analytics.

Where a bank has sufficient concern that a payment may be an APP scam, it should take appropriate action to delay the payment whilst it is investigated[5].

Detection 

Banks are now required to take reasonable steps to identify customers and payment authorisations that run a higher risk of being associated with APP scams[6] and to detect accounts that may be, or are being, used to receive APP scam funds, including through the use of customer behaviour analytics[7].

Response 

This area perhaps represents the biggest shift in how banks should treat APP scams going forward.

The presumption is now that "when a Customer has been the victim of an APP scam Firms should reimburse the Customer"[8].

The exceptions to the above include[9]:

    i. The customer ignored the "Effective Warnings";
    ii. Where the customer is a micro-enterprise or charity, it did not follow its own internal procedures for approval; and
    iii. The customer has been "grossly negligent" (though there is no definition of what this is).

In another welcome step towards clarity, the Code requires a commitment to decide whether to reimburse the victim within 15 working days[10].

Finally, if the customer is unhappy with the way a bank has handled their complaint, they can refer it directly to the Financial Ombudsman Service, which will undertake a review of the matter, notably whether or not their bank has signed up to the Code. It remains to be seen whether the FOS will use the Code as a benchmark to measure all banks against.

Summary

In an increasingly technology-based financial sector, APP scams have been a scourge for customers. Fraudsters are using increasingly sophisticated techniques and sometimes elaborate social engineering to con people into making payments. A frequent source of frustration in these cases is the time it takes for banks to respond, regardless of when they are notified of the payment. As the intermediary of the payments, the banks are often also the best placed to identify and manage this risk. The Code now recognises this and shifts the burden onto the banks to combat it using the resources available to them.

[1] Barclays; HSBC (including HSBC, First Direct, and M&S Bank); Lloyds Banking Group (including Lloyds Bank, Halifax, Bank of Scotland, and Intelligent Finance); Metro Bank; Nationwide; RBS (including Royal Bank of Scotland, NatWest, and Ulster Bank); Santander (including Santander, Cahoot, and Carter Allen); and Starling Bank.

[2] https://appcrmsteeringgroup.uk/wp-content/uploads/2019/02/APP-scams-Steering-Group-response-to-the-draft-CRM-code-consultation.pdf

[3] SF2(1)

[4] SF1(2)(e)

[5] SF1(5)

[6] SF1(1)

[7] SF2(3)

[8] R1

[9] R2

[10] R3(1)