Push payment fraud: ‘Which?’ way forward for unprotected customers? – Johnny Shearman’s article published in Compliance Monitor

By Signature Litigation

Associate Johnny Shearman’s article examines the Payment Services Regulator’s response in relation to the recent Which? super-complaint in Compliance Monitor.

Johnny’s article has been published in Compliance Monitor, 7 April 2017, and can be read here.

Within consumer payment services there are two overriding payment mechanisms – ‘push’ and ‘pull’ payments. Although both mechanisms achieve the same end result, by enabling one entity to pay another, there is a difference between the two. A ‘push’ payment is one where the payor obtains details of the payee’s account and instructs their bank to send (push) money to it. A ‘pull’ payment is where the payor provides the payee with the relevant account details and authorises the payee to extract (pull) funds from their account.

One might think, despite this subtle difference, that the regulatory framework governing fraudulent activities via either mechanism would be the same. However, that is not the case as highlighted by the Payment Services Regulator’s (“PSR”) response to the super-complaint submitted by the consumer watchdog, Which?[1]. In this article we take a closer look at the Which? complaint and the PSR’s response issued at the end of last year.

Fraudulent activity affecting ‘push’ and ‘pull’ payments can occur in one of two ways:

  1. Unauthorised payment: where the scammer fraudulently accesses the payor’s account using information that has been scammed from the payor;
  2. Authorised payment: where the scammer deceives the payor into ‘authorising’ a payment to the scammer’s account.

For authorised pull payments and unauthorised payments (whether push or pull) there are several safeguards, provided for by statute or voluntarily by financial institutions, which protect consumers from suffering loss and compensate them when loss occurs. However, when it comes to an authorised push payment (“APP”), consumers have no protection at all when losses occur. This applies to retail and corporate customers alike, which has led to significant irrevocable losses across the board.

Whilst scams involving retail customers may grab the headlines, fraudsters are increasingly targeting the business community as a way of increasing their gains given the larger transactions involved. The level of sophistication of the fraud is making it harder to detect even for experienced professionals. By the time the fraud is discovered the money has been moved, meaning the victim has no way of recovering its money, and the banks are under no obligation to compensate the customer for its losses.

The Complaint

In light of the apparent lack of safeguards in place for APP scams, Which? submitted its complaint to compel the PSR to investigate:

  1. the extent to which the banks’ conduct could change to reduce consumer harm from sophisticated scams that trick people or organisations making APPs to a fraudster; and
  2. the changes that are needed in legislation or regulation to ensure that more is done to manage the risks and protect consumers.

In addressing these points, Which? tackled three arguments as to why APPs receive no consumer protections.

The first was that banks have a duty to act on their customers’ instructions. Although this is true, Which? considered that there is scant justification for having lesser protection where instructions for a payment to be made are direct to the bank, as opposed to via an intermediary (as is the case with card payments (ie pull payments)). The second argument was that banks cannot do much when payments are made using the Faster Payment service which is similar to paying with cash. Which? countered this argument by highlighting that where cash transactions are anonymous, banks have control over Faster Payments and have knowledge of the consumer and end account. The final argument related to whether it is even appropriate for consumers to bear full liability as such liability is the only means of ensuring diligence in transacting as well as preventing an increase in negligent and fraudulent behaviour. Which? argued that, in a time of ever increasing sophistication when it comes to scams, it is hard to justify that ill-informed and ill-equipped consumers should be left to pay the price.

In coming to a conclusion, Which? suggested two possible remedies for solving the current issues with APP scams:

  1. Option A advocated a blanket switch of liability to the banks, requiring customers to be reimbursed if they fell victim to an APP scam (except in cases of consumer negligence or fraud).
  2. Option B is a slightly watered down version of Option A and suggests that specific standards for risk management could be created and imposed on banks to ensure adequate processes are in place for authenticating the legitimacy of payees. Falling below these required standards would mean the liability for loss would fall on the bank.

Either of these options would incentivise banks to “do more” to prevent scams being carried out and to increase the likelihood of recovery of losses.

The Response

Although the PSR made concessions that changes ought to be made and asserted that investigations and consultations will continue, the regulator fell short of imposing any obligations on the banks and shifting the liability. Instead, relying somewhat on the limitations imposed by the PSR’s internal 90-day response requirements, the PSR concluded that there are three main areas of focus for APPs:

  1. The ways in which payment service providers currently work together in responding to reports of APP scams need to improve.
  2. Payment service providers could do more to identify potentially fraudulent incoming payments and to prevent accounts falling under the influence of fraudsters.
  3. The data available on the scale and types of APP scams needs to improve.

Going forward the PSR is to consider what information can be shared between organisations, and the key legal barriers to sharing further relevant information. It is hoped that the sharing of information will enable the industry to develop a ‘common approach’ that banks should follow when responding to instances of reported APP scams. It is not clear what is meant by a ‘common approach’ but the road must start with the industry collecting and publishing APP scam statistics. This will address the lack of clear data on the scale and scope of the problem and will enable monitoring of the issue over time.

Whilst the PSR is not prepared to compel banks to reimburse victims of APP scams at this time, it did note that, as additional evidence comes to light, it will consider whether it is appropriate to propose changes to the obligations or incentives that banks have for these types of scams. In the short term then it appears that the PSR is prepared to cut the banks some slack, whilst being mindful of the lack of clarity over the scope of the situation. However, the courts may take a different approach. We will have to wait and see, but if a victim of an APP scam decides to take legal action to pursue a bank for the losses suffered, we may find the courts are prepared to hold banks accountable even if the PSR is reluctant to do so at this stage.


[1] Which? is one of eight organisations with the statutory right to make a “super-complaint” and it can do so in relation to any market of which it has knowledge and that it considers to be failing consumers.
