Payment Systems Regulations 2024 – Are you ready?

When scams occur, a money mule stands ready to receive fraudulent funds. With the new PSR requirement, explore how you can combat APP fraud and mule networks.

New regulations for a safer payments ecosystem

The UK’s Payment Systems Regulator (PSR) is ushering in a new era of financial security for the victims of scams. Starting October 7, 2024, transformative regulations will reshape the fraud landscape, prompting tougher action to tackle Authorised Push Payment (APP) scams, crack down on mule networks and enhance protection for victims.

Key highlights of the regulation

Highlight 1:

Fast Reimbursement, Shared Responsibility

  • Mandatory reimbursement within five working days.
  • Liability shared 50/50 between sending and receiving Payment Service Providers (PSPs).

Highlight 2:

Maximum Reimbursement Limit: £415,000

  • Applies universally to all consumers, charities and microenterprises.
  • Claims must be made within 13 months of the last fraudulent payment.

Highlight 3:

Voluntary Excess: £100

  • Added layer of protection for consumers.

Highlight 4:

Exceptions to Reimbursement Requirement

  • Consumer fraud or gross negligence.
  • Special consideration for vulnerable consumers.

Challenges and Solutions


Real-time Fraud Monitoring

Challenge: Balancing fast and seamless transactions with vigilant fraud monitoring.

Solution: Implementing advanced analytics and networked intelligence to scrutinise transactions without hindering the customer experience.


Mule Account Detection

Challenge: Identifying and acting promptly against mule accounts.

Solution: Enabling real-time assessments and quick deployment of treatment strategies, recognising that funds often leave mule accounts within 15 minutes.


Cost Assessment for Reimbursements

Challenge: Evaluating the financial impact of reimbursement obligations.

Solution: Assessing potential exposure to APP fraud reimbursements and preparing for potential increases in fraud losses as a cost of doing business.


Real-time Response to Suspicious Payments

Challenge: Balancing fraud prevention with a positive customer experience.

Solution: Developing responsive systems to promptly identify and address suspicious inbound payments, without compromising user satisfaction.

Stop the mules, stop the fraud

Where a scam is taking place there is also a money mule at the other end waiting to receive the fraudulent funds.

Our data science team have developed machine learning mule propensity models, utilising functionality such as Advanced Payment Screening – assessing both incoming and outgoing payments – to detect the likelihood that a payment is being sent to a mule account. 


Your questions, answered:

How does the 50/50 reimbursement process work?

Pay.UK has been tasked by the PSR to build and facilitate the reimbursement process between Payment Service Providers, but the design and delivery plan for this has yet to be communicated. Pay.UK is required to create the reimbursement rules through amending the Faster Payment rules by 7 June 2024. There will also be accompanying operational guidance.

There are references in the PSR final guidance to both 5 and 35 day windows for reimbursement. How would we know if we have to make a decision within 5 or 35 days? 

The guidance has been amended so that a sending PSP can ‘stop the clock’ when contacting the receiving PSP, in order to gather evidence to inform their assessment of reported APP scam cases. They have also clarified the 35 business-day timescale within which the sending PSP must make a decision on whether to reimburse an APP scam case, under the policy. These amendments allow the sending PSP to make a more informed assessment. The receiving PSP may hold key evidence that will help inform the sending PSP’s assessment of any APP scam case, and it is right that enough time is allowed for it to gather and deliver this information.

Is BACS also covered by the PSR rules? 

At this time, only Faster Payments are covered. The PSR is considering giving a specific direction to CHAPS participants to support implementation of the comparable model for CHAPS (mirroring, where possible, the direction on Faster Payments PSPs). If it decides to do so, it expects to consult on the specific direction by the end of Q1 2024.

Does the reimbursement requirement cover overseas Swift payments?

No, the forthcoming regulatory framework only covers payments that originate from, and are sent to, UK bank accounts.

Do the rules apply to digital e-wallets used to hold and receive funds?  

Yes, any form of UK PSP account that receives a scam payment is in scope of the new regulations.

Do the rules apply to Small Payment Institutions (SPI), i.e. fintechs who may only be a hop in the payment chain?

We can’t provide specific advice, but we’d encourage any organisation unsure of its position in relation to the regulation to refer to the PSR’s June 2023 Policy Statement, or seek independent advice. Section 2.14 of the guidance advises that PSPs providing sending or receiving payment accounts for qualifying transactions are within scope of the new requirements, including direct and indirect Faster Payments participants. Payment initiation service (PIS) transactions are also in scope of the requirements.

Do the rules apply to business accounts (SME /Corporate) or only to individual accounts? 

The new PSR rules apply to all UK payment accounts. 

Do the reimbursement requirements only cover consumers, or do they also cover corporate entities making payments to individuals?

According to the PSR’s June 2023 Policy Statement, the new reimbursement requirement applies to consumers, micro-enterprises, and charities. A micro-enterprise is defined as an enterprise that employs fewer than ten persons and whose annual turnover and/or annual balance sheet total does not exceed €2 million. 

How will fraud types not covered by PSR regulations, such as international and crypto payment methods, be treated?

These methods are out of scope of this regulation. Organisations employing these methods of payment and concerned about exposure to fraud risk should look to deploy prevention services such as LexisNexis® ThreatMetrix®.

Are we expecting a further steer on how the framework for sharing the reimbursement between sending and receiving parties will work? 

Yes, Pay.UK is required to create the reimbursement rules through amending the Faster Payment rules by 7 June 2024. There will also be accompanying operational guidance. Pay.UK must also publish proposals for effective compliance monitoring for obliged PSPs by 5 April 2024. Both the monitoring and reimbursement requirements must come into force together in October 2024. 

With consumer duty in mind, how far should firms go to ensure reimbursement goes towards loans and other borrowing the customer has taken and was scammed into sending? 

Consumer Duty guidelines set higher and clearer standards of consumer protection across financial services and require all UK regulated firms to put their customers’ needs first. It’s not for us to comment on how organisations might interpret these guidelines, but firms should ensure they have robust controls in place on both their borrowing and payment journeys and provide appropriate customer support.

Is there guidance on how to determine when a customer has been negligent, or not, in their responsibility/accountability under the PSR rules?

In its June 2023 Policy Statement, the PSR stated two exceptions to the reimbursement requirements, namely where the consumer had acted fraudulently, or with gross negligence. Following additional consultation, the PSR has clarified gross negligence within its consumer ‘standard of care’ when executing authorised push payments. They include giving due regard to scam warnings, prompt notification to their PSP of a suspected scam, and prompt sharing where their PSP requests information about the suspected scam. Where a consumer has not, through gross negligence, met one or more of these standards, their PSP is not required to reimburse a consumer. The burden of proof rests on the PSP to demonstrate that a consumer has, through gross negligence, not met the standard of care.

Where do you see the new 50:50 liability sitting in a Banking as a Service model? Does it sit with the MSB or the core Banking partner?

A core banking provider simply delivers the technology; it does not own the customer relationship. According to the guidance, the liability would sit with PSPs that operate the sending or receiving payment account for a qualifying transaction.

Do you think these regulations will be expanded to include authorised card fraud payments? 

They are not in scope at this time and we won’t speculate on future regulations, but it’s an interesting question and we will watch closely all future developments. 

Where the final guidance references “sharing data”, can you confirm this relates to Open Banking and that it is in fact in scope of the Model? 

We are unable to provide direct advice on the regulations. Refer to section 2.18 of the June 2023 Policy Statement for guidance on Open Banking payments or seek specific advice.

How is remote access fraud being tackled when the customer has unknowingly given access to their bank details, which are then used to make unauthorised payments, and the notification or warning is within the app so the customer does not receive SMS or text? What preventative measures can be put in place?

This is not covered by the current regulations. Protecting against this form of attack requires additional behavioural biometric technology implemented within your customer journey to analyse customer behaviour signals and provide trust scores on the legitimacy of a customer's identity. Tools such as LexisNexis® BehavioSec® give you a new set of behavioural signals that transparently evaluates risk throughout the user journey, recognising an individual’s identity, not simply flagging potential fraud.

A lot of big tech platforms (e.g. GooglePay, ApplePay) are moving into payments – do they fall under PSR rules? Do you see Telco involvement ever becoming a regulatory requirement in the future?  

Telcos are regulated by OFCOM and it’s impossible to speculate here how this would work in practice across sectors. Big tech platforms that offer UK customer accounts capable of sending and receiving faster payments would be in scope. If the tech platform is simply enabling payments, they are not liable.

What do you think about friction being applied to the receiver, in a manner that they have to “prove” their legitimacy in order to receive the pending funds?

This is certainly a future possibility. There are various tactics receiving banks/PSPs could use to extend the window of opportunity to complete fraud checks on incoming payments and sender accounts. Asking customers to prove that the incoming payment is legitimate won’t be effective in reducing fraud, as the fraudster typically already has control of the recipient mule account.

What role do you believe AI will play in helping to identify and prevent payment scams? 

Our fraud prevention solutions already leverage machine learning capabilities alongside digital identity intelligence and behavioural analytics to provide enhanced authentication, identity verification and fraud decisioning for customers. LexisNexis® ThreatMetrix® enables thousands of businesses globally to harness intelligence related to devices, locations, identities and past behaviours to confidently distinguish between trusted and fraudulent behaviour. Get in touch if you would like to learn more.

Are there any volumes for the number of mule accounts which are created fraudulently, for instance using stolen ID, and genuine accounts which have been taken over by the fraudsters or are being used coercively?

There is no specific volume data published on these points currently, but from our own work with clients, we know that mule accounts are a significant problem for the UK banking sector. 

Do we need to add rules into our transaction monitoring systems to find money mules in our business? 

Rules-based monitoring will only get you so far in detecting potential mule activity. Fraudsters operate in networks that cross institutional boundaries. Effective monitoring can therefore only take place with a full, 360-degree view of the network. Only this will provide the context required to inform rules that can reliably detect fraud. You need a network to fight a network.

Isn’t there a major risk that vulnerable customers will be off-boarded given there seems no way to avoid reimbursement obligation even with warnings? 

The PSR has provided specific guidance on the treatment of vulnerable customers. PSPs are also required to follow the Financial Conduct Authority’s guidance on the fair treatment of vulnerable customers. However, there is a real risk of a growing population of de-banked UK customers, and the UK banking sector will no doubt be monitoring this closely as the PSR rules are implemented.

Does this mean that every time a customer claims a payment is fraudulent, firms will have to consider it as fraud, with no investigation?

There are investigations firms can conduct to determine gross negligence. Through consultation, the PSR has outlined a consumer standard of care when executing authorised push payments which includes giving due regard to scam warnings and prompt notification to their PSP of a suspected scam.

How do you see fraudsters responding to the new regulations? Will there be a shift in their behaviours? 

It’s certainly possible that implementation of the PSR rules will lead to an increase in other fraud attacks, such as Card Not Present fraud, in the future. We will be helping our customers to monitor for these shifts and adapting their prevention strategies to counter any such changes in approach.

With guaranteed reimbursement, won't the fraudsters just start claiming they have been defrauded themselves and work together?

There is much speculation about the risk of ‘moral hazard’ as a result of this legislation. The PSR’s June 2023 Policy Statement covers this in detail, notably on page 33 (Table 4). However, one leading bank, which has already been operating a reimbursement guarantee for some time, said that this risk has not materialised amongst their customers.
