The hidden costs of PSR and why preparation involves more than just technology
The hidden costs of PSR and why preparation involves more than just technology
Preparing for PSR
The Payment Systems Regulator (PSR) announcement in June 2023 was widely anticipated by the industry, but the scope of proposed changes left affected payments providers, processors and industry bodies with a lot to do to prepare, and a challenging timeline to do it in.
The new rules are driving significant changes to the payment reimbursement model for fraud victims, forcing a seismic shift in the way banks and payment service providers (PSPs) perceive and address the issue. The reimbursement process itself will be well defined for banks, building societies and PSPs, and risk appetites should be relatively easy to set. However, big challenges lie ahead in defining customer treatment strategy as well as mule management strategy and then ensuring the necessary capabilities are in place to make the right decisions on treatment.
The scope of payments risk can, and will, get a lot bigger. Faster payments, for instance, are currently a key area targeted by fraudsters, who use the speed to exit funds quickly before getting caught. In order to tackle large, complex fraud networks, organisations need to take a more holistic, connected view of transactions and the people associated with them - whether they are known customers or never-seen-before non-customers.
The way to do this is with a large global network of historical transactions, shared intelligence (say, through a consortium of PSPs), and unique digital identity insights that can more closely interrogate an individual’s past behaviour and current associated risk.
Moreover, there's the immediate need to tackle the significant operational and regulatory compliance challenges presented by the new changes.
Significant operational changes are needed fast
Firstly, the rules imply transformative process design will be required on the part of banks and financial institutions in order to comply with and support an ecosystem of timely reimbursements that stand up to regulatory scrutiny. This can only begin once standards, fraud definitions and limits are established, agreed on and communicated and is likely to be a significant undertaking requiring extensive resource and design efforts.
Secondly, banks need to recalibrate and balance their risk appetite for assessing risk on outbound and inbound payments, whilst simultaneously assessing their customer base to proactively identify mule accounts. Traditionally, fraud systems focus on preventing fraudulent payments from leaving the bank, not from entering it. The new regulation makes banks equally culpable for inbound fraud and therefore creates the need to assess inbound payments for risk with equal vigour. Failure will result in liability for the fraud victim’s reimbursement costs if the money has been transferred out, which can be up to £415,000.
This could therefore have serious balance sheet repercussions for many small to medium size enterprises as the number of reimbursements grows. In conjunction with this, a bank’s capability to evidence that they have performed their due diligence will have a significant impact on how reimbursements are split, which will further contribute to the amount they will need to pay out.
These changes are putting technology, data-led analytics and AI-powered modelling tools newly in the sights of a wider range of banks and providers, fuelling innovative solutions like LexisNexis® ThreatMetrix® Payment Defense which is powered by the LexisNexis® Digital Identity Network® to combine offline and online intelligence to detect and block complex fraud in near real time while also minimising friction for trusted customers.
Who will be impacted the most by the liability shift?
Knowing the difference between witting, unwitting and coerced Money Mules
All UK citizens are entitled to a basic bank account. However, when a bank account is identified as being used for fraudulent purposes, banks have the power to close the account and exit the customer, as they see fit. With the sector now extensively collaborating and sharing fraud intelligence, accounts and their owners may be tagged as fraud or mule risks even if they were unwitting and coerced. In addition, customers can also be impacted when inbound payments are incorrectly flagged, as this will inevitably lead to disruption, for instance with the sender needing to resend the payment or else their account being frozen.
With financial institutions becoming more vigilant against money mules and potentially reducing their risk appetites, an unintended consequence could be that more UK customers are denied banking services. The social impact of this could be extensive – particularly given that financial exclusion already affects around 7 million UK adults.
Reputation could be at risk
In October 2023, for the first time, the PSR published a report showing the best and worst performers according to how they tackled APP scams and how well they treated the victims. There was a stark difference between the best and worst performers, undoubtedly to the consternation of many a PR team.
It will be interesting to see how performances change, and how motivational the league table is as more are published and banks find themselves weighing the reputational risks on top of the direct financial costs.
Rising to the challenge
AI and networked digital identity intelligence now offer financial institutions a way to assess the risk of sender and recipient accounts in near real-time as the transaction occurs. Solutions like LexisNexis® ThreatMetrix® Payment Defense help financial institutions determine the likelihood that a payment is fraudulent, and decide whether to slow or stop the transaction before fraud occurs in both inbound and outbound transactions. This risk assessment can be taken to the next level with global networked identity intelligence from billions of transactions globally, combining global crowd sources intelligence from multiple sectors and comprising digital identity intelligence from devices, locations, behaviours and more, using sophisticated AI-powered models to help detect and prevent fraud.
Larger banks with more sophisticated fraud detection and prevention systems in place might find the transition to the new PSR regulations a smaller gap to bridge than some of the smaller or less established financial institutions. However, there will nonetheless be room to take a more holistic view of fraud risk when dealing with complex scams, and the best way to deal with that is through collaboration. Those institutions that are already looking at solutions to help them risk assess inbound as well as outbound payments and benefit from cross-sector, cross-border intelligence are giving themselves a strong head start for the challenges to come.
Payment Systems Regulations 2024 –
Are you ready?
When scams occur, a money mule stands ready to receive fraudulent funds. With the new PSR requirement, explore how you can combat APP fraud and mule networks.
