Fraud Management & Cybercrime
,
Fraud Risk Management
,
Geo Focus: The United Kingdom
Payments Regulator Says Banks Should Prioritize Customer Protection Over Losses
The U.K. Payments Systems Regulator has denied The Payment Association’s request to delay the contentious APP fraud reimbursement plan by a year. The association, the largest community in payments, had warned that failing to delay the plan would permanently damage the payments industry.
See Also: BEC Defense: Advanced Tactics to Shield Your Organization
The pressure to delay the long-discussed reimbursement plan came a week after Chris Hemsley stepped down as the head of PSR, following backlash from the association and the industry over the new rules.
But interim head David Geale said the PSR needs to act quickly on APP fraud. The new rules forcing banks and payment companies to reimburse victims would be introduced in October.
According to U.K. Finance, British consumers lost GBP 459.7 million to APP fraud in 2023, and most incidents originated online. The U.K. has led global debate on the APP reimbursement. Discussions with banks and other stakeholders began in 2022. The industry has not been caught off guard, and the regulator conducted prior consultations. There has been enough debate and discussion over the past year and a half.
It seems the UK Payments Association used Hemsley’s resignation to call for a 12-month postponement. Their argument: “This will ensure the right policies, technology and systems are in place to avoid permanent damage to the U.K.’s payment industry and its ability to enable safe, instant, cheap, and convenient payments.” The extra time also would have allowed the industry to prepare for the change and involve technology companies in the process.
If the past year and a half was not enough time to “prepare,” what guarantee is there that the next 12 months will be enough? The suggestion that Hemsley had to quit due to industry pressure is rather unseemly. Hence, the interim head’s decision not to bow down to the payments sector is commendable.
Who Should Take the Responsibility?
Rather than debating whether to reimburse customers, the focus should be on which bank should bear the loss and how much. If a customer instructs the bank to pay a fraudster, the primary fault lies with the bank that allowed the fraudster to open an account in the first place.
Most sending banks inundate customers with “Are you sure you want to make this transfer?” messages, but receiving banks fail to implement proper safeguards, allowing fraudsters to open accounts. These banks must improve their identity check mechanisms to stop or at least hinder fraudsters. Rather than making the sender bank solely responsible, the receiving banks should bear more of the losses. The current system places more responsibility on the sending bank. Assigning losses to the banks at fault will ensure they start doing their jobs properly. The sooner this happens, the better.
Some Exceptions Allowed
The PSR is not asking banks to reimburse all authorized scams. Only scams made on faster payment rails qualify for reimbursement. For example, if you move your money to a cryptocurrency account, it will not be reimbursed. Even intrabank transactions are excluded from reimbursement. Given these exceptions and the time provided, payment companies must prioritize customer protection against fraud rather than seeking to evade responsibility.