This code, underpinned by the principles of fairness, simplicity and transparency, is argued to be “an important step forward towards better and more consistent protection for consumers and standards in industry”, and is designed to advance the code’s overarching objectives to:
Broadly speaking, the code is intended to equip both banks and payment service providers (PSPs) to:
Under the code, firms would be expected to participate in consumer education, raising awareness about APP fraud and the risks of their accounts being used as ‘mule accounts’. As well as this, they would be expected to provide the relevant trade body with statistics on APP fraud and have processes in place to assist with customer aftercare, going beyond simple reimbursement, including referrals for advice and tools for customers to protect themselves.
Sending & Receiving firms
Both sending and receiving firms would be required to detect, prevent and respond to APP fraud, albeit in different ways:
Sending & Receiving firms: This would include detecting customers who are at high risk of falling victim to APP fraud. In order to mitigate this risk, firms should establish transactional data and customer behaviour analytics, and train their employees to identify indicators of circumstances posing a higher risk of APP fraud.
Sending firms: If firms identify APP fraud risks throughout the payment journey, they must take steps to provide customers with effective warnings, enabling customers to take actions to protect themselves. These should be risk based, tailored to the APP fraud risk indicators and must be understandable, clear, impactful, timely and specific.
Receiving firms: Primarily focusing on preventing accounts being opened to facilitate criminal activity, firms would be expected to ensure that any accounts are opened in accordance with legal and regulatory provisions on customer due diligence, using intelligence and fraud databases to identify accounts that could be regarded as susceptible to criminal activity.
Sending firms: If there is ‘sufficient concern’ that a payment is APP fraud, a firm should seek to delay execution of the payment authorisation (in accordance with law and regulation), informing the originating customer. If an APP fraud is reported to a firm, they must notify the receiving firm in accordance with Best Practice Standards, as published by UK Finance.
Receiving firms: If concerns are raised around an account or funds, the receiving firm must respond in accordance with Best Practice Standards. In the event that there are concerns that funds may be proceeds of an APP fraud, the receiving firm must take steps to freeze the funds and to return them to the customer.
As a general rule, if a customer has been a victim of an APP fraud, a firm should reimburse them without undue delay. However, this could be departed from if a customer had acted inappropriately, which would include matters such as gross negligence, recklessly sharing security credentials or failing to take reasonable steps to ensure the payee was who the customer believed they were. When assessing if any of the matters are established, consideration will be given to whether the absence of the matter would have materially prevented the APP fraud from occurring.
Should firms not meet the standards within the code, they may be responsible for reimbursing a victim of APP fraud. In assessing whether a firm has or hasn’t met the appropriate standard, consideration will be given to whether complying with it would have had a material effect on preventing the incident.
The code is currently out for consultation until 15 November 2018, with a view to implementing it in early 2019. The Payment Services Regulator (PSR), who commissioned the Steering Group in early 2018, reported that five retail banks represented have already agreed to implement the code in order to achieve greater consumer protection. The PSR also confirmed it planned to consult by December 2018 on utilising its regulatory powers to issue a General Direction. The General Direction would be given to banks and PSPs to introduce payee confirmation. Under it, banks and payment systems providers participating in the Faster Payments System would be required to:
“Be capable of receiving and responding to confirmation of payee requests from other PSPs by 1 April 2019; and send confirmation of payee requests and present responses to their customers by 1 July 2019”.
In order to align with the work carried out by both the PSR and Steering Group, the FCA are consulting on collecting data on complaints from customers on fraud of this nature, and they propose to include industry efforts on this in their amended Payment Services and Electronic Money Approach Document (Approach Document). Within their Consultation Paper 18/25 they explain that they have amended section 8 (Conduct of Business) of the Approach Document to ensure PSPs make reasonable efforts to recover funds for victims of APP fraud in the same way as is done for payment service users providing an incorrect sort code and account number by mistake. In accordance with the above, the Approach Document also intends to refer to the developments around the code. Here, the FCA will remind PSPs of their obligation to comply with legal requirements to deter and detect financial crime. Within the Consultation Paper, the FCA further details proposed changes to the FCA Handbook, specifically around requesting data from PSPs and credit unions on APP fraud. This will seek to ensure PSPs and credit unions are meeting their obligations to consumers, and providing greater information for the FCA to take supervisory action.
An earlier Consultation Paper 18/16, published this summer, proposed that PSPs would be required to handle any complaints related to APPs in accordance with the DISP section of the FCA Handbook, with eligible complainants entitled to refer complaints to the Financial Ombudsman Service.