Last month, the Payment Systems Regulator (PSR) set 7 October 2024 as its target implementation date for the new mandatory reimbursement rules for victims of authorised push payment (APP) fraud.
Why it matters. The proposed changes will require banks and other payment service providers (PSPs) to, among other things, share the cost of reimbursing victims 50:50 between sending and receiving payment firms. In effect, banks and other PSPs will be picking up the ~£500M bill that gets generated each year from APP frauds.
The bigger picture.
This is a significant shift in regulatory positioning to tackle what is today one of the world’s most pressing financial crime issues. APP fraud has claimed hundreds of thousands of victims and leads to devastating emotional as well as financial losses for victims. One recent example saw a business lose £1.6 million in 20 minutes.
Here are some high-level insights based on the most recent data from UK Finance:
Average losses are relatively small. The average APP fraud scam steals £2k from consumers and £11.4k from businesses.
Business victims are minority, but likely underreported. Micro businesses are not the most common category of APP fraud victim (6,729 business cases vs. 200,643 consumer); the PSR estimates that this is significantly underreported (more on why below).
Volume is increasing, but value see-sawing. APP fraud volume has increased steadily over the past 3 years, going up 10% on average each year. APP fraud value increased overall 4% between 2020-2022, but dropped 17% from 2021 to 2022.
Lowest volume scams tend to be highest value. CEO, mandate/invoice and impersonation scams - typically affecting businesses - are the least frequent but carry the highest value (CEO being highest, with average value of £31k). Whereas purchase scams - typically affecting consumers - are the highest in volume but the lowest in value (90% of all cases involved values less than £1k).
Zoom in. The proposed reimbursement rules cover consumers, charities and micro businesses (those with less than 10 employees and a turnover of EUR 2M) for payments made through Faster Payments (the Bank of England is proposing similar rules applicable to CHAPS, but consultation is not expected to finish until Q1 2024).
The scope is not surprising given that 98% of APP frauds occur by Faster Payments. And while technically only 10% of the UK’s 2.7m businesses are ineligible for mandatory reimbursement, all businesses remain vulnerable to APP fraud.
There is a strong disincentive to report APP fraud because it can adversely affect credit ratings and insurance premiums… let alone reputation and trust.
Being a victim of APP fraud might be perceived by creditors, underwriters and customers as the business having weak payment controls, poor compliance and/or incompetent staff.
It’s not yet clear that the new rules will do anything to mitigate these cost effects and create an incentive to report the fraud.
State of play. Compensation or not, at the end of the day a business victim of APP fraud – be it a micro, medium or large enterprise – ultimately ends up losing. Large and medium businesses are left to hang dry, and small ones might get their money back but suffer other financial and reputational consequences.
What can be done?
It goes without saying that businesses should do everything possible to prevent an APP fraud scam from arising in the first place. But more can be done to beef up defences than just ‘Confirmation of Payee’ and telephone call backs.
Enhanced checks such as determining how old a payee's bank account is (anything under a year is a high-risk indicator) and its activity levels (payment totals and net money flows, etc.) offer valuable insight as to whether the bank account is genuine and matches the economic profile of the payee. Clever fraudsters steal identity documents to open bank accounts in the name of the real payee a few days before they strike; relying only on a name check won't uncover the fact that the account is brand new or has no activity.
Digital verification using open banking improves accuracy and security, as this pulls in trusted data from the bank itself as opposed to manually obtaining it from bank statements and other documents (which may be forged).
At Lucra, we’ve made it our mission to eliminate APP fraud. Our team has engineered a digital, plug-n-play solution that delivers all this insight and more using verifiable data from trusted sources (including open banking and credit agencies).
Get in touch to learn how we can help you defend your business against APP fraudsters.
Alan Schweber is the founder and CEO of Lucra. Previously, Alan was a debt finance lawyer at Kirkland & Ellis LLP.