New rules on authorised push payment fraud in the UK

Yesterday was a big day for UK consumers when the new rules on compensating victims of authorised push payment fraud (APP fraud) came into force.

APP fraud is when consumers are tricked into sending money to the fraudster. It can happen in various ways, e.g. via impersonation fraud, romance fraud or email takeover fraud. The point is that the consumer makes the transfer of the money (and therefore the transaction is authorised by the consumer), and this fact differentiates the type of fraud from others where the consumer does not consent to the transaction e.g. when the consumers' bank card is stolen and is used for purchases (unauthorised transaction). APP fraud is the most prevalent fraud in the UK, and in Europe. The number of consumers affected increases year by year.

UK reforms started under the pressure of the consumer group Which? by submitting a Super-Complaint to the Payment Systems Regulator, noting the increasing prevalence of APP fraud and calling for rules to tackle the problem. They pointed out that the general rule of shifting the liability for the loss from the consumer onto the bank applied to all unauthorised transactions, but it does not apply to authorised transactions, and they argued that there are no legitimate reasons for maintaining this exception.

In 2019 the Contingent Reimbursement Model Code was adopted. This voluntary code was signed by most major retail banks. However, although the Code established the desired main rule, it had numerous exceptions, such as effective warnings and gross negligence. After a while, it became apparent that the Code was not as effective as it could be, and the Government decided to take action. The Financial Services and Markets Act 2023, in Section 72, deals with the payment service provider's liability for fraudulent transactions, empowering the Payment Systems Regulator to bring rules in the area. These rules (PSR Specific Direction 20) entered into force yesterday:

• the new rules apply to all payment service providers, not just banks
• the rules protect individuals, microenterprises and charities
• rules apply to UK domestic payments only using the Faster Payment System
• the rules provide for mandatory reimbursement except when consumers were complicit in fraud or grossly negligent, the Regulator, however, clarified that the gross negligence exception is a high bar and does not apply to vulnerable consumers
• firms can choose to have a £100 excess (except in the case of vulnerable consumers)
• the maximum amount claimed can be £85,000, or firms can opt for a higher threshold internally
• reimbursement amount is shared 50-50 between sending and receiving bank
• there are set claims and reimbursement deadlines.

The new rules are certainly welcomed. APP fraud caused a lot of consumer detriment, and the lack of effective rules led to legal uncertainty. It is a positive development that there are much fewer exceptions in the new rules. However, exceptions and limits do exist, e.g. the rules do not apply to international transactions, and there is uncertainty about how the gross negligence exception will be enforced and who will be considered vulnerable consumers for the purposes of the exceptions. These nuances will need to be carved out by practice, and the Financial Ombudamn Service, which handles consumer complaints, is likely to play a key role.

Although these rules apply to UK domestic transactions only, they are helpful to know given the prevalence of APP fraud in other countries, including EU Member States and can be beneficial in developing PSD3.