APP fraud continues to rise as criminals target bank customers online

APP fraud is fast becoming a UK banking scandal.

UK Finance figures show APP fraud was £208m in H1 2020, so although the total for the year is up 5% on 2019, H2 fraud was £271m, a massive 30% increase on H1, and 10% up on H2 2019.

According to the PSR, 79% of APP scams occur on Faster Payments, so assuming this held for the whole year, £378m was through FPS, or 0.02% of FPS processed value for the year. This is still low compared to cards (0.075%), but cards are inherently far riskier than authorised push payments, and in absolute terms APP is catching up - UK card fraud was £620m in 2019 (UK Finance).

This matters because real-time payments are core to the future of UK payments, core to the adoption of Open Banking payments and core to the UK economy. They continue to grow at over 20% per year, such is the demand for them. But unless APP fraud is brought under control, real-time payments in the UK will be under threat - already there have been calls to "delay the payments", which would wreck the real-time proposition and business models that depend on it; and bank fraud systems are being used more frequently to hold outbound payments in some instances for further authorisation, compromising the customer experience.

There are initiatives to deal with APP fraud, such as confirmation-of-payee, the Contingent Reimbursement Model Code, and The Stop Scams initiative, but no-one seems to be taking overall responsibility for stopping APP fraud. For example, APP fraud is a priority for the PSR, but CHAPS is outside its scope (Bank of England), as are FIs only indirectly connected to the payment systems it regulates, as is it would seem, APP fraud on-us book transfers, while only a sub-set of banks use confirmation-of-payee or adhere to the CRM code.

The real issue is that APP fraud is a failing of account management rather than payment systems. Banks have a regulatory obligation for customer due diligence and KYC. Since all APP fraud payments must go from the victim's UK bank account to the fraudster's UK bank account (set up fraudulently, taken over, or herded), it shows that bank KYC and CDD are failing.

With almost 10 billion payments flowing annually through UK payment systems, it is fiendishly difficult to detect the 150,000 or so that slip through as APP fraud each year, but banks must do more to prevent it. Better technology should be used to monitor accounts for unusual activity and be used to detect unusual inbound payments, as well as outbound payments. I would hope that an account can be used only once to receive APP fraud, so the arrival in one of an unusual payment must be detectable, especially if followed shortly after by an attempt to make an unusual outbound payment.

Very little seems to be discussed on bank KYC in the context of APP fraud. Much of the emphasis is on the victim's bank, the sending bank, whereas it is the receiving bank, the fraudster's bank that is at fault.

It is time for the UK banking industry to step up and do more, be seen to be doing more and be accountable for fixing CDD and KYC failings in APP fraud.

While the regulatory inititiatives focused on APP victims are laudable, and necessary, regulators can play their part to greater effect by also setting ceilings for APP fraud on each bank as a receiving bank, with severe enforcement penalties if the ceilings are breached.

Hi Jeremy, I think it requires all sides of the problem to be addressed simultaneoulsy (i) the CDD failures that lead to the scammers obtaining accounts (ii) the exculpation of the payee's bank from checking the name in the payment with the name on the addressed account for every payment (iii) a legal change to back that up, so that the payee name is part of the payment contract in addition to the sort code and account number.

With all those changes made, the liability would sit completely with the payee bank, and the payer would enjoy cover under the PSRs for incorrect execution i.e. if the banks contrived to pay a different payee from the one named in the payment contract.

This new situation should be a Day 1 deliverable of NPA: it is a nonsense that NPA has so far been scoped so as to allow this problem to continue.

Initiatives such as confirmation of payee are nothing more than a plaster over the issue. 

KYC needs to be discussed, but that is easy to get around - somethign card schemes have known for a very long time - and they used to address directly. 

The real issue comes from identity and identification of payment flows. Almost always push fraud is complete because the scammer looks geniune enough. However, if payments moved to a verifiable identity paying another verifiable identity basis - then this fraud would be stopped almost completely as the scammer wouldnt have the cryptographic control of who they claim to be. 

Initiatives like confirmation of payee have taken a lot of money, time and effort to get into the marketplace, however their effectiveness will be short lived (if at all based on these figures). We need to stop thinking of short term fixes and tackle such systemic issues directly.

CoP can still transform these APP fraud figures if we collectively drive the UK adoption faster. There is still too much misinformation circulating and 'do nothing' strategies, with many waiting I fear in vain for the PSR to mandate everyone for action.

I see no logic in waiting for an ambiguous 'CoP Phase 2' at some point in the future, or another regulator intervention when in fact the majority of banks can join now in the 'Phase 1' inside 12 weeks.

The analogy that comes to mind is waiting to be the last bank to put a chip on their debit card? Fraud will be displaced to the weakest link where there is no CoP.

Safety in numbers - ubiquity of adoption this year - if you are a bank with your own sort code, check in with Pay.UK or Bottomline or the Open Banking team - you can join Phase 1 NOW to close this noise down, keep reputations and reduce these disappointing APP fraud numbers.