Decision-makers from payments businesses across the UK have identified Authorised Push Payment (APP) fraud as the top threat to both their businesses and consumers.
This is according to the first findings of an in-depth financial crime survey by The Payments Association, which champions innovation and collaboration across the industry, due for full publication later this month.
APP fraud has emerged as a significant fraud, targeting the public and small businesses. Authorised push payment (APP) fraud losses were £459.7million, down five per cent compared to last year. This comprised £376.4million of personal losses and £83.3million of business losses. This type of fraud involves a fraudster tricking someone into sending money by posing as a legitimate payee. Methods include setting up fake websites for non-existent goods or sending texts or emails pretending to be from banks or even friends and family. Despite the variety of tactics, all APP fraud uses the Authorised Push Payment system that millions legitimately use every day.
The Payment Association’s financial crime survey was distributed to selected decision-makers at major UK payments companies, including many CEOs and founders. The companies represented parts of the industry ranging from Banking and Account providers (18%) and technology providers (21%) to Open Banking (3%) and Crypto (1%). Of these companies, 65% identified fraud as one of the biggest challenges defining financial crime in the next 12 months, highlighting the severity of the issue.
Why is APP fraud so dangerous?
Of the 13 types of fraud outlined in the survey, APP fraud was identified by 27% of respondents as the form of fraud that most impacted their companies and customers. Given the variety of fraud types and the diversity of companies surveyed, this is a very high number, especially considering APP fraud was relatively unknown just a few years ago.
“APP fraud is in many ways one of the least sophisticated forms of fraud around - not much more difficult to fall for than the ‘friend in need’ email and text message scams that were once common,” said Riccardo Tordera, Director of Policy and Government Relations for The Payments Association. “Often, APP fraud attempts can be as simple as a text claiming to be from a bank asking for funds to be transferred. The problem stems from how many people a fraudster can target with that message: years of data leaks mean that bad actors can get tens of thousands of phone numbers for very little, and if a fraud attempt is only 1% effective, it could still cost hundreds of people thousands of pounds. In short, it isn’t the sophistication but the scale of APP fraud that is most worrying.”
“We also want to remove the unreasonable burden of proof where the PSR’s new ‘consumer standard of caution exception’ applies - which is a lower standard than the “common law” definition of gross negligence. It doesn’t make sense and could have the effect of devaluing consumer education around fraud and scams if a refund is guaranteed. If a claim is to be reimbursed, it should require having been reported to the police in the first instance, regardless of how much the claim is for. At the very least, this will serve to educate the police force on the issue, which clearly isn’t happening enough at the moment. But more importantly, there needs to be more support in educating consumers to prevent fraud and scams in the first place.”
How is the industry fighting back?
The Payment Systems Regulator (PSR) previously issued a decision mandating that payment service providers (PSPs) be liable for any losses due to APP fraud on their platforms, split 50-50 between the PSP that sends and the PSP that receives the payment.
Further insights showed that 58% of respondents were aware of this change - this may seem low, but not all respondents are PSPs. Among those affected by the new rules, 70% are implementing a combination of measures of their own to help, including re-evaluating customers based on risk and reviewing incoming transactions.
Tordera said: “Time will tell whether these measures will be enough. That said, the currently proposed repayment threshold is disproportionate. Having to repay £415,000 could sink a small, innovative FinTech company, so we would recommend a top upper limit of £30,000. The average scam costs businesses £11,000, and members of the public £1,500, so £30,000 is still more than double the average scam for businesses and 20x the average scam for consumers. We are not contesting the principle of reimbursement, we just want this to align with the average scam.”
“The significant added pressure of these changes to the industry will illuminate competition and cause smaller PSPs - which consumers with more niche financial needs rely on - to fail. Many vulnerable consumers will be left unbanked for the same reason.”
The survey findings come as The Payments Association announced it had shared a Briefing Paper with the new interim MD of the PSR, David Geale, to highlight the community’s concerns and areas that would benefit from immediate attention. This followed the resignation of Chris Hemsley on 7th June, who was appointed managing director of the PSR in 2019.
The Payments Association understands the PSR is not inclined to concede any delay to the implementation of the rules nor listen to the industry’s demand of significantly lowering the £415,000 threshold. Nonetheless, The Payments Association will continue to demand change to these sets of rules that are set to significantly compromise competition, innovation and reduce the attractiveness of the UK jurisdiction when compared to the other global major players. It will demand the government to intervene in order to ensure regulation is set to boost growth and stifle the payments industry.