How will the PSR's new APP fraud rules impact banks' inbound transaction processing?

In September 2022, the Payment Systems Regulator (PSR) consulted on a number of measures to address Authorised Push Payment (APP) fraud within the UK’s faster payments system. Now that the Financial Services and Markets Act (FSMA) House of Lords has achieved royal assent, the PSR now has the authority to enact a number of proposals to tackle APP fraud in a more targeted and rigorous way.

The PSR proposals will radically shift the incentive to all payments firms with the aim of proactively prevent APP fraud from occurring.

According to UK Finance, over £480 million was stolen from over 200,000  consumers through APP scams during 2022, taking the form of purchase, investment, romance and impersonation scams.

Financial institutions are making progress toward tackling this challenge, and a report by UK Finance states that the amount returned to customer has increased to 59% of losses in 2022.

The proposals set out by the PSR seek to introduce measures including reimbursement to victims in all but exceptional cases, improvement in the level of protection for APP scam victims, and incentivisation for banks and building societies to prevent APP scams. These new measures are now set to come into force in October 2024.

In order to meet these new requirements, there is a need for maturation of banks’ inbound transaction processing when it comes to fraud prevention. This undertaking will incur a huge cost on banks in terms of both technical transformation and operational expansion.

The shift in liability is important not only because it is logical, but because it is going to be reflected in the fact that 50% of the refund cost will be borne by the institution where the money is being received.

Why is APP fraud such a challenging criminal activity for banks to solve?

This challenge fundamentally stems from the fact that banks have developed systems to stop criminal activity over the past 10 years which focused solely on stopping criminal activity associated with transactions leaving bank accounts. This was a result of the rise of online banking and account takeovers.

KYC and digital biometrics had emerged in efforts to prevent anyone who wasn’t the account holder from accessing accounts. Anti-money laundering and sanctions screening all tended to take place on this outbound leg.

The key to preventing APP fraud, is that banks need to be looking at the bank account receiving the payment, rather than focusing on the account which is sending the money – as typically the person making the transaction is the true account holder, not the criminal.

As the average loss associated to APP fraud is about £2,300 per loss, banks find themselves in a tricky situation of having to decide whether or not to investigate - at significant expense - each case.

This means the fraudsters have found a sweet spot.

High volume, small value thefts make it very operationally challenging for banks to justify intervening or resolving every instance of theft. Beyond operational headwinds and cost, customer experience can also be jeopardised by failed payments and investigations. Faster payments require decisions to be made in real-time, as customers expect to be able to send money instantly. False positives are therefore highly compromising for banks from a customer experience point-of-view.

Banks need systems which are much more effective via automation and centralised learning models in order to reduce overall costs and improve false positive rate – effectively allowing more non-fraudulent transactions through without friction while stopping more of the fraudulent transactions. Centralised learning models that are designed to leverage consortium level data present a compelling approach that is beginning to gain interest across the industry.

How will the PSR’s incoming rules impact bank’s approach to APP fraud instances?

Positive steps have been made around bank reimbursement in cases of APP fraud in recent years. For instance, ten PSPs have signed up to the industry’s Contingent Reimbursement Model (CRM) Code. Following the Code’s introduction, the PSR notes that the rate of victim reimbursement by value rose from an industry average of 19% in the first half of 2019 to 59% in 2022. Also, TSB has offered a fraud refund guarantee since 2019: the bank fully reimburses all APP scam losses unless the customer has been grossly negligent (refunds are currently capped at £1 million).

 “Under [the PSR’s proposal] Measure 3,” states the PSR’s policy update from March 2023, “we will require PSPs to reimburse victims of APP scams in almost all circumstances. The liability for doing so will be shared 50:50 between the receiving and sending PSPs.”

In reference to Measure 3, the regulator’s 2022 paper reads: “The industry needs to do more to prevent APP scams. This includes identifying potentially fraudulent payments before they are sent, and preventing fraudsters receiving payments in UK bank accounts. We think that the Faster Payments ecosystem as a whole – Pay.UK and PSPs – needs to work together to prevent harm to consumers who use the payment system.”

Despite these desired reductions in APP fraud, we may see a brief uptick in instances once the new rules come into play. This could be a result of a number of factors, including the fact that a guaranteed refund from the bank might increase the number of reported cases which historically consumers have been too embarrassed or ashamed to raise – for example the FBI estimated that only 7% of fraud cases are reported in the US. Also, with the guarantee of reimbursement, consumers may take less care around security and be less attuned to signs of coercement. Finally there may be an increase in first -party fraud, where customers fraudulently claim they have been the victim of a APP scam in order to claim the refund.

Ideally, even if banks see a slight short-term increase in these instances as a result of the new obligations, it will encourage them to invest in solutions that better identify APP fraud and address the fact that the liability has shifted from the customer and onto the financial institution.

If banks begin to collaborate more effectively and leverage industry-led solutions, the knock on effect in the long term is likely to deliver strong AI-based models that can tackle both outbound and inbound transaction screening to reduce APP fraud by 30-50%.

This collaboration will be essential for all players across the ecosystem, few more so than for smaller PSPs. Smaller PSPs are likely to bear the brunt of the incoming rules as they could potentially suffer higher percentages of inbound APP fraud compared to their outbound APP fraud rates. On top of this, they are currently less likely to reimburse APP fraud victims and have potentially less mature APP Fraud Prevention solutions in place currently.

Fundamentally, the PSR is trying increase liability, increase responsibility and ultimately increase effectiveness of consumer protection regulations.

The PSR’s shift toward increasing liability on institutions will also be clearly demonstrated in its proposed ‘Measure 1’, which will see periodic publication of an industry ‘scorecard.’ This scorecard will be published every six months, and will be a publicised league-table, showing the performance of APP fraud management by PSPs across the industry. While data reporting methods are likely to change over time, the three metrics used by the PSR to measure APP fraud management earlier in 2023 included:

• Metric A: The proportion of APP fraud victims left out of pocket.
• Metric B: APP fraud rates for each sending PSP.
• Metric C: APP fraud rates for each receiving PSP (not including any money that has been returned to the victims).

The publication of this APP fraud league table holds the potential to have a significant reputational impact on banks which perform badly in their APP fraud management.

Why is inbound transaction processing key to addressing APP fraud?

This shift to inbound transaction processing is essential to addressing APP fraud instances, because banks will be monitoring the criminals behaviour rather than the victims’.

In APP fraud cases, the criminal is the one receiving the money. Even if the account is that of a mule. That is where we need to shift the emphasis in terms of screening, freezing the accounts and ultimately prevention of the activity.

Confirmation of Payee (CoP) has been a recent effort to tackle this issue, and has reduced APP fraud instances by up to 10%. While some may say that's an overestimation, the reality is that you're also expecting fraudsters to shift from types of APP fraud which are easily stopped by CoP, to other tactics.

What is key in the context of APP fraud instances, is that inbound screening allows firms to identify the risk associated with the account receiving the funds. As the receiving bank has more information about the receiving account (the criminal’s account) than the sending bank, they are in a better position to pre-emptively identify, stop and close the account before the money can be received. What this means for financial crime prevention is that in five to ten years’ time, banks will be required to carry out ‘always on’ screening for any bank accounts in the banking network, so that accounts which may be being used for financial crime purposes are identified and dealt with.

Of course, denying individuals access to financial services is a very serious action, and institutions must be certain that their financial crime management tools and techniques are more sophisticated than they are today.

How can financial institutions best prepare for the incoming rules?

There are three key areas that financial institutions must address in order to prepare for the PSR’s incoming rules, and an openness to collaborating with other industry players is central for banks to achieving them.

First, they must investigate the technical requirements necessary to be able to carry out inbound screening. Given the complexity of many banks’ systems paired with legacy technology challenges, they must consider and understand precisely the type of solution or tools they will need in order to meet the demand of screening inbound payments. Working in partnership with payment processing technology firms means that banks can reduce their dependence on legacy processes, and instead allow third parties to more effectively manage the orchestration of inbound tasks.

Second, banks should prioritise selecting vendors that utilise consortium level data to make risk decisions. This is because any single bank’s internally collected and stored data for building models, will be insufficient to effectively identify criminals. If banks attempt to operate independently, they will be limiting themselves by using only the data they themselves collect and manage, rather than benefitting from the wealth of data available in a consortium data model.

By working with technology providers, banks can opt-in to consortium level solutions, which build sophisticated machine learning models that are fed data from a multitude of institutions which participate in the consortium. This means the model is much more effectively able to learn how to identify key markers of APP fraud on inbound transactions. The ability to compare fraud detection rates and false positive percentages from the vendor is a vital starting point, however, applying these case studies to the idiosyncrasies of a given bank is the key. Proof of concepts to understand performance of the solution and how long it may take to return a score is a clear example of determining real-time speed and responsiveness. Solutions that are built on consortium level data will outperform solutions which built on a single institution’s siloed data.

The third hurdle for banks to address may be the most challenging, as they must figure out how to operationally process all of the additional financial crime alerts being generated. It is not possible for banks to be able to receive and address the flagged inbound transactions if they do not have the operational capacity to investigate them. Adding the resource to be able to manage this new source of flagged incoming transactions will be a significant challenge for financial institutions.

Working with technology providers that offer a suite of technologies that will complement and enhance APP fraud inbound screening processes, while leveraging consortium level data, will ensure that the financial institution is better equipped to deal with a diversity of tools to counter the evolving financial crime environment.

Conclusion

The incoming changes in the PSR's approach to combatting APP fraud underscore crucial shifts for financial institutions in the coming 12 months. Prioritising inbound screening acknowledges the need to focus on the recipients of funds, a pivotal strategy shift to counter fraud effectively. Leveraging consortium level data emerges as a key step in effectively tackling APP fraud and will enable the creation of robust machine learning models that enhance the accuracy of fraud detection.

Balancing model performance across holistic and specific segments ensures improved screening outcomes. With the new PSR rules to be brought in in October 2024, swift action is essential to mitigate brand risks, customer experience issues, and rising costs. By embracing these changes, financial institutions can proactively adapt to evolving threats, reinforce customer trust, and navigate the changing regulatory landscape into the future.