This is the text of Chris Hemsley's speech at the 1LoD Fraud Risk Event on 5 December 2023 as drafted and may differ from the delivered version.
Good afternoon, I’m Chris Hemsley, Managing Director of the Payment Systems Regulator (PSR) in the UK.
Fighting authorised push payment (APP) scams is something I speak about a lot. Preventing payment fraud and protecting victims has been a long-term priority for the PSR.
As a result, we have seen some major changes in UK payments. The roll-out of Confirmation of Payee (the name-checking service that flags where recipient details don’t match when a payment is being made), the Voluntary arrangements for looking after victims of APP fraud through an industry code, a step-change in transparency over which firms are tackling this fraud and who is providing access to accounts.
These are all hugely important and major steps forward.
However, next year we will see a transformation in how APP fraud is dealt with.
So, I want to talk to you all today about what is needed now, in order to get ready for this change. It is a world-first, and some will find it harder to adapt. From a UK perspective, this change is coming. And I strongly suspect others will be following down this path.
Scale of the challenge
Before I do that, a brief reminder of what we are tackling and why.
We all know that APP scams have quickly become one of the most significant types of fraud, not just in the UK, but globally. APP fraud is now around half a billion pounds annually, affecting around 200,000 victims.
Each one of these frauds represents distress, shame, worry and – of course – the consequences of the financial loss. The house purchase that falls through. The lost life savings meaning that retirement becomes more distant.
Even if we protect victims from these sophisticated frauds, the costs still need to be met from somewhere. Which is why it is in all of our interests to get on top of this problem, and prevent as much of this fraud as possible from happening in the first place.
We know from data we published in October that some firms are doing much better than others at protecting their victims and preventing fraud, so we know it is possible for improvements to be made – in fact we think these actions could prevent between £70-120m of fraud, particularly if all firms were operating at the same level in terms of detection and prevention.
Prevention is key
That means driving change in the culture of payments to improve fraud prevention and focus all firms on protecting consumers and businesses.
The best way to do this is to get incentives to act and get them in the right places.
This means bringing in all payment firms into the arrangements. There are two aspects to this. First, moving to a mandatory approach – using the Faster Payments rulebook to include every payment firm using the Faster Payments system (FPS). Moving away from the previous voluntary approach that relied on firms choosing to do the right thing.
Second, it means bringing in incentives on both the sending and receiving side. After all, in order to commit an APP fraud, you need control of a payment account. Firms providing these accounts need to play their part in preventing fraud and in protecting victims.
This will be achieved by splitting the cost of protecting customers between the sending and receiving side. For the first time, this introduces a clear financial incentive on receiving firms to act.
One thing we cannot do at the PSR is to introduce a financial incentive on fraud origination. Social media and telecoms firms can (and should) no-doubt do much more to prevent APP fraud.
That’s why I was pleased to see the publication of the UK’s Online Fraud Charter last week. These developments demonstrate an important step forward and I hope will raise standards of protection against fraud on social media and telecoms platforms.
For our part, we will continue to push forward our work on transparency, considering the best way to improve the data available about both how well payments firms are tackling fraud and what their data tells us about fraud origination in social media and telecoms.
We are now implementing the changes
So, turning to the changes that we are putting in place and what UK payment firms should be doing to get ready.
We have already set out decisions on the key aspects of the arrangements. These include:
- The Faster Payments rulebook will require all firms to provide the same minimum level of protection to customers falling victim to APP scams.
- Unless the customers have acted with gross negligence, they will be reimbursed for most of their losses.
- The cost of this will be split between the sending firm and the receiving firm – 50:50. Putting those incentives in at the receiving end for the first time.
This will all be backed by legal directions from the PSR. So, all payment firms using FPS will be included in the system (both direct and indirect participants).
And, as the Bank of England itself confirmed, it intends that equivalent arrangements will also be applied to CHAPS (a same-day settling system for high-value payments).
This means that, if you run a payments business in the UK, you need to get ready now.
What you can do to get ready
There are broadly two things to focus on.
First, being engaged in the development and deployment of the new systems and processes that will be implemented over the next year.
Second, improve fraud prevention and detection. This includes:
- Improving real-time data insights
- Deploying better analytics solutions, including AI
- Invest in prevention that has the most impact
- Explore counterparties of concern.
If that list sounds familiar, it should be.
I took it from the event website for today’s sessions. So you are in the right place.
I would also add another to this list. The future solution to fraud risk management is in better data and analytics. We want risk-based, smarter ways of intervening on suspect transactions.
But there are also some slightly simpler actions that can be taken.
One is to review transaction limits and make sure that they are within your risk tolerance.
For those UK-based firms receiving payments, you will soon be picking up a liability for half of the cost of protecting victims that use accounts you provide.
There has been a lot of focus and concerns expressed about our proposed maximum level of coverage; which we set out for consultation as being the same as the limit applied by the Financial Ombudsman Service. £415,000.
While frauds of this scale are thankfully very limited in number – a fraction of one percent of overall fraud – they might have a major impact on smaller payment firms called upon to contribute to reimbursement.
This risk can be managed by deploying sensible transaction limits to your customers. Not every institution allows such large amounts to be processed instantly. My own bank doesn’t. In fact most banks don’t allow payments of this size – as Pay.UK’s website sets out.
Having effective risk-management tools in place is key but so are simpler ways to manage fraud and financial risks.
Incentives are already prompting action
So that is the challenge we are facing– making the step-change in fraud prevention a reality.
But, the positive news is that we have good reason to believe it will work and have a significant impact on fraud levels.
We know this because we are already seeing evidence that the incentives we are putting in place are helping focus efforts on fraud prevention.
- firms are investing more in fraud prevention and data technology
- we know that firms are starting to share more information
- there is progress on deploying new fraud detection capabilities in FPS
- the FCA has used the data collected by the PSR to inform its supervision of payment firms. Most publicly, taking action against firms at the wrong end of our transparency tables.
And, more generally, stakeholders have told us that our work is having an impact. Firms want to learn from others and raise their performance towards those that are currently leading the way on fraud detection and prevention.
This has to be the right approach.
The international dimension
The other piece of perspective I’ll offer is the thought that we are leading the way in addressing the problem of APP scams.
It is not a UK-only problem; and we are seeing the growth in APP scams elsewhere in the world.
However, it is important to recognise that the work that everyone in UK payments is doing is helping the UK get ahead of this problem.
Our approach and response to this challenge is being watched across the globe. Australia is looking at reimbursement mechanisms. The EU is rolling out its own Confirmation of Payee service.
The work we have driven is having a positive impact and others are looking at how the solutions we’re delivering in the UK can work in their own environments.
The next steps
So, to close with a brief look ahead.
We will shortly be setting out the final set of decisions on when the new APP arrangements will go live.
This means that from here on in, we will be focused on implementation of the new arrangements. Both in legal terms but also working through the important aspects of supporting systems, processes and communication to customers.
We will also be standing up a team within our new Supervision and Compliance Monitoring division, to support compliance with the new rules. It is important that firms comply with the new rules – and we will be reporting on how well it is going.
And we will be continuing our work to use data transparency to shine a light on who is doing well and who needs to improve – moving our focus towards origination: social media and telecoms.
So, I will leave you with one further thought:
- We have made significant progress on APP fraud
- But we now have the chance to really get on top of it.
- That means getting on with implementing better approaches to fraud risk management, as there remains time to get ahead of the new rules.
These rules will sharpen up the incentives to tackle this problem. But it is also, of course, the right thing to do.
So, I hope you have a very engaging and productive event – continuing the good work to tackle fraud by preventing it in the first place.