This is the text of the speech as drafted and may differ from the delivered version. This speech was delivered by our Managing Director, Chris Hemsley, on 22 February at the Counter Fraud Conference 2023.
Good afternoon, I’m Chris Hemsley and I’m the Managing Director of the Payment Systems Regulator (PSR).
The PSR is the UK’s independent economic regulator of the payment systems that underpin our economy - the LINK cash machine network, Faster Payments, Visa, Mastercard, Bacs and – as of the end of August – the Sterling Fnality system. So, we now regulate payment systems from cash and cheques, through bank and card payments, and now a forthcoming wholesale payments system based on distributed ledger technology.
We protect people and businesses, including by promoting competition and innovation. In terms of what that means in practice, this includes protecting the availability of free-to-use cash machines, unlocking new ways for you all to make and receive payments and tackling the harms we see today in payments. This, of course, includes Authorised Push Payment (or APP) scams.
Today, I would like to talk about the role collaboration plays in tackling APP scams. These are scams where the victim is manipulated into transferring money to a fraudster.
Given that fraud doesn’t respect the boundaries of any one organisation, any sector or the differences between the private and public sector, collaboration between us all is critical for tackling this problem effectively.
However, what I want to particularly explore is what we can do to make that collaboration more likely. Warm words are not enough. We need to ask ourselves how can we unlock greater collaboration to tackle these difficult problems?
But, before I do this, I’d like to explain where we are – collectively – on Authorised Push Payment fraud.
In short: it remains a significant problem. The most recent full-year figures published by UK Finance show nearly 200,000 incidents of APP scams in 2021, with gross losses of nearly £600 million. While a small proportion of overall payments – which are measured in the trillions of pounds – the harm we are talking about here is very real and needs tackling. The financial losses do not measure the worry, uncertainty and hardship caused to victims. And let’s be clear: this could happen to any of you in this room.
So, a lot of us – including the PSR – have been working hard to make progress. Last year, I stood here and spoke about how we - all of us - can help prevent these harms from happening.
Progress in the fight against fraud
Now, a lot has happened in the space of a year - both within the financial services sector and beyond.
Looking back, from my perspective, there were some defining moments that have helped move us forward.
The first thing we did was to require all relevant payment firms to roll out Confirmation of Payee; the name checking service that is designed to reduce misdirected payments and APP fraud. You will likely have used this service by now, which checks that the name on the recipient’s account matches the details you gave to your bank. If you haven’t used it, you are using one of the firms in the remaining one per cent of the market that we directed to now adopt the service.
The next big step was the Government's support to change the law. An unintended consequence of European law prevents the PSR from using its powers. The Financial Services and Markets Bill removes this blocker, and is close to becoming law.
In anticipation of this change, we have been developing ambitious proposals that will fundamentally change the approach to preventing APP scams and protecting people.
In September last year, we formally consulted on a series of measures to address APP scams in faster payments – where we see 98% of APP scams. And here we have made considerable progress to ready ourselves and industry to implement the changes as quickly as possible, once the law is changed.
Our proposals will introduce minimum standards of customer protection into the faster payments rule book. Meaning that all payment firms using this system will need to protect their customers. This will also introduce incentives onto all payment firms to stop these frauds in the first place.
It is no surprise that there are wide ranging views on our proposals. But there was almost unanimous agreement on the need to take action to improve outcomes for victims of APP fraud.
We are considering the responses carefully, as we update and refine our proposals.
A “whole ecosystem” approach
These changes are part of a wider package of measures – we are pushing hard to make sure that all payment firms do everything they can to limit fraudsters’ ability to access the UK banking system and their ability to move money into their control.
This is a significant step in the right direction, but it isn't the whole picture. To ensure success we need to work to tackle the whole ecosystem – from fraud origination, enforcement, and repatriation of funds.
To be successful, we need to take action right across the fraud journey:
- where a victim is recruited, whether this is via social media or an impersonation call;
- while the transaction is being initiated and when it is underway;
- when it is received into an account controlled by the fraudster and then transferred to other accounts.
We can also get better at spotting these frauds and make it harder for the fraudsters to repeatedly target the same or other victims.
So, where next?
As you would expect, we are working through this with relevant authorities including HM Treasury, the Home Office, Police, and Ofcom.
In my view, here are some areas where progress can be made:
- First, at the source of the fraud. The anecdotal data we have seen from banks paints a clear picture on where victims are recruited: a large proportion appear to have begun within a social media platform. I want to see greater transparency here. If one of the social media platforms is making it easy for criminals, why not collect the data and then call this out?
- Second, making sure payment firms can manage fraud risks appropriately and proportionately. This could involve some extra friction in payments, in certain circumstances, to allow time to investigate potential frauds. Most transactions, such as to known legitimate businesses, can continue to go through instantly. But one-off and unusual payments might need to be treated differently. This is an experience customers are used to when using their card, and consumer groups tell us some friction is acceptable when applied appropriately.
- Third, informing and empowering customers to make good decisions. This needs to be more than the generic warnings we sometimes see when we make new payments – do these really work? We increasingly need risk-based interventions, to notify customers when a payment is identified as fraudulent and then to take firmer steps to stop these payments from being made.
- Fourth, of course, we also need effective law enforcement against these crimes – making life much less pleasant for those organising and committing these frauds.
To do this, it requires coordinated action across the public and private sectors. We see this working through the Fraud Sector Charters developed between the Home Office and accountancy, telecoms and banking firms to help address specific risks within those sectors. Through collaboration, we can all make a significant difference and reduce the number of frauds committed.
We are also seeing progress in unlocking better intelligence sharing between payment firms: allowing firms to consider the riskiness of payments and improve scam prevention. UK Finance have progressed a pilot that showed that sharing data between the sending and receiving firms helps with fraud detection. They have since worked with Pay.UK and payment firms to look at data standards and how best to share this valuable intelligence, through an API.
Collaboration and coordination between regulators is also important. Here, we work closely with the FCA – sharing data to inform their supervision and drawing on their expertise to inform our proposals. For its part, the FCA has been taking steps to combat misleading promotions on social media firms. The FCA has worked closely with several Big Tech companies to change their advertising policies to only allow financial promotions that have been approved by FCA-authorised firms. But more needs to be done by tech companies to tackle APP fraud and protect consumers.
Which brings me back to the importance of collaboration, in the fight against fraud.
I have been reflecting on what can support greater levels of collaboration. Of course, we are talking here about individuals and organisations working together, across boundaries. So, much like any good team, trust between individuals is important. As is clear communication and the ability to listen and learn from each other.
We also need clarity of a shared purpose. Something that is very clear in the context of fraud – each of us would agree that it is important to prevent fraud and protect victims.
So, what to do to make a difference and unlock greater levels of collaboration, to prompt more action?
I’ll call out two – awareness and the incentive to act.
Collaboration within and across the public and private sectors will be much more likely if both are in place.
Which means, first, that we need clear evidence about the scale and nature of the problems we are trying to address. This includes their root causes. We need to understand where the weak points are, if we are to focus our efforts in the right way.
And, second, we need clear incentives on all parties to act. We all respond to incentives, whether we like to admit it or not. These incentives can play an important role – it is easier to make progress if we are all lined up in the same direction. That isn’t the case today.
Understanding the nature of the problem
Turning first to awareness and understanding.
The PSR took action in 2016 to make sure that we started to collect and share information about APP scams. UK Finance now collects and publishes aggregate statistics that have helped us better understand the scale of the problem.
We now know more about the key drivers of APP scam losses, including the social engineering tactics used by fraudsters to defraud victims. We also have a good understanding of which types of APP scams cause the largest losses – which is investment scams.
More recently, we started collecting data on where APP scams are going. This means that I now know which firms are receiving proportionately higher levels of APP scams. This helps us to understand more about the weak points. As we can share this data with the FCA, this also means that this is informing the FCA’s supervisory efforts.
We are also going further. In March 2023, we will require 14 of the UK’s largest payment firms to provide six-monthly data on APP scam performance.
We will use this data to publish a balanced scorecard of APP scam performance. This will, for the first time, provide a picture of how well firms are handling APP scams – both in terms of prevention and in looking after victims.
Aligning incentives to act
Which brings me on to the second way we can improve collaboration: aligning incentives.
We can do this in two broad ways: financial and reputational incentives. And we can, of course, use both.
I think firms are more likely to take action, and more likely to actively collaborate, if it is clear who is doing well mitigating fraud and who needs to improve.
One of our objectives for the publication of a balanced scorecard is to prompt more action. It will provide transparency to consumers on which payment firms account for the highest levels of APP scams, and how well each firm is looking after victims.
More generally, transparency plays an important role in highlighting harm, the role various actors play, and encourages private and public sector organisations to prioritise activity effectively.
Which is why we will also be requiring payment firms to provide good quality data on where funds are going: which firms are providing accounts that receive high levels of APP scams.
This principle also applies to where victims are being recruited – be that telecoms or social media firms. I want to see the performance scorecard evolve into a wider whole-ecosystem view.
This will prompt more action across that whole ecosystem, including across the public and private sectors.
The role of financial incentives
While we are pushing transparency and the power of reputation, our approach is also firmly rooted in aligning the financial incentives on all parties to act. An approach we can use where our powers allow us to do so.
A key part of this is the introduction of mandatory standards of customer protection.
The Financial Services and Markets Bill (FSMB) provisions, which are currently before Parliament, will enable us to use powers to introduce minimum standards of protection for victims of APP fraud.
This will allow us to radically shift the incentives on all payment firms to act.
As I have talked about - we set out proposals that will require all firms using the Faster Payments System – which accounts for 98% of APP scams – to protect their customers. This moves us from a voluntary system, in which our largest payment firms chose to participate, to a system where all firms must act to protect their customers.
It is possible to characterise this as an intervention to protect victims. And, of course, it is.
But equally important is that it is also a fraud prevention measure. Introducing financial incentives where they will prompt action to cut fraud in the first place.
Consider one example – a firm providing accounts that receive a lot of APP scams. What reason would they have to take action to investigate and close these accounts today?
Our proposals will mean that it will be widely known who these firms are. And they will start to face the costs of looking after victims. Aligning their incentives to their customers’ interests, and with the wider fight against financial crime.
As more firms raise their game, we will get closer to the ultimate objective of limiting criminals’ ability to operate within the UK’s banking and payments systems.
Role for regulatory action
There is also an important role for regulators – including the PSR – to act where we can unlock progress. And we are doing this through changing the incentives on firms to act.
There is also another way that we can help – when firms rely on each other’s systems to prevent fraud. In such cases we can face a classic coordination problem. Everyone wants to act, but some coordination is needed.
The PSR’s intervention to bring in the name-checking service Confirmation of Payee is a good example of this. Most – if not all – firms wanted to see it rolled out. There was, however, no way of agreeing suitable deadlines and holding everyone to account. The PSR has now directed around 400 firms to overcome this coordination problem. Backed by powers of enforcement if there are firms that choose not to join in.
Finally, I’d like to make a point around the limits of collaboration. One that also falls to regulators and the PSR as a competition authority.
I have talked about the benefits of collaboration: aligning incentives, sharing intelligence and solving coordination problems.
We do, however, need to take some care to avoid this straying into unhelpful coordination of behaviour. Innovation and competition play an important role when combatting fraud. Firms that are better at it should have an advantage and attract more customers.
So, for example, while intelligence sharing unlocks benefits for all customers and firms, we do not want to see all firms agreeing set ways of managing these risks. This would risk being predictable to fraudsters, would tend to slow innovation that actually tackles fraud, and also risk firms agreeing what services to offer to customers.
Which takes me right back to where we started – in the last year we have taken a number of important steps forward in the fight against APP scams.
This progress has relied upon significant collaboration between a wide range of parties – all of whom can play a role in making it harder for these frauds to happen in the first place.
But – to be really successful – we also need to make sure that the conditions for collaboration are in place. This includes making sure that there is clear and reliable evidence of the scale and nature of the problem, combined with clear incentives on all parties to act.
With this in place, collaboration between customers, government, businesses and regulators will support coordinated action across the whole ecosystem.