This is the text of the speech as drafted and may differ from the delivered version. This speech was delivered by our Managing Director, Chris Hemsley, at the Counter Fraud Conference 2022, providing thoughts on APP scams.
Good afternoon. I’m Chris Hemsley, Managing Director of the Payment Systems Regulator (PSR). We are the independent economic regulator of the systems that sit behind most of the ways that people and businesses make and receive payments – be it by cash, card or bank transfer.
And today, I’d like to talk to you about whether prevention is better than cure.
If my research serves me right, Erasmus was the first philosopher to pen the phrase.
Today, this principle is most attributed to health care, but it is also a phrase that gets used in the context of fraud and, in particular the subject I would like to discuss with you now – Authorised Push Payment scams, also known as APP scams.
All of us here will be able to talk about a scam example, whether it’s a personal experience or through someone you know. It’s a significant and growing problem.
Every year thousands of people are tricked into sending money to fraudsters in APP scams. These types of scams rely on deception and psychological manipulation so that the victim sends the money to the fraudster.
In payments speak: the transaction is authorised.
These scams can cause significant harm to victims, with many losing life-changing amounts of money. The number and cost of these scams is increasing, along with fraudsters’ sophistication and persistence.
And even if these victims are reimbursed – there is still harm. The victims feel shame, embarrassment, and the worry over whether they will get their money back. And, when they do, it comes at a cost to banks, which ultimately has to be paid for.
For all of these reasons, APP scams are a very significant problem. And they are a problem that is getting bigger. Industry published[1] data shows that in the first half of 2021, APP fraud increased by 71% to around £355m – that’s larger than card fraud.
And in the same period in 2021, it affected over 100,000 people.
At times the debate around APP scams is framed around a question of who is to blame?
This is an easy question to ask and answer – It’s the criminals.
But a more useful question is how do we prevent these harms from happening?
Here, Erasmus was right in terms of prevention being better than the cure. We should strive towards preventing APP scams from happening in the first place. Something that – as I will go on to talk about – will take some time to achieve.
But we also need to improve the cure. And make sure it works properly – looking after blameless victims by reimbursing them, when they have done nothing wrong.
This is important for a number of reasons.
First, it cannot be right that victims lose life-changing amounts of money, due to the vulnerabilities that exist in our payment systems. Any of us could fall victim to APP scams. So, we would all – surely – support the idea that we look after victims of fraud. Even if this increases costs.
And second, leaving victims to face these costs is less likely to help prevent fraud. Whereas appropriate reimbursement of victims places the incentive on firms to do more.
We do also need to be realistic. Individuals need to take responsibility and be careful when transferring money.
It will also take time to get on top of APP fraud. And it will – in common with many such crimes – require constant attention.
One reason for this is that fraudsters are very clever and change tactics quickly. This means an effective solution needs to be able to evolve over time and be replaced, if necessary.
Which is why we need to get the incentives right. So that those best-placed to act have a financial incentive to do so.
And that isn’t where we are today. The incentives to prevent the scams from happening are not properly aligned:
- Not all firms will reimburse victims.
- Firms that make it too easy for criminals to recruit victims, such as social media firms, do not yet pick up any part of the bill.
- And firms that fail to act when their accounts are being used by criminals to receive and move funds, do not yet face the costs that this puts into the system.
So, how do we make sensible improvements in the near term, and also move towards a better, coherent approach to preventing this fraud over the longer-term?
Here, I would like to talk about what the PSR has achieved so far. Our immediate next steps. And then say a few words about what a longer-term, coherent solution might look like.
At present, one significant feature of the PSR’s action is that we have had to consider what we can achieve within the current legislative framework – because there are limits. We are prevented from using our powers of direction by legal constraints in UK law – constraints originating from EU payments regulations.
It’s why we have welcomed the Economic Secretary to the Treasury’s confirmation that the legislative barriers to prevent us from taking more direct action will be removed.
The PSR’s recent actions on fraud
This current legislative barrier explains a large part about how we have gone about tackling APP fraud to date.
Our work has been focused on how best to address major harms, as quickly as possible.
The first element was to understand the problem. APP scams were not accurately recorded by banks and building societies and this, coupled with the fact that until relatively recently, victims would have never heard of an APP scam, presented a significant challenge.
We challenged industry and UK Finance to collectively set out an agreed way of reporting these losses to give us a more accurate picture. We can now see the full scale of the problem.
The second was to step in to protect people from harm. Here, we brought together industry and consumer groups to design and implement the Contingent Reimbursement Model code (the Code). This was the first time that an agreement had been reached on how people would be treated if they ever fell victim to an APP scam.
It was an incredibly important step – demonstrating to customers that those financial organisations take these crimes seriously and will protect them when they have done nothing wrong. And, for the first time, it meant there were protections available to people - protections which, quite simply, had never been available before. You would just have lost your money.
The third key deliverable is our work on Confirmation of Payee (CoP) – the name-checking service designed to help people spot when new payee details aren’t right.
The UK’s payment systems had a key vulnerability that made it too easy for criminals to impersonate legitimate businesses.
Previously, when you instructed a payment, you would typically enter the sort code, account number and account name. But the account name was – to put it bluntly – just ignored. I could have asked you to pay my account, using the name ‘British Gas’ or ‘HMRC’, or the name of the solicitor handling the deposit for your new home.
It was all too easy for criminals.
In response, we used our regulatory powers to introduce Confirmation of Payee. This additional layer of security means that the account name is checked against the account details. Allowing the customer to understand whether there is an exact match, close match or no match at all.
And I expect most of you in the room will have now used this service.
There is still more to do to make the service universal, as the roll-out has been separated into two key phases. The first saw us direct the UK’s six biggest banking groups to implement the service.
Why just those six?
Well, together, those groups accounted for around 90% of the relevant transactions. Our focus here meant that this new service could be given to the significant majority of transactions, much more quickly than if we had waited for a market-wide solution.
And it has worked. Feedback to our consultation in 2020 showed that CoP provided significant benefits and prevented certain types of APP scam.
It’s why we’ve been working with industry to get to the point where the service can be ubiquitous. Because protection should be for everyone, we must see other firms having the capability to offer it to their customers.
The next phase of PSR action
In the next phase, a number of technical changes will be made to make it easier for more banks and building societies to join, and to improve the information that can be shared between institutions – allowing a wider variety of accounts to be checked.
We continue to support this process – again, using our regulatory powers.
These are real steps forward: better data to understand the problem; the CRM Code has protected many victims; and Confirmation of Payee (CoP) has helped prevent some types of APP scams.
Turning to the second, current phase of activity.
Here, the PSR has been focused on building on the early successes and looking for ways to address the remaining issues.
I would like to highlight three such issues:
- Many banks and building societies are not signed up to the voluntary Code and are not providing equivalent protection.
- Some of those that have signed up have taken some time to handle cases properly – according to our own assessment of reimbursement in the last quarter of 2020, some institutions only refunded 30% of cases. Others reimbursed 76%[2].
- Today, the costs are largely met by the customer’s bank. But, what about the role of firms providing accounts to criminals or not acting fast enough to step in when accounts are taken over?
This is where our more recent proposals could play an important role – by using the power of transparency. Shining a light on what is going well and what is not.
Under our proposals, banks and building societies will need to publish data on how and what they’re doing to prevent APP scams, on reimbursement levels, and which accounts are being used to receive the fraudulent funds.
Transparency means customers can see how their bank (or prospective bank) is performing and gives them the chance to vote with their feet if they don’t think they are doing a good enough job. This has a simple effect and industry must act now to put better policies in place if they want to avoid their customers moving to banks that offer better protections.
It will also – for the first time – set out information about where the funds are going. To commit an APP scam successfully, a fraudster needs to transfer the money to another account they have control over.
Our plans will, therefore, highlight which institutions are managing these risks, and which are not. This will help inform regulators where more action might be needed, and provide valuable information to other banks, when understanding fraud risks across the system. I also think customers – and the public more generally – will care about who is not doing enough. It goes to their reputation.
Over time, we want to build on this approach, to obtain a transparent and balanced picture of how the whole ecosystem is dealing with fraud. And, when robust data allows, this could mean identifying where victims are being recruited: which social media platforms; and which telecoms providers.
Indeed, this highlights the importance of what can be done outside the financial system – where some of the risks originate. And where there looks to be an opportunity to make things harder for criminals.
The Online Safety Bill is a first step into greater regulation of online content and will start to create responsibilities on the part of social media platforms for the content they host – including content from criminals.
We support this approach – there needs to be greater consequences for those opening up vulnerabilities and not doing what they can to protect their customers.
Achieving a better, longer-term outcome
Which brings me to what we can do in the future. How can we do better at designing out fraud?
A first step is allowing the PSR to act, to improve the rules that apply to our main payment systems.
Currently, provisions originating from EU law prevent the PSR from acting to make reimbursement mandatory.
Which is why I welcome the recent announcement that government will bring forward legislation to allow the PSR to act. This will help us make protecting victims mandatory, applying to all relevant firms, not just those choosing to sign up to the current code. It will also provide a way to strengthen the arrangements that hold firms to account. With this financial incentive, firms are more likely to put better measures and security in place to prevent the fraud from happening in the first place.
With these powers in place, we can start to focus on building towards a better approach.
For me, there are a few key elements emerging.
First, we need the rules in all our payments systems to address fraud risks. They simply don’t do this today, and some instead reflect a historical perspective that the system rules should focus on technical matters.
People and businesses are using Faster Payments today, without the rules codifying the sorts of protections that are needed.
Second, we need to get better at sharing data and intelligence between participants. We should aim towards making sure that the system learns fast. Fraudsters will adapt. But ultimately, they need access to an account. Once we identify a fraud, we need to act fast to close off the routes they are using to take money out of the system. The payment systems can help by sharing intelligence.
Third, we need increasingly to distinguish between different sorts of payments. Today, the customer journey when transferring a few quid to a friend, buying something on the internet with their bank account and transferring a house deposit to their solicitor are much the same.
It seems to me that a payment to a friend should look and feel quite different from when I am using my account to buy something. And feel very different when I am moving life-changing sums when buying a house. This points to the need to create clearer distinctions between different types of payments; likely backed by new branding and trustmarks, so that customers understand more about the protections that they can expect.
Fourth, we need to move towards a better allocation of fraud risks and the cost of reimbursing victims. Here, it seems generally right that your bank should protect you when transferring money to friends, including through continued use of confirmation of payee.
But, when buying something, there is a good case for much of the liability for fraud to pass to those banking the business that is selling you something. This is broadly what happens for a card purchase. And it would more closely allocate costs to where the risk arises. The introduction of legislation and the changes that the PSR would take forward would present a good opportunity to take a fresh look at these rules.
This represents a step-change in how we approach fraud within the interbank payment systems. And it implies a step-change in the approach we need from the payment system operators – notably of Pay.UK, who runs the Faster Payment System.
To deliver these changes it will require Pay.UK to take on a larger coordinating role. Taking responsibility for setting rules that make it harder for fraudsters, who currently find it too easy to take advantage of Faster Payments. These rules will need to adapt quickly in response to new threats. And, of course, we need rules that require firms to look after victims.
This is important for a whole range of reasons. Not least as it will reduce the number of victims of fraud, including by sharpening up the incentives on all parties to act.
We need to rely on everyone to play their part in order to provide better outcomes for victims, by preventing fraud in the first place.
To get on top of APP fraud, we need better prevention. And we need sharper incentives in place to prompt everyone who can act, to act.
This means continued action by those banks and building societies that took the first step to protecting their customers. It now needs to mean ALL payment firms – including those at the receiving end.
And this needs to be backed by a more active role by Pay.UK to improve Faster Payments.
The impact of what we are doing, which is ultimately to generate better ways to prevent fraud will benefit all parts of the economy, not just consumers.
So, to step up Erasmus’s theory – prevention and cure should be the gold standard for protecting people from APP scams.
Thank you.
[1] https://www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf
[2] https://www.psr.org.uk/media/5yvpidyc/psr_cp21-3_app_scams_call_for_views_feb-2021.pdf