Hendersons - Barristers' Chambers
Articles Banking, Finance & Financial Services 25th Jul 2024

Alerter by Thomas Evans and Vishnu Patel – Amendments to the Payment Services Regulations to combat Authorised Push Payment Fraud

This article was first published in the Butterworths Journal of International Banking and Finance Law (2024) 7 JIBFL 460, available here.[1]

The Treasury has announced its intention to amend the Payment Services Regulations 2017 (PSR). As a means of combatting authorised push payment (APP) fraud, banks will be given the power to delay the transferring of funds where they have established that there are reasonable grounds to suspect that the payment order has been placed subsequent to fraud or dishonesty. When utilising this discretion, they must inform their customer, who can then decide whether to rescind their instruction. Although the new power may prevent many instances of fraud, it is not without its problems, and this article discusses six sets of issues.

THE NATURE OF APP FRAUD

In APP fraud, a fraudster deceives a victim into transferring funds into an account controlled by the criminal, from where they will be quickly dissipated. The fraud typically involves the advertisement of fictitious goods, services or investments which do not materialise (the malicious payee scam) or the impersonation of genuine individuals or organisations resulting in payments being made to the wrong accounts (the malicious redirection scam). Whilst the method varies, the mechanism is ultimately the same: the victim is induced to send a valid payment order to their bank instructing it to transfer funds to the fraudster’s account.

APP fraud is a significant problem. In 2022, there were over 207,000 reported incidents of such fraud within the UK – 200,000 involving consumers and 7,000 involving non-consumers. This represented a 6% increase on 2021, and a 34% increase on 2020. Between 2020 and 2022, APP fraud accounted for payments totalling £1.49bn.[2]

SOLUTIONS TO APP FRAUD

The challenging issues for financial institutions, regulators and government are how to prevent APP fraud, and, where it can’t be prevented, how to apportion losses. Any solution must balance protecting customers from fraud against the risk of causing costs and delays within the payment services network.

Recently, a possible solution was considered in Philipp v Barclays Bank UK plc [2023] UKSC 25. It was argued that the so-called Quincecare duty extends to APP fraud, and that a paying bank is liable to its customer for APP fraud where it carries out the instruction in spite of being on inquiry of the fraud. However, the Supreme Court disagreed. As Lord Leggatt explained, the rule in Quincecare is a specific application of a bank’s duty to act in accordance with its authority. Where a customer’s own agent is attempting to defraud the customer by submitting an unauthorised payment order, the bank will be acting outside the scope of its mandate if it is on notice of the fraud but nonetheless debits the payment.[3] However, and crucially, in cases of APP fraud, the victim is instructing his or her bank to make payment. The payment order is valid.

A second possible solution was raised in Philipp v Barclays. Without deciding the point, the Supreme Court held (at [118]) that it was at least arguable that Mrs Philipp’s bank may have been under a “retrieval duty”, i.e. a duty to attempt to recover the misappropriated funds after the event. The possibility of such a duty was similarly considered in CCP Graduate School Ltd v National Westminster Bank plc [2024] EWHC 581 (KB), in which the court declined to strike out a claim premised on the existence of a possible retrieval duty imposed on the receiving bank, though the existence and scope of any such duty remains unclear.[4]

From 7 October 2024, the Mandatory Reimbursement Scheme (MRS) will apply. In summary, the MRS entitles consumer victims of APP fraud to reimbursement of up to £415,000, provided that they have not acted fraudulently or with gross negligence, with the loss being split between the paying and receiving banks.[5]

OVERVIEW OF THE DRAFT PAYMENT SERVICES (AMENDMENT) REGULATIONS 2024

Against this backdrop, and in particular the roll out of the MRS and (potentially) the discourse which resulted from Philipp v Barclays, HM Treasury announced its intention to amend the PSR to combat APP fraud. It published a Policy Note[6] and the draft Payment Services (Amendment) Regulations 2024 (PS(A)R 2024), to be laid before Parliament in summer 2024, with a view to them coming into force on 7 October 2024. This, however, was before the general election.

In outline, PS(A)R 2024 will introduce a beguilingly simple change to the PSR. Currently, a bank which receives a valid payment order must generally execute it. Whilst a bank may warn its customer that it is potentially being defrauded, it ultimately must comply with any valid instruction. The amendments to the PSR will confer on a paying bank a discretion to delay a transaction in circumstances of suspected fraud, giving time to the customer to reconsider, and rescind, its payment order. The power will apply to transactions executed within the UK in Sterling.

As to the detail of the new power, PS(A)R 2024 will insert new paras (2A) to (2D) into reg 86 PSR, and will make further consequential amendments. The key changes are as follows:

  1. Regulation 86(2A) PSR provides the conditions in which the power to delay may be exercised, principally that the payment service provider (PSP) “has established that there are reasonable grounds to suspect a payment order from a payer has been placed subsequent to fraud or dishonesty perpetrated by a person other than the payer”.
  2. Where the conditions apply, reg 86(2B) PSR provides an exception to the general rule that valid payment orders must be executed, in that “the payment service provider may delay crediting the amount of the payment transaction to the account of the payment service provider of the payee for the purpose of contacting the payer or other relevant third parties to establish whether it should execute the order”.
  3. Regulation 86(2C) PSR provides the maximum period for the delay, which is “no longer than necessary to achieve the purpose described, and in any event, no longer than the end of the fourth business day following the time of receipt of the payment order”.
  4. Regulation 86(2D) PSR provides the steps which the PSP must take to notify its customer.
  5. Finally, reg 94 PSR as amended provides that a PSP which delays a transaction will be liable for its customer’s charges and interest incurred “as a consequence of delay to the execution of a payment order in reliance on reg 86(2B), irrespective of whether the payment order is ultimately executed”.

THE STANDARD OF SUSPICION

The first set of issues concerns the test: what does it mean for a bank to have “established” that it has “reasonable grounds” to “suspect” that a payment order has been placed “subsequent to fraud or dishonesty”?

The standard of proof is not entirely clear. Whilst the word “established” on its own might imply a balance of probabilities, all the bank must have established is its “reasonable grounds for suspicion”. This concept is more commonly found in criminal law (for example in the context of stop and search) and implies some factual basis which is genuinely believed and which is objectively justifiable, even if the weight of evidence is not persuasive.

Further, the standard of proof may be difficult to apply in practice. PS(A)R 2024 does not make clear what information and data sources can be taken into account, and which should be excluded. For example, can (any) weight be placed on the fact that the receiving bank account has only recently been opened, or has seen several inbound payments quickly sent overseas? Can a bank rely on open-source information found on social media? Is it enough if, for example, 1% of all cryptocurrency transactions are initiated subsequent to fraud or dishonesty for a bank to have a reasonable suspicion that all such transactions might be?

Perhaps more difficult is the question of whether a bank can take into account the subjective characteristics of its own customer. If the customer is financially sophisticated, is it less likely that he or she would be induced to enter into a fraudulent transaction? What if the customer is known to be vulnerable or to have been a victim of APP fraud in the past? Should a risk assessment be dynamic and assume that they are more likely to be a victim again? Can a bank consider information specifically provided by customers, for example that they previously stated that they always carry out due diligence before making certain investments? Or is this equivalent to allowing consumers to opt-out of the delay mechanism? In short, could a bank delay a transaction for one customer but not delay an identical transaction for another?

Further, the object of the suspicion is not that a payment order was caused by fraud or dishonesty, but merely that it was “subsequent” to fraud or dishonesty. This suggests a far looser connection than a “but-for” cause between the fraud or dishonesty and the transaction, whereby any fraud or dishonesty in the background factual matrix might be sufficient.

Similarly, the concept of dishonesty (encompassing mere recklessness as to truth) potentially expands the circumstances in which the power of delay might be utilised far beyond classic instances of APP fraud. For example, if there is open-source material online suggesting that a broker has been systematically and recklessly misrepresenting timeshares, is that sufficient to block payments to the timeshare broker?

Finally, an implicit requirement that a suspicion must be objectively justifiable may create issues where a bank uses artificial intelligence to carry out its risk assessments. Such systems regularly run into problems of explainability, and banks may need to be in a position to explain the algorithms used and how decisions were reached.

These are not hypothetical issues. As suggested below, a bank which errs in applying the test may face a civil claim, a complaint to the Financial Ombudsman Service or, at the very least, public criticism.

INTERACTION WITH THE MANDATORY REIMBURSEMENT SCHEME

The power to delay payments comes into force on the same day as the MRS, and the Treasury Policy Note (para 6.1) implies that the two are to dovetail. This gives rise to the second set of issues, namely how the power to delay interacts with a consumer’s right to reimbursement under the MRS.

At first blush, it may seem punitive that a bank is liable for any charges and interest which arise if, acting in its customer’s best interests, it seeks to prevent a fraud. This liability might be thought to disincentivise a bank from ever exercising its power of delay. However, if a bank does not exercise its power of delay, it may find itself liable to reimburse its customer (if it is a consumer) under the MRS for the full loss caused by the fraud. This may far outweigh the internal cost of carrying out fraud checks, coupled with the risk of having to pay a customer’s charges and interest, and this may incentivise banks to exercise the power of delay (at least in the context of consumers).

Further, under the MRS, consumers lose the right to redress if they fail to act with the standard of care expected of consumers. As the Payment Services Regulator has made clear, this includes:

“The requirement to have regard to interventions: Consumers should have regard to specific, directed interventions made either by their sending PSP, or by a competent national authority. That intervention must offer a clear assessment of the probability that an intended payment is an APP scam payment.”[7]

Therefore, a bank may be able to defeat a claim for redress under the MRS if it delays a transaction and warns the customer of the potential fraud. However, in addition to the information required by reg 86(2D) PSR (the mere fact of, and reason for, the delay), the bank should give a clear assessment of the probability that the transaction has been procured by fraud.

LIABILITY FOR WRONGFUL DELAY

The third issue concerns the potential that a wrongful exercise of the power of delay could give rise to liability. Where a bank is entitled to delay a transaction, its liability to its customer under reg 94 PSR will be limited to the customer’s charges and interest. However, what happens if a bank wrongly delays a transaction? Whilst the threshold for imposing a delay is a very low one, there may be cases in which a bank acts outside of the new power, perhaps because its suspicion is not based on grounds which are ultimately held (by the courts or the FOS) to be reasonable. In such circumstances, the bank will be in breach of its mandate, and may in principle be liable to its customer for more than mere charges and interest.

In addition, it must be asked whether a bank which wrongly delays transactions outside the scope of the new power could be liable to the receiving party. This may be very difficult to argue, as banks generally owe no duty to a receiving party, and the new power is clearly intended to protect the paying party. However, it is not fanciful to think that the point may be tested in due course. By way of example, if a bank identifies a trader’s account as being suspicious, it may stop all payments to it, thus causing the trader to lose all of its orders over an extended period of time whilst the bank investigates. The bank may later have to justify the basis for its reasonable suspicion. If it cannot do so, because its grounds were not reasonable or because it cannot – or does not want to – explain its algorithms, the trader could conceivably bring a claim. And if, for example, the trader in this scenario is an individual, he or she may allege that the bank’s suspicion may have been unlawfully based on a protected characteristic. Irrespective of whether such claims could succeed in law, banks could face clear reputational risks.

As such, it will not be open to banks to err on the side of caution, and they will be caught between the rock of liability under MRS and the hard place of liability for wrongful delay.

A DUTY BY THE BACK DOOR

The fourth issue is whether the discretion to delay could create a duty to delay by the back door. On its face, new reg 86(2B) PSR creates a discretion: the bank “may” delay a transaction, but is under no obligation to do so. However, if a customer such as Mrs Philipp faces significant losses which could have been prevented if the transaction was delayed, litigation may follow. It may be argued that the power of delay to prevent fraud carries with it an implied duty to act reasonably and in good faith, and not arbitrarily or capriciously, or even that exercising it amounts to the performance of a public function in the public interest by banks, and is thereby subject to an implied duty to act reasonably. Whilst a bank could likely not be criticised where it lacks necessary information, or where information is susceptible to different interpretations, it might be open to criticism if, for example, it receives a detailed and credible fraud report from the police but does not take prompt steps to block transactions to the account in question. That would give rise to subsidiary questions. On timing, how long after receipt of a report of fraud must a bank stop all transactions (noting, as above, the potential risk of claims for wrongfully delaying transactions)? On costs, what would it be reasonable for a bank to spend on fraud prevention?

Whilst the point remains to be tested, such a claim might be attractive to business customers who do not benefit from the MRS, or to consumers if the loss exceeds the £415,000 limit. Of course, even if such an argument were to succeed in principle, banks would have open to them all of the usual defences to claims for what would presumably be a claim in breach of statutory duty, including arguments as to causation (for example, if the customer would have authorised the transaction regardless of the delay).

OPT-OUT

The delay mechanism will apply to all consumers, micro-enterprises and charities, with no ability to opt out. However, following amendment to reg 63(5) PSR, banks can agree with all others (in essence business customers) that the delay mechanism should not apply. This gives rise to a fifth set of issues.

In deciding whether to opt out, business customers will need to balance the risk of fraud against the risk of a necessary payment to a supplier not being processed on time, potentially resulting in significant consequential losses (which are not covered by reg 94 PSR).

Their decision may depend on whether banks will offer a blanket opt-out to business customers, or the ability to opt-out in respect of certain transactions. For example, under reg 63(5) PSR it would seem possible for banks and business customers to agree that the delay mechanism should apply only to transactions above an agreed threshold. As such, relatively low value and routine payments to suppliers and contractors would not risk being delayed, but the business would have the protection afforded by the delay mechanism in respect of larger payments for which it may not be able to bear the loss occasioned by APP fraud.

However, if, as suggested above, there is a potential risk that the delay mechanism could give rise to claims if wrongly exercised (or wrongly not exercised), then it may be simpler for banks to try to avoid the risk altogether. And since the MRS does not apply to business customers, there may be little financial benefit to a bank for taking on any risk associated with delaying payments. At this stage, therefore, it is unclear whether it will be in the banks’ interests to allow business customers to remain opted in, or whether some will encourage business customers to opt-out, or may even amend their terms of business to include an automatic agreement to opt-out.

NOTIFICATION AND THE CUSTOMER RESPONSE

Further issues arise out of the customer notification requirement. Once the temporary delay has been imposed, the bank must notify its customer or “other relevant third parties” (presumably account signatories such as those with power of attorney) of the fact of the delay and the reason for it by the end of the following business day. Four points arise.

First, it is unclear what happens if the customer fails to respond. One reading of reg 86(2C) PSR is that the delay can last up to a maximum of four days and that, at the end of the fourth day, the order must be executed irrespective of the absence of contact from the customer. However, this is not clear. On one view, the transaction should not be held up further, and if the customer has failed to consider the warning, then liability shifts to them. On the other hand, a customer failing to provide a response may be a further indication of fraud. Either way, the bank would be well advised to follow up its initial notification with further contact through different channels.

Second, reg 86(2D)(c) PSR provides that the bank need not comply with the requirement to inform its customer of the fact of, and reason for, the delay, if to do so would be unlawful (presumably because information was received through a protected channel). But this creates the possibility of a bank informing its customer that a transaction has been delayed, but without being able to give more than a generic reason, such as a vague suspicion of fraud. That is likely of no assistance to the customer who will be unable to evaluate the information, and may unfairly cast undue suspicion on the receiving party. Or, in extreme circumstances, the bank may not even be able to say that it has a suspicion of fraud if, for example, that information might be relayed to the potential fraudster thus jeopardising a police investigation. Either way, the bank may not be able to say enough for the purpose of the gross negligence defence under the MRS.

Third, reg 86(2C) PSR effectively gives a customer at least four days (and potentially up to eight days given weekends and Bank Holidays) to consider whether to confirm or rescind a payment instruction. However, reg 94 PSR as amended provides that the bank is liable for charges and interest. It therefore appears that the bank is liable for such charges and interest even if they occur whilst the customer is unreasonably delaying in providing a response.

Finally, reg 86(2D)(a)(iii) provides that the bank may ask for information “to enable the payment service provider to decide whether to execute the order”. This is inconsistent with the power being the mere power to delay a transaction to enable the customer to reconsider it. It implies that the bank ultimately has the power to refuse to execute the payment instruction.

CONCLUSIONS

The power to delay is a welcome addition in the fight against APP fraud. Indeed, given that banks may be liable to reimburse consumer victims of APP fraud under the MRS, it is a necessary power which they can utilise to minimise the chances of fraud, and to provide themselves with a defence where their warning is not heeded. However, the power is not without its potential problems. In particular, it remains to be seen whether it will give rise to liability in cases where the power of delay is wrongly exercised, or whether it will be argued that the power of delay in fact creates a duty to delay.

Thomas Evans
Vishnu Patel
25 July 2024

[1] Available here: https://www.jibfl.co.uk/articles/amendments-to-the-payment-services-regulations-to-combat-authorised-push-payment-fraud

[2] UK Finance Annual Fraud Report 2022, pp 47-48 [https://www.ukfinance.org.uk/system/files/2023-05/Annual%20Fraud%20Report%202023_0.pdf]

[3] Philipp v Barclays is discussed in ‘No point preventing fraud: Philipp v Barclays Bank’ (2023) 8 JIBFL 513; ‘When is a bank put on notice of an agent’s fraud?’ (2023) 10 JIBFL 664.

[4] The possibility of a retrieval duty is discussed in ‘Does a bank owe a “retrieval duty” to the victims of fraud?’ (2024) 7 JIBFL.

[5] The Mandatory Reimbursement Scheme is discussed in ‘New challenges for tackling Authorised Push Payment fraud’ (2023) 9 JIBFL 605.

[6] HM Treasury Policy Note [Policy_note.pdf (publishing.service.gov.uk)]

[7] Payment Services Regulator: Guidance – Authorised push payment fraud reimbursement. The Consumer Standard of Caution Exception Guidance December 2023 [https://www.psr.org.uk/media/as3a0xan/sr1-consumer-standard-of-caution-guidance-dec-2023.pdf]

