Warning: UK Makes Reimbursing Customers Tricked into Authorizing Payments Mandatory
By: Kai Zhang and Judie Rinearson
Authorized push payment frauds (APP fraud) happen where one is tricked into sending money to a fraudster posing as a genuine payee. Currently some protection is provided to UK victims via a voluntary industry code. However, this has been considered insufficient. So now a new mandatory reimbursement regime is coming, from 7 October 2024.
Under the new regime, the payment service provider (PSP) of the payer who has fallen victim to an APP fraud (the sending PSP) must reimburse the victim within 5 business days of the victim making a claim. The PSP can “stop the clock” in specified circumstances (e.g. to investigate) but this cannot exceed in total 35 business days from the claim date. The victim must make a claim within 13 months of the payment.
Only UK domestic payments made through the Faster Payment System (FPS, a system for (almost) real-time payments of up to £1M) are covered. This means card payments or ACH payments would be outside the scope. It is the sending PSP that must reimburse the customer but it can claim back 50% of the reimbursed amount from the receiving PSP (where the receiving account is held). The reimbursement is capped at £415,000 (~US$536,000) for any single APP fraud. The sending PSP can also impose an “excess” of up to £100 (~US$125) (essentially, no reimbursement if the payment is less than £100/US$125).
In addition to individual consumers, the protection extends also to small businesses (with fewer than 10 staff plus turnover or balance sheet not over €2M/~US$2.17M) and small charities (with annual income below £1M/~US$1.28M). However, the sending PSP does not have to reimburse if the victim is found to have been “grossly negligent” in meeting certain standards of care, for example, if the victim ignored warnings. But if the victim is classified as vulnerable, then such standards of care do not apply (and the £100 excess does not apply either) — basically, reimbursement must be made regardless.
There is ongoing debate on some of the implementation difficulties, particularly with respect to the “gross negligence” concept, which is a higher standard than common law negligence. For a PSP to claim gross negligence on the part of a victim, the PSP’s warnings or other interventions must be specific for that customer — “consumer, scam, and transaction specific.” Boilerplate warnings that routinely accompany transactions of a similar type will not do. Even where a consumer ignored a bespoken intervention, the consumer should not automatically be deemed to have been grossly negligent. The PSP still needs to consider all relevant factors, including the complexity of the scam such as whether the victim was “in thrall of a scammer.” Other jurisdictions, including the US, will be watching closely to see how PSPs carry out these assessments, and whether this new rule will impact the availability and cost of real time payments.