The unappy mess of APP in the UK

I seem to have been immersed in APP fraud recently, mainly because the UK government is introducing new laws to manage such fraud on October 7.

What is APP fraud?

It is an Authorised Push Payment. It’s basically where you pay for something voluntarily which is not real, such as a parcel delivery that is false that came to you on an SMS text stating that they tried to deliver and failed. For more information, check out my recent blog about it.

Britons lost over £450 million to APP fraud last year, according to banking trade body UK Finance. However, some experts believe the true figure is likely closer to £700 million, as around a third of scams are estimated to go unreported.

OK, so consumers can be easily duped. What is the new law implementing? Seems to be basically that if the consumer is duped due to such frauds, then the payments company has to reimburse them. Sounds OK? Maybe, maybe not. In fact, the APP fraud scam ceiling has been set at £415,000 for each single case. Wow! So, if you are stupid and get involved in a romance scam or CEO fraud where the person you are paying is fake, it’s not longer your fault. It’s the fault of the payments provider.

The industry is not happy about it.

A paper produced by the Payments Association this month states the following in terms of the negatives of the new regulations:

• Guaranteed reimbursement invites moral hazard and first party fraud which attracts scammers/fraudsters to the UK and fraud rises
• Higher risk from A2A (Account-to-Account) payments results in de-banking of potential mules and vulnerable consumers, and as a result, financial exclusion rises
• Additional friction from Stop The Clock interventions* results in PSPs pushing customers to pay in cash or via the card rails
• Additional costs of reimbursement mean consumers have to pay more to make payments, especially those to new people/businesses or above a low maximum amount
• Additional cost reduces returns on investment from PSPs (Payment Service Providers) so firms leave the UK, fail or only enable payment via card rails
• Undermines competition because larger firms with other sources of income such as lending, that will benefit from only having to reimburse 50% of a scam claim rather than100% as at present, can accept the additional burden of reimbursement and the cost of handling customers who experience greater friction
• Inconsistent with other fraud regimes so reduces UK’s international competitiveness
• Public failure of PSPs gives UK bad reputation

Specifically Tony Craddock, Director General of the Payments Association, tells me that it’s not just PSPs but also EMIs (Electronic Money Institutions) and that the scale of fraud liability – and therefore the scale of the collateral that the fintech has to hand over to the EMI to get up and running – is completely different now that it includes APP fraud liability as well, i.e. companies and start-ups are hugely more exposed to such fraud and therefore will have to hold far higher levels of capital.

As a result, The Payments Association wrote to the PSR (Payment Systems Regulator), who developed this policy, calling for it to delay the measures by a year to “ensure the right policies, technology and systems are in place”.

The real issue is the £415,000 reimbursement cover when, if you look at banks, the levels are far lower. Speaking with CityAM Janine Hirt, who heads up the UK fintech body Innovate Finance, said: “The £415,000 limit will be detrimental to fintechs and challengers trying to provide a competitive landscape to have a better outcome for the end consumer. You could end up with a situation in October where this implementation could threaten to freeze our payment systems, which are critical UK infrastructure. The potential impact of implementing this incorrectly is sky-high.”

She added that the £415,000 limit could also “significantly affect” fintech investment in the UK, which would become the only country with such rules.

Interestingly, in a paper published just before the last UK election, the Labour Party has a view on this. The paper – A Shared Fight: Labour's plan for tackling Online Fraud – states that all parties should be accountable for any fraud committed, not just PSPs or EMIs.

At the heart of our proposals is the need for all relevant stakeholders to take an equal share in this fight. That means actively sharing the responsibility for preventing, detecting and investigating this type of fraud; efficiently sharing the data and intelligence that is central to those efforts; and sharing the costs more fairly when there are victims to be reimbursed. Together, we can destroy the business model for this crime, provided everyone involved plays their full part.

It will be interesting to see how government, now that Labour is in power, the PSR, the Payments Association, Innovate Finance, banks, fintechs and others develop this discussion as it is obviously hugely controversial and unclear right now.

Anyways, here is the PSR’s policy statement (December 2023) that comes into force in October 2024; and then there is the Payments Association policy response (August 2024); and the Labour Party’s policy.

PSR’s policy statement

Payments Association response

Labour party policy