The draft code (12-page / 534KB PDF) has been produced by a steering group set up by the Payment Systems Regulator (PSR), and is being consulted on until 15 November 2018. The code is based on a 'contingent reimbursement' model, setting out the circumstances in which victims of APP frauds can expect to be reimbursed. It also sets out the steps that banks and other payment service providers (PSPs) should take to protect their customers.
As part of its consultation (25-page / 960KB PDF), the steering group is particularly seeking views on a suitable funding mechanism through which consumers could be reimbursed if neither they, nor the PSP, is at fault. It is also seeking views on the evidential approach that should underpin the code; how disputes between banks and PSPs should be resolved; and who should oversee the code once it is finalised.
The code should be implemented early next year, although compliance will be voluntary for PSPs. However, the retail banks represented on the steering group have individually committed to start work towards implementing the standards set out in the draft code during the consultation period.
Civil fraud and asset recovery expert Alan Sheeley of Pinsent Masons, the law firm behind Out-Law.com, described the draft code as a "promising step" towards addressing the problems identified by Which? in its 2016 'super-complaint' regarding reimbursement for APP fraud victims. However, he noted that further work was required on the reimbursement model.
"It is encouraging that reimbursement is at the core of the code, with the consultation accompanying the draft code recognising that reimbursement is a problem that must be addressed," he said.
"The steering group has now welcomed feedback on potential new approaches and one approach includes customers having the option to obtain either a voluntary or compulsory insurance policy when making transactions. A 'Royal Mail-type' insurance system was proposed by Pinsent Masons in its response to the PSR's November 2017 report and consultation on APP frauds and it is encouraging that the steering group may take this idea forward," he said.
While the code was designed to be voluntary, Sheeley said that change was "clearly necessary" in response to recent statistics showing that APP frauds are on the rise.
APP frauds occur where a victim is conned into authorising a transfer of money from their bank account into an account which they believe is controlled by a legitimate payee, but which is actually controlled by a fraudster. Because the payment was 'authorised' by the consumer, at present they will not usually be able to recover their losses. Of the £92.9 million lost to this type of fraud by consumers in the first six months of 2018, PSPs were only able to return £15.4m to the customer, according to figures published last month by trade body UK Finance.
The draft code sets out a number of measures that PSPs should take to detect, prevent and respond to APP frauds. These include using analytics and employee training to identify potential frauds, and providing customers with effective warnings that they are at risk. PSPs that commit to the code should also delay suspicious payments while investigations are conducted and carry out any required reimbursements in a timely manner.
PSPs would be entitled to refuse to reimburse customers on one of seven grounds, provided that this "would have had a material effect on preventing the APP fraud that took place". The grounds include where the customer ignored warnings given by the PSP; had been "grossly negligent"; did not act openly and honestly with the PSP during the investigation; or where the customer had "recklessly shared" their security credentials. Customers would also be required to heed 'confirmation of payee' notices provided by their PSP once this system is adopted.
"The draft code makes express reference to PSPs taking steps to delay transfers and freeze funds so investigations can be carried out where there are concerns about APP frauds, reducing the risk of dissipation of funds," said asset recovery expert Jennifer Craven of Pinsent Masons. "However, as the code only applies to consumers, micro-enterprises and charities, larger businesses that fall outside its scope should not overlook their ability to use the civil law to freeze assets and pursue the perpetrators of frauds to recover their losses."
"Information has also been provided in the draft code as to the requisite standard of care that customers are expected to meet before they are able to get their money back. The code specifies that customers are expected to pay attention to 'effective warnings' and not recklessly share access to their personal security credentials. This provides much more clarity in what was still a grey area following the February 2018 outcome of the PSR's consultation and report," she said.
"A number of measures in the draft code focus on 'detection, prevention and response' to APP frauds, and the code explains how PSPs can best employ such measures to prevent APP frauds occurring in the first place," said Rachelle Issa, also of Pinsent Masons. "Amongst other things, PSPs are encouraged to participate in customer education and awareness campaigns, collect statistics and provide aftercare for customers so that they do not become repeat victims."
"In its response to the PSR's consultation, Pinsent Masons' civil fraud and asset recovery team suggested that mandatory training and enhanced resourcing on APP frauds is necessary. The steering group's proposals for more emphasis on training are therefore very encouraging," she said.