Letter to Lord Johnson

Published on 10th July 2023

The Payments Association has sent a letter to Lord Johnson about the proposed widening of the coverage for victims of Authorised Push Payment Fraud (APPF):

The letter raises three areas of concern, which could have unintended consequences:

1. Almost all consumers experiencing APP fraud will get their money back (unless they are ‘grossly negligent’);

2. The cost of the compensation for APP frauds will be shared 50/50 between the sending bank/issuer and the receiving bank/issuer;

3. Despite up to 80% of APP frauds originating through purchases made on social media, social media companies are rarely involved with preventing fraud.

Subsequent to that, The Payments Association asked me for my take, and I am happy to share the thrust of it.

Background

The Payment Systems Regulator (PSR), the Financial Conduct Authority (FCA), and the government must be exasperated by the failure of the payments industry to deal with APPF. So now, like a furious giant trying to stamp on ants, they lay about themselves with huge cudgels.

Their problem is their inability to see the interconnection between the wording of the 2017 Payment Services Regulations (PSRs) and of the Funds Transfer Regulation on the one hand, and the architecture, message content and business processes of Faster Payments on the other. Faster Payments is the main payment system/process through which APPF is effected, and banks’ internal processes for account-to-account transfers within their own books have now also been modelled on it.

There has also been too little reflection on the impact for APPF of the Faster Payments system limit being raised to £1 million per payment, when settlement is in near-real-time and the process is open to fraud. This multi-step and multi-year raising has been at the behest of the Bank of England, to move non-systemically important payments off their CHAPS real-time gross settlement system, in the wake of that system crashing in October 2014.

Perhaps it is also unwillingness to believe the issue can be solved by less drastic means – having entrusted the topic to ‘experts’ for 8 years, they probably cannot believe that any obvious stone has been left unturned. These ‘experts’ are the cadre who have sat on one or more of the APP scams steering group, the Pay.UK user groups, the PSR Panel, the PSR Digital Payments Initiative, the Digital Pound Engagement and Technology Forums, to name but a few. They include ones who have a personal vested interest in stones not being turned, either because they were involved in the Faster Payments design, or have supported Confirmation of Payee (CoP) through the Payment Strategy Forum and the APP scams steering group, or have helped write the Contingent Reimbursement Model (CRM).

There may well be unintended consequences to what is now proposed, but from the opposition’s point of view their measures are a rational follow-up to what has gone before. They build on CoP and CRM because they cannot admit that they have been on the wrong track for 8 years.

Applying the test of ‘gross negligence’

Belatedly they borrow the term ‘gross negligence’ from the 2017 PSRs’ wording, that being the test for a bank refusing reimbursement of a payment for lack of authorization. The authorities have however not taken it a step further and examined the content of the payment contract that was or was not authorized, and how APPF is enabled by a contract being made solely on the basis of the ‘Unique Identifier’ (which is how the courts define the Sort Code and Account Number).

50/50 reimbursement split as opposed to 100% for the payer’s bank now

They propose a 50/50 reimbursement split, coming from 100% payment by the payer’s bank, when in my view the stronger case is that the payee’s bank should pay the entire reimbursement: they have enabled APPF by opening an account for the payee who has perpetrated the fraud, via either flawed upfront due diligence or poor ongoing monitoring. This view is supported further if one considers payee mules as crooks. They perform a criminal act by abetting a fraud. It is a supposition that they have become involved ‘innocently’, and I do not subscribe to it.

Anyway, where the payers’ and payees’ accounts are with big banks, each bank is as often the payer’s bank as the payee’s, or both, so allocating the loss 100% to one side or 50% to each side results in a wash or in equal-and-opposite payments amongst 5 or 6 institutions, but possibly not when one of the members of The Payments Association is involved.

Involvement of social media giants

Lastly, regarding social media giants, it is unlikely that this argument will gain very much traction when tabled by an organization representing Fintechs. The opposition may well take the view that social media giants are Tech, Fintechs (Third-Party Providers, eMoney Institutions, Payment Institutions) are Tech, it’s all Silicon Valley – same thing isn’t it? Don’t Fintechs use the social media giants as a major channel-to-market? I say this not because I believe it fully myself, but because I am not sure the opposition will make a meaningful distinction between Tech and Fintech, seeing them instead as horses coming out of the same stable, owned by the same plutocracy, and highly interconnected with one another.

Summary

The industry has brought this on itself by its failure to solve APPF, and by there being no immediate prospect of the solutions it has rolled out making more than a modest dent in APPF over the next 2-3 years.

The industry should not be surprised that the authorities now both over-react and behave as if the failed solutions were not crafted within and supported by processes which they controlled.

The authorities can justifiably take the view that a few chips will fly when you make some furniture, and that the main thing is that the customer will get their money back quickly, in full, and with few questions asked…and if the industry doesn’t like the results, they should build better systems and pay for it out of their own pockets.

My view has always been that different legal changes – to the wording of the 2017 PSRs and the Funds Transfer Regulation – would render all APPF payments ‘unauthorized’, as they are actually in substance if not in law: the payer’s PSP effected payment to a payee different to the one named in the payment order, the loophole enabling this being that there is an absence of checking at the payee’s bank (because the process is based on the debit card business model, using ISO8583 messages).

The ‘payment contract’ is a subset of the ‘payment order’, omitting the payee name even if it is mandatory information in the ebanking device/system of the payer’s Payment Service Provider (PSP) through which the payment order is made.

The legal changes would make PSPs liable under the 2017 PSRs, without CoP or the Contingent Reimbursement Model being needed, and the PSPs’ logical response would be to build a New Payments Architecture (NPA) within which the payee name would be passed to and processed by the payee PSP, and the payment rejected if there was no match to the name on the account identified by the Sort Code and Account Number. This should be a Day 1 deliverable of NPA, and it would employ ISO20022 messages that are NOT like-for-like with the ISO8583 messages used for Faster Payments now.
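To make the contrast concrete, here is an added illustration (not code from the letter, The Payments Association or any payment scheme) of the two acceptance rules the paragraphs above describe: the current contract made on the Unique Identifier alone, versus the proposed check in which the payee name travels with the message and must match the account holder at the payee PSP. The account register, the payment orders and the name-normalisation rule are all constructed assumptions.

```python
# Added example: identifier-only acceptance versus identifier-plus-name
# acceptance at the payee PSP. Names, identifiers and matching rule are assumed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PaymentOrder:
    payee_name: str      # name the payer entered in the ebanking device
    sort_code: str       # together with account_number: the 'Unique Identifier'
    account_number: str
    amount_gbp: int


# Constructed payee-PSP account register: Unique Identifier -> account holder name.
ACCOUNTS = {
    ("04-00-04", "12345678"): "Acme Roofing Ltd",
    ("04-00-04", "87654321"): "J Smith",   # plays the mule account in the scenario
}


def normalise(name: str) -> str:
    """Assumed matching rule: case-insensitive, punctuation stripped, spaces collapsed."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())


def identifier_only(order: PaymentOrder, accounts=ACCOUNTS) -> str:
    """Model described for Faster Payments today: the contract rests on the
    Unique Identifier alone, so the payee name in the order is never checked."""
    if (order.sort_code, order.account_number) in accounts:
        return "ACCEPTED"
    return "REJECTED: unknown account"


def identifier_and_name(order: PaymentOrder, accounts=ACCOUNTS) -> str:
    """Proposed NPA model: the payee PSP compares the name carried in the
    message with the name on the identified account and rejects a mismatch."""
    holder = accounts.get((order.sort_code, order.account_number))
    if holder is None:
        return "REJECTED: unknown account"
    if normalise(holder) != normalise(order.payee_name):
        return "REJECTED: payee name mismatch"
    return "ACCEPTED"


# Constructed APP-fraud scenario: the payer believes they are paying Acme Roofing
# but has been given the mule account's Sort Code and Account Number.
SCAM_ORDER = PaymentOrder("Acme Roofing Ltd", "04-00-04", "87654321", 4500)
GENUINE_ORDER = PaymentOrder("acme roofing ltd.", "04-00-04", "12345678", 4500)
```

Under the identifier-only rule the scam order is accepted and the funds reach the mule; under the identifier-plus-name rule it is rejected, while the genuine order still clears despite differences in case and punctuation.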