Published on 14 March 2019

This is the sixth blog out of eight in our series on the Contingent Reimbursement Model code (“CReM”) that purports to offer customers strong protection against certain types of Authorised Push Payment Fraud, or “APPF”.

In it we discuss how customers’ baseline rights in law are overlooked.

The CReM fails to adequately qualify, in the terminology of the 2017 Payment Services Regulations (the “PSRs”), what happens in an APPF, granting that a test case may be needed to bring case law up to date compared to the situation before the current PSRs were on the statute book.

In PSRs terminology, as we read it, the victim has used a “payment instrument” as defined on page 13 of the PSRs, focussing on part (b). A “payment instrument” is either a:

“(a) personalised device; or

(b) personalised set of procedures agreed between the payment service user and the payment service provider, used by the payment service user in order to initiate a payment order”.

The set of User ID, Password, PIN, and Memorable Information/Security Questions common to the eBanking services (through which the customer instructs a push payment) clearly qualifies under (b), whether or not the eBanking service also involves a physical device for one-time password generation that requires a card and PIN to operate it.

The customer’s obligations around the usage of a “payment instrument” are laid out in Article 72 and are quite limited:

“1. A payment service user to whom a payment instrument has been issued must—

(a) use the payment instrument in accordance with the terms and conditions governing its issue and use; and

(b) notify the payment service provider in the agreed manner and without undue delay on becoming aware of the loss, theft, misappropriation or unauthorised use of the payment instrument;

(2) Paragraph (1)(a) applies only in relation to terms and conditions that are objective, non-discriminatory and proportionate.

(3) The payment service user must take all reasonable steps to keep safe personalised security credentials relating to a payment instrument or an account information service”.

A customer has no further responsibilities than these in law when using a firm’s eBanking service to instruct the firm to make a payment.

By contrast Article 73 lays out the firm’s obligations under the introduction:

“A payment service provider issuing a payment instrument must:

(c) ensure that appropriate means are available at all times to enable the payment service user to notify the payment service provider in accordance with regulation 72(1)(b) (notification of loss or unauthorised use of payment instrument);

(d) on request, provide the payment service user at any time during a period of 18 months after the alleged date of notification under regulation 72(1)(b) with the means to prove that such notification to the payment service provider was made”.

As long as the customer has carried out its responsibilities, the customer has the following right of redress under Article 74:

“1. A payment service user is entitled to redress under regulation 76, 91, 92, 93 or 94 (liability for unauthorised transactions, non-execution or defective or late execution of transactions, or charges and interest), only if it notifies the payment service provider without undue delay, and in any event no later than 13 months after the debit date, on becoming aware of any unauthorised or incorrectly executed payment transaction”.

Regarding timing, this Article is at odds with the CReM’s stipulation that claims originating before its live date of the end of May 2019 are discounted: in law the customer has 13 months to raise their claim and so could raise a claim at the end of May 2019 for an APPF occurring at the start of May 2018.

As regards the content of the Article, the customer may claim under it because they have used a “payment instrument” to order a payment based on data as specified by the firm, inter alia naming the beneficiary. The firm, under “wrong name” APPF, has executed a different payment, which is therefore unauthorised.

This in turn triggers the determination as to whether the customer is eligible for reimbursement and where the burden-of-proof lies, under Article 75:

“(3) Where a payment service user denies having authorised an executed payment transaction, the use of a payment instrument recorded by the payment service provider, including a payment initiation service provider where appropriate, is not in itself necessarily sufficient to prove either that—

(a) the payment transaction was authorised by the payer; or

(b) the payer acted fraudulently or failed with intent or gross negligence to comply with regulation 72 (user’s obligations in relation to payment instruments and personalised security credentials).

(4) If a payment service provider, including a payment initiation service provider where appropriate, claims that a payer acted fraudulently or failed with intent or gross negligence to comply with regulation 72, the payment service provider must provide supporting evidence to the payer”.

The key point remains that the customer instructed the payment in its entirety: Name + Sort Code + Account Number. The customer did not authorise a payment to Sort Code + Account Number + different name. The customer’s firm has a responsibility to carry out the customer’s payment as instructed, both if the beneficiary account is in its own books (an “internal transfer”) and when it is being sent through an external clearing and settlement mechanism. Firms have a further duty to ensure that such clearing and settlement mechanisms cause a payment to be returned if the name on the beneficiary account is not coherent with the name in the payment.

This ought to be the situation as regards customers’ baseline rights in law, and the CReM should have done one of two things: either (i) confirm them; or (ii) deny them.

Then it should have stated what firms were proposing to add to those rights voluntarily under the CReM, and what the resulting cover would be.

The CReM fails to do this and thus leaves the inference that any cover for customers is voluntary on the part of the firms. This has the effect of causing customers’ rights in law to go up in smoke.