On Friday’s Rip off Britain I’ll be talking about new attempts by UK banks to prevent fraud, and the upcoming scheme for reimbursing the victims. While these developments have the potential to better protect customers, the changes could equally leave customers in a more vulnerable situation than before. What will decide between these two extremes is how well designed the rules surrounding these new schemes are.
The beginning of this story is September 2016, when the consumer association – Which? – submitted a super-complaint to the UK Payment System Regulator (PSR) regarding push payment fraud – where a customer is tricked into transferring money into a criminal’s account. Such bank transfers are known as push payments because they are initiated by the bank sending the money, as opposed to pull payments, like credit and debit cards, where it is the receiving bank that starts the process. Banks claim that since the customer was involved in the process, they “authorised” the transaction, and so under UK and EU law, the customer is not entitled to a refund. I’ve argued that this interpretation doesn’t match any reasonable definition of the word “authorised” but nevertheless the term “authorised push payment scams” seems to have stuck as the commonly used terminology for this type of fraud, I’m sure much to the banks’ delight.
The Which? super-complaint asked for banks to be held liable for such frauds, and so reimburse the victims unless the bank can demonstrate the customer has acted with gross negligence. Which? argued that this approach would protect the customers from a fraud that exists as a consequence of bank design decisions, and provide banks with both a short-term incentive to prevent frauds that they can stop, as well as a medium-to-long term incentive for the banks to enhance payment systems to be resistant to fraud. The response from the PSR was disappointing, recognising that banks should do more, but rejecting the recommendation to hold banks liable for this fraud and requesting only that the banks collect more data. Nevertheless, the data collected proved useful in understanding the scale of the problem – £236 million stolen from over 42,000 victims in 2017, with banks only being able to recover 26% of the losses. This revelation led to Parliament asking difficult questions of the PSR.
The PSR’s alternative to holding banks liable for push payment fraud is for victims to be reimbursed if they can demonstrate they have acted with an appropriate level of care and that the bank has not. The precise definition of each level of care was a subject of consultation, and will now be decided by a steering group consisting of representatives of the banking industry and consumers. In my response to this consultation, I explained my reasons for recommending that banks be liable for fraud, including that fairly deciding whether customers met a level of care is a process fraught with difficulties. This is particularly the case due to the inequality in power between a bank and its customer, and that taking a banking dispute to court is ruinously expensive for most people since the option of customers spreading the cost through collective actions was removed from the Financial Services Act. More generally, banks – as the designers of payment systems and having real-world understanding of their use – have the greatest capacity to mitigate the risks these systems introduce.
Nevertheless, if the rules for the reimbursement scheme are set up well, it would be a substantial improvement over the current situation. On the other hand, if the process is bad then it could entrench the worst of current practices. Because the PSR has decided that reimbursement should depend on compliance with a level of care, my response also included what the process should be for defining these levels, and for adjudicating disputes.
The level of care required of the customer should be whether he or she falls far short of what a reasonable person would do in a comparable situation, taking into account pressures that customers are subject to, and what practices have been encouraged, or at least tolerated by, the bank involved in the fraud and other banks which the customer deals with. Our research has found that security instructions described in terms and conditions of banks are inconsistent, confusing and far exceed what customers do in practice and what they can achieve with realistic effort. Therefore failing to take appropriate care should not be defined in terms of non-compliance with such documents. Banks should present evidence that their authentication systems will lead customers to act in a way that would allow them to readily prevent fraudulent transactions.
Where compliance with bank-provided customer education forms a part of the assessment of level of care, banks should provide empirical evidence that the information provided to their customers regarding secure behaviour, as well as the means of communicating this information, are easy to understand, easy to remember, consistent across all means of communication and consistent with the design of other technologies associated with this bank and that of other banks common in the region. This evidence should be provided to customers so that they can examine and challenge whether the bank has met its required level of care.
Finally, there should be greater transparency over the safety of the different payment options available, and free choice for customers. Customers are currently encouraged to use push payments which are normally not possible to revoke in the case of fraud, rather than revocable options like cheques, which are more expensive for the bank to process but safer for the customer. Cheques have the added advantage of putting the onus on the bank to check whether the name that the customer enters matches that of the recipient, an important security check not yet available for push payments.
If adopted, these recommendations should help protect customers and provide incentives for banks to improve their systems. However, they require an effective enforcement process, and the Financial Ombudsman Service has considerable room for improvement. Tackling this problem will be the next challenge that consumer advocates will need to address.
2 thoughts on “Will new UK rules reduce the harm of push-payment fraud?”
Congratulations on this first-rate summary!
I was scammed for nearly £40000 this week, only convinced by the scammer able to switch money from different accounts and freeze accounts, which I understandably thought was only possible by a NatWest employee. Needless to say bank and police on this with account numbers etc.