This week, at the US House Financial Services Committee hearing, Representative Stephen F. Lynch announced a draft of the Protecting Consumers From Payment Scams Act. If enacted, this would expand the existing protection for US customers (Regulation E) who have funds transferred out of their account without their consent, to also cover when the customer is tricked into performing the fraudulent transfer themselves. This development is happening in parallel with efforts in the UK and elsewhere to reduce fraud and better protect victims. However, the draft act’s approach is notably different from the UK approach – it’s simpler, gives stronger protection to customers, and shifts liability to the bank receiving fraudulent transfers. In this post, I’ll discuss these differences and what the implications might be.
The type of fraud the proposed law deals with, where criminals coerce victims into making payment under false pretences, is known as Authorised Push Payment (APP) fraud and is a problem worldwide. In the UK, APP fraud is now by far the most common type of payment fraud, with losses of £355 million in the first half of 2021, more than all types of card fraud put together (£261 million).
APP fraud falls outside of existing consumer protection, so victims are commonly held liable for the losses. The effects can be life-changing, with people losing 6-figure sums within minutes. It’s therefore welcome to see moves to better consumer protection. The UK was one of the first to tackle this problem, with a voluntary code of practice being put in place following years of campaigning by consumer rights organisations, particularly Which.
This code addresses a gap in the Payment Services Directive 2 (PSD2), an EU law that still forms the basis for fraud protection in the UK. The PSD2 guarantees that fraud victims are reimbursed by their bank if they have not acted with gross negligence. However, this only includes “unauthorised” transactions, and the UK banks assume that customers coerced into making a payment have authorised the payment and so are not entitled to a reimbursement.
Under the new code of practice, customers should be reimbursed for APP fraud. There are exceptions for customers whom the bank finds to have acted with gross negligence and exceptions if the customer was warned against making the payment. The reimbursement scheme is complex, with many criteria open to interpretation and some hidden from customers due to the concern that disclosing them might help criminals. This complexity, and an unrealistic definition of what customers must do to avoid being held liable, have contributed to the “shockingly low” rates of reimbursement and a lack of transparency in decisions.
In contrast, the proposed US law is simple, consisting of only a few paragraphs. Customers are entitled to a reimbursement if the transfer “was fraudulently induced” or if the customer was “fraudulently or coercively induced to furnish the card, code, or other means of access”. Unlike the UK code of practice, it doesn’t matter whether the bank believes the customer acted negligently. This distinction mirrors unauthorised payments: UK and EU law give banks a gross-negligence get-out clause, but in the US, to refuse a refund, the bank must show that the customer was complicit in the fraud and not just negligent.
US banks may fear this proposed law change will cause customers to be careless. However, this may not be well-founded. The US banking industry has thrived despite supposedly negligent customers being entitled to a refund when they are victims of a fraudulent unauthorised transfer. In the UK, the TSB opted out of the voluntary code and reimburses 100% of APP fraud cases – there was no avalanche of fraud, and the bank is doing well. Customers don’t want to be victims of fraud, and if they are given easy to use and effective tools to prevent it, they will do so rather than rely on reimbursement rules that most customers won’t even be aware of.
Of course, this new consumer protection would sit within the US justice system, where each party usually pays for their own legal costs. If a fraud victim disagreed with their bank’s liability assessment, the customer could take the bank to court. In contrast, within the UK, the loser usually pays the full legal costs of both parties. Due to a fear that losing a case could set a harmful precedent, banks commonly will spend far more on legal costs than might be expected for the sum in dispute. Consequently, a customer who takes a bank to court could easily be bankrupted by the experience. It’s also difficult for customers to group together to pool resources and spread the risk because while the US has class actions, the UK has no direct equivalent. This problem of access to justice has been recognised but so far has not been addressed, and the UK Civil Justice Council’s proposal to introduce class actions for financial service disputes was rejected by the government.
The US draft law creates a strong incentive for banks to prevent fraud rather than blame customers, by removing the wiggle-room that UK banks use in refusing to reimburse victims. The US proposal also incentivises the banks that receive the fraudulent transactions by requiring them to compensate the victim’s bank. This position is understandable because a bank that lets money disappear without a trace has arguably failed in its Know-Your-Customer obligations. However, the victim’s bank is also in a position to prevent fraud by detecting unusual behaviour and blocking or querying a payment before it is made. For this reason, the UK code of practice may allocate liability to either the source or recipient bank or pay for the reimbursement from a central industry fund. Perhaps some mechanism is needed to incentivise the sending bank to do all they reasonably can to prevent fraud, but this might be better done through industry agreements rather than legislation.
The US draft act is only a draft and could change significantly before being enacted. However, I think the strong level of consumer protection it sets out is to be welcomed. If it works well in the US, I also hope it will encourage future efforts to protect fraud victims, such as through a new EU Payment Service Directive, to consider dropping the problematic “gross-negligence” get-out clause.