HMT policy on delaying payments processing to counter APP fraud

On 12 March 2024, HM Treasury published a near-final version of the Payment Services (Amendment) Regulations 2024, together with a policy note.

In May 2023, the government published its ambitious fraud strategy. This included a commitment to investigate how legislation might need change to allow PSPs – such as banks to adopt a risk-based approach to payments and allow further time to assess potentially fraudulent payments. This would aim to further tackle APP fraud whilst minimising impacts on legitimate payment flows. The government also previously sought views on this policy through its Call for Evidence on the PSRs. The government has now decided to introduce this legislation and is taking this forward as a priority. 

Currently, the PSRs require that once an outbound payment order is received, the amount of the payment transaction is credited to the payee’s PSP's account by the end of the next business day from receiving the payment order (D+1). The above SI will therefore amend the PSRs to allow PSPs to adopt a risk-based approach to payments and to delay the execution of an outbound payment transaction by up to four business days from the time the order is received where there are 'reasonable grounds' to suspect a payment order from a payer has been placed subsequent to fraud or dishonesty perpetrated by someone else. 

The delay may also only be used where the payer’s PSP requires further time to contact the customer or a third party, such as law enforcement, to establish whether to execute the payment. 

This legislation will only apply to payments in sterling between accounts located in the UK.

The policy note states that the draft regulations are still under development and asked for comments by 12 April 2024. HM Treasury intends to lay this instrument before Parliament in summer 2024 and for it to commence on 7 October 2024 (the same time when the Payment Systems Regulator's rules on mandatory reimbursement for APP fraud also takes effect).

So what? 

There are some strict and time-sensitive requirements that are being placed on PSPs under the Regulations:

• PSPs can only delay payments where there are 'reasonable grounds' to suspect a payment order from a payer has been placed subsequent to fraud or dishonesty perpetrated by someone else (excluding the payer). They need to ensure that those grounds are established by no later than the end of the next business day following receipt of the payment order.
• The notification must be given in an agreed manner no later than the end of the business day following the time of receipt of the payment order. 
• PSPs must inform customers of any delays and the reasons behind their decision, also what information or actions are needed to help the PSP decide whether to process the payment order. 
• PSPs will be liable for any interest or charges resulting from a delay to payments.

PSPs need to consider these requirements very carefully and assess what changes to their current policies and processes would be required to ensure compliance. The Regulations provide that SMEs will be able to opt-out for delays by way of mutual agreement with their PSP. However, PSPs will need to ensure they have the correct procedures and methodology in place to establish the correct evidential basis to delay payments and then to be able to investigate these payments thoroughly before rejecting them. The HMT policy states that the FCA will monitor compliance and engage with PSPs to make sure this is used in a proportionate manner.

PSR consultation on compliance and monitoring under FPS APP scams reimbursement requirement

On 17 April 2024, the Payment Systems Regulator (PSR) published a consultation paper (CP24/3) on its proposals for compliance and monitoring under the Faster Payments System (FPS) reimbursement requirement to fight APP fraud. 

In its policy for APP scam reimbursement, the PSR sets out that as the operator of FPS, Pay.UK will be responsible for monitoring PSPs' compliance with the FPS reimbursement rules. Pay.UK has been developing its compliance monitoring regime in consultation with industry and the PSR. Subject to PSR's approval, the regime will be published by Pay.UK on its website and no later than 7 June 2024.  

This consultation sets out the PSR's proposals for all PSPs in-scope of the reimbursement requirement policy to report data and information to Pay.UK, so that it can effectively monitor and manage compliance with the FPS reimbursement rules. It also sets requirements for how this data must be provided, and how it will be managed. 

The PSR is also consulting on placing limits on what Pay.UK is permitted to do with the monitoring data and information it receives from PSPs, including in respect of disclosures. It is also proposing a pragmatic, streamlined approach and phased reporting from the policy start date of 7 October 2024. 

CP24/3 closes to comments on 28 May 2024. PSR plans to finalise the legal instruments in July ahead of the policy start date. 

So what? 

The proposals would involve significant work to establish the relevant reporting channels. Some of the proposed requirements and key deadlines for PSPs include the following:

• Requiring PSPs to use Pay.UK’s reimbursement claim management system (RCMS) to collate, retain and provide data to Pay.UK. In other words, PSPs will use this RCMS to manage FPS APP scam claims, communicate between PSPs and report data to Pay.UK. The PSR is proposing to deliver this by including new requirements within the existing specific directions that were published with its final policy.
• All PSPs would need to register with Pay.UK by 20 August 2024 as users of RCMS. 
• All PSPs would need to comply with the FPS RCMS rule by 1 May 2025.  
• PSPs would need to establish specific standards for the collation, retention and reporting of the data to Pay.UK. This will be set out in the proposed Compliance Data Reporting Standards (CDRS). PSR's Specific Direction 20 will require PSPs to comply with the CDRS, a draft of which has been published with this consultation to comment on. PSPs would need to comply with one of the reporting standards from 7 October 2024, under which they will be required to report a focused set of compliance data to Pay.UK on a monthly basis. This will be superseded by a subsequent reporting standard from 1 May 2025 when they will be required to make a more comprehensive set of Faster Payments APP scams data available to Pay.UK via the RCMS. 
• PSPs would also need to establish specific contingency arrangements for the reporting of data. 
• PSPs need to ensure the accuracy and quality of the reported data and safe keeping of the same by storing data on secure systems. 

Pay.UK will take steps to address non-compliance with these requirements and in appropriate cases may also escalate issues to the PSR for enforcing compliance. Firms must therefore take steps to adapt to these updates which present further complexities and challenges especially in the context of the significant work underway to prepare for the upcoming policy deadline of 7 October. There may also be concerns about the cost of using the RCMS, particularly with PSPs who may not currently process many (or indeed any) FPS APP scam claims. The paper discusses pricing information, which firms need to consider closely to assess cost implications. Firms would also need to review their operational capabilities to adapt to the changes arising from the proposed requirements.