Uncertainty around the mandatory reimbursement cap for APP frauds – a new headache for FI firms and their insurers?

New regulations coming on 7 October 2024 will require payment firms to reimburse victims of authorised push payment (APP) fraud up to a set limit. On 4 September 2024, the Payment Systems Regulator (PSR) announced a consultation proposing to set this limit at £85,000, vastly reduced from the previously proposed £415,000 cap. This uncertainty is a potential headache for payment firms and their FI insurers as the level of the cap will impact their assessment of risk and apportionment of liability between sending and receiving payment firms – and the industry will only have 7 days to prepare.

How did we get here?

APP frauds are a type of social engineering fraud where the fraudster tricks the victim into authorising a payment to the fraudster, believing the payment to be for a legitimate purpose (read our guide on redress for victims here). £459.7 million was lost to such frauds in 2023 alone. 

Currently payment firms are not obliged to reimburse customers for this type of fraud, but some banks do so voluntarily pursuant to the 2019 Contingent Reimbursement Model Code for Authorised Push Payment Scams (see our commentary on the introduction of the Code here), with 67% of losses reimbursed in 2023, according to the PSR's latest figures. However, this varies enormously per institution from 9% to 88%. 

Given the size of the issue and the impact on consumers, regulators have been under pressure to do more; hence the PSR's proposed new rules due to come into force on 7 October 2024. The new regime was announced in a PSR policy statement in June 2023 following a consultation in 2022.  

What is the background to setting the cap?

The issue of a cap on the amount of losses banks and payment firms are obliged to reimburse has been contentious. In its August 2023 consultation, the PSR initially proposed a limit of £415,000, which matched the (then) amount recoverable via the Financial Ombudsman Service (FOS).  PSR said that the limit was well understood by consumers and would capture 99.98% of APP fraud victims. It then regarded a limit of £85,000, which is now being proposed) as "too low" and would "exclude a significant number of victims" who would suffer "significant harm" where defrauded above the cap. PSR also considered that such a high cap would incentivise banks and payment firms to implement measures aimed at reducing APP fraud losses.

However, the industry expressed concern at the impact of such a high cap on the financial stability of smaller fintech firms, with some concerned that reimbursement claims could put them out of business. There were reports that Treasury officials regarded the £415,000 cap as a "disaster waiting to happen" and concerns that criminals might exploit the mandatory compensation system.

What does the PSR say about the new proposed cap?

In light of this, the PSR is now consulting on a lower limit of £85,000, which aligns with the Financial Services Compensation Scheme (FSCS) limit, which aims to protect individuals' savings in the event of a bank of building society failure. Again, this limit was described as being well understood by consumers and new data from the PSR suggests that 99% of claims will be covered by the limit.

The consultation was announced on 9 September 2024 and closes at 1pm 18 September 2024. The PSR has promised to announce its conclusion by the end of September, leaving less than 7 days before the new rules come into effect.

What does this mean for financial institutions and their insurers?

Payment firms and their insurers can respond to the consultation by email to appscams@psr.org.uk or by emailing to request a meeting to discuss their views in lieu of submitting a written response.

Whatever the result of the consultation, the tight timescales for resolution of this issue are problematic. Payment firms will be left with a very short amount of time to finalise their policies once the new cap is settled and their FI insurers will be hindered in assessing risk  / policy terms & conditions and calculating premiums for firms which renew before the cap is announced. After all, assessing the risk of exposure to reimbursement claims capped at £415,000 is a very different proposition to the risk of exposure to reimbursement claims capped at £85,000. And consumer rights groups oppose the limit, so it remains to be seen how the PSR will accommodate the strong views on both sides.  It would not be outside the realm of possibility for the PSR to reach a compromise by selecting a "splitting the difference" and selecting a limit somewhere between the two figures.

However, simply settling on an amount of the cap does not necessarily completely limit payment firms' exposure to the amount of the cap. Customers can still complain to the FOS.  And the level of the cap has a significant impact on the apportionment of liability between the receiving and sending payment firm.

The consultation specifically confirms that the new mandatory compensation rules will not affect customer's rights to complain to the FOS (which they are entitled to do if they consider that they have suffered loss due to the payment firm's acts or omissions). However, customers will of course need to account for any reimbursement when calculating quantum of their FOS claim. The PSR recognises that lowering the mandatory reimbursement cap will result in more claims to FOS, which are themselves currently limited to £430,000 under the DISP rules.

However, the consultation gives the following example, which highlights the impact of the cap on the distribution of liability between the sending and receiving payment firms:

"For example, for an APP scam of £450,000, where the sending PSP upholds the claim for reimbursement and the sending PSP or FOS also upholds the consumer’s fault-based complaint against the sending PSP for the balance of their loss:

• With a maximum reimbursement claim limit of £415,000, the sending firm is potentially liable for £242,500 (£207,500 under our policy plus £35,000 redress on the fault-based complaint). So, the loss is likely to be shared between the sending and receiving PSPs in the amounts of £242,500 and £207,500, respectively.
• With a reimbursement limit of £85,000, the sending firm is potentially liable for £407,500 (£42,500 under our policy plus £365,000 on the fault-based complaint). So the loss is ultimately shared between the sending and receiving PSPs in the amounts of £407,500 and £42,500, respectively."

In cases where both firms are found to be at fault, it is not obvious that the sending firm will always be more culpable than the receiving firm. While the sending firm may have failed to convince the customer that a fraud is being perpetrated, the receiving firm may have failed in its due diligence and fraud monitoring practices, which are just as important in ultimately tackling this type of fraud as raising awareness among potential victims.

As such, the level of the cap has a more complex impact upon payment firms and their insurers than a first glance might suggest. James Wickes would be delighted to discuss the insurance issues arising from this announcement and those interested may wish to subscribe to RPC's Thinking to receive alerts when further analysis is published.