Authorised push payments fraud and the expanded role of the Financial Ombudsman

Authorised push payment (APP) scams were a hot topic in 2019 with the authorities taking a series of three coordinated actions to push down on APP fraud. One measure, a change in the remit of the financial ombudsman, has been in place for a full year now but, in response to our freedom of information request, the Financial Ombudsman Service has told us that they do not capture data in such a way that enables them to tell us whether anyone has made use of the new right.

The remit change, which came into effect at the beginning of 2019, gives victims of authorised push payment fraud the right to complain to the Financial Ombudsman about the payment service provider (PSP) who received their payment on behalf of the fraudster if they believe that the PSP did not do everything possible to get the money back.

The change in the Financial Ombudsman’s remit was one of three coordinated actions taken to push back against APP fraud. In previous blogs, I’ve unpacked the other measures: the industry voluntary code and the confirmation of payee (CoP) rules and standards with which the Payment Systems Regulator (PSR) has directed the UK’s six largest banking groups to comply. Now, in this final piece, we will consider the FCA’s decision to extend the jurisdiction of the Financial Ombudsman Service.

As a matter of principle, consumers can only complain to the Financial Ombudsman about financial institutions when they are a customer or potential customer of the institution. In recent years, the jurisdiction has been extended slightly to include complaints against credit reference agencies where a consumer has a complaint about the information held on their financial standing, and at the beginning of this year, it was further extended to help victims of APP seek redress from the payment service provider who received their funds on behalf of the fraudster.[1]

As the FCA notes, “in practice, many complaints relating to APP fraud will be about the receiving PSP’s actions, especially the allegation that the receiving PSP has not done enough to prevent fraud.”[2]

Consumers could make the following complaints against the PSP of the fraudster (the receiving PSP).

  1. That the receiving PSP did not do enough to prevent the APP fraud.[3] For example, the receiving PSP has evidence that its customer is using the account for fraudulent purposes (e.g. transaction monitoring alerts) but has not taken sufficient action on the basis of this evidence.[4]
  2. That the receiving PSP did not adequately cooperate with the sending PSP in its efforts to recover the funds where the customer has provided incorrect account details to the PSP and the payment has been misdirected. This could arise where the payer intended to make a legitimate payment to person A, but the fraudster deceived them into making the payment to the wrong account details. An example would be where the payer receives a fraudulent call purportedly from HMRC instructing them to settle their tax bill to account details that in actuality belong to the fraudster. In this case, a complaint could arise where the receiving PSP does not assist the sending PSP by sharing information on the fraud.[5]

Of course, the receiving PSP may not be providing payment services to a fraudster but a legitimate customer who has received the funds by mistake. The changes to the eligibility criteria allow for a complaint to be made where the misdirected payment is as a result of a simple error on the part of the payer, and the receiving PSP does not adequately cooperate with the sending PSP.[6]

Consumer journey

One salient question concerns the consumer journey when making a complaint regarding APP fraud. In particular, how will the APP victim know whether the receiving PSP is culpable in either of the two ways outlined above?

In practice, the FCA expects that in most cases a victim of APP fraud will complain to the sending PSP, and that the sending PSP would then involve the receiving PSP where necessary.[7] The sending PSP should therefore decide whether it can deal with the complaint itself, or whether the complaint should be forwarded to the receiving PSP.

The FCA makes clear in the Policy Statement that they expect the complainant to receive a single redress response, either from the sending or receiving PSP (as a single response), or where appropriate from both as a joint response. What would not be acceptable in the FCA’s view is for the complainant to complain firstly to the sending PSP, wait 8 weeks for a response, and then have to complain to the receiving PSP.

Should the complaint then be escalated to the FOS, it will have the ability to determine the proportion of the complainant’s award that each PSP must contribute. In considering any such complaint, the FOS will consider the industry guidance in the contingent reimbursement model (CRM) code.

If you would like to discuss this topic further or book a free consultation, contact me or one of my colleagues. 

[1] DISP 2.7.6

[2] PS18/22 Authorised push payment fraud – extending the jurisdiction of the Financial Ombudsman Service, p10

[3] DISP 2.7.6(2B)

[4] For the complainant to be eligible in this instance, the case must not be a PSD complaint, that is, a complaint under Parts 6 and 7 of the Payment Services Regulations 2017 (PSRs).

[5] DISP 2.7.6(2A)

[6] This obligation to cooperate with the sending PSP is based upon regulation 90(3) of the PSRs.

[7] Although to emphasise, receiving PSPs must now accept complaints directly from payers in relation to APP fraud.

 

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.
