Scam reimbursement requirements – preparing for October
Background
By now, most individuals working in fraud prevention at banks and payment firms will be well aware of the PSR’s new scam reimbursement requirements that help protect the victims of scams and come into effect on October 7th, 2024.
In addition to apportioning customer reimbursement costs to the sending and receiving banks of a fraudulent payment on a 50/50 basis, the requirements introduce strict limits on the time taken to review and refund claims (5 business days!) and define how customer vulnerability needs to be identified and managed.
Firms that are already discretionary signatories of the Contingent Reimbursement Model (CRM) code will be familiar with many of the requirements, which build on elements of the CRM code. These existing signatories consist of the 10 largest retail banks in the UK; however, hundreds more firms will become subject to these requirements. In both cases, firms need to assess their readiness for these requirements and plan appropriately for compliance in October.
What should your firm be doing?
Below we have outlined some recommendations on initiatives that need focus before the October deadline, to help ensure you are ready to appropriately prevent, detect, and respond to APP fraud. Some firms may already have expertise in some of these areas, whilst others may have little to no current capability. In either case, we believe each of these areas should be reviewed by firms to ensure that they are ready to meet the fast-approaching requirements.
Prevention checklist
- Work with Pay.UK to implement Confirmation of Payee (CoP), if not already completed. For most payment firms this will need to be completed before the end of October 2024 (see ‘Group 2’ PSPs here). Implementation takes approximately 12 weeks.
- Ensure you are an active participant in the CIFAS National Fraud Database (NFD). The database should be used when onboarding customers to check for historical fraud concerns and ensure prospective customers remain within risk appetite. Special attention should be paid to any historical concerns related to money mule activity. Where customers are confirmed to be involved in or complicit in fraud, their information should be added to the CIFAS fraud database.
CIFAS is also developing Vision, a product that informs you if information connected or linked to your customers is filed to the NFD, allowing you to take action to mitigate or address the risk and prevent fraud losses. Your customers could be filed by another member at any time; without Vision alerts you would be unaware of the filing and of the potential risk to your organisation.
- A key part of scam detection and prevention is based on obtaining information about the payment as it is being made by the customer. In addition to the necessary account number and sort code, collected information can include the payee’s name (for CoP), the payment purpose (e.g. paying family, a friend, an investment), and receiving account type (e.g. personal or business). This information should then be used to provide targeted and timely scam warnings to the customer, to encourage them to conduct their due diligence and not send the payment if they have any concerns. These warnings should be tailored for common and emerging scams, and could potentially prevent a payment being sent until further contact and verification has been made with your anti-fraud team.
AI chatbots (potentially with step-up to human intervention) provide a method of interacting with the customer to truly understand the nature of the payment. For example, for purchases the chatbot could ask where the goods were advertised and whether the goods have been seen in person. Alternatively, for an investment, the chatbot could ask whether the customer has checked the FCA register to confirm the investment firm is regulated and where they heard about the investment opportunity. The answers to these questions could also easily be fed as inputs to a risk scoring engine.
- Payment requests should be risk scored, with high-risk requests subject to additional friction or payment barriers and blocks. This can start simply and mature over time. For example, you may want to refer payment requests above £1,000 to a new beneficiary for further examination and questioning by customer services/anti-fraud before approving the payment. Alternatively, step-up authentication might be required for any payment above £1,000 (to new or established beneficiaries). As the engine matures, additional signals can be considered (for example device ID telemetry, behavioural analytics, or offline customer profiling) along with more complex rulesets to improve the detection of scams whilst minimising customer friction. The barriers put in place should be continually informed by confirmed fraud scams historically seen at your institution. Vendor solutions can be leveraged to provide this functionality; alternatively, solutions can be developed in house.
- The CRM code states that "Firms should participate in coordinated general consumer education and awareness campaigns" and adds that "Firms should take reasonable steps to raise awareness and educate Customers about APP scams and the risk of fraudsters using their accounts as 'mule accounts’, Firms should do this by undertaking their own campaigns, and/or participating in, contributing to, or promoting, campaigns undertaken by other relevant parties". Industry campaigns that focus on educating customers include UK Finance's 'Take Five to Stop Fraud' and 'Don't Be Fooled' campaigns. In addition to industry collaboration, educational content and campaigns can be delivered directly to customers. Common approaches include periodic emails, splash screens during login to accounts, tailored warning messages during the payment journey (based on the selected payment reason), and webpages dedicated to scam awareness.
- The CRM code is clear that extra steps need to be taken to protect vulnerable customers, who may be more susceptible to APP scams. Specifically:
"Firms should ensure that customer service and fraud team members are appropriately trained to be able to identify characteristics of customers which might be indicators of vulnerability."
"Procedures [in respect of payment journeys] should provide a greater level of protection for vulnerable customers."
In addition, it should be noted that vulnerable customers are exempt from having to pay an excess fee when claiming reimbursement following a fraud event, further incentivising the appropriate treatment of vulnerable customers by payment firms.
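To make the risk scoring item above concrete, here is an added example (not from the article or any vendor) of a first-pass rule engine that combines the payment-journey data described earlier (payment purpose, payee account type, CoP result) with the £1,000 thresholds; the weights, score cut-offs and field names are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Added example (not from the article): a first-pass rule engine for the
# payment journey. Weights, thresholds and signal names are assumptions for
# illustration; a real engine is calibrated on confirmed scam history.
REFERRAL_THRESHOLD_GBP = 1000  # the article's example threshold

@dataclass
class PaymentRequest:
    amount_gbp: float
    new_beneficiary: bool     # payee not previously paid by this customer
    purpose: str              # "family", "friend", "investment", "purchase", ...
    payee_account_type: str   # "personal" or "business"
    cop_result: str           # "match", "close_match", "no_match", "unavailable"
    vulnerable: bool = False  # vulnerability indicator on the customer record

@dataclass
class Decision:
    action: str               # "allow", "warn", "step_up" or "refer"
    score: int
    reasons: list = field(default_factory=list)

# (weight, reason, predicate): every rule that fires adds its weight.
RULES = [
    (20, "new beneficiary", lambda r: r.new_beneficiary),
    (25, "investment purpose", lambda r: r.purpose == "investment"),
    (15, "purchase paid to a personal account",
     lambda r: r.purpose == "purchase" and r.payee_account_type == "personal"),
    (25, "CoP name mismatch", lambda r: r.cop_result in ("no_match", "close_match")),
    (10, "CoP unavailable", lambda r: r.cop_result == "unavailable"),
    (15, "vulnerability indicator", lambda r: r.vulnerable),
]

def score_payment(req: PaymentRequest) -> Decision:
    fired = [(w, why) for w, why, pred in RULES if pred(req)]
    score = sum(w for w, _ in fired)
    high_value = req.amount_gbp >= REFERRAL_THRESHOLD_GBP
    # Hard rules from the article: a high-value payment to a new payee is
    # referred to anti-fraud; any other high-value payment needs step-up auth.
    # Signal-driven scores reach the same outcomes for smaller payments.
    if (high_value and req.new_beneficiary) or score >= 70:
        action = "refer"
    elif high_value or score >= 45:
        action = "step_up"
    elif score >= 25:
        action = "warn"       # tailored warning for the selected payment purpose
    else:
        action = "allow"
    return Decision(action, score, [why for _, why in fired])
```

The returned reasons list is what a case handler or chatbot step-up would surface to the customer, and what you would log to tune weights against confirmed scams.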
Detection checklist
- Create a capability to proactively monitor accounts for suspected mule behaviour and develop a process to close and exit accounts where suspicions are confirmed (including raising a SAR). Confirmations can come from other PSPs (where their customer has reported being scammed by a payee banked by your firm) or through CIFAS notifications. Where there are suspicions based on transactional behaviour prior to a confirmation, steps should be taken to contact customers and obtain an explanation of the transactional activity observed (remembering that many mules may not be aware that they are committing a crime). Care should be taken to avoid tipping off the customer, and in the interim it may be pragmatic to restrict outgoing payments until a credible rationale can be obtained from the customer. It may also be sensible to perform further identity and verification checks, depending on how stringent the original onboarding checks were. Fraud teams should work collaboratively with financial crime teams when designing this capability, as there may be some overlap with transaction monitoring rules as well as the need to raise SARs.
Response checklist
- An effective fraud claims management capability has requirements around people, process and technology. This includes creating a mechanism or mechanisms that customers can use to start a fraud claim (e.g. telephone number, chat and/or email). Personnel will need to be trained on what information to collect, how to engage with distressed customers, and how this needs to be recorded and escalated (e.g. a documented procedure for logging fraud claims). Automation should be considered for low-value claims, being mindful of whether your organisation is applying the discretionary £100 claim excess.
Guidance on how fraud claims need to be investigated will need drafting, and the process for determining outcomes will need to be defined. A case management system will be required to ensure SLAs are adhered to and approval workflows are appropriate to the underlying value of claims. Case management should also be able to produce detailed reporting to facilitate tracking of KPIs such as case outcomes, fraud losses, case volumes and case handling times. This reporting should be aligned to the Compliance Data Reporting Standards (CDRS) defined by the PSR.
- With both sending and receiving payment firms responsible for 50% of the value of reimbursement, and rapid 5 working day SLAs expected for customer refunds, an efficient mechanism is required to request, approve and facilitate payments between PSPs. With hundreds of parties potentially involved, a consistent approach is required across the payments network to meet these expectations. Collaboration will be key!
Pay.UK is developing a ‘Reimbursement Claims Management System’ (RCMS), a system for all directed PSPs to communicate, manage claims and report information for APP scam claims. This system will also help with apportioning liabilities between the sending and receiving PSP. RCMS is, however, planned for release in May 2025. In the interim, firms will need to provide information to Pay.UK based on its Compliance Data Reporting Standards (CDRS). This information will be used as the basis for Pay.UK to monitor compliance with the reimbursement requirements.
- Explore how your firm can become a participant in the Enhanced Fraud Data (EFD) scheme, an ongoing initiative led by Pay.UK to improve fraud intelligence sharing between firms.
- Firms should attempt to recover fraud losses wherever possible. The responsibility to raise a Suspicious Activity Report (SAR) under AML regulations should also be considered, as each confirmed case of APP fraud generates proceeds of crime.