In 2023, we talked about the Payment Systems Regulator (PSR) first report on those organisations that send and receive APP-fraud transactions. The July 2024 report on 2023 data from the PSR, shows some progress, but also shows that more must be done. What next?
The 2024 report shows a 10% fraud reduction from the 14 largest bank groups; but more notable losses increase from the top-20 receiver firms – primarily the ‘non-directed firms’ or smaller payments companies.
Riskskill, as members of AIRFA, often stress that the PSR and FCA must ‘follow the money’ – i.e. where does it go and why. The 14 typically larger APP-fraud money senders receive instructions from customers like you and me when we have been tricked by fraudsters. However, the top-20 receiver PSPs of the APP frauds show us who helps the fraudsters to launder the money: i.e., the clients of firms that receive and distribute the money that is fraudulently obtained from victims.
The latest figures for 2023 show that 67% of APP fraud losses were re-imbursed by the sending banks, reflecting a slight increase on 2022. However, from October 2024 these losses will be shared (50%/50%) with the receiving firms. The receiving firms have loudly challenged this: even though it is them that are facilitating this by processing transactions for fraudsters. They have facilitated the opening and operation of accounts for them and have failed KYC and transaction-monitoring controls.
The ‘bad-boys’ are made public by the PSR, some new in 2023, i.e. the PSR has named the worst receiving PSP offenders.
Both the sender and receiving banks MUST by AML law know who and where its customer is, and must understand the nature of every transaction, and must investigate all suspicious transaction activity. It is these AML/CTF controls at the receiving firm that have failed: so we wonder whether these firms that should now accept 100% of the losses? If they adhered to the AML/CTF law, APP fraud may not exist, at a minimum greatly reduced!
In addition to the industry-agreed corrective actions, a focus MUST turn to the adequacy of KYC checks at the receiving firms, and in EVERY case upon who and how fraudsters were ‘let-into’ the payment systems. 50% reimbursement from October this year will push these firms to address their shortcomings. If they do not, the PSR/FCA must hold them 100% liable – i.e. financially and through audits and licence restrictions.
FCA action against Dzing Finance in 2022 with operating restrictions in 2023 meant that they have not appeared in the top 20 firms for 2023. But there needs to be more severe and faster action taken: and against more of these errant firms.
We strongly recommend that more assertive action is taken by the industry:
A. PSR and FCA to focus on faster and more assertive action against those firms that have inadequate KYC/CFT processes and controls, i.e., those that make financial crime easier.
B. PSR to widen its scope for directed firms and to immediately include the errant firms within the scope for directed-firms.
C. UK Finance to step-up support and guidance for its members, e.g., with performance target setting, AML/CTF training, best practices, etc., to help address problems.
D. PSR and FCA to focus support and guidance for non-directed PSPs, e.g., with APP fraud performance target setting, AML/CTF training, best practices, etc.
E. PSR to work with the FCA to initiate more urgent and formal AML/CTF audits with fast-track restrictions or withdrawal of operating permissions.
F. PSR to require receiving firm investigation and reporting on ALL reimbursed losses.
G. PSR to apply licence restrictions to receiving payments firms who take delayed, limited or no urgent action.
H. PSR and FCA to be ready to remove licences from and require audits upon the losses for any/all errant sending or receiving firms that challenge the reimbursement processes.
I. PSR and FCA to consider adjustment to the reimbursement model to reassign 100% APP fraud losses to receiving PSPs in specific situations.
If the UK payments industry wants to be seen as a global market leader and innovator or a secure payments system, it must act like one, and finally address this APP-fraud challenge.
Kevin Smith and Bill Trueman are directors at Riskskill, and are payments and risk specialist, with over 25 years of experience. For more information about Riskskill visit website at www.riskskill.com
Comments