Authorised Push Payment (APP) Fraud Insurance White Paper

Executive Summary

This White Paper examines the rationale behind introducing the new and far-reaching APP reimbursement regulations by the Payment System Regulator (PSR) that will apply to over 1,000 UK firms under Special Directive 20 (SD20), and how the insurance industry can help mitigate potentially far-reaching unintended APP-related industry risks.

APP reimbursement insurance is now available as part of the risk mitigation measures that firms can use to mitigate what may be severe and unintended industry-wide risks from these new regulations - particularly those firms that now have APP liability when receiving UK Faster Payments and CHAPS.

The new APP rules come into force on the 7th of October 2024 and are a potential minefield for many unprepared Financial Institutions (FI) - particularly small to medium-sized firms. Although this new bold action is designed to help improve fraud prevention, it is highly likely to create significant new risks and have unintended consequences for many UK banks, E-Money Institutions (EMIs) and Authorised Payments Institutions (APIs) as well as their Agents and Distributors.

In partnership with Elmore Insurance Brokers APP insurance is now available to qualifying UK banks, Payment Service Providers (PSPs), EMIs and APIs. Our new-to-market, innovative solution takes a proactive approach to insurance, combining our digital patented audit technology, Regulatory Audits as a Service (RAaaS) to help mitigate risk and exposure from these new regulations.

Due to the complex nature of APP fraud, getting insurance and keeping APP insurance coverage requires forward planning by firms that they need to start now, as well as a disciplined approach to compliance auditing and controls to ensure that the maximum amount of insurance is available for the premium paid. This paper also explains the process that has been developed with the insurance industry to make the application process and the audit verification and monitoring process as digital as possible for all concerned.

Table of Contents

1.0. APP fraud regulations

2.0. Main types of APP fraud

3.0. Payment Systems Regulator - Specific Direction 20 (SD20)

4.0. What does this mean for PSPs?

5.0. APP fraud reimbursement insurance

6.0. APP fraud Regulatory Audit as a Service (RAaaS)

7.0. APP insurance application and risk monitoring process

2.0. Main types of APP fraud

2.1. Impersonation fraud

a. Impersonation of Banks or Officials

Fraudsters pose as bank representatives, police officers, FCA, FOS or other officials to convince victims that their money is at risk and needs to be transferred to a safe account.

b. Impersonation of Family Members or Friends

Scammers impersonate friends or family members in distress, asking for urgent financial help.

2.2. Invoice or Mandate fraud

Fraudsters intercept legitimate invoices or create fake ones, tricking businesses or individuals into paying the fraudster's account instead of the legitimate payee's account. This often involves changing the bank account details on an invoice.

2.3. Purchase fraud

Victims are deceived into paying in advance for goods or services (like online shopping or holiday rentals) that do not exist or are never delivered.

2.4. Investment fraud

Scammers offer fake investment opportunities promising high returns. These can include schemes involving stocks, bonds, cryptocurrencies, or property.

2.5. Romance fraud

Fraudsters build online relationships with victims, gaining their trust over time before fabricating a financial emergency and requesting money.

2.6. CEO or Business Email Compromise (BEC) fraud

Scammers impersonate senior executives or business contacts through email, instructing employees to make urgent payments to the fraudster's account.

2.7. Advance Fee fraud

Victims are asked to pay an upfront fee for a service or product that never materialises, such as loans, lottery winnings, or inheritances.

2.8. Rental fraud

Fraudsters advertise properties for rent that they do not own or do not exist. Victims pay deposits or rent in advance and find out later that they have been scammed.

2.9. Refund fraud

Scammers claim to be from a company that owes the victim a refund. They trick the victim into "accidentally" sending too much money and then request the excess amount to be returned.

2.10. Cryptocurrency fraud

Victims are deceived into sending cryptocurrency to fraudsters under the pretence of investments, purchases, or other opportunities.

2.11. Fake Charities

Fraudsters pose as charities or use the cover of a charitable cause to solicit donations that go directly into their accounts.

2.12. Employment fraud

Victims are offered jobs and asked to pay for training materials, background checks, or other fees, but the job does not exist.

2.13. Ticket fraud

Scammers sell fake tickets for concerts, sports events, or other activities. Victims pay for tickets that either do not exist or are not valid.

It is expected that other new fraud typologies are likely to emerge post 7th October 2024.

APP Fraud Regulations

Main Types of APP Fraud

3.0. Payment Systems Regulator - Specific Direction 20 (SD20)

3.1. The PSR has issued guidance on the new fraud reimbursement rules, set by the operator of Faster Payments, Pay.UK, under Specific Direction 20 (SD20). This requires PSPs to follow certain rules for reimbursing victims of authorised push payment (APP) fraud. All firms are responsible for determining their legal obligations and all firms that participate in FPS and provide relevant accounts must comply with SD20 and the FPS reimbursement rules unless they can demonstrate otherwise.

3.2. The following definitions are all covered under SD20:

3.2.1. Account controlled by the consumer means a relevant account that a consumer can access and make payments from. It is not sufficient for it to be in the consumer’s name.

3.2.2. Authorised push payment (APP) means a consumer payment initiated by the sending PSP in accordance with an authorisation given by its consumer.

3.2.3. APP scam (authorised push payment scam) means where a person uses a fraudulent or dishonest act or course of conduct to manipulate, deceive or persuade a consumer into transferring funds from the consumer’s relevant account to a relevant account not controlled by the consumer, where:
i) the recipient is not who the consumer intended to pay; or
ii) the payment is not for the purpose the consumer intended.
For the avoidance of doubt, if the consumer is party to the fraud or dishonesty, this is not an APP scam for the purpose of the FPS reimbursement requirement, or the FPS reimbursement rules.

3.2.4. Authorisation for the purpose of SD20, in the context of a payment means that the payer has given their explicit consent to:
i) the execution of the payment transaction; or
ii) the execution of a series of payment transactions of which that payment transaction forms part.

3.2.5. Consumer for the purposes of SD20, refers to service users of PSPs. These are individuals, micro-enterprises (an enterprise that employs fewer than ten persons and that has either an annual turnover or annual balance sheet total that does not exceed €2 million) or charities (a body whose annual income is less than £1 million per year and is a charity as defined by the Charities Act 2011, Charities and Trustee Investment (Scotland) Act 2005 or the Charities Act (Northern Ireland) 2008).

3.2.6. Directed PSP means a PSP participating in the Faster Payments Scheme to which SD20 applies.

3.2.7. Faster Payments Scheme or FPS means the Faster Payments Scheme, a regulated payment system designated by Order from the Treasury on 1 April 2015.

3.2.8. FPS APP scam claim means one or more FPS APP scam payments made as part of an APP scam and made to the victim’s PSP.

3.2.9. FPS APP scam payment for the purposes of this direction, means an APP, authorised by a victim as part of an APP scam, that has all the following features:

i) It is executed through the Faster Payments Scheme;
ii) It is authorised by a PSP’s consumer;
iii) It is executed by that PSP in the UK;
iv) The payment is received in a relevant account in the UK that is not controlled by the consumer; and
v) The payment is not to the recipient the consumer intended or is not for the purpose the consumer intended

3.2.10. FPS reimbursement requirement means the obligation conferred on directed PSPs under paragraph 3.1 of SD20.

3.2.11. FPS reimbursement rules means any rules created as a result of Specific Requirement 1 (Faster Payments APP scam reimbursement rules) imposed on the Faster Payments Scheme operator to create and implement rules on PSPs reimbursing their consumers when they fall victim to APP scams.

3.2.12. Indirect access provider means a PSP with access to the Faster Payments Scheme that has an agreement or arrangements with another person for the purpose of enabling that other person (the ‘indirect PSP customer’) to provide services for the purposes of enabling the transfer of funds using the Faster Payments Scheme or to become a PSP in relation to the Faster Payments Scheme.

3.2.13. Member of the Faster Payments Scheme means a directly connected settling or directly connected non-settling participant.
Operator has the same meaning as under section 42(3) of Financial Services Banking Reform Act 2013 (FSBRA) in relation to the Faster Payments Scheme. The term Faster Payments Scheme operator is to be understood accordingly.
i) Participant has the same meaning as under section 42(2) of FSBRA.
ii) Payment System has the same meaning as under section 41(1) of FSBRA.
iii) Payment Systems Regulator (PSR) is the body corporate established under section 40 of FSBRA.

3.2.14. Payment service provider (PSP) has the same meaning as under section 42(5) of FSBRA.

3.2.15. Reimbursable FPS APP scam payment means an FPS APP scam payment where the consumer standard of caution exception does not apply, the victim is not party to the fraud or claiming fraudulently or dishonestly to have been defrauded and the claim was made within the time limit set out in the reimbursement rules.

3.2.16. Relevant account means an account that is provided to a service user, is held in the UK and can send or receive payments using the Faster Payments Scheme, but excludes accounts provided by credit unions, municipal banks and national savings banks.

3.2.17. Sending PSP means a PSP that provides a relevant account for a consumer, from which one or more FPS APP scam payments were made.

3.2.18. Service user means a person who uses a service provided by a payment system and is not a participant in that payment system.

3.2.19. Victim means a consumer who has made one or more FPS APP scam payments.

3.3. The full SD20 Reimbursement Requirements document can be viewed here.

4.0. What does this mean for PSPs?

4.1. All PSPs must implement robust fraud detection and prevention measures, including advanced cybersecurity protocols and educating their customers on recognising and avoiding scams.

4.2. They must also make sure that they communicate clearly with their customers about the reimbursement process and what customers need to do if they fall victim to fraud.

4.3. EMI principals and agency banking providers will be exposed via their Agent and Distributor network; enhanced oversight and controls will be paramount.

4.4. Most importantly, planning financial losses to cover the cost of reimbursing fraud victims is crucial. However, it is these mandatory payouts which expose the PSPs financially, and for the smaller organisations in particular, could have devastating consequences.

PSR SD20

PSPs

5.0. APP fraud reimbursement insurance

5.1. The Intended outcome of the new APP regulations is to reduce fraud on APP by providing direct financial incentives for Financial Institutions (FI) to improve the number, quality and sophistication of not only their own direct APP control, but also those of other FI in the payments chain with the 50% flow down provision. There are likely to be a number of unintended and serious consequences for FI's.

5.2. Getting APP insurance is one risk reduction measure that you can apply to your risk-based approach. The nature of your business, the way you treat and track vulnerable customers, the quality of your systems, your people and your processes and the sophistication of your controls will all impact the ability to prove that should your business have to refund an APP transaction, that there was no "Gross Negligence" and that a customer was not a 'vulnerable' customer at that time.

5.3. There are a substantial number of factors that will impact your ability to get APP Reimbursement Insurance and the pricing of this insurance, will be based on a mandatory RAaaS Compliance Audit (point 7), so we can clearly understand the mitigation controls you currently have in place and your exposure level.

5.4. The insurance policy will only cover the high spikes not your run rate fraud.

5.5. Eligible Participants: All participants within the FPS can obtain insurance, including:

i) EMI principals

ii) Banks offering agency banking

II) Individual Agents and Distributors

5.6. This insurance ensures that PSPs can comply with regulations while maintaining financial stability.

5.7. Risk Assessment: The insurance risk is high due to the prevalence of APP fraud. Effective fraud prevention measures are crucial for reducing exposure.

5.8. Robust measures can be:

i) Confirmation of Payee

ii) Enhanced customer on-boarding: such as CIFAS check-

III) Strong cybersecurity protocols: including SCA and authorisation methods-

iv) Customer education and communication be vigilant and prevent gross negligence-

v) Robust anti-fraud verification process: Including high risk payment verification and cool-off periods for large payments

5.9. Insurable PSPs:

i) Banks and Financial Institutions: With established fraud monitoring systems and secure transactional environment mentioned above

ii) FinTech’s: particularly in need of reimbursement coverage to cover the cost of reimbursement loss, specifically for any spikes of fraud.

6.0. APP fraud Regulatory Audit as a Service (RAaaS)

6.1. The APP RAaaS will review the risk mitigation and compliance controls that you have in place and it is intended, primarily, to provide the data to the underwriters to allow them to provide a risk based decision for your insurance policy - it is not intended to provide you with a consulting recommendations report for reducing this risk*.

Risk Mitigation measures for reducing APP fraud include, but not limited to:

6.1.1. Compliance

i) Culture of compliance in your FI.

ii) Adherence to the FCA 12 principles - especially consumer duty.

iii) Good Quality and well documented Policies, Procedures, and Processes are implemented and followed in practice.

iv) Quality HR processes, team training and education.

v) Warnings and UKFP 'cooling off periods for suspicious transaction' (and how these have been implemented and are they sufficient to support gross negligence).

vi) The quality and nature of your historic compliance audits and your suppliers (including banking partners and client money banking partners where relevant).

6.1.2. APP Mitigation Processes

i) The nature of your business and its risk profile to APP fraud typologies.

ii) Effective use of real time APP fraud detection technology.

ii) Effective KYC/KYB and regular refresh of this.

iv) Confirmation of Payee implementation.

v) CIFAS membership and effective use of this system and fast collaboration with other FI and CIFAS members.

vi) Fraud team size, quality, structure, tools, data, SLAs, 24x7 operations and empowerment.

vii) JMLIT membership (not open to all FI).

viii) The nature and quality of your historic fraud data including FOS complaints and general complaints.

ix) Other terms and conditions on your contracts and supply chain partners that related to APP controls and risk mitigation.

6.1.3. Consumers

i) Consumer education and warnings.

ii) Vulnerable customers - tracking of these in your CRM and the application of FCA regulations for these as they relate to APP.

iii) Methods of communications with customers and your FI ability to demonstrate these in contested and legal situations.

6.1.4. Payment Procedures

i) Payment Limits (Sending and Receiving) especially those relating to new payees and new receiving accounts and the cumulative values of these.

ii) Processes and Procedures for tracking high risk business (inc crypto, FX, NFT and non FIAT products) as well as those goods and services purchased online.

iii) Policies and Procedures for refunding and paying APP reimbursement to customers and to Recieving FI with and without consumer challenge and /or legal challenge.

6.1.5. Protection

i) The level of your APP insurance to cover fraud spikes.

ii) The level of insurance for wind down cover in the even that you FI were to hit a wind down trigger from APP fraud reimbursement.

iii) Cyber insurance and other insurance policies that may offer addition cover to your APP insurance policy.

6.2. APP fraud Reimbursement Insurance products will be tailored to your individual requirements with the application and supervision process supported by Green Swan’s digital compliance services.

*Please contact Green Swan Compliance separately should you require bespoke consulting advice or support - contact us

APP Insurance

RAaaS

7.0. APP insurance application and risk monitoring process

7.1. The following standard process steps may be adapted to individual firms' requirements and should be regarded as indicative:

Request for an initial meeting with mutual NDA between Green Swan Compliance and Elmore Insurance Brokers
Initial meeting normally via video call or face to face at Lloyds building
Completion of the initial insurance form questionnaire for a draft quotation by SD20 firm
Additional information requests from underwriters.
Indicative insurance quote and legal terms presented to SD20 firm
SD20 firm commissions APP insurance audit with Green Swan.
Finalised APP insurance application form and APP audit report presented to underwriters for final quotation and policy confirmation.
Insurance documents signed and premium paid for by SD20 firm
Weekly/monthly submission of loss data, and any additional audit updates as agreed in policy terms
Risk updates and digital APP audits by Green Swan Compliance to provide updated risk profiling and assessment of controls during the term of the insurance cover to underwriters as agreed in the policy Terms and Conditions.

Application