Authorised push payment fraud is where a payer is deceived or defrauded into authorising a payment to a criminal. If you are a victim of authorised push payment fraud, you should speak to your banking provider first. Each instance will be dealt with on a case-by-case basis as there is no one-size-fits-all.
Currently, where a payment is executed in accordance with the unique identifier (e.g. account number and sort code), Regulation 90 of the Payment Services Regulations 2017 states that a payment service provider has correctly executed the payment. As such, bank reimbursements are not mandatory.
The Payment Systems Regulator (PSR) and the payments industry have worked together to both prevent fraud, and to develop better mechanisms for reimbursing scam victims. The voluntary Contingent Reimbursement Model (CRM) Code (the Code), which began operating in 2019, has been signed by ten banking groups who agree to voluntarily reimburse APP fraud victims. The Code covers 90% of relevant transactions.
Victims may also be able to get their money back via the chargeback scheme. This is dependent on whether their debit and credit card providers subscribe to the chargeback scheme. The scheme allows card holders to challenge payments made from their respective accounts through the provider to suppliers. For direct debit payments using the BACS scheme, there is a direct debit guarantee. The real barrier with the chargeback scheme is that it does not presently cater for authorised push payment fraud.
Another route to reimbursement is through the Consumer Credit Act 1974 (CCA), if a transaction has been made using a credit card. Under the CCA, the credit borrower (card holder) is not responsible to the lender for any loss arising from another person who is not acting as the borrower’s agent (be it a friend or family member).
If a borrower gives their credit card to someone else to make purchases for them, but that individual makes further transactions that the borrower did not authorise, that someone will still be treated as the borrower’s agent. The difficulty is that, to date, “consent” is taken to be the provision of the recipient payment instruction detail.
Section 84 of the CCA states that unless a credit-token (credit card) is lost, stolen or liable to misuse, the card user may be made responsible for:
- £35 (or the credit limit if lower) for loss arising from the use of the credit-token between the period starting when the credit-token is not in the control of an authorised person and ending when the credit-token is back in their control.
- All of the loss from the use of a credit-token where it has been acquired by a person with the borrower’s consent.
Reimbursement to victims of APP scams remains inconsistent, with many victims continuing to suffer losses without reimbursement. This is in part because some firms have not made voluntary commitments to reimburse victims of APP scams, but also because even amongst firms who have made voluntary reimbursement commitments, there are disparities in how firms interpret their obligations.
In light of this, the government welcomed both the PSR’s Call for Views on APP Scams, and the subsequent Consultation on Authorised Push Payment (APP) Scams, which proposed introducing mandatory reimbursement for APP scams which occur over Faster Payments, as well as other measures to improve fraud prevention.