Making progress on push payment fraud
Authorised push payment (APP) fraud was already costing UK companies and individuals millions before the pandemic. But as digital transactions rose during lockdowns, companies sent staff home to work and people became more contactable online, by email or via smartphone, criminals took advantage. They adapted and evolved to the situation to increase the total number of APP cases by 22% in 2020, according to UK Finance.
But while the incidence of APP increased, so too did the occasions when fraud was stopped in its tracks. UK Finance members reported 149,946 incidents of APP scams in 2020, with gross losses of £479m. But banks and card companies prevented £1.6bn in unauthorised fraud in 2020. This represents incidents that were detected and prevented by firms and is equivalent to £6.73 in every £10 of attempted fraud being stopped. This outcome suggests that measures to prevent larger-scale fraud attempts may be working.
In May 2019, the Lending Standards Board (LSB) launched its Contingent Reimbursement Model Code to provide important protections for customers falling victim to APP scams. The voluntary code saw nine payment service providers sign up, agreeing that where they identify APP scam risks in a payment journey, they would take reasonable steps to provide customers with effective warnings and appropriate actions to avoid being duped into payments they believe to be legitimate.
The LSB has since reviewed the Code, and found that, while firms and payment providers are fully engaged with the process, there’s still work to be done. All participants to the review acknowledged that their warnings could be improved and enhanced, although warnings could not prevent all scams from succeeding. For these companies, the challenge lies in finding a balance between giving customers adequate and impactful warnings, without introducing undue friction in the payment journey for genuine transactions.
In the review, the LSB established that certain payment journeys didn’t flag any warnings, and the quality and type of warning differed between digital transactions and those in-branch or over the phone. The board also found that arbitrary thresholds were being applied to trigger warnings, that may result in increased risk for victims of scams below these set amounts.
In response to these and other issues, the board is recommending four key areas for improvement:
Governance approaches should not be focused purely on claims and data related to APP scam cases. Firms should use all MI at their disposal to assist with the development of warnings and to report on their impact in preventing scams.
Firms should formally document the procedures in place for designing, testing, implementing and assessing warnings across all channels to allow better evidence of reiterative review and to allow for succession planning.
Increased analysis of machine intelligence and data at key points should continue to be developed for use in both monitoring the success, or otherwise, of warnings and continual development.
Improvements are necessary to the oversight and assurance frameworks across all three lines of defence. Focus should be appropriate to the channel being overseen.