APP fraud developments: A risk-based approach to delayed payments

by Sarah Williams, senior associate, Baker & McKenzie LLP

What is this article about?

New regulations and guidance for payment service providers (PSPs) to delay outgoing payments to combat authorised push payment (APP) fraud.

Why is it important?

It outlines measures to reduce APP fraud while ensuring PSPs adhere to consumer protection standards.

What’s next?

PSPs need to review the proposals, provide feedback by 4 October 2024, and prepare to implement the changes.

Measures to combat authorised push payment (APP) fraud remain at the forefront of regulatory and governmental developments in 2024. In the next instalment of APP fraud-related changes, on 9 September 2024, the FCA issued a Guidance Consultation (GC 24/5) with guidance to payment service providers (PSPs) on new rules permitting the delay of outgoing payments.

In March 2024, HM Treasury published a draft Statutory Instrument (SI) proposing amendments to the Payment Services Regulations 2017 (PSRs) to enable PSPs to delay outgoing payment transactions. Specifically, the proposed SI will allow a PSP to delay an outgoing payment where (a) the PSP has established that there are reasonable grounds to suspect fraud or dishonesty, (b) those grounds are established no later than the end of the next business day following receipt of the payment order and (c) the PSP needs more time to contact the customer or a third party to establish whether to make the payment. PSPs will be allowed to delay for up to 4 business days. The new rules will apply to payments initiated by the payer and executed within the UK in sterling. These rules are not yet final, but legislation is expected to be laid before Parliament in due course.

In GC 24/5, the FCA is consulting on changes to the Payment Services and E-Money Approach Document to clarify:

  1. When and how PSPs should consider whether to delay an outbound payment transaction and when to tell customers about a delay;
  2. How PSPs should treat potentially suspicious inbound payment transactions; and
  3. How the FCA will monitor and evaluate PSPs’ implementation of the payment delays legislation and the types of information that the FCA plans to get from PSPs.

Key proposals

The FCA raises a number of questions on the proposed guidance in GC 24/5, and PSPs should pay close regard to the controls that the FCA expects them to have in place when considering whether to delay outbound payment transactions. Key proposals include:

  • Defining suspicion: The FCA proposes to take a similar approach to defining reasonable suspicions as that taken by the Joint Money Laundering Steering Group Guidance to ‘reasonable grounds to know or suspect’ money laundering or terrorist financing. This involves an objective test, and the FCA expects firms to be able to demonstrate the reasonable steps taken to understand the nature and rationale of a transaction. Firms will be familiar with this test from their suspicious activity reporting procedures but must consider what changes are needed to capture suspicions relating to outgoing payments.
  • Risk factors: The FCA has proposed various risk factors that might suggest a payment order was made following fraud and dishonesty. The document makes clear that no single factor will be decisive, and the relevance and weight of the factors will depend on the context.
  • Notification requirements: PSPs must notify the payer when delaying a payment transaction and provide reasons for the delay and how to resolve it. The FCA has noted the Consumer Duty in connection with this notification requirement, particularly the likely need to have a real-time human interface to respond to customer questions on delays. PSPs will also be expected to notify the payee’s PSP to enable the payee’s PSP to investigate any concerns. The FCA has asked respondents whether notification requirements should be extended to PISPs that initiate the payment order.
  • Inbound payments: The SI does not change the timeframe in which PSPs must process inbound payments; however, the PSRs already provide for the ability to delay where this is due to obligations of the PSP under other provisions of national law. The FCA clarifies in the GC that this is a high threshold and that decisions to delay should be made with the Consumer Duty in mind.
  • Consumer Duty: Finally, the FCA makes clear that firms must have regard to the Consumer Duty when implementing the new payment delay rules and following FCA guidance. PSPs face a challenging path to navigate between fraud risk management and delaying payments for genuine suspicion while avoiding the significant customer detriment that could arise when delaying legitimate transactions. PSPs must ensure that their systems and controls relating to delayed payments are considered through a Consumer Duty lens before implementation.

Next steps

PSPs face a series of APP fraud changes in the coming months. Changes to allow delays to outgoing payments are an important tool for PSPs to mitigate APP fraud risk, but these benefits must be balanced with the systems and controls needed to comply with FCA expectations. Firms must ensure they can navigate the balance between reducing APP fraud and minimising impacts on legitimate payment transactions once new rules come into effect.

The consultation closes on 4 October 2024. PSPs should review the proposals, provide comments to the FCA before this date, and be prepared to act on changes once implemented.
