Customer protection: A regulatory ‘last stand’?

by Jonathan Tyce


The Consumer Rights Act 2015 aimed to consolidate consumer protections in the UK, but rapid digital advancements in banking and payments have left regulators struggling to keep pace, with a renewed focus on customer protection against fraud and other risks.

In the UK, The Consumer Rights Act, which came into force on 1 October 2015, was designed to consolidate consumer rights in one place, enhance consumer protections, and “modernise the law to allow for digital advances.” Digital banking advances and the payments revolution have developed beyond all recognition since the Act came into effect, often leaving policymakers and regulators running to stand still.

As a result, and quite sensibly, industry oversight is increasingly focused on ‘customer protection’ as the yardstick for progress and success. By contrast, the industry is increasingly fixated on ‘customer experience’. Ultimately, these differing approaches should converge toward a similar end but, as ever, there will be several bumps in the road before this is realised, and much debate will remain.

The UK is leading the charge

Regulation is a dry topic at the best of times, and the consequences of change—most notably the unintended consequences—can have a far-reaching impact. “As a rule, regulation is acquired by the industry and is designed and operated primarily for its benefit.” Nobel laureate economist George Stigler’s quote neatly reflects the challenge of regulating virtually every industry.

It is also a useful place to start when considering a slew of new payments regulation kicking in from 2024 onwards across Europe. As with the tech industry and artificial intelligence (AI), the digital world of payments continues to advance so rapidly that, in many cases, regulation is often rendered outdated or ineffectual before it has fully come into effect.

The quote also succinctly encapsulates the concept of ‘regulatory capture’—where regulatory agencies sometimes advance the interests of the industries they are supposed to regulate rather than protect the public interest. A dichotomy in how regulatory change can impact sub-sectors differently is a current key debate point in the UK and worth discussing.

Unintended consequences coming into view

Robert Courtneidge, board advisor and payments expert at The Payments Association, rightly concludes that the UK—spearheaded by several regulatory and policy changes—is leading the charge on consumer protection and tackling the thorny regulatory issue of the digital revolution. While still clearly a work in progress, customer protection is vital, and tackling fraud remains central to any new regulations and rules implemented. 

Three stand out among the many important topics or ‘buckets’ regulators should consider when framing new initiatives to protect the consumer and regulate the industry:

  • Fraud;
  • Open banking/open finance/embedded finance; and
  • Digital revolution and new regulation.

For the purposes of this article, the UK and fraud risk are the focus, though new regulatory initiatives across the gamut of payments providers and products throughout Europe present an intriguing mix of risk and opportunity into 2025. Using open banking as a viable alternative to card schemes is one such initiative that speaks to the power of technology and its ability to level the playing field and lower costs for consumers.

A £1.2 billion problem to solve

Fraud and its prevention are among the most moveable feasts facing the payments space, as new technology and AI beget new criminal initiatives and tactics. In 2022, UK Finance data revealed that the cost of payment fraud in the UK topped £1.2 billion, down 8% versus 2021 but still a painfully large number.

Within this, authorised push payment (APP) fraud represented just shy of £500 million, with unauthorised fraud (including, for example, card, payment, and remote banking fraud) making up the balance.

“A clear risk from the proposed shift in risk-bearing for APP fraud resolution is how many of the 1400+ payment service providers, affected by the rule change, could be disincentivised from driving innovation or worst case be wiped out by the hit on their bottom line by these potential liabilities. This, by definition, would reduce competition and undo much of the good work that is being delivered,” Courtneidge rightly observes.

Source: UK Finance, Annual Fraud Report for 2022

Competition and innovation at risk?

Faster Payments (FPS)—the payment system across which most APP fraud occurs—will see rules change from 7 October 2024, as will retail clearing house automated payment system (CHAPS) payments.

Banks and payment service providers (PSPs) will then be required to reimburse victims of APP fraud, with the sending and receiving firms splitting the cost 50:50, so that the burden no longer falls solely on the banking sector. While the intention is clearly worthy—mandatory reimbursement to ensure that victims are compensated swiftly and banks and PSPs are incentivised to prevent such fraud—the unintended consequences are not.

Hundreds of millions of pounds in costs attached to this burden-sharing will imperil the solvency and viability of smaller financials and payments companies. Adding to this pressure for PSPs, the March 2024 Payment Services (Amendment) Regulations 2024 and policy notes—also in force from 7 October—will require companies to revisit their terms and conditions and processes to ensure that any delays in reimbursement are deemed lawful.

In addition, FPS’s new reimbursement claim management system (RCMS) will have to be in place to receive the registrations of these PSPs and all their subsequent data submissions in time for the 6 October rule change despite not being available for testing yet. Implicitly, this means that the cost of using FPS will rise, hitting small firms with lower revenue pools relatively more. This cost will be passed on to the consumer.

Whose cost and whose benefit?

More efficient implementation of the reimbursement policy
Direct costs to PSPs for using the RCMS
Smoother running of APP fraud data reporting
Administrative and other resource costs
Medium in the interim period, low thereafter
Effective monitoring of compliance
Constraining PSP choice of claims management system
Level playing field for PSPs

Source: PSR Consultation paper ‘The FPS APP scams reimbursement requirement: compliance and monitoring’ April 2024

Annexe 5.14 of the PSR’s ‘The FPS APP scams reimbursement requirement: Compliance and monitoring’ April 2024 update tries to put some numbers around what this will actually cost:

“The mandatory use of the RCMS will result in a direct cost to PSPs. The cost per year of operating this system, that Pay.UK would be looking to recover from industry starting from 2025, would be approximately 10% to 13% higher than the current cost of using Faster Payments. This would include onboarding, training and setting up costs, as well as ongoing costs for Pay.UK’s running and maintenance of the system. These costs will not be recovered by charging PSPs large fixed fees during registration or complex tariffs that may disadvantage smaller PSPs. Pay.UK is exploring options for a pricing model that is based on POND principles (proportionate, objective and non-discriminatory), and pricing is expected to be based on Faster Payments transaction volumes, APP scam case volumes, or a combination of both. Therefore, the cost of using the system is likely to be proportionate to the size and scale of scams and not be equally split across all the PSPs that are in scope of the direction. While this might be a sizeable cost to some firms, it is likely to be only marginally higher than, if not similar to, the costs that many PSPs would face in the baseline scenario.”

Having spared the reader the burden of trawling through hundreds of pages of jargon-filled regulatory documents, it is worth pondering for a moment what the excerpt above actually says. What we do know is that there will be a direct cost to PSPs, and it will be double-digit. What don’t we know? A lot.

“Likely”, “may”, “approximately”, “expected to be”, and other nebulous terms sadly undermine any reassurance that smaller fintech and PSPs may have sought that this would improve the industry and drive competition and innovation.

Deep pockets always win—why the rush?

It’s not a great look to simply pay lip-service to sharing the burden of costs, especially when smaller companies will feel the impact much more than larger ones, while banks get some relief from the expenses related to payments fraud. The big three domestic banks—Lloyds, NatWest, and Barclays—reported a combined net profit of around £15 billion in 2023. With interest rates remaining high for an extended period, many fintech companies and smaller players are struggling to survive and secure funding. They shouldn’t be pushed to the brink in this manner.

Rushing through systemic changes—rather than phasing in, for example, the risk-cost sharing mechanism—seems a little unnecessary. Foisting a new reimbursement claim management system (RCMS) onto PSPs when it is not even available for testing less than six months before launch seems like an unnecessary risk, given all that is at stake.

Courtneidge’s balanced comment on addressing this is fair: “The PSR, Pay.UK, and the payments industry need to work together to create a proper rule system, similar to the chargeback system for cards, and build it into a fully functioning RCMS which will reduce fraud and properly manage compensation pay-outs to vulnerable consumers whilst providing the best education to them to stop fraud at source. This can only be done if Big Tech and telcos also join the battle as this is the source of most APP scams.”

Having led the article with an apposite quote from one American economist, the thoughts of another renowned American economist, also a social philosopher and political commentator, seem appropriate in this case:
“It is hard to imagine a more stupid or more dangerous way of making decisions than by putting those decisions in the hands of people who pay no price for being wrong.” - Thomas Sowell

Payments Review Summer 2024