New rules in UK could reimburse fraud victims up to £415,000 ($525,000)

New rules in the United Kingdom could see victims of romance and investment scams reimbursed by the banks involved in sending and receiving fraudulent payments in a radical change to who is liable for these losses.

The Payment Systems Regulator (PSR) said the new reimbursement requirement would come into force in October 2024, and would see victims repaid up to £415,000 ($525,000) unless the bank can prove the individual “acted with gross negligence.”

The definition of “gross negligence” is contentious. Historically, banks have argued that if a customer in any way authorizes a transaction — perhaps after dismissing a routine fraud warning — then they are liable for all of the losses.

However, the new rules take note of observed consumer behaviors such as alert fatigue and, according to the PSR, set a higher bar for what qualifies as “gross negligence.” Disputes regarding reimbursement will be considered by the Financial Ombudsman Service.

Authorized push payment (APP) fraud involves the account holders themselves being manipulated into authorizing a transaction, as distinguished from frauds where the criminals have stolen payment card details. Cases can involve people who have paid for goods or services that are never delivered, as well as the victims of romance scams and of fraudsters impersonating banks or the police who warn them of an emergency and encourage them to transfer funds to a “safe account.”

In the U.K., more than £505 million ($639 million) was stolen from individuals in APP scams last year, and more than £77 million ($97 million) from micro-businesses and charities, according to UK Finance’s annual report.

In the first half of this year, £239 million ($302 million) was pilfered from British residents in APP incidents. Under voluntary rules that the PSR previously introduced — known as the Contingent Reimbursement Model (CRM) Code — just over £152 million ($192 million) of APP losses was returned to victims, about 64% of the total losses, during the same period.

Banks refusing to refund fraud victims

PSR data reveals a wide discrepancy between banks in terms of these reimbursements. Curiously, the bank with the highest percentage of APP fraud losses that were reimbursed to customers — with 91% of losses refunded — was TSB, a bank which has not signed up to the CRM code.

Matthew Hepburn, spokesperson for TSB, said it opted to differ from the code because the code looks “to apportion blame after customers fall victim to the UK’s most common crime,” whereas the bank instead said it “recognises that fraud attacks are increasingly complex and sophisticated, and that innocent victims deserve to get their money back and not be forced to live with the devastating consequences of fraud.”

Starling Bank, which has in contrast signed up to the code, only reimbursed 37% of losses. Other than TSB, payment service providers who are not members of the CRM code always reimbursed fewer losses than those that were, with AIB (10%), Danske Bank (20%), and Monzo (22%) the worst performers.

A spokesperson for Starling Bank said it had strengthened its anti-fraud measures since the PSR data was compiled. AIB’s spokesperson said that the bank had the lowest level of APP fraud per transaction. Monzo did not respond to a request for comment.

Steven Murdoch, a professor of security engineering at University College London (UCL), said the surprising range of reimbursement rates was probably why the PSR decided to replace its voluntary rules with something enforceable. He noted that the volume of APP fraud has been growing in the U.K. in recent years, which he described as “not unrelated” to the fact that the banks weren’t held liable for these incidents.

Economic incentives

A proposal similar to PSR’s has been made in the U.S. Congress. Earlier this year the House Financial Services Committee proposed the so-called Protecting Consumers From Payment Scams Act, which if enacted would entitle the customers of a payment service provider to be reimbursed if their transfer was “fraudulently induced” without any reference to negligence. That proposal also places the liability for the losses on the recipient bank, which ensures they are meeting their Know-Your-Customer obligations.

“The US draft law creates a strong incentive for banks to prevent fraud rather than blame customers, by removing the wiggle-room that UK banks use in refusing to reimburse victims. The US proposal also incentivises the banks that receive the fraudulent transactions by requiring them to compensate the victim’s bank,” as Murdoch wrote on the UCL blog Bentham’s Gaze.

These economic interventions are significant, argues Murdoch. Under the British proposals, victims of fraud would have their reimbursements capped at £415,000 ($525,000), which poses a risk of “moral hazard,” he explained, referencing the economic situation where one party could have an increased tolerance for risk because it won’t bear the full costs of that risk.

“The general principle for secure systems is that the person who is in the position to control the losses should be the one who has to pay the cost of those losses. Customers have very little control over their losses, they don’t get to set the analysis system, they don’t get to set transaction limits. So my concern is that financial institutions will not see sufficient incentive to stop these very large potential frauds from happening,” he said.

“Whereas, if their liability was uncapped — just as customers’ liabilities are uncapped — then it would justify perhaps very extensive and perhaps very expensive fraud prevention techniques. Now their liability is capped, there are not the same incentives put in place. That’s very important for financial institutions, because they have teams of data scientists and lawyers and managers who are very carefully optimising everything to do with the business.”

Alexander Martin

Alexander Martin is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.