Anti-fraud controls and complaint handling in firms (with a focus on APP Fraud)

This multi-firm review will be of interest to UK payment service providers (PSPs) which includes banks, building societies and other businesses that provide payment accounts.

All payment service providers should regularly evaluate their approach to identifying the fraud risks that they and their customers are exposed to. They must continue to develop their defences against fraud and ensure their control frameworks are fit for purpose. 

Firms must put the needs of their customers first and deliver consistently good outcomes for them. This includes helping customers understand what fraud is and how to identify it, making it easy for customers to report fraud and setting out what they can expect from the firm when they do report it. In addition, firms should support the victims of fraud so they are treated fairly in all their interactions with the firm, including if they make a complaint. Firms should be particularly mindful of the needs of customers who may be more vulnerable. 

We recognise that firms have invested in their systems and controls to detect and prevent fraud. Some firms have made more progress or had more success than others in what is a constantly evolving issue. Firms may want to use our findings to inform a review into their own anti-fraud systems and controls, as well as their approach to handling customer complaints about fraud. Firms who identify shortfalls against our expectations should take appropriate action to address these. The section ‘What we expect from firms’ sets out our expectations in more detail.

UK Finance’s (UKF) 2023 Half Year Fraud Update[1] reported that losses due to APP scams in the first six months of 2023 totalled £239.3m, comparable with losses reported in 2022 (£485.2m annual losses). However, the volume of reported cases in H1 2023 rose by 22% to 116,324, when compared to H1 2022. These numbers are likely to be an underestimate, given that the National Crime Agency[2] estimates that 86% of fraud instances go unreported. UK Finance also show that £152.8m was returned to victims in H1 2023 (representing 64% of losses), an increase of 13% (from £135.6m) in H1 2022 (54% of losses).

In March 2023 the Government published its second Economic Crime Plan[3], which sets out what the public and private sectors should do to continue to transform the UK’s response to economic crime, and in May 2023 it published its new Fraud Strategy: stopping scams and protecting the public[4]. This recognises that 40% of recorded crime in the UK is now fraud. 

The FCA has a key role to play in delivering this strategy. The FCA’s 2023/24 Business Plan[5] reiterated our commitment to reducing and preventing financial crime, and in particular, our commitment to slowing the growth of APP fraud. 

APP fraud happens when someone is tricked into sending money to a fraudster posing as a genuine payee. There are various types of APP scams which are either:

• ‘malicious payee’, for example tricking someone into buying goods which don’t exist or are never received
• ‘malicious redirection’, for example a fraudster impersonating bank staff to get someone to transfer funds out of their bank account and into the fraudster’s account   

Fraudsters often try to exploit the challenges many consumers face due to the rising cost of living. Customers in vulnerable circumstances may be particularly susceptible to exploitation.  

It is important that firms have both robust control frameworks and well-resourced and effective customer support in place. These need to evolve as fraud threats evolve. Supported by technology and the sharing of intelligence these can help firms to identify fraud and fraud risks, and so reduce fraud and its impact on consumers.

We chose a risk-based sample of firms to review, including firms of different types, size and risk profile. This selection was informed by data submitted by firms in the FCA’s Payments Fraud Report and to the Payment Systems Regulator[6] (PSR), including data on fraud volumes, value and type. We also considered data and intelligence on customer complaints, including cases submitted to the Financial Ombudsman Service[7]. We overlayed this with supervisory insight and case-level intelligence to identify and select a mixed sample of 12 current account providers, challenger banks and payment firms. 

We carried out a high-level evaluation of their approach to fraud risk management, with a focus on APP fraud. We:

• reviewed firms’ fraud strategies and the critical elements of operational processes
• considered how fraud detection and prevention systems and controls operate in practice in the face of evolving fraud attacks 
• examined how firms ensure appropriate oversight of the risk framework for all types of fraud including how management information is reported and acted on
• assessed the customer experience and fairness of customer outcomes by looking at how firms manage and respond to fraud complaints

The PSR recently published data[8] on the level of APP fraud reported by the 14 largest UK banking groups. This shows the extent to which, in 2022, certain firms were used to send or receive fraudulent funds.

In June 2023 the PSR also published its Policy Statement PS23/3: Fighting authorised push payment fraud: a new reimbursement requirement[9] which, from 2024, will apply to payments made and received by PSPs using the Faster Payments system. It will introduce consistent minimum standards to reimburse victims of APP fraud.

Essentially it will:

• require PSPs to reimburse all in-scope customers who fall victim to APP fraud, unless the consumer is involved in the fraud themselves, or has acted with gross negligence
• share the cost of reimbursing victims 50:50 between sending and receiving PSPs, to provide incentives for both to detect and prevent fraud
• provide additional protections for vulnerable customers

Under the new reimbursement requirement, sending PSPs will also have the option to apply a claim excess, and there will be a maximum level of reimbursement set. The PSR have consulted on the appropriate maximum level of reimbursement and maximum excess and committed to publish the results in PSR guidance in Q4 2023.

Until this is in force, 10 firms are currently signed up to a Contingent Reimbursement Model Code[10] overseen by the Lending Standards Board[11] (LSB). 

In the Treasury's Call for Evidence[12] earlier this year on the Payment Services Regulations 2017, they outlined a commitment to explore potential legislative solutions to enable firms to delay making payments in cases where fraud is suspected past the currently permitted time period of D+1 (end of the next working day).

We are actively supporting the Treasury during policy development, ensuring any new legislation is fit for purpose, and minimises unintended consequences, such as an increase in delays to legitimate payments. We also recently published our findings[13] relating to firms’ systems and controls in mitigating the risk that they are used by fraudsters to cash out the proceeds of fraud (using money mule accounts). 

Although we observed some examples of effective control frameworks and good practice, we were disappointed to find several common weaknesses in key areas of firms’ fraud risk management frameworks and customer treatment including:

• an insufficient focus on delivering good consumer outcomes in many of the firms we reviewed
• management information and actions often focused on commercial risk appetite, rather than customer impact and treatment
• significant scope in many firms to improve the support provided to victims of fraud including from the first point of contact. In many cases, firms need to do more to enable customers to report fraud easily and promptly
• poor complaint handling including firms often taking too long to respond to customer complaints
• customers provided with decision letters that were sometimes unclear, confusing, or included unhelpful and, on occasion, accusatory language
• limited evidence that firms are appropriately taking account of characteristics of customer vulnerability when making decisions about fraud claims and complaints 

We include more detail on our findings below.

The approach to managing the risk of money mules was also a particular gap in several firms. In October we published our separate findings relating to Proceeds of Fraud – Detecting and preventing money mules[17] and our expectations that firms continuously reassess their strategy for identifying, evaluating and monitoring the risks associated with money mules. It included information on good practice as well as areas for improvement in detection and monitoring methods to identify and mitigate money mule activities.

We expect firms to:

• have effective governance arrangements, controls and MI to detect, manage and reduce APP fraud and losses
• treat customers fairly, including when they complain, and to deliver consistently good outcomes to customers who are victims of fraud. This includes firms ensuring they are doing enough to: 
  • enable customers to report fraud easily and promptly
  • communicate clearly with customers
  • provide appropriate support to customers who display characteristics of vulnerability
• ensure they are doing enough to mitigate the risks of money mule accounts (see our communication Proceeds of Fraud – Detecting and preventing money mules[18])

Firms should also consider what further steps they can take now to:

• put in place control frameworks that enable them to comply with the PSR’s new reimbursement requirement, and
• prepare (where not already adopted) for the expansion of Confirmation of Payee, as per the PSR’s ‘Specific Direction 17 on expanding Confirmation of Payee’.

The Consumer Duty[5], which came into force on 31 July 2023, sets a higher standard of care that firms must provide to consumers in retail financial markets and plays a key role in underpinning our expectations of firms in this area. All firms should be focused on putting consumers at the heart of their business and delivering good outcomes. Firms should assure themselves that they are complying with the rules:

• the Consumer Principle, which requires firms to act to deliver good outcomes for retail customers
• the cross-cutting rules for firms to act in good faith towards retail customers, avoid causing foreseeable harm to retail customers, and enable and support retail customers to pursue their financial objectives 
• our outcomes rules on the design of products and services, price and value, consumer understanding and consumer support

We previously included some examples of what this might mean for firms, for example, in our February 2023 Implementing the Consumer Duty[6] letter sent to Retail Banks and Building Societies. This said that firms should consider:

• processes relating to freezing of accounts, including, for example, whether it would be appropriate to make such freezing:
  • less frequent (eg through better upfront onboarding and Know Your Customer controls and more accurate and intelligent transaction monitoring)  
  • less protracted (eg through better resourced and swifter investigation of suspicions)  
  • better communicated (to the extent possible within the constraints of avoiding tip off)  
  • better supported (especially for customers put into acute financial difficulties by the freeze)
• how they provide appropriate support to customers who feel they are victims and may be distressed, and do not treat them unduly harshly when they complain 
• if a firm provides support mainly or only through one channel, for example a digital channel, having exceptions processes to deal effectively with non-standard issues that could arise: eg customers reporting fraud concerns.

We are working with firms in our review to strengthen their approach. We will continue to monitor how payment firms are meeting our expectations to slow the growth in APP fraud cases and losses, as well as fraud more generally, and to put the needs of customers first.