Tackling financial crime, including authorised push payment (APP) fraud, continues to be a priority for the FCA. This publication sets out the key findings from our review of how firms mitigate the risks of APP fraud and fraud attacks more broadly. It includes examples of good practice and areas for improvement.
Who this applies to
This multi-firm review will be of interest to UK payment service providers (PSPs) which includes banks, building societies and other businesses that provide payment accounts.
What firms need to do
All payment service providers should regularly evaluate their approach to identifying the fraud risks that they and their customers are exposed to. They must continue to develop their defences against fraud and ensure their control frameworks are fit for purpose.
Firms must put the needs of their customers first and deliver consistently good outcomes for them. This includes helping customers understand what fraud is and how to identify it, making it easy for customers to report fraud and setting out what they can expect from the firm when they do report it. In addition, firms should support the victims of fraud so they are treated fairly in all their interactions with the firm, including if they make a complaint. Firms should be particularly mindful of the needs of customers who may be more vulnerable.
We recognise that firms have invested in their systems and controls to detect and prevent fraud. Some firms have made more progress or had more success than others in what is a constantly evolving issue. Firms may want to use our findings to inform a review into their own anti-fraud systems and controls, as well as their approach to handling customer complaints about fraud. Firms who identify shortfalls against our expectations should take appropriate action to address these. The section ‘What we expect from firms’ sets out our expectations in more detail.
Why we did this work
UK Finance’s (UKF) 2023 Half Year Fraud Update reported that losses due to APP scams in the first six months of 2023 totalled £239.3m, comparable with losses reported in 2022 (£485.2m annual losses). However, the volume of reported cases in H1 2023 rose by 22% to 116,324, when compared to H1 2022. These numbers are likely to be an underestimate, given that the National Crime Agency estimates that 86% of fraud instances go unreported. UK Finance also show that £152.8m was returned to victims in H1 2023 (representing 64% of losses), an increase of 13% (from £135.6m) in H1 2022 (54% of losses).
In March 2023 the Government published its second Economic Crime Plan, which sets out what the public and private sectors should do to continue to transform the UK’s response to economic crime, and in May 2023 it published its new Fraud Strategy: stopping scams and protecting the public. This recognises that 40% of recorded crime in the UK is now fraud.
The FCA has a key role to play in delivering this strategy. The FCA’s 2023/24 Business Plan reiterated our commitment to reducing and preventing financial crime, and in particular, our commitment to slowing the growth of APP fraud.
APP fraud happens when someone is tricked into sending money to a fraudster posing as a genuine payee. There are various types of APP scams which are either:
- ‘malicious payee’, for example tricking someone into buying goods which don’t exist or are never received
- ‘malicious redirection’, for example a fraudster impersonating bank staff to get someone to transfer funds out of their bank account and into the fraudster’s account
Fraudsters often try to exploit the challenges many consumers face due to the rising cost of living. Customers in vulnerable circumstances may be particularly susceptible to exploitation.
It is important that firms have both robust control frameworks and well-resourced and effective customer support in place. These need to evolve as fraud threats evolve. Supported by technology and the sharing of intelligence these can help firms to identify fraud and fraud risks, and so reduce fraud and its impact on consumers.
What we did
We chose a risk-based sample of firms to review, including firms of different types, size and risk profile. This selection was informed by data submitted by firms in the FCA’s Payments Fraud Report and to the Payment Systems Regulator (PSR), including data on fraud volumes, value and type. We also considered data and intelligence on customer complaints, including cases submitted to the Financial Ombudsman Service. We overlayed this with supervisory insight and case-level intelligence to identify and select a mixed sample of 12 current account providers, challenger banks and payment firms.
We carried out a high-level evaluation of their approach to fraud risk management, with a focus on APP fraud. We:
- reviewed firms’ fraud strategies and the critical elements of operational processes
- considered how fraud detection and prevention systems and controls operate in practice in the face of evolving fraud attacks
- examined how firms ensure appropriate oversight of the risk framework for all types of fraud including how management information is reported and acted on
- assessed the customer experience and fairness of customer outcomes by looking at how firms manage and respond to fraud complaints
What else we and others are doing
The PSR recently published data on the level of APP fraud reported by the 14 largest UK banking groups. This shows the extent to which, in 2022, certain firms were used to send or receive fraudulent funds.
In June 2023 the PSR also published its Policy Statement PS23/3: Fighting authorised push payment fraud: a new reimbursement requirement which, from 2024, will apply to payments made and received by PSPs using the Faster Payments system. It will introduce consistent minimum standards to reimburse victims of APP fraud.
Essentially it will:
- require PSPs to reimburse all in-scope customers who fall victim to APP fraud, unless the consumer is involved in the fraud themselves, or has acted with gross negligence
- share the cost of reimbursing victims 50:50 between sending and receiving PSPs, to provide incentives for both to detect and prevent fraud
- provide additional protections for vulnerable customers
Under the new reimbursement requirement, sending PSPs will also have the option to apply a claim excess, and there will be a maximum level of reimbursement set. The PSR have consulted on the appropriate maximum level of reimbursement and maximum excess and committed to publish the results in PSR guidance in Q4 2023.
In the Treasury's Call for Evidence earlier this year on the Payment Services Regulations 2017, they outlined a commitment to explore potential legislative solutions to enable firms to delay making payments in cases where fraud is suspected past the currently permitted time period of D+1 (end of the next working day).
We are actively supporting the Treasury during policy development, ensuring any new legislation is fit for purpose, and minimises unintended consequences, such as an increase in delays to legitimate payments. We also recently published our findings relating to firms’ systems and controls in mitigating the risk that they are used by fraudsters to cash out the proceeds of fraud (using money mule accounts).
What we found
Although we observed some examples of effective control frameworks and good practice, we were disappointed to find several common weaknesses in key areas of firms’ fraud risk management frameworks and customer treatment including:
- an insufficient focus on delivering good consumer outcomes in many of the firms we reviewed
- management information and actions often focused on commercial risk appetite, rather than customer impact and treatment
- significant scope in many firms to improve the support provided to victims of fraud including from the first point of contact. In many cases, firms need to do more to enable customers to report fraud easily and promptly
- poor complaint handling including firms often taking too long to respond to customer complaints
- customers provided with decision letters that were sometimes unclear, confusing, or included unhelpful and, on occasion, accusatory language
- limited evidence that firms are appropriately taking account of characteristics of customer vulnerability when making decisions about fraud claims and complaints
We include more detail on our findings below.
Governance, Oversight and Management Information (MI)
In some firms we observed governance frameworks that appear to be effective and well established but, in many cases, firms need to do better. We were particularly disappointed that some firms could not evidence effective oversight and challenge by relevant senior management forums or Board committees.
In many cases, MI focused primarily on reporting against commercial risk appetite and financials. The strongest examples of MI included relevant customer-centric measures and demonstrated how these measures informed decision-making to strengthen anti-fraud systems and controls and improve customer outcomes and service.
Our work reporting on the Proceeds of Fraud – Detecting and preventing money mules found that where firms have more reported mule accounts than their peers, there is also a lack of MI and senior management oversight to ensure that steps are taken to address the risk and assess the impact of interventions.
Fraud systems and controls
At the time of our review, some firms in our sample had anti-fraud control frameworks that were still developing and yet to embed. Most firms had recently reviewed their anti-fraud strategy and identified the need to strengthen systems and controls to detect, prevent and manage fraud.
Most firms in our review had significant scope to further build-out and strengthen their approach. We expect firms to ensure they are doing enough to consider, monitor and mitigate the risks of different fraud types occurring, from onboarding a customer and throughout their relationship with the firm.
This includes strategies for preventing and detecting fraud such as identifying and acting on information identified through customer onboarding, transaction monitoring, ongoing customer and account-level monitoring, device monitoring, and use of intelligence.
Our communication Proceeds of Fraud – Detecting and preventing money mules also highlighted the need for firms to have proportionate and adequate systems and controls, including to mitigate the risk of money mules.
We note that the use of behavioural biometrics by some firms to try and identify whether a customer is being socially engineered can be a useful tool to prevent and detect fraud.
The use of risk-based, automated warning messages during the payment journey, can be effective to help customers consider whether the payment they are making is to a genuine payee. The Consumer Duty Finalised Guidance FG 22/5 (Paragraph 5.23) confirms the importance of firms having adequate systems and processes to avoid foreseeable harm, including to design, test, tailor and monitor the effectiveness of such messages.
We have observed that manual intervention for potentially high-risk payments, where customers need to interact with a staff member before a payment instruction is confirmed, can create positive friction in the payment journey and be helpful in preventing some fraudulent payments. Such intervention, where appropriate, supported by trained and experienced staff, can engage customers and determine whether a transaction is legitimate.
Firms should consider whether their systems and controls are effective and whether there is more they should do to enhance their approach to fraud prevention.
Use of intelligence
We were pleased to see that most firms actively engaged with various external bodies to discuss intelligence and horizon scan for future threats. As signposted in our communication Proceeds of Fraud – Detecting and preventing money mules, this enables firms to take pre-emptive action to prevent fraud, for example where a new mule network or new fraud type is identified. It is important that intelligence is acted on quickly to help prevent and detect fraud.
Some firms told us that receiving PSPs can be slow to freeze fraudulent funds. We expect receiving PSPs to act promptly in fulfilling their legal duties and ensuring good customer outcomes when notified of a fraudulent payment. The PSR’s new reimbursement requirement (due to come into force in 2024) will increase their incentives to act.
Customer treatment & awareness
We are concerned that customers cannot always report fraud easily or promptly. Firms’ websites do not always provide clear information about how a customer can contact a firm to report fraud or what action to take if the fraud occurs outside the firm’s standard opening hours. This can exacerbate the impact of fraud on customers and reduce the chances of being able to take prompt action to stop the fraud or to attempt to recover the funds.
We noted that fraud and complaints teams were not always appropriately resourced. This often impacted the quality and speed of customer service when investigating fraud cases or dealing with complaints. This, in turn, has potential to cause further consumer harm and distress, for example, long call waiting times to report fraud, incorrect advice being provided, customers being passed to multiple departments leading to significant delays and overly long call durations.
Customers whose accounts are frozen due to concerns about fraud can suffer further distress and inconvenience if they cannot access funds or make legitimate payments. Where this has occurred, firms should consider what they can do to investigate as soon as possible so that they can quickly unfreeze accounts where their concerns are unfounded. Firms should consider how they support customers and communicate effectively with them during this period.
We were pleased to see that some firms considered the extra support they were able to offer customers. For example, given the prevalence of fraud, customers may often be concerned about a payment they are planning to make. One firm offers a service where customers can contact them at any time to discuss concerns about potential scams and the firm will help them consider the risk of a payment they are planning to make.
Some firms adopt a multi-channel approach to raise customer awareness of how to avoid falling victim to a scam. For example, one firm has launched a free app that raises awareness of fraud and cyber security to help prevent people from falling victim to scams. It is free to both customers and non-customers.
Approach to customer complaints
We were often disappointed with the quality of firms’ complaint handling observed during our review. Some firms were very slow to respond to complaints.
In some cases, communication with customers throughout the complaint handling process was poor, for example, a failure to provide regular and timely updates to the customer and the customer having to chase the firm for an update (sometimes multiple times).
Final response letters were often poorly written. Some were insufficiently tailored to the circumstances of the case. We saw examples of technical jargon, aggressive and sometimes accusatory language being used. In some cases, the rationale for the final decision was unclear.
Treatment of customers in vulnerable circumstances
All firms stated they consider characteristics of vulnerability when making decisions about fraud claims and complaints. However, from our review of complaints it was often unclear how this was evidenced.
Customers in vulnerable circumstances must experience outcomes as good as those for other consumers and receive consistently fair treatment. We expect firms to provide their customers with a level of care that is appropriate, given their characteristics.
Money mules detection and prevention
The approach to managing the risk of money mules was also a particular gap in several firms. In October we published our separate findings relating to Proceeds of Fraud – Detecting and preventing money mules and our expectations that firms continuously reassess their strategy for identifying, evaluating and monitoring the risks associated with money mules. It included information on good practice as well as areas for improvement in detection and monitoring methods to identify and mitigate money mule activities.
What we expect from firms
We expect firms to:
- have effective governance arrangements, controls and MI to detect, manage and reduce APP fraud and losses
- treat customers fairly, including when they complain, and to deliver consistently good outcomes to customers who are victims of fraud. This includes firms ensuring they are doing enough to:
- enable customers to report fraud easily and promptly
- communicate clearly with customers
- provide appropriate support to customers who display characteristics of vulnerability
- ensure they are doing enough to mitigate the risks of money mule accounts (see our communication Proceeds of Fraud – Detecting and preventing money mules)
Firms should also consider what further steps they can take now to:
- put in place control frameworks that enable them to comply with the PSR’s new reimbursement requirement, and
- prepare (where not already adopted) for the expansion of Confirmation of Payee, as per the PSR’s ‘Specific Direction 17 on expanding Confirmation of Payee’.
The Consumer Duty
The Consumer Duty, which came into force on 31 July 2023, sets a higher standard of care that firms must provide to consumers in retail financial markets and plays a key role in underpinning our expectations of firms in this area. All firms should be focused on putting consumers at the heart of their business and delivering good outcomes. Firms should assure themselves that they are complying with the rules:
- the Consumer Principle, which requires firms to act to deliver good outcomes for retail customers
- the cross-cutting rules for firms to act in good faith towards retail customers, avoid causing foreseeable harm to retail customers, and enable and support retail customers to pursue their financial objectives
- our outcomes rules on the design of products and services, price and value, consumer understanding and consumer support
We previously included some examples of what this might mean for firms, for example, in our February 2023 Implementing the Consumer Duty letter sent to Retail Banks and Building Societies. This said that firms should consider:
- processes relating to freezing of accounts, including, for example, whether it would be appropriate to make such freezing:
- less frequent (eg through better upfront onboarding and Know Your Customer controls and more accurate and intelligent transaction monitoring)
- less protracted (eg through better resourced and swifter investigation of suspicions)
- better communicated (to the extent possible within the constraints of avoiding tip off)
- better supported (especially for customers put into acute financial difficulties by the freeze)
- how they provide appropriate support to customers who feel they are victims and may be distressed, and do not treat them unduly harshly when they complain
- if a firm provides support mainly or only through one channel, for example a digital channel, having exceptions processes to deal effectively with non-standard issues that could arise: eg customers reporting fraud concerns.
We are working with firms in our review to strengthen their approach. We will continue to monitor how payment firms are meeting our expectations to slow the growth in APP fraud cases and losses, as well as fraud more generally, and to put the needs of customers first.