UK bill seeks to protect access to cash and victims of APP fraud

The news: The Financial Services and Markets Bill, announced in the Queen’s Speech, aims to safeguard access to cash and also protect victims of authorized push payment (APP) fraud in the UK.

More on the bill: The bill is part of a wider plan to maintain and enhance the UK’s position as a global leader in financial services. The bill will:

• Ensure access to withdrawal and deposit facilities across the UK. Cash remains the primary payment method for millions across the country, especially financially vulnerable groups.
• Allow regulators to require banks to reimburse victims of APP fraud.

Though the bill has not yet been formally introduced, if it passes, it will address the growing fraud threat in the country. 

• In H1 2021, APP fraud losses in the UK reached £355.3 million ($488.6 million), an increase of 71% from H1 2020.

What is APP fraud? APP fraud occurs when a criminal tricks a customer into authorizing a payment from their bank account to an account the criminal controls. Typically, the criminal spends days or weeks building trust with their victim, then disappears once the money is in their possession. 

Banks’ legal responsibilities for fraud: Currently, banks are held to the Quincecare duty, which means they must use reasonable care and skill in executing customer orders and refrain from executing orders if they have reasonable grounds to suspect that the order is an attempt to misappropriate funds. 

The hold-up is that, in most cases of APP fraud, orders come directly from customers who believe the transactions are being made in good faith. After the scam is complete, it’s hard to place the blame.

• Customers claim that their bank should have identified the receiving account as fraudulent and prevented it from making the transaction.
• Banks claim that they executed the customer’s orders as directed, and even though the transaction ended in fraud, the orders weren’t fraudulently given. 

What else can banks do? In the UK, the Lending Standards Board (LSB) set forth voluntary practices that nine of the largest UK financial institutions follow. Recently, the LSB updated some of its practices to protect customers from fraud. 

• Customers need to verify the identity of recipients of outbound payments by providing the recipient’s name and additional bank information.
• Banks must clearly explain reimbursement decisions to APP fraud victims.

The big takeaway: Details on the new UK bill haven’t yet been released, and so it’s yet to be seen how the bill will impact banks. And the application of the Quincecare duty to APP fraud is still unclear. For example, a woman in the UK sued her bank when it allowed her to authorize a £700,000 ($963,000) payment from her account to a fraudster’s account in the United Arab Emirates.

• The High Court found that the Quincecare duty did not extend to cover the payment the customer made.
• The customer appealed, and the Court of Appeals ruled that the bank did not properly apply the Quincecare duty.
• The bank argued that applying the Quincecare duty to situations in which the customer gave transaction instructions would be onerous and time-consuming, but the Court dismissed that concern as irrelevant.

As technology continues to transform the banking industry, fraudsters are finding new ways to infiltrate banks, either directly or through the social engineering of their customers. 

• The guidance from the LSB can help banks put controls in place—but the point of payment is too late to prevent the transaction. Social engineering changes the behavior of the customer well before the transaction. 
• To change the behavior of their customers, banks must educate them about safeguarding their assets and raise their awareness of potentially fraudulent situations.