There is no doubt that lack of trust in the payment system remains a fundamental obstacle to a cashless society. Research shows that consumers are now more concerned than ever about the risk of payments fraud and security breaches. Meanwhile, there has been a series of news stories highlighting how dependent a cashless society is on systems resilience.
Unauthorised payments and consequential losses
In September 2018 thousands of people across the country found that their debit cards had been charged twice for the same transaction. In accordance with payments legislation, all customers affected were issued refunds, because the second payment was ‘not authorised’ by the customer – writes Nikki Worden, Partner, Osborne Clarke, financial institutions group.
The law makes it very clear that a PSP which processes an unauthorised payment must refund it. What is still open to debate, however, is the extent to which the obligation ‘to restore the debited payment account to the state it would have been in had the unauthorised payment transaction not taken place’ extends to consequential losses.
For example, should the customer’s bank be liable if the customer is not able to complete on a house purchase due to insufficient funds, and therefore incurs extra charges and costs outside those immediately visible on the account itself?
Where the error is due to a third party’s glitch, such as a merchant acquirer’s system seeking to settle the transaction twice, the direct transaction amount will be charged back to the merchant under scheme rules, but consequential losses could not be charged back in that way.
The spectre of a major error on a grand scale, and the potential consequences in terms of reputational damage and loss of consumer trust, should be concerns for the whole industry. When this risk is looked at through the lens of the speed with which consumers are increasingly using non-cash payment methods, it is clear that the onus is firmly on banks and payment service providers to have systemic and technological resilience.
This is particularly the case as the number of actors on the payments stage increases and relationships become more complex with the introduction of open banking and third party payment services.
Authorised payments and scams
Meanwhile, it is in the area of authorised payments that consumers have, perhaps, suffered most as a result of the speed of change and payments innovation. Thanks to the Faster Payments Service and mobile technology, it is now possible to make a point of sale push payment directly from your bank account as quickly and easily as it is to authorise a pull payment using a debit or credit card, so payments by way of direct credit transfers from account to account have been increasing.
Whilst the allocation of liability for fraud where a card payment has not been authorised is clearly set out in payments legislation, there is nothing which decides who bears the loss when a consumer is scammed or tricked into authorising a payment directly out of their bank account. As a result, victims have often found themselves not only without the goods they have purchased but also without any chance of a refund of the monies paid as a result of the scam.
These so-called authorised push payment or ‘APP’ scams are a growing problem. Fraudsters are effectively exploiting consumers’ and businesses’ reliance on email, the web and the Faster Payments Service. Even though this might not be the fault of the customer’s PSP, it is trust in, and the reputation of, the payments industry that is most affected by this kind of fraud, further damaging the journey towards a cashless society.
In work led by UK Finance, the industry has been ‘upping its game’. It has already improved APP fraud response protocols and information sharing and it is now also working towards initiating a ‘confirmation of payee’ solution. Perhaps most important, however, has been the creation by the Payment Systems Regulator (PSR) of the Authorised Push Payments Scams Steering Group (the Steering Group) in April 2018. The Steering Group is tasked with designing a victim reimbursement model for APP fraud and with finding an appropriate funding model for that reimbursement.
The Steering Group recently published a consultation paper and draft industry voluntary code (draft Code) which sets out the proposed requisite level of care or ‘best practice standards’ that should be met by PSPs when sending and receiving payments. It also sets out proposals for when a customer will not have met the requisite level of care. What the Steering Group has not yet done is resolve the most challenging and pivotal question: how reimbursement is to be funded in cases where both the PSPs and the customer have taken the requisite level of care.
A variety of solutions are being consulted upon, many of which assume that some kind of fund will be required. Some are quite radical, such as getting the whole ecosystem of participants to contribute, including telecoms companies and data handlers as well as PSPs; or moving to a government-led solution, similar to the Criminal Injuries Compensation Scheme.
Other proposals could have unintended consequences for the UK payments industry, such as applying a transaction charge on higher risk and high value payments, with that charge being directed into a fund.
The final Code is due to be published in early 2019. Many are hopeful that it will drive down APP fraud and improve trust in the payments ecosystem. Many would also argue, however, that the payments industry can only do so much to prevent this kind of fraud, as in most cases it starts with an entirely unrelated compromise of data.