The Financial Conduct Authority tells payment services firms to strengthen their anti-fraud systems and improve their treatment of victims of fraud
In this article, we look at some of the takeaways from the FCA's recent review of payment services firms' anti-fraud systems and controls, in particular around authorised push payment ("APP") fraud.
Tackling financial crime, including APP fraud, continues to be a priority for the FCA. They have recently carried out a review of how firms mitigate the risks of APP fraud and fraud attacks more broadly. They identify both examples of good practice and areas for improvement.
They chose a risk-based sample of firms to review, including firms of different types, size and risk profile. They selected a mixed sample of 12 current account providers, challenger banks and payment firms.
UK Finance have reported that losses due to APP scams in the first six months of 2023 totalled £239.3 million, with the volume of reported cases rising by 22% to 116,324.
The FCA carried out a high-level evaluation of the firms' approach to fraud risk management, with a focus on APP fraud. They:
- reviewed firms’ fraud strategies and the critical elements of their operational processes:
- considered how their fraud detection and prevention systems and controls operated in practice in the face of evolving fraud attacks:
- examined how firms ensure appropriate oversight of the risk framework for all types of fraud including how MI is reported and acted on: and
- assessed customer experiences and fairness of customer outcomes by looking at how firms manage and respond to fraud complaints.
FCA's findings
Although the FCA found some examples of effective control frameworks and good practice, they were disappointed to find several common weaknesses in key areas of firms’ fraud risk management frameworks and customer treatment:
- Insufficient focus on delivering good consumer outcomes in many firms. Some firms have effective and well-established governance frameworks, but some firms could not evidence effective oversight and challenge by relevant senior management forums or Board committees;
- Management information ("MI") and actions often focused on commercial risk appetite, rather than customer impact and treatment. The strongest examples of MI included relevant customer-centric measures and demonstrated how these measures informed decision-making to strengthen anti-fraud systems and controls and improve customer outcomes and service. FCA's work on detecting and preventing money mules found that where firms had more reported mule accounts than their peers, there was also a lack of MI and senior management oversight to ensure that steps are taken to address the risk and assess the impact of interventions;
- Fraud systems and controls. Some firms had anti-fraud control frameworks that were still developing and yet to embed. Most had recently reviewed their anti-fraud strategy and identified the need to strengthen systems and controls to detect, prevent and manage fraud. Most firms also had significant scope to further build-out and strengthen their approach. The FCA say they expect firms to ensure they consider, monitor and mitigate the risks of different fraud types occurring, from customer onboarding and throughout their relationship with the firm. This includes:
- strategies for preventing and detecting fraud e.g., identifying and acting on information identified through customer onboarding and ongoing customer, device, transaction and account-level monitoring;
- The use of risk-based, automated warning messages during the payment journey can be effective. Firms must have adequate systems and processes to design, test, tailor and monitor the effectiveness of such messages;
- manual intervention for potentially high-risk payments, where customers need to interact with a staff member before a payment instruction is confirmed, can create positive friction in the payment journey and be helpful in preventing some fraudulent payments;
- and considering whether their systems and controls are effective and whether there is more they should do to enhance their approach to fraud prevention.
- Use of intelligence. Most firms actively engaged with various external bodies to discuss intelligence and horizon scanning for future threats (for example where a new "money mule" network (a money mule is someone recruited by criminals to move illegally obtained money; they may be involved either knowingly or unknowingly in the fraudulent process) or new fraud type is identified. Some firms told the FCA that receiving Payment Service Providers ("PSPs") can be slow to freeze fraudulent funds. The FCA expect receiving PSPs to act promptly in fulfilling their legal duties and ensuring good customer outcomes when notified of a fraudulent payment. The Payment Systems Regulator ("PSR")’s new reimbursement requirement (coming into force in 2024) will increase their incentives to act.
- Significant scope in many firms to improve the support provided to victims of fraud. In many cases, firms need to do more to enable customers to report fraud easily and promptly. Firms’ websites do not always provide clear information about how to report fraud or what action to take if the fraud occurs outside standard opening hours. Fraud and complaints teams were not always appropriately resourced, impacting the quality and speed of customer service when investigating fraud cases or dealing with complaints. Examples include long call waiting times to report fraud, incorrect advice being provided, and customers being passed to multiple departments. Customers whose accounts are frozen due to fraud concerns can suffer distress and inconvenience if they cannot access funds or make legitimate payments. Firms should consider what they can do to investigate as soon as possible so that they can quickly unfreeze accounts where their concerns are unfounded. Some firms adopt a multi-channel approach to raise customer awareness of how to avoid falling victim to a scam. For example, one firm had launched a free app that raises awareness of fraud and cyber security.
- Poor complaint handling including delays in responding to complaints. The FCA were "often disappointed" with the quality of firms’ complaint handling. Some firms were very slow to respond to complaints. In some cases, communication with customers throughout the complaint handling process was poor, for example, a failure to provide regular and timely updates and the customer having to chase the firm for an update (sometimes multiple times).
- Treatment of customers in vulnerable circumstances. All firms stated they consider characteristics of vulnerability when making decisions about fraud claims and complaints. However, from the FCA's review of complaints it was often unclear how this was evidenced. Customers in vulnerable circumstances must experience outcomes as good as those for other consumers and receive consistently fair treatment. The FCA expect firms to provide their customers with a level of care that is appropriate, given their characteristics.
- Customer decision letters. Final response letters were often poorly written. Some were unhelpful/insufficiently tailored to the circumstances of the case. The FCA cite saw examples of technical jargon, aggressive and sometimes accusatory language being used. In some cases, the rationale for the final decision was unclear.
- Money mules detection and prevention. The approach to managing the risk of money mules was also a particular gap in several firms. Firms should continuously reassess their strategy for identifying, evaluating and monitoring the risks associated with money mules.
The FCA expectations of firms in light of these findings
Firms should have:
- effective governance arrangements, controls and MI to detect, manage and reduce APP fraud and losses;
- treat customers fairly, including when they complain, and to deliver consistently good outcomes to customers who are victims of fraud. This includes firms ensuring they are doing enough to:
- enable customers to report fraud easily and promptly;
- communicate clearly with customers; and
- provide appropriate support to customers who display characteristics of vulnerability.
- ensure they are doing enough to mitigate the risks of money mules.
Firms should also consider what further steps they can take now to:
- put in place control frameworks that enable them to comply with the PSR’s new reimbursement requirement; and
- prepare (where not already adopted) for the expansion of Confirmation of Payee, as per the PSR’s ‘Specific Direction 17 on expanding Confirmation of Payee’.
The Consumer Duty
The FCA also place emphasis on the impact of the Consumer Duty in this context, referring to their February 2023 Implementing the Consumer Duty letter sent to Retail Banks and Building Societies. In particular this included making account freezing (i) less frequent (e.g., through better upfront onboarding and Know Your Customer controls and more accurate and intelligent transaction monitoring) (ii),less protracted (e.g., through better resourced and swifter investigation of suspicions) (iii) better communicated (to the extent possible within the constraints of avoiding tip off) and (iv) better supported (especially for customers put into acute financial difficulties by the freeze). It also commented on how firms provide appropriate support to customers who feel they are victims and may be distressed, and do not treat them unduly harshly when they complain.
Next steps
The FCA say they are working with firms in their review to strengthen their approach. They will continue to monitor how payment firms are meeting the FCA's expectations to slow the growth in APP fraud cases and losses, as well as fraud more generally, and to put the needs of customers first.
Commentary
This review makes for uncomfortable reading and firms would be well advised to look at their own systems and arrangements to ensure they are not subject to the weaknesses that the FCA describe. Moreover, having highlighted these concerns, we doubt the FCA will be very sympathetic if they find that relevant firms have not sought to address these perceived issues. Indeed, they may contemplate enforcement action for example under their Principles for Business; Principle 3, Management and control – requiring firms to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems; or they may give a run out for their new Consumer Duty Principle 12, requiring firms to act to deliver good outcomes for retail customers.
These materials are for general information purposes only and are not intended to provide specific legal advice nor to be a comprehensive review of all developments in the law and practice, nor to cover all aspects of those referred to. Please take legal advice before applying anything contained in these materials to specific issues and transactions.
Author: David Capps