Transpact Blog Search

Click on the links below to expand and read the blog entries:

APP Scams in the UK - Know your Rights

Monday, 15th November, 2021

If you are the victim of an APP scam - transferring your money to a fraudster by bank transfer - you should be aware of two separate processes.

The first is the FCA Handbook rule changes that apply to all banks and Payment Service Providers (PSPs), introduced by the FCA in January 2019.
These changes offer both consumers and smaller businesses exceptionally strong access to possible redress, as they bind all banks and PSPs in the payment chain to free and mandatory arbitration by the Financial Ombudsman Service (FOS), and make those banks and PSPs potentially liable for any lapse. (For more details, see the letter below).

The second is the Contingent Reimbursement Model (CRM), which is a voluntary scheme run by certain larger banks that offers reimbursement back to defrauded consumers under certain criteria, even sometimes where the banks and PSPs involved have been at no fault themselves.

Except in rare circumstances, the protection provided by the FCA Handbook rules will always be stronger than the protection provided by the CRM !
But you would not know this from reading the Press. The CRM dominates the agenda, and the FCA Handbook rules are scarcely, if ever, mentioned.

So when the Lending Standards Board, the Quango that has been handed the role of running and improving the CRM, put out a Call for Input on improving the CRM, our submission strongly requested that the CRM be adapted to take account of the existing FCA Handbook protection for consumers and small businesses.

The Lending Standards Board (LSB) have just published their response to that Call for Input, and the existence of the FCA Handbook rules is neither acknowledged nor referred to. We believe this is a negligent and scandalous omission by the LSB, and so are publishing our submission to the LSB's Call for Input below to place it on the public record:

===================
From: Transpact.com
Sent: 12 April 2021 4:19 PM
To: Lending Standards Board
Subject: Response to Call for Input - Contingent Reimbursement Model Code for Authorised Push Payment Scams

Dear Lending Standards Board,

I am responding on behalf of my firm Transpact.com to your Call for Input - Contingent Reimbursement Model Code for Authorised Push Payment Scams.
See https://www.lendingstandardsboard.org.uk/wp-content/uploads/2020/07/Call-For-Input-CRM-Code-March-21.pdf.
This response is all non-confidential.

Please note that all parts of the response below (including the background and the paragraph comments) are part of our firm’s response, and should be considered as part of our response to this Call for Input.
Please do not only consider the answers to the specific questions – please consider all comment.

Background to this Call for Input
We were distressed and somewhat taken aback by the LSB’s recent response to its prior Consultation on the CRM (Contingent Reimbursement Model), which has led to this current Call for Input.
It is really disappointing to see the LSB position the Contingent Reimbursement Model (CRM) as the main form of consumer protection from APP scams, as it is in reality a red-herring and of no real effect !
This is because other meaningful and legal protection is available to consumers (which trumps the CRM, making the CRM – which is itself lacking – redundant)

Consumers and small businesses are already protected from PSP malpractice in APP fraud by the changes to the FCA Handbook rules introduced from the 31st January 2019, referred to here: ’https://www.fca.org.uk/publication/policy/ps18-22.pdf.
These rules mean that from 31st January 2019, consumers and small businesses have protection from fraud if due even partly to a fault or lack of care by either the payer’s PSP or the payee’s PSP.

This protection suffers from none of the deficiencies of the CRM – which is keeping the CRM from reimbursing consumers.

In nearly all situations, this FCA Handbook protection is vastly superior to (and trumps any protection from) the Contingent Reimbursement Model (which is actually nowadays irrelevant, except in a situation where neither the payer nor any PSP was at fault – something that in reality almost never occurs – see our comments later below).
There is an ignorance in the industry to this state of law, and it is sad to see the LSB repeating and compounding this error by ignoring the FCA Handbook Changes throughout its response, and again in this Call for Input.

Under the FCA Handbook changes from 31/1/19 (hereafter referred to as The FCA Handbook Changes or FHC), a consumer is entitled to protection via the Financial Ombudsman Service (FOS) whenever the payer’s PSP or the payee’s PSP could have done more to prevent the fraud. Please note, the FHC do not require the consumer to be blameless – under the FHC, if any PSP in the payment chain could have done more to prevent the fraud then that PSP becomes at least partly liable to the consumer.

Because in virtually all cases of fraud (as we will show below), the payee’s PSP is at fault of not doing enough to prevent the fraud, then as a minimum the consumer is liable to recompense by the payee’s PSP (and if the payer’s PSP was also at fault, also from that organisation).
So the FHC already provide almost full protection to consumers today.
The CRM (with its many loopholes) is irrelevant and also unworkable.

It is a tragedy to many consumers that their rights under the FHC have not been publicised, and the payment industry has instead been allowed to hide behind the CRM – which was designed from scratch by the banking sector to look impressive but which contains loopholes which can effectively evade banks from liability in many fraud cases – which is the situation today.
If consumers only knew of their existing rights under the FHC, the CRM would not be needed.

Remember, the FHC make the payee’s PSP (and if appropriate the payer’s PSP) liable to the consumer:
'if the PSP did not do enough to prevent or respond to an alleged authorised push payment fraud.'
That is the sole criterion required to establish liability by the FHC (which are effective law in the UK) – and it goes much further than the CRM – and without equivocation.

Due to the FHC, even if a PSP executes a transaction correctly, then it already faces significant liability for reimbursement to consumers and small businesses:
'if the PSP did not do enough to prevent or respond to an alleged authorised push payment fraud.'

This is strong and effective law already in place and operating today due to the FHC which correctly penalizes PSPs’ lack of appropriate prevention – and we are amazed that the LSB does not acknowledge or mention this at any point, nor take this into account in this Call for Input.

Note that Authorised Push Payment Fraud is defined in the FHC in the glossary of the FCA handbook from 31st January 2019 as:
A transfer of funds by person A to person B, other than a transfer initiated by or through person B, where:
(1) A intended to transfer the funds to a person other than B but was instead deceived into transferring the funds to B; or
(2) A transferred funds to B for what they believed were legitimate purposes but which were in fact fraudulent

Note that under the FHC, the FCA handbook at DISP 2.7.6(2B) states that any PSP in the payment chain can be the subject of the consumer-payer’s complaint, if
the respondent is (or was) involved in the transfer of the funds

So both the payee’s PSP and the payer’s PSP are also included within the FHC.

The upshot is that the FHC already provides the consumer protection that the LSB is seeking to refine (except in no-fault cases, which as explained below in this response should not provide protection), and the LSB needs to publicise the FHC rather than take any other action (and can ditch the ineffective CRM).

The FHC are already in force today (and have been since 31st January 2019), and simply applying the FHC is sufficient to achieve all that the LSB is attempting to do in this Call for Input.

It is worth noting that there is one area where the CRM does provide protection to consumers that the FHC does not – where neither the consumer nor any PSP was at fault in the fraud.
But in reality, this is a vanishingly small number of cases.
This is because the payee’s PSP will nearly always be at fault, as explained further below (see answer to Question 3), so the consumer will nearly always have an available legal claim against the payee’s PSP.

See also our comments further below in Question 4.b. on why it is an anathema for the LSB to encourage moving liability onto PSPs where that PSP committed no fault whatsoever and operated good anti-fraud procedures. And how the LSB doing so could cripple and decimate the UK payment market, and as a result the UK economy.

It is commendable for the largest banks to cross-subsidise consumers who are the victim of fraud in situations where the bank was not at any fault in the fraud.
This is a great charitable move by those largest banks, and to be commended.
But it is not a move that can be made mandatory to all PSPs, to destroy innovation and stifle competition in the payment sector (only allowing the largest banks who can afford to cross-subsidise loss to act in future as PSPs).

Question 1. Please tell us about any APP scams which you have encountered, and which you perceive do not fit into the Code adequately?
c. Do you have views on how the Code should be amended to help the prevention of such scams or mitigate their impact?

Note that under the existing protection already fully provided by the FHC in law, a consumer is entitled to make a claim and therefore receive reimbursement from ‘any PSP who is (or was) involved in the transfer of the funds.
The wording of the FHC do not limit the application of liability to only the payer’s PSP and the payee’s PSP.
So any PSP in the payment chain at any stage is already included in the currently binding FHC.

When the CRM is abandoned, and instead the FHC are taken up by the LSB as the appropriate consumer protection process already in law, the problem posed by the questions set in this section (1c) will disappear, as the FHC is already well drafted in this respect.

Paragraph 3.b.) Implementation of Confirmation of Payee (CoP)
We do not understand why all PSPs who are able to join CoP now already under Phase I (which is all PSPs who provide their customers with their own unique bank account and sortcode combination) are not already bound by CoP under the code.
These PSPs could have had CoP in full operation many months ago, and if they have not done so then they are at fault in allowing APP scams for their customers to continue today.
They should already be being penalised for their delay which will have allowed APP fraud to operate where it otherwise would have been prevented, and be accepting liability under the CRM when APP scams do occur.

All other PSPs should be able to implement CoP by 1st August 2021, when Phase 2 of CoP will have been implemented (subject to Pay.UK’s planned implementation of their CoP payment simulator coming into successful implementation before the end of June 2021).
From that date, if a PSP fails to implement CoP, then it should become liable for APP fraud.

Question 3. Do you have views on whether there should be a priority amongst firms with regards to Code participation? Please explain your view.
At this time for an APP fraud, in virtually all cases occurring today, the payee’s PSP will be at least partly at fault for the APP fraud.
This is because the payee has either opened an account at the payee’s PSP with false ID, or the payee is operating as a mule account.

In the first case, the payee’s PSP accepted false ID, and is therefore partly at fault in the loss.
Now that machine readable passports are commonplace, which allow verified identity information and photograph to be read off the passport with high certainty and confidence (as they are digitally and cryptographically signed), there is no reason why any PSP should today open an account with false ID. It is extremely difficult for a criminal or fraudster to do so – way beyond the capabilities of the ordinary crook.
We would ask the LSB to lobby the Government so that driving licenses also become machine readable and crypto-signed, as at present driving licenses are easily faked. This is a Government weakness, and the LSB should be pressing the Government to immediately address this issue, so that accounts can be opened for customers who have a driving licence but no passport).

In the second case, the payee is acting as an account mule.
Account mules are always caught by the Police, as they are committing crime in the open and do not hide their crime – that is the nature of an account mule.
The defence of account mules – which is effective at present – is they did not know they were doing wrong.
As a result, the Courts will not prosecute, and as a result the Police will not act (it is not worth their while, with no expected penalty due).
And as a result, account mules are free to continue unabated in a tsunami of APP fraud.

This is all the result of banks’ failure to alert their clients to the illegality of account muling.
I have never received any communication from any of the various banks I personally bank with (and I personally bank with a few, to help me understand consumer experience with their banks) instructing me that I cannot receive a payment in to my bank account for another party.
If I was instructed by my bank that I can only receive payment into my bank account on my own behalf, and never for another person or another party, and that such receipt was actually potentially illegal and money laundering, then I would be aware that account muling was illegal. If I was told at the same time by my bank that such receipt can well lead to fine or prison sentence, then I would take note.
But I have never received such a message from any of the many banks I bank with.

As soon as banks take action to directly inform all their clients that the client is not allowed to receive payment into their bank account for another party, and that such receipt may be money laundering and subject to fine or prison sentence, then Courts will immediately on the basis of these warnings start prosecuting account mules.
And Police will immediately start arresting and taking to Court account mules, as the Police know they will have an easy conviction (and this will make them look very effective).
And account muling will stop, because no account mule will continue knowing they are committing crime in the open, and will be certainly caught and prosecuted.

As payee banks have not made clear to their clients that account muling is not allowed and potentially illegal, the payee banks are all at fault if their accounts are used for account muling (the bank is also in breach of the Money Laundering Regulations 2017 – but that is a different matter).
So if an APP fraud takes places, and the payee turns out to be an account mule, then it is correct that the payee’s PSP should be liable, as the payee’s PSP did not warn and make crystal clear to the payee that acting as an account mule was not allowed and possibly could cause fine or imprisonment (which in turn allowed the account to be used to defraud the original payer).

The upshot is that a payee’s PSP is currently almost always at fault (at least partially) in an APP fraud (whether due to false ID or account muling), and liability should always reside with a payee’s PSP unless i) they did not allow their account to be opened with false ID, and ii) they made clear to their customer that they could not receive payment for any other party.
And as made clear above, these two criteria are hardly ever currently both met by a payee’s PSP.

[As an aside, when PSPs and banks do finally start educating their clientele that accounts cannot be used to receive third-party payments, APP fraud will shrink in the UK by several levels of magnitude].

So, It should be made clear to consumers that the payee’s PSP will always be at fault and liable in APP fraud, unless the payee’s PSP can show that false identity of the payee was not involved and that the payee’s PSP made sure that the payee could not act as an account mule without the prospect of a jail sentence.

This will clear up 95% of all APP fraud cases.
In the remaining 5% of cases, it should be made clear to the consumer that if their own PSP (the payer’s PSP) was partially at fault for the APP fraud, then their own PSP should be liable.
Otherwise, if their own PSP was not at fault in any way then the consumer should know that they were liable.
Question 4. If you are a non-signatory firm, please tell us about your business model and your inclination to be a signatory to the Code.
Our escrow service (now Europe’s leading) was commenced in 2009 as a consumer and business total payment protection service, when the confluence of the new Faster Payment Service and the introduction of the Payment Service Regulations 2009 allowed escrow to be regulated by the FCA in the UK.
Since then our escrow service has protected many millions of pounds of consumer payments, and ensured that consumers are fully protected in payments.
We are an FCA authorised Payment Service Provider (PSP).

A normal payment is a one-step payment – the payer pays the PSP who immediately pays the payee.
Escrow is another name for a conditional payment, and in escrow there are two extra steps: i) The payer and the payee first agree together the escrow conditions which will later determine whether the payment is made onto the payee or back to the payer, ii) The payer then pays the PSP, and iii) depending on events that then transpire, the PSP either pays the payee or makes payment back to the payer as determined by the escrow conditions.
An escrow service makes the process quick and immediate with a swift and simple user experience.
Escrow is the only payment method that fully 100% protects both the payer and the payee in a transaction (if the escrow conditions are set correctly).
So whether a consumer is acting as a buyer or a seller or in a deposit situation, escrow can fully 100% protect a consumer’s payment.
Escrow is currently available from only 57 pence per transaction to eliminate risk and ensure full payment protection.

Escrow is obviously ideal to prevent APP fraud (if the escrow conditions are set properly)

As set out above, the FHC already apply to our firm, and impose a much higher liability on our firm than anything in the CRM code, so we have no inclination to sign the code – we are already held to a much higher standard.
So the CRM is irrelevant to us, as we are already bound by the FHC which is more onerous in every way.

It is worth noting that there is one area where the CRM would impose liability on us that the FHC does not – where neither the consumer nor any PSP was at fault in the fraud.
As we have set out above, this is only a tiny number of cases, as the payee’s PSP is nearly always at fault.
And as we set out below, it would be disastrous if we were made liable under the code in cases where we were not at fault in any way.
b. If so, what changes to the Code would be needed to accommodate your business model?
If the CRM was improved to match the FHC (which already applies to our firm), and liability was removed from us in all cases where we were not at fault and where we were proactive, then we would almost certainly join the CRM.

Why should our firm not have liability imposed when we were not at fault in any way ?
PSPs in the UK are fiscal enterprises.
They earn pennies (if that) from each payment.
If they become potentially liable for the full value of a payment just by handling that payment, even when they are in no fault whatsoever (whether for a vulnerable customer or other no-fault case), then only the largest organisations could continue to act as PSPs (only through cross subsidy from their general business), as the liability for a normal PSP from handling any payment would mean that it could not guarantee that it will otherwise be able to continue to carry on in business – to do so would be in breach of FCA rules.

This is so even in cases of a vulnerable consumer facing loss.

Transferring liability from consumers to no-fault and proactive PSPs for APP scams will destroy the payment sector in the UK, as only the largest banks will be able to subside the losses from their general revenue caused by those APP scams where the bank/PSP was not at fault, and payment will become a privileged monopoly of only the biggest banks.

c. If these changes were addressed, how likely are you to become a signatory?
Very likely

d. Please tell us about the steps you currently take, or sector initiatives you participate in, which offer consumer protections against APP scams for your customers. Please also tell us about any APP scams you encounter and your current processes for resolving them.
Our escrow business is an anti-fraud tool, designed in part to prevent APP scams.
A consumer worried about an APP scam can use our low-cost secure service to protect their payment, to ensure that they do not fall victim to an APP scam (whether as a payer or payee).
Our service is an important tool to prevent APP scams generally.

We have had a couple of cases where fraudsters have talked very vulnerable consumers into using escrow service and then trying to get the vulnerable consumer to release payment from the protection of escrow to the fraudster. Once payment leaves escrow, then the protection of escrow ends, so if a vulnerable consumer makes payment out of escrow to a fraudster, then they can be defrauded.
However, because escrow requires full disclosure of both the entire detail of the underlying transaction and also the parties involved (banks and other PSPs can only dream of obtaining such information for their payments) it is possible for a proactive escrow service (like our own) to warn off vulnerable consumers in such situations and protect the consumer.

Paragraph 3.c.) Banking and finance industry steps taken to prevent money muling
The three bulleted steps listed taken by the banking and finance industry have not worked – that is self-evident and clear today.
The industry steps taken to prevent account muling and fraud have all been ineffectual and half-baked.
As set out above, until UK banks make clear to their customers that using your account for receiving third-party payments is not allowed and can lead to a prison sentence, then account muling will continue unabated and APP fraud will continue to proliferate.

This one step in itself if taken will eliminate a large majority of APP fraud.
But it has not been taken, and at this time for inexplicable reason there seems no likelihood that it will be taken.
So until it occurs, payee banks must remain liable for APP fraud.

Question 6. Do you have a view on how the responsibilities between sending and receiving firms are laid out in the Code?
See answer to question 3 above.
Question 7. Are there any changes to the Code you believe would help to resolve any imbalances in sending or receiving firm responsibilities?
See answer to question 3 above.

Question 8. Do you have views on Code provisions and how they relate to the role of different firms on the payment journey?
Generally, see answer to question 3 above.

PISPs – With specific respect to PISPS, we believe that a PISP making a payment has a similar role to a payer’s ASPSP.
Under the FHC, both can be liable to the defrauded consumer if they did not do enough to prevent the fraud. This seems right (although remember, in the majority of cases it will be the payee’s PSP and neither the PISP nor the payer’s PSP who will be at fault).

Separately, for reasons we do not understand and believe are extremely damaging to the industry, Pay.UK have excluded PISPs from CoP, for no apparent reason.
The LSB should be lobbying Pay.UK for Pay.UK to immediately remove their irrational block on PISPs participating in CoP.
Question 11. Do you have views on how Code responsibilities should be attributed along the payment journey?
See answer to question 3 above.

Please let us know if you require any additional information or clarification to the above – we will be happy to provide if required.

Best Regards,

Transpact.com


PayPal and Bitcoin - Too big to prevent Money Laundering

Friday, 23rd October, 2020


Our 10 Year Anniversary

Friday, 1st November, 2019


PSR - Payment Systems Regulator - and Push Payment Scams

Thursday, 1st March, 2018


Escrow companies authorised by the FCA must never be unclear or misleading

Thursday, 30th November, 2017


Transpact.com offers Best Payment API for
Online Marketplaces
Act now before PSD2 starts in Europe on 13th January 2018

Thursday, 28th June, 2017


Another Glowing Testimonial

Thursday, 18th May, 2017


Welcome to TrustMark - Government Endorsed Standards Body

Wednesday, 28th October, 2015


We've added a fee calculator

Monday, 7th June, 2015


Open Letter to BBC MoneyBox

Monday, 29th September, 2014


Transpact.com on BBC Radio 4.

Thursday, 3rd July, 2014


UPDATE 6 - Cyber Crime UK - It's so easy !

Sunday, 29th June, 2014


UPDATE 5 - Cyber Crime UK - It's so easy !

Tuesday, 24th June, 2014


UPDATE 4 - Cyber Crime UK - It's so easy !

Wednesday, 11th June, 2014



European Escrow Organisation letter to FINCEN (USA) -
A Money Launderers' and Terrorists' free-for-all if Escrow Unregulated

Tuesday, 10th June, 2014



UPDATE 3 - Cyber Crime UK - It's so easy !

Monday, 28th April, 2014



UPDATE 2 - Cyber Crime UK - It's so easy !

Friday, 25th April, 2014



UPDATE - Cyber Crime UK - It's so easy !

Sunday, 20th April, 2014



Cyber Crime UK - It's so easy !
Anatomy of a high-return cyber crime

Tuesday, 8th April, 2014



No Chargebacks !
Low Value Pricing (2.9%) Revolutionises Retailing

Thursday, 20th March, 2014



UKTI (UK Trade & Investment - a UK Government Agency) now endorses use of FCA authorised escrow services:
Article: How to clinch overseas sales (and also get paid)

Monday, 20th January, 2014



Mike Freer MP, our Local Member of Parliament, Assists

Thursday, 20th June, 2013



Transpact.com service model copied by Escrow.com.
Imitation is the sincerest form of flattery.

Friday, 5th April , 2013



Transpact.com, world's leading domain escrow service ?

Friday, 21st December, 2012



Another BBC Apology ?

Thursday, 15th November, 2012



The world leader in art markets partners with Transpact.com

Thursday, 9th February, 2012



Payment without delay across the EU

Monday, 9th January, 2012



Welcome AutoTrader - Transpact.com's latest website partner

Tuesday, 13th December, 2011



The Metropolitan Police recommend use of FSA Authorised escrow providers

Monday, 7th November, 2011



Why we raised our Prices for large payments

Tuesday, 4th October, 2011



MRI machines to Stethoscopes - MedWow.com

Friday, 9th September, 2011



FSA Registration offers little or no comfort

Monday, 8th August, 2011



More Websites use Transpact.com's API to integrate Escrow services into their websites

Monday, 11th July, 2011



Fraudster's access to Debit Card Details -
BBC gets it terribly wrong again !

Thursday, 16th June, 2011



HM Treasury replies Again

Monday, 6th June, 2011



HM Treasury replies

Wednesday, 4th May, 2011



Welcome BondPay.co.uk

Monday, 4th April, 2011



Government-linked Organisations getting it wrong ?
Bank / Credit Card Details Disclosure

Tuesday, 8th March, 2011



Response from HM Treasury ?

Friday, 4th February, 2011



An open letter to the Financial Secretary to the Treasury

Monday, 3rd January, 2011



Welcome MyArtBroker.com

Wednesday, 1st December, 2010



When should you use Transpact - Section 75 of the CCA

Friday, 22nd October, 2010



Partner Websites

Monday, 12th September, 2010



The Guardian

Friday, 23rd July, 2010



Exceptional Protection

Tuesday, 6th July, 2010



Tenancy Deposits - Is yours an Assured Shorthold Tenancy ?

Wednesday, 2nd June, 2010



Redsky Design - Web Designers Extraordinaire

Thursday, 22nd April, 2010



First Transpact blog

Monday, 19th April, 2010