APP Fraud – Time to STOP the Banks That Enable Criminals
The UK Payment Systems Regulator (PSR) has just reported on 2022 APP-fraud scams.
For five years, Riskskill as members of AIRFA has explained the need many times to the PSR and FCA to ‘follow the money’. We know who the 14 largest APP-fraud money sender institutions are (who typically send money with valid customer instructions); but at last we now know the top 20 APP-fraud receivers relative to their fraud ranking. Most importantly, these are the firms that facilitate account opening for fraudsters and for money launderers, i.e., that help them receive and distribute the money that is tricked from customers, the victims.
These payment firms ‘bad-boys’ have now been made public; such that the focus and ACTION can move to looking at their woeful KYC deficiencies and to make the offending parties start to pay for the support given to these vile criminals. These APP-fraud receiving organisations must be made accountable and liable: both financially and through audits and licence restrictions or ultimately licence removal. Does the PSR have a plan to make this happen though?
For five years, marketing/communications officers at payments firms have ‘danced around hand-bags’ and tried to do this with unfocused ‘best practice’ alone. Let’s now start to recover this money either from the criminals or the banks that assist them.
UK Finance, as the industry association, reported in 2022 that APP-fraud accounted for 40% of total fraud reported and growing in the first half of 2023. This impacts the UK payments integrity and reputation.
From the PSR APP-fraud performance publication, we know:
1. Banks are not currently obliged to refund customers rather it is typically facilitated through an existing voluntary code.
2. The sender bank/payment firm, currently liable under the voluntary code to reimburse the victim, still seems to be held liable for 50% under the new reimbursement programme in 2024; for the failure of the receivers.
3. Sending banks have reimbursed customers when they have done no wrong.
4. In 2024, the reimbursement plan is to share losses between the sender and receiver firm. At last, the receiving firm will feel some pain for their sub-standard KYC and transaction monitoring controls. They must take more, even all, of the liability.
5. Of real concern, a small number of receiving payment firms are responsible for a vast proportion of the APP fraud problem reported. These institutions must continue to be called out and be required to act, in line with regulatory obligations and to ‘foot the bill’.
6. We can now ‘follow the money’ to find these criminals. Fraud and AML specialists must drive this, it is no longer a ‘communications team issue’.
Let’s be clear. A receiving bank MUST by law know who and where its customer is. By law they must investigate suspicious transaction activity. The failure is a breach or AML/CTF legislations. No ‘buts’.
This is far more important than the current 2024 plans to report more, to extend the requirement to more banks i.e., beyond the current 14 directed payment firms, or to play with the liability divisions – even though to move some of the liability to whom we see as the guilty party is a good first step.
So, what have these firms learned and actioned in 2023? Recent analysis by the FCA on its financial institutions highlighted good operating practices but equally more common demonstration of weak controls and poor practices.
We strongly recommend, as always that the sector ‘grows some..’ and takes assertive actions to include:
A. PSR to focus on ‘follow the money’ and take assertive action against those payment firms that have poor processes and controls, i.e., APP-fraud receiving firms that make financial crime easier.
B. PSR to greatly widen the scope of the directed firms involved in the programme.
C. UK Finance to step-up support and guidance for its members, e.g., with performance target setting, AML/CTF training, best practices, etc, to help address problems.
D. PSR to establish mechanisms to reverse the money flow to place greater liability upon the payment firms that receive and launder illegal and stolen funds.
E. PSR to work with the FCA to start urgent/formal AML/CTF audits with fast-track restrictions or withdrawal of operating permissions.
F. Suspend licences and membership to payments firms who take limited or no urgent action.
G. Stops treatment of this as a PR/customer communications exercise as announced this week and start to demand action against the payments firms with deficiencies.
If the UK want to be seen as a global market leader, it must now act like one, and finally address this APP-fraud issue.
Kevin Smith and Bill Trueman are directors at Riskskill, and are payments and risk specialist, with over 25 years of experience. For more information about Riskskill visit website at www.riskskill.com