
Who should pay for scam losses? How much should they pay? What types of scams are eligible for reimbursement? And what does an ideal scam liability framework look like? 

If you ask these questions to any two banks, you’ll likely get a long list of very different answers. Global banks and regulators are reflecting on these decisions as scams reach epidemic proportions and scam liability takes effect. The rapid rise of authorized push payment (APP) scams and increased expectations to help customers recover their losses are pushing global banks and regulators to an inflection point. 

But as different countries and regions craft their scam liability and reimbursement policies, regulators face a “Goldilocks” challenge: getting scam liability just right.

In this post, we’ll take a deep dive into the state of global scams, examine how different regions choose to handle liability, and discuss the pros and cons of each approach. We’ll also investigate what banks can do to protect their customers and bottom lines as scammers grow increasingly innovative.

A History of the UK’s Mandatory Scam Liability Policy

To understand how financial institutions reached this stage of the scam debate, it helps to look at the history of the scam liability issue. This history lesson takes us back to the UK as it faced down a massive scam challenge.

Once upon a time, the UK was known as the “scam capital of the world,” with scammers stealing as much as USD $1 billion from consumers in just a few months. Scammed consumers were understandably furious about losing money to an APP scam – including imposter scams where criminals pretended to be bank employees. That anger only increased when they learned they would not get reimbursed. 

Unlike an account takeover (ATO) fraud, a legitimate customer ultimately approves an APP transaction, meaning banks only act as directed. Therefore, customer refunds were not covered under traditional fraud guarantees.

As the UK’s scam scourge mounted, a coalition of payment service providers and consumer groups launched a Contingent Reimbursement Model (CRM) for APP scams. CRM is a voluntary agreement where participating banks agree to reimburse APP scam victims for losses unless the bank believes the customer was grossly negligent. UK banks, on average, returned 69% of scam losses to victims under the CRM in the first half of 2023.

UK regulators plan to replace the CRM with a mandatory policy issued by the Payment Systems Regulator. By late 2024, regulators will require reimbursement for almost all APP scam victims, with sending and receiving banks each paying for half of the loss.

The Global Scam Liability Debate Kicks Off

Financial institutions and regulators worldwide are watching the UK’s experience, which aims to reimburse as many victims as possible for scam losses. Others, however, are rejecting the UK’s approach, with one Australian bank calling it a “honeypot for organized crime.” 

Returning to our Goldilocks example, one nation’s porridge might be too hot or too cold for another nation. 

Illustration showing infographic of Regional Scam Reimbursement Rules for Financial Institutions, ranging from Exemption Zone; No Mandatory Reimbursements as in Australia & USA; Regulatory Minimum, Some Mandatory Reimbursement Requirements as in the EU; and Hazard Zone, where banks face Mandatory Reimbursement Requirements as in the UK

In Australia, the customer is the one who has to own the loss, but banks plan to build delays and cooling-off periods into the payment journey so that customers can change their minds and consider their actions more thoughtfully at the point of material risk. This policy also has its considerations, as we’ll discuss later.

Meanwhile, banks in neighboring New Zealand are now facing their own mandate. New Zealand’s Commerce and Consumer Affairs Ministry recently gave the nation’s banks until September to outline a voluntary CRM like the UK’s model. Banks have also been directed to step up their efforts to implement Confirmation of Payee safeguards by the end of the year. The ministry could implement regulations if the deadlines are not met.

With scams on the rise, a one-size-fits-all strategy that works evenly across different regions is highly elusive. Many variables make each region unique, and each must be carefully considered as a reimbursement stance is taken. These include the banks’ detection capabilities, consumer attitudes towards scams, and external pressures from the media.

Scam Liability: A Global Snapshot

With these variables in mind, several countries or regions have crafted their own reimbursement policies to address the scam threat. So far, these policies range from “by exception” (no reimbursement at all) to victim-friendly policies (very few reimbursement restrictions). 

Each region’s approach has both its benefits and considerations. Let’s break down the pros and cons of each region’s scam liability model.

UK: Banks 100% Liable for Any Scam Loss

The UK’s Payment Systems Regulator (PSR) will require banks to compensate scam victims in almost all cases. Liability will be split evenly between sending and receiving institutions.

UK Liability Policy Pros 

  • Customer Protection: Full reimbursement for any scam losses builds trust and confidence in the banking system. Customers will not be out of pocket as a result of a scam.
  • Incentive for Banks: Banks are more motivated to minimize losses and protect their customers. 
  • Simplicity: Scam victims can access a straightforward reimbursement process as their bank invariably assumes responsibility for the loss.
  • Consumer Confidence: Knowing their transactions are secure will encourage more people to engage in digital banking and eCommerce.
  • Strong Scam Knowledge: Guaranteed reimbursement encourages more people to report scams. With more data, banks can properly label and classify scams, strengthen their scam prevention efforts, and build better models. With this new layer of knowledge, banks can warn customers how to spot scams and red flags more effectively. 

UK Liability Policy Cons

  • Cost to Banks: The financial burden on banks could be substantial. Banks must budget for expected scam losses and calculate how this will affect their bottom lines. 
  • Heightened Risk of Complacency: Customers might become less vigilant about protecting themselves from scams, knowing they will automatically get reimbursed. This may unintentionally lead to an increase in fraud and scams.
  • Financial Stability Risks for Smaller Banks: Smaller banks could face severe financial pressure, potentially reducing market competition.
  • Policy Abuse Risk: Customers may collude to abuse mandatory reimbursements, increasing the likelihood of first-party fraud.
  • Underbanked Populations Rise: Because of mandatory liability, some customers could be treated as a liability risk, not a profit-making opportunity. As a result, more people may be unable to access essential banking services.
  • De-prioritization from Law Enforcement: Law enforcement may feel “numb” about scam losses due to the sheer volume of reports and the fact that victims are not out of pocket. This means many scams may not be adequately investigated, and prosecution rates may decrease.

Australia: Cooling Off Periods, Delays in Payment Processes, and Victims Held Liable

Australian banks will reduce the immediacy of payments to give customers time to reconsider if they want to allow a transaction to be completed. Victims ultimately bear the responsibility if the transaction turns out to be fraudulent.

Australia Liability Policy Pros

  • Increased Awareness: The delay in payment gives customers more time to recognize red flags and stop fraudulent transactions.
  • Customer Responsibility: The policy encourages customers to be more vigilant and responsible with their transactions, promoting better financial habits.
  • Short-Term Impact: In the short term, Australia’s policy is anticipated to impact scam losses positively. The long-term impact, however, could be harder to sustain (similar to the Confirmation of Payee (CoP) policy).
  • Customer Liability Clearly Outlined: Customers understand their responsibilities concerning liability.
  • Broader Exposure Momentum: Banks can demonstrate they are taking steps to stop scams while continuing to push other parts of the chain to do more. This includes pushing for non-financial services like social media companies and telecom providers (where scams often originate) to share in protecting customers. 

Australia Liability Policy Cons

  • Customer Losses: Scam victims ultimately bear the financial loss for scams. This can be life-altering in some cases, leaving victims unable to pay essential bills or mortgages. These losses go beyond the wallet. They also inflict severe emotional and mental scars on victims.
  • Slower Payments: Many customers have grown accustomed to the convenience of faster payments. Introducing delays, even if they are designed to protect customers, will contribute to customer frustration.
  • Limited Effectiveness: It’s unclear if cooling-off periods will be sufficient to prevent all scam types, especially sophisticated ones capable of deceiving even vigilant customers. 
  • Difficult To Measure: It is not safe to assume that anyone who doesn’t complete a transaction post-delay is a victim. Some people could simply change their mind about a transfer, realize they are exceeding their spending budget, and reconsider a transaction. This means it will be challenging to gauge the overall impact of intervention delays on reducing scams. 
  • Inaccurate Reporting: Challenges in measuring effectiveness can also create inaccurate messaging to the public domain on the initiative’s performance.

EU: Banks Will Become Partially Liable Under PSD3

Banks in the European Union are mandated to reimburse victims of a particular category of scam: bank impersonation scams. 

EU Scam Reimbursement Liability Policy Pros

  • Highly Targeted Protection: By refunding victims of impersonation (also known as “spoofing”) scams, support is directed towards scenarios deemed most likely to create harm. This is a serious risk when the bank’s name and brand are impersonated as part of the scam.
  • Incentivized Education: Customers are motivated to educate themselves on scams more broadly if they understand that only specific scams are covered.
  • Balanced Responsibility: The financial impact of scams is shared between banks and customers, leading to a more sustainable reimbursement model.
  • Increased Reporting: Customers are more likely to report scams if they believe they might get reimbursed. Access to more scam data can help banks improve their scam detection capabilities.

EU Liability Policy Cons

  • Inconsistent Reimbursement Patterns: Understanding which scams are covered and which are not can be confusing and may lead to frustration, dissatisfaction, and inconsistent customer outcomes.
  • Potential for Disputes: The reimbursement criteria could lead to disputes between banks and customers over eligibility. This may complicate the victim recovery process and damage bank-customer relationships.
  • Limited Future-Proofing: Scams change as criminals innovate their tactics. The reimbursement model must evolve constantly to keep up with the latest scam types.
  • Administrative Overheads: Banks will face an increased administrative burden in assessing claims and determining eligibility for reimbursement, which could increase operational costs.

US Banks Face Calls for Scam Reimbursement Clarity

US regulators do not currently require banks to reimburse scam victims. However, there are some signs that US banks are changing their approach.

Several US banks have agreed to start reimbursing victims who were scammed on Zelle, the bank-owned person-to-person payment service. However, reimbursements only apply to specific types of imposter scams. This includes if a scammer pretends to be a bank employee, government official, business, or utility provider.

Some US lawmakers want Zelle to publicly clarify who is eligible for a scam reimbursement and expand eligibility. They are also calling for Zelle to simplify its reporting process and make it public.

US regulators are keenly watching how the UK and EU’s different approaches to scam liability unfold. It’s possible that US regulators will adjust their strategy based on these observations. However, it might take a few years before significant changes are enacted.

Until a regulatory requirement is enacted, US banks must decide for themselves how much protection to offer scam victims. Reimbursing at least some scam victims will allow US banks to offer competitive differentiators (similar to TSB Bank’s scam refund guarantee) and move closer toward the middle of US market policy. 

Going Above Liability Mandates is a Market Differentiator

A review of each country and region reveals that a unified approach to scam liability does not exist. Liability ranges from zero-mandated reimbursement (Australia and the US) to very few reimbursement restrictions (UK).

Whatever the existing or upcoming regulations a bank faces, one thing is clear: banks that proactively exceed their market’s minimum requirements, for example, providing victim refunds when they are not mandated to do so, will be better perceived in the court of public opinion. 

Take TSB Bank, for example. TSB offered a guaranteed fraud reimbursement before the UK’s requirements were enacted. As a result, TSB can boast that it reimbursed more customers than competitors after the UK’s Payment Systems Regulator (PSR) publicized how banks performed regarding reimbursements.

TSB can also demonstrate that it is helping to address one of the most significant elements in scam prevention: removing customer stigma. In a note to the UK Parliament, TSB noted that customers are more likely to share important information about how their scam encounter unfolded if they are confident they will get refunded. This has contributed to an astonishing 1338% increase in reports to law enforcement. 

A guaranteed reimbursement might work for some banks but not for others. As global regulators weigh their next moves, scam liability will be a hot topic in 2024 and beyond.

A Scam Prevention Guide for Banks

Whatever risk exposure banks face because of increased scam liability, they will need robust prevention mechanisms to minimize scam losses. Here are some essential steps banks can take to reduce scam losses.

Evaluate Your Bank’s Risk Exposure

If your bank isn’t currently required to reimburse scam victims, assess how much liability could cost your organization if regulations take effect. This cost could be staggering, reaching tens of millions in regions heavily targeted by scams. A proactive risk analysis protects your financial institution’s reputation and bottom line. 

Implement AI First Controls

The scam threat should crystalize the importance of investing in a machine learning-first approach to prevention. Machine learning models adapt to ever-changing scam patterns and transactional subtleties and can better detect signs of fraud that rules alone might miss. Rules should act as a supplement to AI models, not as a lead mechanism. 

Selecting the Right Enrichment Capabilities

Move away from the mindset of needing “one of everything” (e.g., behavioral biometrics, malware detection, device ID, etc.) and instead focus on the right tools to solve your organization’s challenges. Move beyond everyday solutions and consider new capabilities like network-level models offered by Form3 in the UK. Make sure your bank achieves a strong ROI for its enrichment efforts.

Strengthen Operational Processes

By implementing strong operational processes, banks can reach out to customers with tailored messaging specific to their situation. This means going beyond a simple “Did you approve this transaction?” to understand their intent and why they are making the transaction, ultimately leading to a more productive and informed discussion before money leaves the account.

Invest in Strong Educational Campaigns 

Education should be straightforward, relevant, and easy to access. Tailor your messaging to the most common scams in your region and deliver it when it matters most – right before the potential transaction. Avoid overloading customers with generic warnings; a targeted approach driven by data maintains customers’ attention. Don’t forget to keep your staff up-to-date on the latest scam trends so they can be your front line of defense.  

Use an Omnichannel View of Risk

Scams occur across multiple channels. For example, card scams are emerging as a new serious threat in the UK. Banks must be able to view activity across different channels to connect various events. An omnichannel view is critical for banks to detect a high-risk incident on one channel while evaluating a decision on another channel.

Inbound Payment Monitoring

To profit from scams, criminals need money mules. To stop fraud, banks need to stop money mule activity. Inbound payment monitoring has emerged as a vital step in monitoring payments coming into accounts and purging money mule accounts.

Unlike the fairy tale heroine Goldilocks, all regions are unlikely to ever find a “just right” scam reimbursement solution that makes all parties happy. However, there appears to be an increasing progression of FIs shifting away from zero scam liability toward offering some assistance or guidance for victims. 

The banks that will stand out in the market will go above their market requirements. Helping customers at a critical time when they need help most is vital to securing a long-term relationship with customers. 

Will it guarantee a “happily ever after” for financial institutions? Taking these steps is an excellent way to find out.