What APP Scam Reimbursement Requirements Mean for Banks

While this policy is just starting in the UK, these changes will likely ripple across global markets. It is essential for banks to stay focused on outgoing fraud prevention – while also emphasizing mule account detection strategies that focus on where the money goes.

How APP Scam Reimbursement Policy is Evolving

UK consumers lost an estimated £485.2 million to authorized scams in 2022. UK Finance reported that they reimbursed nearly 60% of scam victims for their losses. This amounts to £285.6 million returned to victims.

The UK’s Payment Systems Regulator (PSR) is rolling out new policies aimed to push that reimbursement rate even closer to 100%. According to these rules, the sending bank (the scam victim’s bank) and the receiving bank that ultimately received the scam funds will split the APP scam reimbursement costs 50-50.

The game-changer here is that APP scams are, well, authorized. So, the real onus falls on the receiving institution. After all, from a fraudster’s standpoint, a scam is a bust if they can’t get their hands on the money.

PSR’s new rules will ultimately prompt banks to think of the broader end-to-end payment cycle, not just the sending part of the transaction. Banks on the receiving side of transactions should carefully consider their risk exposure and the amount they must pay for scam losses.

Global Banks Consider New Scam Liability Approach

The UK’s new policy represents a significant change for banks by splitting APP scam reimbursement costs between sending and receiving institutions. It’s also expected to require banks to focus on inbound payment monitoring to detect and stop scam losses.

While it’s early, there are signs that the policy could get picked up in other markets. In Australia, for example, consumer groups are pushing for local banks to adopt a policy similar to the UK’s. Meanwhile, Australia’s Finance Minister recently announced the launch of a new anti-scam agency that will partner with government agencies, banks, telecom firms, and social media platforms.

Meanwhile, some lawmakers in Singapore have also proposed following the UK PSR’s policy change. However, opponents of the proposal argue that it could lead to a more reckless attitude toward scams and diminished personal responsibility. Other unintended consequences may include an increased risk of financial exclusion, increased risk of first-party fraud and collusion, and reputational damage to the bank if customers experience too much friction.

These discussions are in their early stages. Global regulatory eyes will fall on the UK as the PSR’s proposal is enacted early next year. This allows them to see what works and what doesn’t before formally implementing their own version of the policy.

But even if similar APP scam reimbursement models are adopted in other regions, it’s unlikely to end the debate for good. The odds are that liability will expand beyond banks to other players, such as telecom companies and social media platforms, where many scams originate. 

How Banks Can Prepare for APP Liability Changes

Given these changes, banks must revamp their scam prevention approach by getting to know their customers at a granular level. Here are some steps to help banks safeguard their customers and themselves from scam losses:

1. Layer Data for Informed Risk Decisioning

Banks must have the right data at the right time to make informed decisions. This will require proactively collecting data for both incoming and outgoing transactions. However, banks should analyze more than just transaction data. 

Banks must also consider supplementary data in their decision-making. This includes analyzing the customer’s device, behavioral patterns, and biometric data to form a complete picture of their normal activity. By closely monitoring this activity, banks can understand if the customer’s recent transactions should alter their risk decision for the transaction.

2. Practice Effective Data Utilization

An old adage in data science states, “garbage in, garbage out.” That philosophy is critical when using data effectively to prevent scams and protect customers. If banks have good data and good analytics, they’ll get good risk decisioning results. However, if they’re using bad data and bad analytics (or just one or the other), they’ll get poor risk decisioning results. 

Ultimately, banks must take care to place the customer at the center of their risk decisioning process. This means continuously assessing transaction data, not just in the moment but also relative to historical patterns. This process emphasizes the importance of using data intelligently to yield favorable results.

3. Shift from Authentication to Transaction Intent

Scams differ from unauthorized fraud types because they ultimately require the customer to approve the transaction. Bad actors realize that customers are the most vulnerable link in the chain, requiring banks to distinguish between unauthorized transactions and scams and adjust their responses accordingly. With this reality in mind, banks must move beyond simply asking the question, “Is this the legitimate customer?” 

Instead, banks should focus on understanding the intent of a transaction. For example, a customer making a high-value transfer to a recipient based overseas could be ensnared in a romance scam, an imposter scam, or another deceptive tactic. If banks understand the customer’s profile and the intent behind the transaction, they can intervene with an appropriate message at a critical juncture in the transaction. This warning allows the customer to reconsider their transaction before approving it.

4. Invest in Customer Education

As stated earlier, customers are the most vulnerable point in the transaction. This means banks must ensure customers are the first line of defense against scams. Banks must invest in educating customers on how to recognize common scam types.

At the same time, banks must walk a fine line between teaching customers to protect themselves and oversaturating them with warnings. Customers who receive too many notifications or educational assets may tune them out, making these efforts futile. Instead, tailor educational messaging to the risk present within the transaction and the customer’s profile and deliver it at an appropriate time in a transaction.

5. Develop a Comprehensive Feedback Loop

Risk assessment and decisioning will need to evolve continuously over time. Banks must implement a feedback loop that constantly improves their organization’s risk assessment and response processes. Part of this updated process should include labeling APP losses as scams to track how they unfolded and the first point of contact between the victim and the scammer. 

For example, was the victim contacted by a fraudulent SMS message or a social media post? Keeping tabs on the source of scams could open the discussion to expanding responsibility for scam losses from banks to other players like social media platforms and telecom providers.

But a bank’s feedback loop must go beyond labeling. Banks should use the findings to understand the effectiveness of their scam prevention efforts. Are customers interacting with the bank’s messaging? How many customers are being reimbursed for scam losses? These insights can inform how to evolve and improve the overall process.

Preparing for changes to reimbursement policies for authorized push payment scams requires a multifaceted approach that relies on robust data collection, effective data utilization, evolving authentication methods, and a commitment to ongoing improvement. By adopting these strategies, banks can navigate the transition to a 50-50 reimbursement split between receiving and sending banks while enhancing their ability to combat financial crime.