PSPs will need to think carefully about the people and processes involved in their fraud and reimbursement operating model. 

On the process front, they need to consider how they will manage customer APP fraud claims, false positive resolution, investigations and reimbursement processes for scenarios both as sender and receiver, as well as the governance of reimbursement processes. Supporting processes such as monitoring controls of counterparties also must be considered. 

On the people front, firms will need to consider whether their teams are large enough to cope with new requirements, the roles and responsibilities of teams and individuals, the skills required, the locations of teams, whether 24/7 support is needed, and whether tasks are performed in-house or by third parties. Some skills, such as investigations experience, will likely be in short supply as demand increases, so training will be key, and attracting and retaining skilled individuals will become a critical success factor. 

Existing technology used to support detection, orchestration and decisioning may need significant uplifts to be fit for purpose for case management of claims and investigations, as well as reporting.

Lastly, firms will need to consider their approach to change, monitoring and risk-based decision making. To be efficient and effective in the new world, models will need to constantly adapt not just to APP fraud typologies, but also to increasing volumes of customer claims, sender claims, fraud detection and investigations. This is likely to be a challenge for years to come as firms battle to limit their exposure and costs with better prevention and more efficient handling.

As APP fraud risk increases, so too does the need for effective governance and oversight. With the requirement for PSPs to reimburse victims, we will likely see ‘naming and shaming’ of PSPs who are not doing this effectively, so effective governance will be critical to minimise reputational risk for PSPs as well as fraud risk for customers.  

Firms will need to consider expanding their key performance indicators (KPIs) to track and stay accountable in relation to APP fraud. KPIs could include financials, volumes and values of APP fraud reimbursement (including by payment counterparty), volume and value of payments rejected due to suspected APP fraud, investigation metrics (from an SLA and outcome perspective), as well as customer metrics, including volumes and types of customers impacted, customer response times, reimbursement response times and more.  Firms will need to feed these KPIs into operating and financial decisions, such as new investment in technology and controls. 

Critically, firms must comply with legislation. Adequate governance structures should include oversight, segregation of duties, signoffs and approvals. These structures need to be highly efficient to ensure compliance with the mandated five working day SLA.

Additionally, as firms increase transparency and communication with sender/receiver firms, they will need to consider GDPR risks associated with sharing customer information, as well as the risk of tipping off where investigations involve fraudsters who are already subject to SARs. As always, proactive dialogue and cooperation with regulators will improve a firm’s ability to address these risks.

It’s no secret that this regulation will place a significant new financial burden on firms, both in terms of reimbursement costs as well as greater investment in fraud controls and operations.   

Firms will certainly need to invest in increased fraud prevention, controls and operations, from both a technology and resource perspective. It would be wise for firms to invest strategically. Investments in technology should provide a significant ROI and be communally beneficial. For example, investments in transaction screening will not only benefit a firm’s ability to better detect and prevent APP fraud, but also other fraud, money laundering and terrorist financing risk, potentially reducing risk of regulatory fines and significant losses. Equally, investments in resourcing, recruitment and training will hopefully mean more skilled workers leading to overall reduced headcount through smaller and more effective teams.  

However, in the short term the main financial impact will likely be the cost of reimbursement for most firms. With 50% of the liability falling to both the sending and receiving firm respectively, both will need to plan on the basis that the vast majority of their customers’ APP Fraud losses will be reimbursed. Firms will need to set aside funds based on historic APP losses and margin to reflect market trends and a potential increase in customers’ risk appetites given the promise of reimbursement.  

With the 7th October deadline for the new requirements fast approaching, firms should focus on defining their target state and plan backwards. This should take into consideration all the elements discussed above including how the operating model should look, the team structure including size and skillset, the technology capabilities, governance and how they will work with their counterparties. Firms will need effective change programmes to plan and deliver the change in a short period. To do this they will need cross-skilled teams with programme management experience as well as deep expertise in fraud risks and controls to ensure robust governance and oversight, with targeted and effective change.

In setting up these change programmes firms need to take a realistic approach to sizing up the work needed to get from current state to target state. Firms will need to prioritise efforts pre- October and then post October. It is clear that changes will need to continue far beyond the October deadline but having a clear target state for Oct 7th and clear priorities that will fall into post 7th October plans will help ensure clarity of scope and focus for efforts over the coming months. The right advice, support and ruthless prioritisation will all be crucial in determining how prepared firms are when the new regulations come into effect. 

Finally, the requirement for the sender firm to reimburse 100% of customer losses within five working days will increase pressure on the sender firm’s debt collection processes to ensure receipt of the outstanding 50% from the receiver PSP.  

There is no question that the changes in APP fraud reimbursement requirements pose significant challenges for PSPs. For some, this may even be an existential threat. For others, it represents one of the most potentially costly regulations ever introduced, and the cost of failure will be extremely high. The reimbursement rules create a huge amount of pressure to deliver change effectively across all areas of fraud prevention controls, and new requirements which will need to be built. Ultimately this will drive enhanced protection for customers, but in the short term it promises to be one of the biggest challenges faced by PSPs in recent years.