The Financial Conduct Authority (FCA) has expressed concerns about a loophole in the mandatory APP fraud reimbursement scheme which excludes intra-firm payments from the rules.

The policy only applies to payments routed through an external payment system like the Faster Payments System (FPS) or CHAPs.

When both the sending and receiving payment accounts are held with the same bank or group a transaction can be made via an internal channel, meaning it would not be covered by the rules.

In letter to the chief executives of UK banks and payment services providers (PSPs) earlier this month, the financial watchdog said that firms are still expected to meet Consumer Duty rules whether an APP fraud transaction is made between two separate companies or not.

The Payment Systems Regulator’s (PSR) policy, which came into effect on 7 October, requires all UK banks, building societies, payments and e-money firms to reimburse victims of APP fraud up to £85,000.

The FCA warned firms that consumers are unlikely to understand that the level of protection that a PSP provides against APP fraud may vary depending on the type of payment process used.

“We are therefore concerned that consumers will not understand if they receive a lower level of protection in respect of an intra-firm payment, compared to a payment made by FPS or CHAPS, and that this will lead to poor consumer outcomes,” it wrote. “Under the Consumer Duty firms are required act to deliver good outcomes for consumers.”

The regulator says that it expects banks and PSPs to make sure that their approach to 'on us' or intra-firm payments still meets their obligations under the Consumer Duty.

If banks provide a lower level of protection to victims of APP fraud because they have made a non-FPS or CHAPs transaction, they must contact the FCA to provide an explanation of the steps they have taken to meet its obligations.

Commenting on the news, the co-founder of FinTech Tunic Pay – a FinTech that Helps Banks use verification data to prevent APP fraud – said that the organisation is surprised the loophole hasn't already been closed given that FinTechs have been "whispering about it for months."

"The loophole issue is bigger than most think, as it's not restricted simply to those fraudulent transactions that happen within the same bank," explained Nico Barawid. "FinTechs without their own EMI licence often rely on a banking as a service (BaaS) provider to enable core banking operations like opening accounts and making transactions for their customers."

He says that when a fraudulent payment is made between two FinTechs that share the same BaaS provider, then that transaction operates in the same "regulatory grey zone" as same-bank transactions.

"This means that even some victims who have a different bank than their perpetrator may not be protected," warned the co-founder. "Some BaaS providers have sent out guidance earlier this summer to their FinTech customers informing them of this loophole (that they may not have to reimburse all victims)."

---