Two months have passed since the Payment Systems Regulator’s mandatory APP fraud reimbursement scheme came into effect, but what impact has it had so far? FStech news editor Alexandra Leonards speaks to industry experts to see how the banking and payments sectors have been innovating to address this growing issue, taking a deep dive into the recently announced data-sharing collaboration between UK mobile networks and banks, future hopes for tackling fraud, and how the new rules could re-shape the financial services industry’s approach to APP scams.
Following much anticipation, some hesitance, and a little backlash over since-quelled concerns about an arguably generous reimbursement limit, the Payment Systems Regulator’s (PSR) new mandatory Authorised Push Payment (APP) fraud rules were launched on 7 October 2024.
Although it is challenging to see the impact of the policy at this juncture, especially considering the transient nature of criminal tactics, the reimbursement scheme is anticipated to have a substantial influence on mitigating APP fraud rates.
But the rules won’t do much on their own. The PSR expects the initiative – which forces all UK banks, building societies, payments and e-money firms to reimburse victims of APP fraud up to the revised sum of £85,000 – to drive these firms to innovate and create new data-driven solutions to reduce these kinds of scams.
Behind the scenes, many firms have been actively implementing innovative technologies and collaborative initiatives to address a pressing issue that has long been on the financial services industry’s agenda.
Cross-industry data sharing
Nicky Goulimis, co-founder and chief executive of Tunic Pay, a tech start-up that focuses on tackling APP fraud, says that the PSR’s APP reimbursement scheme has triggered a seismic shift in how banks approach fraud prevention and customer protection.
“In the months leading up to the scheme's implementation, financial institutions faced an unprecedented operational challenge, having to completely overhaul their consumer communications and claims processing frameworks,” she explains.
This has ultimately pushed many banks to fundamentally reimagine their approach to fraud prevention.
“Rather than relying on generic warning messages and reactive fraud detection, institutions are now grappling with the complex task of developing intelligent, transaction-specific warning systems,” continues Goulimis.
The chief executive notes that this transition from detection to prevention necessitates a comprehensive restructuring of their data collection and processing methodologies, with a specific focus on payment context and counterparty information. This restructuring must be carefully balanced to ensure both security and customer experience metrics are met.
Although the new regulations compel firms to prioritise fraud prevention, and over 99 per cent of all claims are covered by the policy, numerous industry players have been developing innovative tools and methodologies to combat rising APP fraud for months or even years.
"Perhaps most notably, we're seeing unprecedented momentum in cross-bank data sharing initiatives,” adds Goulimis. “Major financial institutions are now actively pursuing collaborative approaches to identify bad actors and reduce false positives, recognising that effective fraud prevention requires a unified industry response."
Arguably one of the most compelling instances of this concept is a recently introduced tool which has been developed by a consortium of the UK’s top banks and mobile network operators.
Dubbed Scam Signal, this collaborative effort has been spearheaded by EE, Virgin Media O2, Three, Vodafone and UK Finance members, including NatWest. The tool, facilitated by an API, enables banks to enhance their ability to detect and prevent APP fraud by analysing real-time network data and identifying correlations between phone calls and fraudulent bank transfers.
While this new tool has arrived just in time for the PSR’s new rules, Dianne Doodnath, principal of economic crime at UK Finance, reveals to FStech that it has been almost half a decade in the making.
“I think it originally started about four years ago, we began by exploring existing APIs and deciding what we could do based on existing technology,” she says. “It took a little while before we completed that and said: how do we invent something new?"
She explains that Scam Signal is not just building on an existing API; it is something brand new.
“We needed to work out how we could bring everyone on that journey and validate all the findings, making sure it's not just a fluke based on the market leaders that spearhead the movement,” continues Doodnath.
She says that the organisations involved in developing the tool had to go through a lengthy iterative process.
“We had to do a lot of show and tell at each stage of progress because it’s not realistic for all mobile networks and 40 banks to test ideas out, there has to be some leaders in the pack to really focus in on it to avoid it becoming decision by committee,” she continues.
The new tool can discern the hallmark indicators of social engineering and mitigate the incidence of false positives as a result. In its nascent stages, Vodafone completed a successful three-month pilot project which resulted in scam detection improving by 30 per cent at a major UK bank.
"The new Scam Signal coalition is a fantastic example of strong collaboration between banks and telcos,” adds Bronwyn Boyle, chief information security officer (CISO) at PPRO, a FinTech company that provides digital payment solutions to businesses and banks. “Cross-industry partnerships are essential to combat the sheer scale of fraud we're facing: recent reports highlight a staggering £420 billion 'fraudemic' is sweeping the globe.”
This figure, published by the Social Market Foundation (SMF) and Santander UK in September, encompasses the broader societal implications of fraud, including reduced productivity resulting from the subsequent cleanup efforts.
Social media
UK Finance data shows that most fraud originates on social media sites and via more old-fashioned telecommunications approaches like scam text messages and phone calls.
And while 16 per cent of APP scams take place through these methods, 72 per cent are now enabled by online sources, including social media, dating sites, auction websites, and search engines.
Asked whether a tool similar to Scam Signal could be used by social media platforms, particularly considering the elevated incidence of APP fraud originating from these platforms, Dianne Doodnath, a spokesperson for UK Finance, acknowledges that this is a complex issue for the industry.
“One of the challenges we have with this is that obviously for any business to create something like this, they need a business case, which often ends up with them making it into a commercial proposition,” she explains. “That's not necessarily where we want it to go.
“There desperately needs to be more equitability in terms of the threat across the ecosystem, so the commercialisation model isn't ideal, but irrespective of this, what Scam Signal has done is proven that you need to begin by sharing the information to be able to develop solutions that safeguard victims.”
Doodnath explains that, in terms of the strategic prevention approach going forward, industries are concentrating on seeking assistance from the government to establish an agile intelligence and data sharing entity. Such an entity would facilitate the frequent and strategic application of cross-sector collaboration as exemplified by Scam Signal.
“Because as soon as you close something down, the criminals are going to migrate,” continues the economic crime expert. “So, you need something that's agile.
“Some of these projects take several years to come to fruition and then once you solve the problems, the criminals change what they're doing overnight. Scam Signal itself took a few years to create from scratch, to where we are as a sort of collaboration concept to then developing a new solution.”
UK Finance, which represents over 300 firms in financial services, believes what the industry really wants is a system that houses the “whole chain of events.” This system would provide flexibility while ensuring that organisations feel comfortable sharing information and data with appropriate privacy controls.
Speaking about the role of social media, Doodnath argues that, following the implementation of the PSR’s APP fraud scheme, it would be unjust for banks to solely bear the responsibility of addressing risks arising from the exploitation of systems and services on these platforms. She instead emphasises the necessity of finding a more equitable distribution of the burden of protection and prevention.
Innovating detection and prevention
Financial institutions have also been investigating alternative detection and prevention techniques to keep up with emerging fraud patterns.
Dal Sahota, director of trusted payments at LSEG Risk Intelligence, says that the market approach has been somewhat split between firms that have been at the forefront of addressing APP fraud, organisations that are following the leaders, and those that are lagging behind.
Starling is one bank that is looking to be at the forefront of these efforts with a new industry-first tool launched on its app in October.
“Just recently we’ve launched a new feature to help customers identify bank impersonation scams, and also ran a widescale campaign to encourage people to create a safe phrase, to combat AI voice fraud,” explains Sarah Lenette, financial crime specialist at Starling Bank.
Starling’s new tool helps customers identify bank impersonation scams through ‘call status indicators’ which instantly let customers know if they’re receiving a genuine call from the bank in the moment. This provides customers with greater confidence on whether there is a scammer on the phone trying to dupe them into making a transaction.
The digital bank is simultaneously running a Safe Phrases campaign which encourages the public to agree a ‘Safe Phrase’ with their close friends and family that no one else knows, to allow them to verify that they are really speaking to them. The programme hinges on the alarmingly easy access to voice cloning technology which can replicate a person’s voice from as little as three seconds of audio.
Lenette tells FStech that the bank plans to continue innovating with similar tools and initiatives.
“We’re constantly improving our detection methods and providing our customers with the education they need to protect themselves when new trends emerge,” continues the financial crime specialist.
Although the bank did not disclose whether it has been involved in the development of Scam Signal, as a member of UK Finance, it is likely to have access to the technology, in addition to its newly introduced impersonation tool.
Lenette did say that Starling is a member of Stop Scams UK, a membership organisation comprising responsible businesses from various sectors, including banking, technology, and telecommunications. Additionally, the bank is actively involved in numerous cross-industry projects that are currently in the development phase.
PSPs
But while the focus from a consumer perspective has largely been placed on banks, payments processors also have a responsibility to address the growing issue of APP fraud under the new rules.
"Many payment service providers (PSPs) have been working hard during 2024, preparing for the PSR’s reimbursement scheme well in advance of its official launch in October,” says PPRO’s Bronwyn Boyle. “Efforts have focused on strengthening fraud detection capabilities, investing in real-time monitoring, and uplifting internal processes to ensure seamless customer service under new requirements.”
She asserts that businesses are also investigating the potential of artificial intelligence (AI) and machine learning (ML) to provide real-time insights into potential fraudulent patterns, suspicious activities, and high-risk customer profiles.
In addition to meeting compliance targets, these preparatory measures demonstrate a proactive approach to preventing fraud, safeguarding customers, and mitigating financial risks associated with the newly implemented reimbursement requirements, Boyle states.
"This is a problem space where prevention is definitely better than cure, so it's great to see significant efforts focusing on changing customer behaviours to stop fraudulent transactions at source,” she tells FStech.
Currently, PSPs are implementing innovative features that utilise data-driven, personalised prompts to alert customers about potential red flags based on their previous transaction patterns and risk indicators. These prompts can disrupt common scam tactics by providing timely and relevant warnings, nudging customers to reconsider suspicious transactions before completing them.
Despite the ongoing efforts of payments firms to modernise their processes, there remains a significant challenge in maintaining security as criminals continually adapt their tactics.
“While these are welcome developments, more sophisticated approaches are urgently needed to prevent the devastating customer harm caused by investment- and romance scam-based APP fraud,” warns Boyle.
A new era of ‘good friction’
LSEG’s Dal Sahota says that in the past there has always been a focus on creating a frictionless payment journey via full digitalisation of the process.
“I think what's changed principally is that now what we're starting to see is that while there is bad friction, there is equally good friction,” he says. “What the latest level of innovation in the market brings out is good friction i.e. those few seconds to have confirmation of payee, verification of payee, by design it is good friction.”
Sahota continues: “That is something that the market is working through and really comprehending that some level of friction is good in the prevention of fraud, and there's clearly some friction in that users, consumers, businesses just don't accept, but this they do accept.”
High-risk accounts
One area in which the banking sector is exploring further ways to innovate is high-risk accounts.
“What about if the industry had an almost clean list of highly regulated accounts that legitimate businesses use?” asks UK Finance’s Doodnath. “Could that help reduce impersonation scams, for example, where criminals are purporting to be from this brand or that entity?”
She continues: “If we can prove out the benefit, then we can actually try and make more policy around that become mainstream. We’re obviously trying to share more data even within the banks as well where possible.”
Doodnath says that there are continual efforts happening in the industry related to furthering cross-sector information and data sharing.
“We try and engage with the Information Commissioner’s Office (ICO) as well to see where they might help unlock people’s understanding of data sharing, because some of these companies are based in the US, others have got really tight privacy controls for electronic communications,” she explains. “And so, you’ve got to go through the whole 360 degrees of all the different avenues to facilitate greater data sharing, like an API as a predictive model.”
Despite the implementation of GDPR and the existence of legitimate interests, the data protection framework is still grounded in the risk appetite of each entity across various sectors, she adds.
“Whereas if you had a centralised body that is government endorsed and has sufficient safeguarding then you could potentially accelerate that massively, rather than having to convince the data protection officers and the legal departments, as it really slows things down if they're not liberal-minded in terms of how you can proportionately do some of this stuff,” continues Doodnath.
She explains that this is indeed a significant challenge, but not necessarily due to any inherent issues with GDPR. Instead, the crux of the matter lies in the interpretation of the regulation and the corresponding lack of agility in the process.
The ICO has recently called on organisations to share personal information responsibly to protect their customers from scams and fraud, informing firms that data protection is “not an excuse” when tackling these issues.
“Data protection law does not prevent organisations from sharing personal information, if they do so in a responsible, fair and proportionate way,” says the government office.
The impact of the PSR’s reimbursement scheme
Although the PSR’s mandatory APP Fraud reimbursement scheme is likely to have a substantial impact on the market, given the constant development of new technologies and approaches, it is challenging to predict the precise effects at this early stage, especially considering the rapid pace of scammers’ adaptation.
The regulations will be subject to review in 12 months, during which time businesses will assess whether the ongoing concerns regarding the policy being exploited by criminals will materialise.
UK Finance’s Doodnath says that, as with any other regulation, stats generally start to drop just before the rules come into play because everyone's moving towards compliance.
“We'd expect some change, but whether that just displaces to something else the criminals do is another question,” she explains.
For instance, following the implementation of enhanced transaction controls at the PSD2 level, criminals shifted their focus to account takeover rather than individual transactional fraud.
“The fraud levels are still massively lower than what they were still, but criminals migrate their techniques to what will give them the greatest access,” says Doodnath. “The criminals don't have any due diligence or compliance that they need to go through, so we expect there to be displacement when new controls are put in place.
“The question is, what will be the lowest hanging fruit? And what are the things that they can expand and pivot to? And how can industry react to that?”
Starling Bank’s Sarah Lenette agrees that it’s still too early to see any impact from the scheme.
“But it’s fair to say that we would anticipate criminals trying to take advantage of the new rules,” she continues.
Nicky Goulimis from Tunic Pay says that the organisation’s banking partners have not observed substantial surges in fraudulent activity. However, the industry acknowledges that the long-term impact of the scheme on fraudulent patterns remains uncertain.
LSEG’s Dal Sahota argues that there could have been more of a risk of criminals taking advantage if the initial reimbursement proposal of £415,000 had remained, describing this figure as a “catalyst” for this kind of activity.
“So, it’s now more favourable versus the skepticism that was there, say two or three months ago,” he says. “I think overall the broader expectation now is that it's going to decline, at what level is questionable and to be unfolded.”
Despite the reduced reimbursement, UK Finance anticipates potential manipulation of the system due to the industry’s historical experiences.
“In the past we have seen social media posts where criminals offer to claim back your last five or ten years of direct debits because there’s a direct debit guarantee,” says Doodnath. “But obviously our industry is very good at sharing intelligence because if you don't stop the fraud, then it becomes somebody else's money laundering.
“And so, it's in our own interest to try and spot those types of things and stamp them out as much as possible.”
Ultimately, there are plenty of data sharing initiatives across the industry to help stop such fraudulent activities.
“Based historically on things that we've seen, including direct debits and first party claims of card fraud, this would be normal,” she says. “The question is whether it would be a higher proportion than we see elsewhere, which is why it is important that there's a review coming from the regulator at 12 months. It takes time with fraud for people to spot things.”
Many banks and payments firms have already started thinking outside of the box when it comes to addressing APP fraud. As new regulations intensify the significance of addressing this escalating concern, the coming 12 months present an opportune period for the development of groundbreaking tools and collaborative efforts.
As the financial services industry grapples with the intricate challenges of fraud prevention, the collaborative efforts of banks, payment service providers, and technology companies stand as a glimmer of hope. As Dianne Doodnath from UK Finance emphasises, "as soon as you close something down, the criminals are going to migrate," highlighting the ongoing challenge of staying ahead of ever-evolving criminal tactics. The upcoming year will be pivotal in evaluating the efficacy of the PSR’s newly introduced reimbursement scheme and the innovative tools such as Scam Signal.
While no single solution can completely eradicate APP fraud, an unwavering commitment to cross-sector data sharing, sophisticated detection systems, and comprehensive customer education presents a promising trajectory in combating this pervasive digital menace.