Fergal Parkinson
Published on: October 2, 2024
It’s something that consumer protection groups have long been lobbying for – and politicians have been increasingly open to.
I’m talking about the news that the UK this month will see the immediate introduction of strict new rules to protect – and, crucially, to compensate – victims of so-called APP fraud.
APP, which stands for authorised push payment, describes any scam in which the victim is deceived into voluntarily paying money to a scammer. This umbrella term can cover numerous different types of deception: fake goods like concert tickets which are paid for but never received; romance fraud when the target lends money to cover a crisis experienced by their supposed new love; investment fraud where worthless shares are paid for upfront; family fraud where a scammer poses as a relative in trouble and needing money urgently; impersonation fraud where a call looks like it comes from your bank and warns you to move money to protect it, only for it to go to the scammer – and many more variants.
These all have the common feature that rather than taking the money, the victim is deceived into voluntarily giving it – into authorising that push payment. And all these will be covered by the new scheme.
APP fraud has become a bigger and bigger issue for businesses, for their regulators and ultimately for governments too. And that’s because of the continually soaring cost of these scams and the number of people affected, often in life-ruining ways.
The latest available figures in Britain, from UK Finance, show that the number of cases had risen year-on-year by 12% to take the number of victims to 232,429 in 2023, with their losses totalling £459.7 million
These kinds of huge numbers make the problem increasingly hard to ignore.
Many people will know a victim personally – and there are new cases reported in the media every week, often very high-profile ones.
Just last week the veteran newsreader Moira Stuart went public with her warning about how she nearly fell victim to an impersonation fraud. This was halted only when she very fortunately actually walked into a branch of her bank while on the phone to a scammer pretending to call from it.
Thankfully this enabled the real bank workers to detect the fake ones and she was saved – but she still felt embarrassed at how close she had come to falling victim and wanted to warn others. Cases like this – and there have been many – have forced the issue up the agenda.
As of next week – October 7th – UK banks must refund fraud victims up to £85,000 of any losses. And they have to do it very quickly – within five days of a credible claim being made.
In fairness to the banks, this is in reality only making mandatory what many have been doing voluntarily already. But the new rules, announced and to be enforced by The Payment Systems Regulator (PSR), do nevertheless represent a formalisation of the position that the onus is on the banks themselves to stamp out these scams rather than on individual customers.
It will certainly cover most people: of those 200,000 plus cases recorded last year only 411 saw people lose more than the level of the cap on claims under the scheme, £85,000, which is fewer than 0.25% of annual victims. So most will be covered in full. There are a couple of exemptions though. Anyone who has committed fraud themselves will not be eligible. Nor will those who have been ‘grossly negligent’; it will be for the regulator to determine how this is applied and to whom.
Interestingly the announcement also contained a footnote: once the bank or payment company has refunded a customer victim, it can then itself claim back 50% of its losses from the financial institution the fraudster used to receive the stolen money.
Clearly, the intention here is to lean on all financial institutions to make it harder for fraudsters to receive money electronically and then disappear – as so many do now. But it also sets up interesting future tussles between financial organisations over liability and where those lines will be drawn.
And, more generally, it should encourage all to apply more scrutiny than ever before to who’s using their accounts and for what purpose.
This move is, in a sense, a gamble by the regulator. The PSR is plainly hoping that in response to the new rules, the banks will continue to try to raise customer awareness of the risk of APP and add further measures to try to catch it before it happens. For instance, it’s now standard for bank apps to ask questions like ‘Do you trust this person?’ when moving cash. And many banks now even require customers to speak to their fraud teams in person before authorising larger transfers.
The danger is that once customers realise that they’re covered for scams, they will become less vigilant, not more so. So if they see some Oasis tickets for sale online and they’re not sure if it’s real or a scam – they might take a punt knowing they will either get the tickets they are desperate for or a mandatory refund from their bank five days later.So expect to see banks arguing with the regulator that customer conduct like this would amount to ‘gross negligence’ and so should not be covered for refunds. They will not want blasé customers gambling with their money.
However, it’s important to note that banks are not the only entities involved in the chain of responsibility. There’s a glaring lack of accountability for websites that host scam ads, ISPs and hosting services that provide access to platforms, and even dating apps that fail to verify users. Right now, the responsibility for protecting customers lies almost entirely with the banks, while other points along the journey are often overlooked. This gap in oversight allows scammers to thrive, and tightening the net will require addressing these vulnerabilities outside the banking sector.
But if the move sees fraud going up rather than down – what next? Well, this could finally be the cue for banks to employ number recognition checks in customer transactions. While it’s easy for a fraudster to spoof a number to make it look like they are calling from, say, an international bank, number recognition technology isn’t so easily fooled – in fact, it’s all but impossible to deceive these systems when they’re based on real-time telecom intelligence and historical data.
Crucially, banks need to improve identity verification for their ‘thin-file’ customers. Mobile number identity checks can help verify not just the number, but also the identity behind the number, and the device in session throughout the customer lifecycle. Mobile integrity is critical at the beginning of the lifecycle, but also during high-risk transactions.
For example, verification should begin during onboarding to reduce the likelihood of fraudsters obtaining a bank account in the first place, standard KYC checks, combined with more advanced ones, such as Online Presence checks for ‘thin-file’ customers. When sending money, banks should authenticate the transaction by verifying that the mobile number hasn’t been recycled, that porting or call forwarding isn’t enabled, and that there is no SIM-swap activity.
Beyond just identity verification, banks should leverage situational insights. While behavioural insights can help detect fraudulent patterns, situational insights related to the mobile device itself can provide further protection. Checking real-time mobile behaviour – such as whether a device is engaged in unusual activity during an attempted transaction – could help stop fraud in its tracks.
Before now, only larger banks were routinely using data insights to prevent APP fraud at this level of sophistication. The new mandatory maximum reinbursement provides an important opportunity for smaller banks to follow suit. Given the increasing cost of fraud, investing in such preventative measures could be a wise financial decision for institutions of all sizes, particularly as the PSR’s rules place the burden of protection squarely on the banks.
Data sharing is another key element in the fight against APP fraud. Banks can detect potential fraud by identifying whether the receiving account is personal or business, whether the mobile number linked to the account has been flagged before, and if it has a history of suspicious activity. When risk signals accumulate – such as account behaviour, unusual transaction amounts, and mobile device insights – the transaction should be flagged for further investigation. By sharing this data across institutions, banks can more effectively collaborate to stop fraudulent transactions in their tracks.
The UK appears to be ahead of the curve on this one. Lots of other governments and regulators globally will be watching for what happens next in the UK. Will this move arrest the growth of APP fraud or will it only protect customers at the banks’ cost – and at a cost to the wider UK economy? There is much to play for. Watch this space.
Last updated on October 3, 2024
TMT allows your business to check important indicators of fraud without destroying your customer’s experience; preventing fraud and eliminating anxiety, frustration and wasted time for everyone involved. Get in touch to reduce APP fraud.
Talk to a Scam Signals expert"Phone number verification plays a critical role in helping to detect and prevent online fraud. TMT ID’s TeleShield product provides easy access to global mobile data, enabling us to enhance the actionable results of our MaxMind minFraud® services."
"BTS (Business Telecommunications Services) is successfully using TMT’s Velocity and Live services to check the status of mobile numbers. This way we make sure we optimize the performance of the service offered to our customers and ensure the quality of terminating traffic to all countries.”
"Working with TMT’s TeleShield service has expanded our ability to detect fraud and minimise the risk to our business. TeleShield brings peace of mind and the opportunity to stop fraud before it affects our customers’ bottom line or the service."
"LATRO relies on TMT’s TeleShield to provide the most up to date and reliable numbering qualification information within our fraud reporting tools, enabling us to protect our customer’s revenues and empowering them to defend themselves against fraudulent numbers."
"TMT is a valued partner that enables us to manage our routing costs effectively. They proactively and continuously expand their operator and country coverage while delivering exceptional customer service. We can always count on them to achieve high-quality results and look forward to our continued collaboration."
"TMT provides us with the most comprehensive numbering intelligence data through their fast and reliable Velocity and Live services. TMT is a trusted partner for us, their products ensure that we continue to optimise the best performance and service to our customers."
"TeleShield from TMT gives 42com the power to detect and target telephony fraud scams internationally, thereby protecting our company from the financial and customer experience impacts of telecommunications fraud."
"It has been a pleasure to work with the team at TMT. They have become an essential provider of accurate numbering data information and Number Portability services globally."
"Deutsche Telekom Global Carrier uses TMT ID as one of their key suppliers for Mobile Number Portability Data services. Deutsche Telekom Global Carrier uses TMT ID’s Velocity MNP solution. This is an ultra-fast query service that optimises the routing of international voice calls and A2P messaging."
We provide the most comprehensive device, network and mobile numbering data available
Contact us > Chat to an expert >
