APProaches to Protecting the Vulnerable – The journey to protect vulnerable customers from APP Fraud



The Journey to Protect Vulnerable Customers from APP Fraud
Protecting Vulnerable Customers (VCs) is a key focus area for the FCA, with 53% of UK adults displaying at least one indicator of vulnerability[1]. FCA figures point to an increase of 3 million in the number of VCs between February and October 2020 (now an estimated 28 million)[2].
Over a similar timeframe, cases of Authorised Push Payment (APP) Fraud – wherein scammers trick customers into making payments to destination accounts – have also grown quickly (by 22%).[3]
Although the two issues may initially appear unrelated, there is a relationship between vulnerability and APP Fraud. A VC is defined as someone who is “especially susceptible” to harm due to their personal circumstances – and suffering APP Fraud is an indisputable form of harm. In fact, the FCA’s latest guidance on the fair treatment of VCs expressly highlights that “consumers with some characteristics of vulnerability may be more likely to fall victim to scams, including misleading online financial promotions”.[4] The APP Contingent Reimbursement Model (CRM) voluntary code also recognises vulnerability by reference to a customer’s ability to protect themselves from a scam. In both cases, firms are expected to take additional steps to prevent harm arising to VCs. Given the connections between the issues, how can firms address APP Fraud for all customers, including those who are vulnerable?
APP Fraud growth continues despite industry efforts
The retail payments sector has taken collective and concerted action to attempt to tackle APP Fraud, including:
- Participation in consumer awareness campaigns;
- Enabling customers to delay faster payments to first-time payees for a pre-determined period of time;
- Implementation of the Confirmation of Payee (CoP) solution to match payee names to account details;
- Working with Pay.UK on the Mule Insights Tactical Solution to identify the accounts through which the proceeds of APP Fraud are funnelled;
- Roll-out of the voluntary CRM code, which has reimbursed £188m since its introduction in May 2019;
- Sponsoring the Dedicated Card and Payment Crime Unit which tackles the organised criminal groups associated with fraud and scams.
However, despite these efforts, APP Fraud continues to grow – suggesting that different solutions are needed.
Potential Solutions
Considering the customer journey and interventions throughout it can help improve protection from APP Fraud for VCs and other customers.
Customer Awareness
Better customer awareness should reduce the occurrence of APP Fraud as customers become better equipped to recognise the scam and protect themselves. The ‘Take Five To Stop Fraud’ campaign had a positive impact in that the majority of people who recalled it said they would behave differently as a result.[5]
However, ‘off the shelf’ customer education initiatives may not be appropriate for VCs with low knowledge/confidence in managing finances, or with poor language/numeracy/digital skills. Bespoke awareness initiatives could have more impact in reducing APP Fraud; for example, workshops could be held to educate VCs on common tactics used by fraudsters.
Onboarding and pre-payment
The FCA expects firms to use data to identify vulnerabilities in their customer base. Firms already score or assess retail customers for a variety of matters such as creditworthiness, affordability, product suitability and money laundering risk – they can also assess customers for vulnerability through a combination of attribute analysis and predictive modelling. Vulnerability scoring of a retail customer base could draw together customer-specific data, generic customer data, indicators of vulnerability and information on susceptibility to APP Fraud, to identify the most vulnerable who need additional support, with the aim of delivering the fair customer outcome of not becoming a victim.
The industry is exploring the concept of configurable bank accounts which allow customers to control the level of friction they can tolerate to increase their protection. Firms could also enable customers to self-declare vulnerability (e.g. in-app toggles) and thereby increase the level of protective friction in more risky payment journeys. Although scammers may seek to persuade customers to reduce friction levels, transactions set up shortly after a reduction in friction would be good candidates for additional controls, such as dynamic risk warnings, scrutiny by the firm, and/or delayed execution.
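The rule described above, sketched as an added example that is not part of the original article or any firm's system: payments set up shortly after a friction reduction are routed to additional controls, and self-declared vulnerability raises friction on riskier journeys. The 48-hour window, the numeric friction scale, the record types, the control names and the treatment of first-time payees as the "more risky" journey are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the article gives no figure for "shortly after"; 48h is illustrative.
REDUCTION_WINDOW = timedelta(hours=48)

@dataclass(frozen=True)
class FrictionChange:      # hypothetical audit record of a friction-setting change
    customer_id: str
    at: datetime
    old_level: int         # assumed scale: higher level = more protective friction
    new_level: int

@dataclass(frozen=True)
class Payment:             # hypothetical payment set-up event
    payment_id: str
    customer_id: str
    set_up_at: datetime
    first_time_payee: bool

def controls_for(payment, changes, self_declared):
    """Return the additional controls to apply to one payment set-up."""
    recent_reduction = any(   # only reductions made before the payment, within the window
        c.customer_id == payment.customer_id and c.new_level < c.old_level
        and timedelta(0) <= payment.set_up_at - c.at <= REDUCTION_WINDOW
        for c in changes)
    vulnerable = payment.customer_id in self_declared
    controls = []
    if recent_reduction:
        controls.append("dynamic_risk_warning")
        if payment.first_time_payee:
            controls.append("delayed_execution")
        if vulnerable:
            controls.append("firm_review")
    elif vulnerable and payment.first_time_payee:
        controls.append("dynamic_risk_warning")
    return controls

def evaluate_sample():
    t = datetime(2021, 6, 1, 10, 0)  # constructed events, not real data
    changes = [FrictionChange("C1", t, 3, 1),   # reduction
               FrictionChange("C2", t, 1, 3),   # increase: must not trigger the rule
               FrictionChange("C3", t, 2, 1)]   # reduction by a self-declared customer
    payments = [Payment("P1", "C1", t + timedelta(minutes=90), True),
                Payment("P2", "C1", t + timedelta(hours=96), True),
                Payment("P3", "C2", t + timedelta(hours=1), True),
                Payment("P4", "C3", t - timedelta(hours=1), False),
                Payment("P5", "C3", t + timedelta(hours=1), False)]
    return {p.payment_id: controls_for(p, changes, {"C2", "C3"}) for p in payments}
```

A friction increase, a reduction made after the payment, and a reduction older than the window all leave the payment on its normal journey, which keeps the added friction targeted rather than blanket.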
During payment set-up and processing
Customers who become vulnerable due to life events may, quite understandably, not have fraud concerns front of mind whilst making a payment. Payment journeys can be tailored to include dynamic risk warnings on payments that might bring a greater risk of harm, particularly where firms are aware of specific potential vulnerability. For example, someone who has recently used the death notification service might be temporarily vulnerable due to a recent bereavement. Payments can be analysed to identify potential indicators of vulnerability, with those carrying a higher risk of customer harm stopped for additional validation. This might be through on-screen messages or a ‘callback’ by appropriately trained personnel, depending on a customer’s vulnerability indicators. Although recent years have seen a drive towards ‘click reduction’ and real-time service, targeted friction at strategic points could enable firms to deliver fairer outcomes for VCs and better protect customers generally from APP Fraud.
Randomised controlled experiments (for example, on time spent on a particular payment screen), combined with machine learning, can be used to test and learn which nudges form the best protection for particular groups of customers and to form the basis of dynamic risk warnings, as advocated by industry bodies.[6]
The Payment Systems Regulator (PSR) has sought views on the possibility of requiring Payment Service Providers (PSPs) to adopt a standardised approach to risk-rating Faster Payments and Bacs transactions and include these scores within payment messages. This could enable receiving PSPs to evaluate whether the receiving account is a mule account controlled by a fraudster, and suspend the onward transfer of funds from the receiving account (supporting freezing and return to payer).
Post payment
Greater use of detective controls combined with enhanced industry collaboration can help tackle APP Fraud in the future. For example, the proactive alert capability within the Cifas National Fraud Database alerts an account holding firm if another firm identifies that one of its accounts is involved in fraudulent conduct. In addition, work is underway to develop a secure mechanism for firms to share information about confirmed APP frauds in order to enhance collective ability to freeze and repatriate funds. In our view, Cifas protective registration (which operates in the context of ID Fraud) could be extended to cover victims of attempted and successful APP Fraud, such that victims (or near victims) can choose to have firms alerted to this status when they subsequently seek services elsewhere, in turn enriching the new firm’s understanding of vulnerability in its customer base. Such schemes will need careful design to identify and mitigate any potential unintended harms to customers.
Post-event reimbursement
As noted by the Lending Standards Board (LSB), reimbursement should be a last resort. That said, with only 47% of ‘no blame’ cases actually receiving reimbursement in 2020, the CRM can be enhanced[7]. The LSB is leading potential reforms to CRM funding with a CRM code review throughout 2021 and a call for industry inputs. The PSR has floated the idea of using payment scheme rules to make reimbursement mandatory. However, the need to fund a CRM model arguably indicates that APP Fraud prevention is not effective enough – better prevention should reduce the reimbursement requirement.
In Conclusion
The duty of care and liability of sending and receiving PSPs with respect to APP Fraud is much debated, but one thing is clear – the greater the customer’s vulnerability, the more the firm serving them should do to deliver a fair outcome, including protection from APP Fraud. That said, banks and other PSPs cannot reduce APP Fraud alone – the first line of defence is the customer themselves.
There is no single, simple solution which balances customer experience, risk management and commercial outcomes. In our view, a combination of consumer awareness, better focus on vulnerability in customer bases, strategically targeted friction in the customer journey and greater collaboration between firms should lead to the more consistent delivery of fair outcomes for VCs and greater impact on the scourge that is APP Fraud.
[1] FCA, Guidance for firms on the fair treatment of vulnerable customers, 2021
[2] FCA, Financial Lives 2020 survey: the impact of coronavirus (fca.org.uk), 2020
[3] UK Finance, Fraud: The Facts 2021 (ukfinance.org.uk), 2021
[4] FCA, Treating vulnerable customers fairly, video transcript (fca.org.uk), 2021
[5] UK Finance, Financial Crime Customer Education and Awareness, https://www.psr.org.uk/media/r4ph5arn/psf29092017-2-financial-crime-education-and-awareness.pdf, 2021
[6] Lending Standards Board, Contingent Reimbursement Model Code for Authorised Push Payment Scams, https://www.lendingstandardsboard.org.uk/wp-content/uploads/2020/12/Thematic-review-of-Effective-Warnings-1.pdf, 2020
[7] UK Finance, Fraud: The Facts 2021 (ukfinance.org.uk), 2021