Exploring the 2024 PSR Rules for APP Fraud
With new Payment Systems Regulator (PSR) rules approaching, attention is on the rising threat of Approved Push Payment (APP) fraud.
In this guide, our Head of Economic Crime, Laura Eshelby, explores the impact of APP fraud, upcoming PSR reimbursement schemes, and the latest innovations to combat it.
Foreword
With the pending regulatory changes coming this month from the Payment Systems Regulator (PSR), I was motivated to delve deeper into Approved Push Payment (APP) fraud – how it occurs and the significant impact it can have on victims. During my research, I discovered more about the ongoing efforts led by the financial industry, the Financial Conduct Authority (FCA), and innovators in the private sector, who are collaborating to develop long-term solutions to tackle this issue. One promising approach includes the use of synthetic data to enhance fraud detection while preserving user privacy.
I’ve shared some of my findings below, which I hope will be informative for those, like me, newer to the world of banking fraud. For those more experienced in this field, I encourage you to explore the ongoing data pilots and innovation projects with the FCA if you’re not already involved – it’s an exciting space to be a part of.
Finally, I’d like to issue a call to action. We all have a role to play in raising awareness about APP fraud and taking whatever steps we can to help prevent further harm.
What is APP fraud?
There are two main Authorised Push Payment fraud types which are categorised as:
- ‘malicious payee’, for example, tricking someone into buying goods which don’t exist or are never received
- ‘malicious redirection’, for example, a fraudster impersonating bank staff to get someone to transfer funds out of their bank account and into the fraudster’s account
Both are based on the bad actor or fraudster using false information or misrepresenting themselves as a genuine financial sector employee to gain the trust of the customer. Different methods are deployed to achieve this crime, including online, using email, telephone, text message or even in person in extreme cases. There have also been examples of dating sites being used as a platform by perpetrators of this crime type.
Case study – HSBC customer becomes victim to romance fraud
Two years after her husband passed away, Marjorie decided to try online dating and joined a site for widowed people over 50. She soon connected with a man named Gerald, and they quickly hit it off.
“Most of our communication was through WhatsApp, though we also spoke on the phone,” Marjorie said. Gerald, claiming to be from Milton Keynes and running an electrical business, explained he was in Dubai working on a shopping mall project, which is why they couldn’t meet in person.
Cash flow problems
In February, Gerald mentioned having cash flow issues with his business and asked Marjorie for a short-term loan, promising to repay her by April. He sent her a copy of his passport, shipping documents, and a link to a website for his supposed company, Gerald Symonds Electrical. He also sent an image of a £2 million cheque, which he said he would receive upon project completion. All of this was later revealed to be fake.
Bank transfers
Marjorie first transferred £54,000 from an account with another bank. She then made a £42,000 payment from her HSBC UK account, which Gerald claimed was the last amount needed. He instructed her to tell the bank it was for home renovations, coinciding with actual work she was having done. The bank accepted her explanation.
Later, she made another transfer for health and safety checks Gerald said were required before handing over the project.
Romance fraud exposed
When Marjorie tried to make a further payment, her local HSBC UK branch, through the UK’s Banking Protocol, contacted the police, revealing the fraud. “Gerald Symonds” was a fake identity created by criminals. Investigations were launched by HSBC UK, the police, and other banks involved.
Marjorie had fallen victim to romance fraud, a scam where fraudsters quickly build online relationships, often claiming to be abroad, and then start asking for money under false pretences.
Case study – Former newsreader Moira Stuart nearly falls victim to bank scam
The Classic FM presenter, 75, risked losing a ‘fortune’ from her account when she was targeted by a gang of fraudsters. Moira said she never anticipated being nearly hoodwinked as she was ‘very aware’ of scams from her years as a reporter. However, she wants to speak out to ensure no one else feels the ‘shame and embarrassment’ associated with being scammed.
The criminals first contacted Moira and pretended to be her bank on her landline which she ‘didn’t question’ as she is ex-directory.
They told Moira a staff member had removed money from her account as part of an ‘inside job’ at the bank. To catch the guilty parties, they wanted Moira to transfer another amount to see if they would intercept it. But while still on the phone to the scammers, she went to her bank in-person and recounted to a cashier what she had been told. He realised there was an issue and immediately transferred her to the anti-fraud team who were able to stop the scam.
But Moira said she felt ‘absolutely devastated, embarrassed and angry with myself.’ She continued: ‘If you’re very independent, as I am, it feels like you have let yourself down, your family, everyone who knows you.
‘This feeling, this intrusion, it doesn’t leave you.’
Moira now wants to raise awareness of being a victim of a scam and has joined forces with BT Group and AbilityNet to encourage people to learn new digital skills. ‘There is so much shame and embarrassment attached to this sort of thing but it’s important that it’s talked about so people are aware,’ she said.
The scale of APP fraud
The latest findings from the Financial Ombudsman Service (FOS) show that fraud complaints made to them exceeded 8,000 between April and June 2024, totalling 8,734 cases. This is a 43% increase compared to 2023 figures. Of these cases, 50% related to APP, where customers are tricked into approving an online bank transfer to a criminal.
The FOS say there are several reasons that could have led to such an increase in these fraud reports, including:
- Growth in investment fraud on social media where fraudsters demand payment by credit or debit card
- Consumers making multiple claims as funds pass through several banks before reaching the fraudster
- More online fraud cases being handled by companies who manage claims for consumers.
The FOS have reinforced that they are working hard to get money back to customers where they can, and their message has been that people should not be afraid to come forward. It’s clear that, with levels of reports rising so dramatically, more can be done to raise awareness among individuals to avoid them falling victim in the first place.
Insights from the finance sector – UK Finance
UK Finance, a membership body in the UK serving 300 members in the finance sector, say that APP fraud loss is driven up by the abuse of online platforms and telecommunications. Criminals commit investment fraud advertised on search engines and social media, romance fraud via dating platforms and other purchase frauds using social media or auction sites.
Typically, criminals will focus on socially engineering personal information from their victims with a view to getting the customer to make the payment themselves. If not successful, the criminal may have gleaned sufficient information to impersonate the victim, and with this insight can take over their accounts or apply for further credit with their identity.
UK Finance’s mission is to bring expertise together, and through collaboration, build a better society. Helpfully, UK Finance publish regular facts and figures to help us understand more about the scale and type of threat posed by APP fraud and other harm.
In their reporting, they reveal that 77% of APP fraud cases originate from online sources, and 17% through telecommunications. This makes sense when reflecting on the types of methods that criminals are deploying. UK Finance state that criminals stole £580m through unauthorised and authorised fraud in the first half of 2023, a 2% decrease compared with the same period in 2022.
UK Finance is working alongside its members in the financial services sector, including collaborating with government and law enforcement agencies, to prevent and disrupt this type of activity. In this reporting period for 2023, they state that banks prevented £651m of unauthorised fraud from being stolen through advanced security systems.
Member insights from UK Finance
UK Finance reported that for 2023, APP fraud was down overall, though only slightly, by 1% to £239m, while the total number of cases had increased to 116,324 (24% up). Two-thirds of these cases were ones where victims paid for goods that were not received. Romance fraud connected to APP losses also rose by 26% to £18.5m.
Interestingly, there were large reductions in the number of impersonation frauds (where the criminal pretends to be the bank or police), with volumes down by 35% and the amount lost by 27%. They believe this is due to the awareness raising for consumers that the finance sector has promoted. The other area of progress UK Finance celebrates is the increase in losses returned to consumers. They reported £152m of APP loss being returned (13% increase from 2022).
Insight on wider fraud loss
From their data insights, UK Finance can monitor trends across fraud types and the progress in responding to and helping victims. They recently reported that losses due to unauthorised transactions across payment cards, remote banking and cheques were £340.7m for the first half of 2023, down 3% compared to 2022. The total number of cases is also down overall, at 1.26m (10% reduction).
Victims of unauthorised fraud cases such as these are legally protected, and UK research indicates customers are fully refunded in more than 98% of such cases.
Remote purchase fraud, also known as ‘card not present’ fraud, remained the biggest single category of loss, but still showed an overall year-on-year reduction to £173.8m (12% down). They believe that this reduction is down to the introduction of Strong Customer Authentication and One Time Passcodes, as this is the lowest level of reported loss for remote purchase since 2015. Prevented unauthorised fraud is also up, by 10%, with £650.7m overall protected.
The regulatory (FCA) response
The Financial Conduct Authority (FCA) is also taking an active role in this space with a clear commitment to deliver against the revised UK Fraud strategy. Its 2023/24 Business Plan reiterates this commitment to reducing and preventing financial crime, and in particular, a commitment to slowing the growth of APP fraud.
It’s clear that financial institutes should expect more regulatory scrutiny around fraud as regulators continue to place increasing importance on good customer outcomes. Following several consultations, the FCA published a June policy statement setting out their policy position on the reimbursement requirement for APP scams, and in December 2023, their final policy statement finalising points in the June paper, not superseding it. In the lead up to October 2024, when the FCA’s reimbursement requirements come into force, the FCA has published a roadmap to implementation. This sets out steps firms should be.
Read on for more later in this report on the innovation in technology being led by the FCA.
PSR regulatory changes
In May 2022, HM Treasury announced its intention to legislate to allow the PSR to require victim reimbursement for APP scams and in June 2023, this legislation came into effect with the Financial Services and Markets Bill receiving Royal Assent.
Protecting customers against APP fraud is more important than ever. The Payment Systems Regulator (PSR) rule changes on October 7 require 50/50 reimbursement from both sending and receiving banks – for the losses to victims of Authorised Push Payment (APP) scams and frauds. Any reimbursable payments taking place on or after 7 October 2024 will be covered by the new regime.
Key facts about the PSR changes:
- Reimbursement in 5 days
- Cost to be split 50/50 between sending and receiving PSPs
- Coming into force on 7 October 2024
- No claim minimum, maximum £85,000
- Voluntary excess of £100
- Both Faster Payments and retail CHAPS payments are within scope
Summary of requirements
The requirement to have regard to interventions: Consumers should have regard to interventions made by their sending PSP or by a competent national authority, such as the police. However, even where a PSP personally engages with a consumer to help assess the trustworthiness of a prospective payment, it cannot transfer responsibility for assessing transaction risk entirely onto the consumer. PSPs can pause and potentially reject a payment instruction where appropriate.
The prompt reporting requirement: Consumers should, upon learning or suspecting that they have fallen victim to an APP scam, report the matter promptly to their PSP and, in any event, not more than 13 months after the last relevant payment was authorised.
The information sharing requirement: Consumers should respond to any reasonable and proportionate requests for information made by their PSP to help them assess a reimbursement claim. This includes requests under the PSR’s ‘stop the clock’ rules, giving the sending PSP up to 35 business days to gather evidence and decide on whether to reimburse an APP scam case under the policy.
The police reporting requirement: Consumers should, after making a reimbursement claim, and upon request by their PSP, consent to the PSP reporting to the police on the consumer’s behalf, or request the consumer directly report the details of an APP scam to a competent.
While many payment service providers (PSPs) have systems in place already to receive and handle APP scam claims, all relevant firms will need to ensure they are ready for the new regime, particularly with regard to identifying vulnerable consumers.
Where a consumer has not, because of gross negligence, met one of the four requirements of the consumer standard of caution above, a PSP may refuse the reimbursement request. The standard of caution exception does not apply to customers identified as vulnerable.
How may these changes impact on vulnerable customers?
Defining customer vulnerability is not easy and can be rather subjective, which will add to the challenge for financial bodies to introduce the rule changes. To help define this term, the Financial Conduct Authority (FCA) recently published The Financial Lives 2022, a survey of UK adults using financial services. This includes key findings on UK adults with vulnerabilities.
The FCA defines a vulnerable consumer as “somebody who, due to their personal circumstances, is especially susceptible to harm, particularly when a firm is not acting with appropriate levels of care.”
Initially the FCA has defined four categories/drivers of vulnerability:
- Poor health, including cancer, multiple sclerosis, or HIV infection.
- Experiencing a negative life event, including income shock, relationship breakdown/separation/divorce and financial abuse.
- Low resilience, including low financial resilience and low emotional resilience, causing difficulty to recover from negative experience/financial shocks.
- Low capability, including weak financial knowledge (difficult to manage money), poor digital skills, learning impairment and low English skills.
Some of the challenges around the vulnerability categorisation are as follows:
- According to the FCA, 52% of UK adults have characteristics of vulnerability. In practical terms, this means it will prove challenging to administer the scheme with so many exemptions to apply.
- The link between gross negligence and vulnerability – vulnerabilities are not always visible, making this increasingly difficult to appraise for validity.
- The vulnerabilities of people may make them more susceptible to a financial scam.
However challenging, it’s right that there are special arrangements for those most vulnerable to fraud and harm, and I hope that those working in the financial sector can continue to work together to share best practices in this space to make this practicable to implement.
Public-private partnerships
Industry and law enforcement have a key role to play in helping to disrupt and prevent harm from occurring. I was excited to hear firsthand from Chris Hayward, Chair of the City of London Corporation, at his industry address recently about how they are working closely and supporting the innovation in the financial sector to maintain the role of the UK as the centre of technology.
Chris was clear in his messaging that across industries, technology needs to be used to protect citizens from harm, and I think that’s a clear common goal. To this aim, the Corporation funded the FCA to develop the digital sandbox, which has innovated to help understand more about how to detect and prevent APP fraud.
FCA sandbox on APP fraud
“Synthetic data opens up unprecedented opportunities to harness the power of data through innovative and trustworthy AI.”
Matt Lowe, from the FCA, leads the innovation lab there. At the industry briefing he explained how they have taken synthetic data – millions of it – and allowed selected industry experts to test it. The findings from this process are being shared with others, to demonstrate the learning about the types of risks that are associated with APP fraud, the controls that help mitigate them, and how AI can be harnessed to make these insights available in real time or as near as possible.
The Sandbox was developed to provide innovators, both incumbents and new players, access to regulatory expertise and gives firms:
- The ability to test products and services in a controlled environment
- The opportunity to find out how a particular technology works in the market
- Support in identifying consumer protection safeguards that can be built into new products and services
What did the different users do with the synthetic data? Here are some examples from one of the key innovators, Fincrime Dynamics, who focussed on how to address the challenges in tackling fraud. The three challenges they looked at were data sharing, detection and emerging threats.
FCA’s work in the Sandbox involved the use of:
- Applied generative AI to identify network patterns and behaviour
- Building processes off the back of the insights, for banks to use to analyse transactions and review their detection rates and performance
- Insights to inform better controls – including creating a catalogue of typologies that they use to enhance this
- Tailored dashboards based on the typologies and insights for customers
The work by the FCA and industry has helped to highlight the current challenges associated with accessing and sharing quality data in UK financial markets and build the use case for innovation with synthetic data. These challenges include:
- Real data not being accessible to collect at scale.
- Real data may have inherent imbalances (such as a lack of demographic diversity), raising issues around representativeness.
- The cost. Purchasing datasets can be expensive and impractical for a new market entrant.
- Real data may be inherently sensitive and is rightly privacy protected.
- Poor data management practices, a culture of operating in data silos and a lack of standardisation between datasets.
Synthetic data techniques provide avenues for overcoming or mitigating these challenges, and synthetic data is one promising way of accessing the insights inherent in the data without accessing the sensitive properties in the real data.
The FCA found from their wider work on the use of synthetic data that nearly half of respondents indicated that financial crime detection, including fraud and anti-money laundering, is the most urgent use case.
Conclusion – and how we can all play a role
It is clear from this exploration of APP fraud that it remains a high harm and threat to society, particularly for those most vulnerable. The regulatory changes will, it is hoped, improve the outcomes for those who do suffer losses, but as outlined the process is complex and there are challenges with the (well intentioned) categorisation financial firms will need to apply and adhere to.
However, it is positive to see the cross sector working to bring technological advances and AI to bear to help prevent harm as much as possible – and I’m excited to see the new risk tooling and intelligence sharing being implemented across banks as we speak.
Help prevent harm
We can all in our professional and personal lives play a role to help amplify how APP and other financial crime can manifest, and give our friends, colleagues and neighbours the tools to spot it and prevent it from happening. Consumer awareness is key and is the fastest way to help prevent ongoing harm.
In industry, continuing to work collectively, to share data, risk insights and intelligence – using technology to make that happen in real time – will again support this aim.
Staying safe
The Take Five campaign promotes taking time out to pause, stop and think. It could help make the difference for you or your friends/family.
Stop – taking a moment to stop and think before parting with your money or information could keep you safe.
Challenge – could it be fake? It’s OK to reject, refuse or ignore any request. Only criminals will rush or panic you.
Protect – contact your bank immediately if you think you’ve fallen for a scam and report it to Action Fraud by calling 0300 123 2040 or online at https://www.actionfraud.police.uk/.
Joining the Dots Podcast – Hear from a reformed APP fraudster:
Hosted by Clue’s CCO, Thomas Drohan, the ‘Joining the Dots’ podcast featured a compelling discussion on APP fraud. Hear first-hand from reformed fraudster Alex Wood as he shares his experience and involvement in these scams.
Joining him is Matt Horne, Clue’s Director of Intelligence and Investigations and a former NCA organised crime expert, who provides insight into how practitioners can better understand APP fraud and the strategies they can use to combat it effectively.
Contact Clue to arrange a personal consultation with me, Laura Eshelby, Head of Economic Crime and learn how our intelligence and investigation software supports the detection and prevention of fraud and other economic crime types.