A

All about Authorized Push Payments!

Which Super complaint

Did you transfer money to a scammer by using online-banking tools? if yes, pls read this:

So scammers convinced you by making false pretenses to send money via online banking to an account controlled by the scammers. As you gave instructions to your bank and authorized them to send the money to a different bank account, the bank is obliged to transfer your funds. Such payments are also termed “Authorized Push Payment”. As payments made using real-time payment schemes are irrevocable, such payments cannot be reversed once the victims realize they have been conned. This is the legal situation right now under European Payment Services Directives I and II (PSDs).

In case of Unauthorized Push Payments the scammers fraudulently access the consumer’s account using information that has been scammed from (or otherwise gathered about) the consumer. Unauthorized PushPayment transactions are not authorized by the account holder; instead, they are carried out by a fraudster using compromised account authentication details given to them by the true account holder.

If a consumer can proof that he/she has not been grossly negligent or fraudulent in the case of Unauthorized Push Payments the banks have the legal obligation to reimburse the money at their expense without delay (this is valid European wide).

In case of Authorized Push Payments it gets much more difficult. Unlike with chargebacks (debit and credit card, direct debits) where the bank takes the liability and loss, in case of Authorized push payment fraud solely the customer has to take the loss and he/she is the only one to blame (according to the banks) even if that payment later turns out to be fraudulent. 

Push payments came into play in Europe after the European Payment Services Directive ordered European nations to speed up their payment settlement systems by 2008. This was deemed a big step forward in payments technology, with customers for the first time being able to send and settle payments directly through mobile and online portals on an almost-immediate basis.

Unfortunately with greater reliance on online banking and mobile banking facilities, a massive rise in Authorized Push Payment fraud is noticed. Criminals make use of the easiness to send money with this technologies and explore all their possibilities like online loan applications and so on. With the European nations forging a real-time (instant)and digital-first payment environment also for the transfer of large sums of money, push payments are becoming more attractive to criminals because they can quickly take the money and run.

Losses from Authorised Push Payment (APP) schemes cost victims over £455 million in the UK in 2019, a 29% increase over 2018. While fraudsters showed a propensity to perpetrate these schemes against personal accounts (£317.1 million), business accounts (£138.7 million) were also significantly impacted. Across Europe, similar patterns were found, with more than €24 billion in financial losses from scams over the past two-year period (compare here) .

For Unauthorised Push Payments, and for Pull payments (debit card, credit card and direct debits) generally, banks have arrangements and incentives for appropriately allocating between themselves the liability for losses due to scams. Chargeback provide not only a means of reimbursing consumers, but also of shifting costs – through interbank arrangements – onto the misbehaving payee’s bank (the merchant acquirer in a card scheme). So, in the case of a scammer, these interbank processes provide for liability to be passed to the bank where the scammer holds his account. So thus liability is allocated to those who are best able to manage the risk of scammers using bank accounts and payment systems to facilitate their scam.

The allocation of liabilities for Authorized Push Payments onto the consumer places little incentive on banks to manage the risks of relevant scams. Not surprisingly therefore there is much less evidence – compared to other payment types – for the banks developing systematic approaches to adequately manage the risks from scammers using bank accounts and payment systems to receive push payments.

So for example banks can be very slow to act when consumers alert them to a push payment scam, so it takes them sometimes up to five business days to contact the receiving bank. Since fraudsters typically access the funds quickly, these delays do not appear indicative of careful and coordinated procedures for minimizing risks.

So as a matter of fact it is very rare that a defrauded consumer can successfully recover stolen money if he wired his stolen money to scammers by using online-banking facilities.

Our advice on this:

As soon as you discover that you got scammed inform your bank and ask them to hold the transfer, to inform the receiving bank about the fraud and to try to freeze the amount. Here you can find a draft letter for this procedure, pls adapt for your purpose.

Most probably your bank will come back and inform you that as the beneficiary´s account has been emptied by now, there is no possibility to get a refund.

Nevertheless be persistent and write them again a letter and ask for being connected with the fraud department and telling them that they should have cared much more. Here is a further draft for a formal complaint to your bank We always propose to cc the bank of the beneficiary – to get them informed that you will be persistent.

After having received again a refusal for your request pls identify the relevant (regional) Financial Ombudsman (here you can find the relevant authority) in your country and address him by telling your story.

Our conclusion on the situation:

As banks provide the systems that enable the scam and have the ability to vet and monitor where the Authorised Push Payments are going and to whom they are in a much better position to develop proportionate ways of authenticating the legitimacy and associated risk of payees.

Key risk factors could be identified and used, for example, if scammers typically open and use accounts for only a short period, or ‘mule’ accounts have certain patterns of usage, then payments to accounts with such characteristics could trigger additional layers of protection.

Also, banks (who hold customer relationships with the accounts that scammers are using – and who ought to ‘know their customer’) are – unlike consumers – able to develop systemic approaches and to use their data to reduce risks from fraud (and, where incentivized, have demonstrated an ability to do so). Such systemic approaches can be far more effective and efficient than individual consumer responses.

In recognizing the issue in the UK some of the big banks have established the new ‘Authorised Push Payment (APP) Scam Code’. The Code is voluntary and was launched back in May 2019 due to immense size of the fraud experienced in the UK involving Authorized Push Payments.

Under the new APP Code customers who are protected will be fully reimbursed if they fall victim to an APP scam, provided they did everything expected of them under the Code. This APP Code applies only for payments made between UK banks and was developed under pressure by the big UK consumer protection agency WHICH.

The UK APP Code is definitely a step into the right direction but its limited extent and voluntary approach prevents a real relief for the thousands of defrauded consumers in Europe.

We think that the European regulations and legislation have to act and to change the incentives on banks and payment systems thereby ensuring that more is done to manage the risks from these types of scams and to protect consumers from harm.

Up to them EFRI goes against the banks holding the scammers accounts as they definitely failed to adhere to the Know Your Customers rules, legally required.

Leave a Reply

Your email address will not be published. Required fields are marked *