All about Authorized Push Payments!

WHICH Push Payments

All about Authorized Push Payments!

Did you transfer money to a scammer by using online-banking tools? If yes, pls read this:

So scammers convinced you to send money via online banking to an account controlled by the scammers. As you gave instructions to your bank and authorized them to send the money to a different bank account, the bank is obliged to transfer your funds. Such payments are also called “Authorized Push Payment”. As payments made using real-time payment schemes are irrevocable, such payments cannot be reversed once the victims realize they have been conned. This is the legal situation under the European Payment Services Directives I and II (PSDs).

In the case of Unauthorized Push Payments, the scammers fraudulently access the consumer’s account using information that has been scammed from (or otherwise gathered about) the consumer. Unauthorized PushPayment transactions are not authorized by the account holder. Unauthorized Push-Payment Transactions are triggered by scammers using compromised account authentication details given to them by the actual account holder.

Suppose a consumer can prove that he/she has not been grossly negligent or fraudulent in the case of Unauthorized Push Payments. In that case, the banks have the legal obligation to reimburse the money at their expense without delay (this is valid European wide).

In the case of Authorized Push Payments, it gets much more difficult. Unlike with chargebacks (debit and credit card, direct debits) where the bank takes the liability and loss, in case of Authorized push payment fraud, solely the customer has to take the loss. They are the only ones to blame (according to the banks), even if that payment later turns out to be fraudulent.

Push payments came into play in Europe after the European Payment Services Directive ordered European nations to speed up their payment settlement systems by 2008. This was deemed a big step forward in payments technology, with customers for the first time being able to send and settle payments directly through mobile and online portals on an almost-immediate basis.

Unfortunately, with greater reliance on online and mobile banking facilities, a massive rise in Authorized Push Payment fraud is noticed. Criminals use the easiness to send money with these technologies and explore all their possibilities like online loan applications. With the European nations forging a real-time (instant)and digital-first payment environment to transfer large sums of money, push payments are becoming more attractive to criminals because they can quickly take the money and run.

Losses from Authorized Push Payment (APP) schemes cost victims over £455 million in the UK in 2019, a 29% increase over 2018. While fraudsters showed a propensity to perpetuate these schemes against personal accounts (£317.1 million), business accounts (£138.7 million) were also significantly impacted. Across Europe, similar patterns were found, with more than €24 billion in financial losses from scams over the past two-year period (compare here).

For Unauthorized Push Payments and Pull payments (debit card, credit card and direct debits); generally, banks have arrangements and incentives for appropriately allocating between themselves the liability for losses due to scams. Chargeback provides a means of reimbursing consumers and shifting costs – through interbank accounts – onto the misbehaving payee’s bank (the merchant acquirer in a card scheme). So, in the case of scammers, these interbank processes allow liability to pass to the bank where the scammer holds his account. So thus, liability is allocated to those who can manage the risk of scammers using bank accounts and payment systems to facilitate their scam.

The allocation of liabilities for Authorized Push Payments onto the consumer places a little incentive on banks to manage the risks of relevant scams. Not surprisingly, there is much less evidence – compared to other payment types – for the banks developing systematic approaches to adequately manage the risks from scammers using bank accounts and payment systems to receive push payments.

So, for example, banks can be very slow to act when consumers alert them to a push payment scam, so it sometimes takes up to five business days to contact the receiving bank. Since fraudsters typically access the funds quickly, these delays do not indicate careful and coordinated procedures for minimizing risks.

So, it is scarce that a defrauded consumer can successfully recover stolen money if he wired it to scammers by using online banking facilities.

Our advice on this:

As soon as you discover that you got scammed, inform your bank and ask them to hold the transfer, tell the receiving bank about the fraud, and try to freeze the amount. Here you can find a draft letter for this procedure; pls adapt it for your purpose.

Your bank will probably come back and inform you that as the beneficiary’s account has been emptied by now, there is no possibility of getting a refund.

Nevertheless, be persistent and write them again a letter and ask for being connected with the fraud department and telling them that they should have cared much more. Here is a further draft for a formal complaint to your bank. We always propose to cc the beneficiary’s bank to get them informed that you will be persistent.

After receiving a refusal for your request, please identify the relevant (regional) Financial Ombudsman (here you can find the relevant authority) in your country and address him by telling your story.


Our conclusion on the situation:

Banks provide the systems that enable the scam and can vet and monitor where the Authorized Push Payments are going and to whom. So, they are in a much better position to develop proportionate ways of authenticating the legitimacy and associated risk of payees.

Bank can identify red flags; scammers typically open and operate accounts for only a short period, or ‘mule’ accounts have specific usage patterns. Appropriate actions for payments to accounts showing such usage patterns could trigger additional layers of protection.

Also, banks (who hold customer relationships with the accounts that scammers are using – and who ought to ‘know their customer’) are – unlike consumers – able to develop systemic approaches and use their data to reduce risks from fraud (and, where incentivized, have demonstrated an ability to do so). Such systemic strategies can be far more effective and efficient than individual consumer responses.

In recognizing the issue in the UK, some of the big banks have established the new ‘Authorized Push Payment (APP) Scam Code’. The Code is voluntary and was launched back in May 2019 due to the immense size of the fraud experienced in the UK involving Authorized Push Payments.

Under the new APP Code, protected customers are reimbursed if they fall victim to an APP scam, provided they did everything they expected. This APP Code applies only for payments made between UK banks and was developed due to pressure from the big UK consumer protection agency WHICH.

The UK APP Code is a step in the right direction, but its limited extent and voluntary approach prevent natural relief for the thousands of defrauded consumers in Europe.

We think that the European authorities have to act and change the incentives on banks and payment systems, thereby ensuring that more is done to manage the risks from these types of scams and protect consumers from harm.