Payments delay legislation: Balancing speed and security

The Treasury has now enacted the Payment Services (Amendment) Regulations 2024, implementing measures to improve protections against fraud. This provides payment service providers (PSPs) with the ability to delay completion of payment transactions in order to carry out relevant checks when fraud is suspected.

As the FCA has now published its final guidance FG24/6: Guidance for firms that enables a risk-based approach to payments, it’s worth taking stock to determine whether you’re meeting these obligations, particularly under the Consumer Duty and the AML / CTF regime.

The guidance addressed some of the problems arising from the interaction between the payments delay rules and the broader regulatory obligations of PSPs, such as financial crime and Consumer Duty considerations.

However, the guidance stops short of covering how PSPs should operationalise the requirements and what can be done to minimise potential disruption to legitimate payments.

Financial impacts on firms are also a concern: when payment processing is delayed, any resultant costs, such as interest and charges incurred by the payer, will be borne by the delaying PSP.

What is the scope of the rule changes?

The changes enable PSPs processing sterling payments in the UK to adopt a risk-based approach to payments processing. They give PSPs additional time to investigate potentially fraudulent transactions or transactions that are likely to be linked to money laundering.

Regulation 86 of the Payment Services Regulations 2017 is amended accordingly and allows for delays, as long as the following conditions are met:

  • There must be reasonable grounds to suspect a payment order from a payer has been placed through fraud or dishonesty by someone other than the payer.
  • These grounds have to be established by no later than the end of the next business day following receipt of the payment order.

The execution of an outbound payment transaction may not be delayed “longer than necessary” and, in any case, cannot be delayed beyond the end of the fourth business day following the time of receipt of the payment order.

What are the financial crime considerations?

Some of the steps you should be taking to ensure your systems and controls around fraud are appropriate include:

Adopting a risk-based approach: you would be allowed to assess the risk associated with individual transactions, which could involve the identification of high-risk transactions based on payment patterns, counterparties, or geographical location.

Fraud prevention: you must have robust systems in place to detect, prevent and manage fraud risks effectively.

Due diligence: you would be given more flexibility in applying due diligence measures based on the specific risks identified for each transaction. This means allowing more dynamic verification procedures, which would help to focus resources on higher-risk transactions.

Real-time monitoring: you are expected to implement systems that enable real-time monitoring and reporting of suspicious activities or fraud attempts. This would let you respond quickly to emerging risks, especially in high-speed payment environments.

Technological innovation and data use: AI, machine learning, and data analytics can help you manage risks more effectively, allowing for more efficient processing without compromising security.

Collaboration with other PSPs: the FCA encourages greater collaboration between stakeholders to share information on emerging risks and fraud patterns. This could involve creating a framework for sharing real-time data and best practices to improve the overall resilience of the payments system. Consider utilising the new information sharing provisions introduced by the Economic Crime and Corporate Transparency (ECCT) Act 2023.

How do these changes affect Consumer Duty obligations?

The FCA expects PSPs to consider their obligations under the Consumer Duty when deciding to delay processing a payment order. One of the key findings of the FCA’s recently published Payments Consumer Duty review was that the implementation of the Duty was most successful in firms that acknowledged its role in helping to deliver their long-term commercial interests.

Within this context, it’s important to determine whether and how your APP fraud controls reflect the Duty’s outcome requirements and cross-cutting rules. Key areas of focus are likely to include the following:

Policies and procedures: Review whether your policies and procedures for investigations, reimbursement requests, and intelligence sharing provide a solid framework for securing fair and consistent customer outcomes.

Training: Determine whether your training supports staff in delivering sufficient support to APP fraud victims, including the additional steps needed to identify and deal with vulnerable customers appropriately (such as making relevant adjustments to internal SLAs).

Service design: Review whether your product governance assessments identify APP fraud as a “foreseeable harm”, and factor this into your target market assessment and the design of your service. Remember that analysis will need to be sufficiently granular to account for the impact of APP fraud on different customer cohorts.

Customer understanding: You’ll need to evidence that customer communications on APP fraud are effective, with particular attention on how customer understanding is tested. The communication type, frequency, content, and delivery channel must all allow customers to make an informed decision on how to respond. The FCA has emphasised that relying on customer surveys alone is unlikely to be enough. You can validate whether appropriate attention has been dedicated to customer understanding of APP fraud by comparing the approach taken with other commercial marketing campaigns. This also raises the question of what should be communicated to individuals whose payment or account is under suspicion, which firms need to balance against their duties under the MLRs to avoid tipping off (where they deem the customer may be part of the fraud or acting in a dishonest manner).

Customer support: Appropriate use of delays to payment processing is essential, and firms should avoid such delays becoming a BAU activity. In last year’s Dear CEO letter on Implementing the Consumer Duty in payments firms, the FCA highlighted concerns about the reasonableness of account freezing in cases of suspected fraud. Whereas delays in payment processing may be an inconvenience for some customers, the FCA noted the risk of significant financial hardship that could be caused by firms taking a disproportionate approach to identifying and investigating potential fraud. It is therefore key that firms have robust processes for determining whether the threshold for suspecting fraud has been met, and that subsequent investigations are carried out efficiently to minimise any further delay.

Monitoring and MI: Make sure you have appropriate management information to monitor the range of customer outcomes expected under the Duty (such as being able to identify when incidents occur) and conduct prompt root-cause analysis. The outputs should be used to take action on identified issues, including effective “feedback loops” for sharing lessons learned with relevant internal teams. The FCA has also mentioned in its Dear CEO letter that it will be monitoring firms’ implementation of the Duty. This allows the regulator to ensure that delays are appropriately managed and are not creating additional friction within the payments ecosystem.

How can Bovill Newgate ensure that you’re meeting the new Payment Service Regulations?

Given the FCA has published the Final Guidance, now is a good time to take the following first steps to help you be in a position to demonstrate compliance with the new regulatory expectations:

  1. Perform a gap analysis to assess weaknesses in your systems and controls to prevent and detect fraud.
  2. Review internal risk appetite statements.
  3. Review policies and procedures, specifically relating to fraud prevention.

Our team has extensive experience working alongside the regulator in helping our clients to review and remediate their fraud frameworks. We’ve supported various clients with creating and improving their risk controls and assessments and can help you with tailoring them to your business.