Last the week the UK Payment Services Regulator (PSR) responded to the UK Consumer Association’s November 2016 super-complaint over the lack of consumer redress for Credit Transfers. The PSR has been conducting a study into “Authorised Push Payment (APP) Scams and the Role of Payment System Operators” and after consultation, some early ideas on a bank reimbursement model are emerging. Whilst the UK’s initiative is to be applauded many would argue there is also a pressing need for a broader EU investigation into the suitability of Credit Transfers (CT’s) to perform as a modern retail payment instrument.
The UK Consumer Association concerns and those of similar EU consumers bodies reflect growing consumer complaints over banks’ reluctance to take responsibility for Credit Transfer fraud. UK Finance (UKF) data suggest that in the first six months of 2017 over 19,000 consumers and businesses were victims of APP scams involving a value over €110m. Of these 88% were consumers who lost an average of €3,200 and corporates €23,000.
However, many consumers are not fully aware they will also be exposed to similar risks when using new concepts, such as Instant Payments (SCTInst) and alternative forms of payment encouraged by Open Banking and the PSD2/PIS/AIS access via API’s.
Historically the CT was never designed with consumers and retail payments in mind. It’s the banking sector’s ageing push payment workhorse. Its 60-year-old roots are in cash and cheque displacement based on interbank Automated Clearing House (ACH) payment systems. Finality of settlement, non-repudiation and no refunds were core features of the early CT for business to business payments and electronic payrolls. Today, across the EU, once a CT is authorised, the payment is more or less absolute. There is little the consumer can do to obtain returns of funds fraudulently obtained, erroneously transferred to the wrong individual, or in the event of non-delivery of goods/services.
In early 2017 UK PSR defined the principal APP problems encountered by consumers – when making push CTs as summarised on the table below.
UK PSR Definitions of APP Push Credit Transfer Problems
When CT payers dispute payments because of non-delivery of goods or not as described they often encounter refund problems with their bank. The UK Consumer Association claims 4 out of 10 complaints receive no redress. UKF says financial providers only returned €28m to victims (25%) in the first six months of 2017. Similarly, consumers who make misdirected payments as a result of incorrect data entry, and ask their bank for the return of funds are often denied the name of the recipient’s account. More serious are maliciously misdirected payments by third parties who (for example) intercept house purchase deposit payments using a false lawyers account. Again, banks generally deny liability. Finally, malicious payees who are often fictitious online merchants and who do not deliver goods or services and subsequently disappear. Often banks will not supply names and account numbers even when they hold the fraudsters account.
Many of these problems reflect the legacy design of the credit transfer which is frozen in 1960’s and 1970’s thinking. Contrast the CT process with card based payments and significant differences are apparent. Over the same time period card payments have constantly adapted and improved the offer to consumers and merchants. Card issuers take responsibility for a high proportion of fraud. Payment acceptance risk is always assessed at merchant on boarding. Cards have Chip and PIN, secure online authorisation, there is a solid refund process and transactions are monitored for fraud. Cards issuers also allow consumers to chargeback disputed transactions and have funds returned in the event of merchant bankruptcy. In some countries (UK particularly) issuers also guarantee full credit card refunds for faulty goods and services. CT’s offer none of these features leaving consumers with little or no redress.
Benchmarking the Push CT with Cards
Unfortunately, it’s not just simple CT’s that offer no redress and refunds processes. For many years the card business has looked with concern at the proliferation of new payment products based on the CT. Most countries now have mobile P2P payments, several offer payments initiation for eCommerce. Many Alternative Payments use the CT mechanism for eCommerce and for direct to merchant account top ups. Across Europe there are 15–20 such payments methods, most operating with the minimum of consumer redress. Many more are expected particularly when “Instant Payments” are implemented in 2018. Regulators in national markets, and at an EU level, have struggled to appreciate these limitations. Observers hoped the PSD2 would close the consumer rights gap between cards and CT Instant payments but regrettably this has not happened and there appears no ECB plan to harmonise CT’s and card redress processes.
Some suggest that the CT Instant problems reflect poor design by product owners who misunderstand the widespread trust card payments have generated. The Instant product designers operate in a narrow ACH silo with modest research into consumer needs. As a result, teams have either forgotten consumer redress features (or given a low priority) to reduce costs and enable speed to market. Similarly, Fintech entrepreneurs riding the benefits of online payments assume that because they are using a traditional bank instrument it must be fit for purpose. As a consequence consumers across the EU are about to be exposed to unknown risks.
In defence Instant product owners from Central Banks through to electronic payment departments are highly protective of the “Finality of Settlement” principal claiming that enabling repudiation will destabilise certainty of payment. Others argue that consumers should remember “Caveat Emptor” and not expect banks to bail them out when they experience problems. Instant payment developers claim adding card-like guarantees would be complex to implement, and require substantial investment, and in any event, they believe merchants and customers want low cost and simple transfers.
The good news is that the UK PSR is taking steps to improve the recording of scams and fraudulent push payments and encouraging banks to improve the speed to which they respond to victim’s complaints. More importantly by September 2018 the PSR plans a voluntary contingent reimbursement scheme by banks, but only for those victims who are assessed to “have acted appropriately”. Sadly, these proposals are modest and around the edges. They do not propose the sufficiently radical changes the current CT product needs.
At the centre of much CT fraud are the limited merchant risk controls applied by banks at account opening time and thereafter. In addition, core interbank and banking systems typically lack features to monitor transaction fraud. Similarly, the consequences of merchant bankruptcy and the loss of deposits is often pushed back to consumers. Many banks claim they cannot reveal names of fraudulent account holders into which funds have been paid because of Data Protection rules.
In summary, there is a significant disparity between the redress procedures for cards and those of the CT, on which Instant and other new payment methods are being constructed. Four possible scenarios for improvement can be considered by the key EU stakeholders namely.
Scenario for Improving Instant CT Redress
Scenario 1. Minimum Change: This pragmatic scenario assumes that change will come slowly, that banks will push back at the high cost of implementation and open-ended fraud liability. Here the most that can be expected (under the minimum scenario) is fragmented national market “patch and mend” initiatives and perhaps refunds only where there is conclusive proof of fraud as UK PSR propose. As a result, the current situation will continue with many new CT based products developed with growing concerns by consumers bodies and a steady rise in fraud across the EU.
Scenario 2. Modest Improvement: Under this scenario the banking community voluntarily decides to issue Codes of Practice, take on selective liability for CT fraud, radically improve merchant/corporate risk fraud checking and allows payee data to be more readily available. The EPC’s new “Request to Recall” which enables semi-repudiation when mistakes are made would be a key feature of this scenario. Scenario 2 is relatively easy to implement but banks costs would increase, and some consumer stakeholders may not consider this sufficient action.
Scenario 3. New Retail Push Payment Instrument: This more radical option which may only be effective through regulatory intervention. The objective would be to create a new CT Instant Retail Push Payment instrument in addition to the traditional CT which would continue to operate. The new instrument would be modelled on cards best practice framework and would seek harmonised redress for both instruments. New processes would include chargebacks, refund processes, mandated merchant risk assessment, and transaction fraud monitoring. Banks would also be liable for all fraud and bankruptcy, and implementing common data security process.
Scenario 4. Competition: The final option is to generate widespread consumer redress through competition. The EU’s card schemes would therefore be encouraged to develop an Instant Card Product that runs on the card network rails and delivers the current range of consumer redress benefits. Networks, acquirers and issuers would move to fully online, clearing and settlement would be accelerated and a low cost offer made to the merchant community. Competition from the cards business would stimulate the ACH silo developers to value add through new redress product features.
Instant Redress Solution Comparisons
So how might an EU plan for improved CT redress be developed? Action rests primarily with the ECB, the EPC, EC and the card schemes to take the initiative, to define requirements and consult the Banking Associations and Consumer Bodies.
To conclude, Citizen Europe has been well served by the traditional CT but increasingly it is an uncomfortable fit for retail POS and remote payments. Europe’s pioneering Instant Payments and Open Banking initiatives cannot be developed on a legacy payment instrument which is so unsophisticated and which offers such basic features. It’s now time to harmonise the framework for cards and ACH transactions and offer a common service to consumers which is highly secure, prevents scams and minimises fraud. Failure to take action will eventually erode the public’s trust in the Credit Transfer as an alternative to card payments, an outcome that all stakeholders should avoid.
DNB is working on technology that makes it possible to identify clients with just a mobile phone and a passport. The bank combines technology in the phone and data stored in the biometrical passport with its own systems. An important focus of the project is the customer experience and to resolve challenges related to international identification.