Push payment fraud
March 2018 | PROFESSIONAL INSIGHT | FRAUD & CORRUPTION
Financier Worldwide Magazine
March 2018 Issue
Payments are described as ‘push payments’ when the payer obtains the payee’s account details and instructs their bank to send, or ‘push’, money to it. A push payment fraud will therefore involve the fraudster somehow persuading the victim to organise a transfer to the fraudster’s account. Examples could include a fraudster who poses as a solicitor and asks the victim to deposit monies for a property transaction, a fraudster who poses as a builder to receive a large cash transfer or a fraudster who impersonates a victim’s friend in order to persuade them to transfer a sum of money.
In most cases, the victim will notify the financial institution only after the payment has been made, by which time the fraudster will have made off with the funds by transferring them out of the offending account and possibly out of the country. These types of frauds are being increasingly reported in the mainstream press, as is the financial services industry’s perceived inconsistent treatment of such frauds, with some financial institutions admitting fault for allowing the fraud and reimbursing the victim – while others do not.
UK Finance regularly publishes data on this growing problem and recently reported 19,370 cases in the first six months of 2017, with over £101.2m being sent by customers, both individuals and businesses, who had been tricked into authorising a payment.
Almost a quarter of those losses – £25.2m – were returned by financial providers, but there are now calls for changes to legislation as well as to the regulatory framework, so that institutions are required to do more.
A ‘super-complaint’ was submitted by the consumer action group Which? to the Payment Systems Regulator (PSR) in September 2016 entitled ‘Consumer safeguards in the market for push payments’. Which? argued that customers do not receive sufficient protection from this type of fraud, compared to the protections in place for other types of fraud, for example credit card and direct debit frauds.
The PSR initially responded to Which?’s complaint in December 2016 and then, on 7 November 2017, it issued a consultation paper which will affect how financial institutions prevent push payment fraud, as well as how customers are compensated once a fraud has taken place.
The main thrust of the consultation is a suggested ‘contingent reimbursement’ scheme. The PSR believes that financial institutions have a role to play in preventing such scams, and the fact that they have no requirement to reimburse customers provides weak incentives for banks to take responsibility for doing so. A model has therefore been proposed that makes reimbursement contingent on the actions of the banks both sending and receiving the funds when a push payment scam occurs. The scheme could introduce eligibility criteria for reimbursements that may include, for example, whether the victim’s bank had warned the victim about the transaction.
The introduction of a reimbursement model would not, however, prevent victims from bringing court action against a financial institution if they felt that it had failed to take steps to prevent their losses.
UK Finance has also drafted a set of best practice standards that financial institutions should follow when responding to reported push payment scams. These include: institutions having dedicated staff trained in scam management available 24 hours a day to deal with and process such complaints; the victim only having to deal with their own account provider, which will act as a sole point of contact and the intermediary between the victim and the beneficiary institution; an industry-agreed set of necessary information to be collated by the victim’s bank following push payment and similar scam complaints; and increasingly collaborative and protective investigations being carried out between institutions.
UK Finance is also seeking to take various further measures, including improving customer education and awareness, putting in place a data-sharing agreement between member institutions and giving businesses quicker access to more robust data, publishing draft guidelines for verifying users’ identities and confirming that the payee name matches the name on the account before a payment is sent. The latter is to be introduced as part of new payment systems due to be implemented in 2021.
The Joint Fraud Taskforce is also working on a funds repatriation scheme, to be introduced in a phased approach over two or three years, so that stolen money can more readily be tracked across payment systems, frozen, then returned to the victim of the crime.
Prevention and cure
There are some simple, practical steps that all businesses can take, both to help manage the risks and to mitigate any damage caused in the event of an attack.
In terms of prevention, customers and clients should be advised of the risks – if they are alive to the risks they can help, especially in relation to the protection of their own data and communications. Staff training is also vital. All staff should be trained to recognise and react appropriately to the risks and indicators of push payment fraud, and indeed of cyber crime and fraud generally. In particular, all staff should be made aware of the existence and terms of businesses’ policies, procedures and reporting requirements where fraud is suspected.
Businesses should also adopt and foster a culture which includes good cyber security and data protection governance, thus leaving the business less vulnerable to hacking and impersonation attempts. Where possible, it is safer for colleagues, customers and clients to meet and speak, rather than always communicating by email. Bank account details, specifically any instructions to change account details, should be confirmed in person or on the telephone and this should include asking security questions to which only the genuine party or solicitor would know the answer. Where electronic communication is essential, encrypted emails and password-protected portals offer a much greater level of data security.
If a business does find itself a victim of push payment, or any other type of fraud, as well as following any internal incident management regime, the police should be notified immediately in case they are able to recover some of the stolen monies and potentially take action against the fraudsters. Any lender, insurer or other parties to the transaction or the customer or client should also be informed. Businesses should also seek immediate specialist legal advice and investigate, for example, the potential to initiate a freezing injunction to try to preserve stolen monies in the fraudsters’ bank accounts or, if the whereabouts of the monies is unknown, to deal with tracing and recovery.
There are other tactical options which specialist solicitors could deploy on a victim’s behalf. In a recent unreported case, an individual was defrauded of substantial sums of money when a fraudster hacked into his email account and masqueraded as his builder. As the individual was expecting an invoice in respect of building works, he paid sums over to the fraudster in the belief that he had been sent a genuine invoice. However, the victim then obtained from the High Court both what is known as a ‘Norwich Pharmacal’ order, which required the bank that had been inadvertently involved to reveal the identity of the holder of the account into which the defrauded sums had been paid, and a declaratory order that the monies were held by the holder of that account on trust for the victim.
Other civil remedies which may assist in any fraud case may, depending on the circumstances, include breach of contract, negligence, breach of trust, unjust enrichment or tracing claims, all of which could help to recover lost funds.
If the PSR’s proposed contingent reimbursement model is implemented, it will become even more incumbent upon financial institutions and payment service providers to ensure that they have taken steps to prevent push payment scams taking place. However, there is no doubt that fraudsters and cyber criminals today are increasingly sophisticated, and often one or two steps ahead. The best advice for businesses, and the best protection for their customers, is therefore to be proactive in data protection and security practices, and to have expert legal assistance on hand just in case anything does go wrong.
Louise Power is a partner and Rachel Elgar is an associate at Walker Morris. Ms Power can be contacted on +44 (0)113 283 2542 or by email: email@example.com. Ms Elgar can be contacted on +44 (0)113 283 2502 or by email: firstname.lastname@example.org.
© Financier Worldwide