It’s said in jurisprudence that hard cases make bad law.
Bad laws have the unintended consequences of hurting society, encouraging bad behavior, or both.
In payments, and in the United Kingdom, the hard choices of what to do about authorized push payment (APP) fraud are translating into bad law, or at least bad regulatory policies that don’t go far enough to establish liability and impose penalties accordingly.
The Payment Systems Regulator (PSR) is slashing the reimbursement mandates faced by banks and payment companies as soon as next month. Under the previous proposals, these firms would have been on the hook for a maximum of 415,000 British pounds (about $545,000), but they will now have to pay a maximum of 85,000 pounds (about $112,000). Nothing is etched in stone yet, as a consultation period is in place this month.
The rationale behind the new APP fraud caps was published by the regulator Wednesday (Sept. 4), and the final policy position from last year details what to expect.
In terms of the impact, the PSR noted that last year — out of over 250,000 cases — there were 18 instances of people being scammed for more than 415,000 pounds and 411 instances of more than 85,000 pounds.
“The analysis also highlighted that almost all high value scams are made up of multiple smaller transactions, reducing the effectiveness of transaction limits as a tool to manage exposure,” the PSR said.
“The proposed new cap will still see over 99% of claims (by volume) covered,” it added.
However, the PSR also noted: “For larger firms who have been operating under the voluntary CRM code for a number of years, the adjustment will be smaller, but some smaller firms have a much bigger adjustment to make.”
The read-across here is that the burden of compliance will be borne perhaps more urgently by smaller companies, with the built-in assumption that they are, in fact, to blame for the fraud.
The PSR also published a cost benefit analysis that estimated that a maximum claim limit of 85,000 pounds would reduce the level of APP scam reimbursement by about eight percentage points relative to a limit of 415,000 pounds. It concluded that the lower level of reimbursement (benefit) is balanced out by the reduced cost to payment service providers (PSPs).
It also noted that there would be a “small decrease” in PSP incentives to prevent APP fraud, as well as a “small decrease” in “moral hazard” and “prudential risk and reduction in competition and innovation.”
“We have listened to industry concerns about the prudential impact of our proposed policy,” the PSR said in the analysis. “We continue to seek to understand this impact and acknowledge the uncertainty about the impact of our initial 415,000-pound limit on the solvency of firms, particularly smaller PSPs. We are therefore making a conservative assumption that a maximum claim limit of 85,000 pounds may reduce firms’ liability (relative to the current 415,000-pound limit) and mitigate their prudential risk.”
The October deadline is rushing toward the banks and PSPs, and they will have to scramble to reconfigure their fraud-battling frameworks and their transaction analysis. That means real costs will be incurred over the span of a few weeks.
But the question remains as to the moral hazard that will still exist and whether more rigor is needed to create a set of standards or frameworks for establishing liability and imposing fines accordingly. At the moment, the regulation is a blunt instrument that assumes banks and PSPs are at fault. The moral hazard is that consumers, with the knowledge in the back of their minds that the banks and payment firms will be on the hook for fraud, might send their payments without thinking as hard as they might or should about who is on the receiving end. The “sender beware” model would suddenly become less urgent.
For the scammers, the lure of the first-party fraud scheme — where they effectively pose as victims and get reimbursed — is a risk too, especially with artificial intelligence-powered fraudsters capable of tricking many people into doing things they probably shouldn’t. We’ve already seen evidence of slower payments in the U.K. as this regulation looms large.
More careful consideration of the regulation is required — lest the unintended consequences become consequential indeed.