C6 Intelligence Thought Leadership

#3 - Why a U.S. Version of the UK’s APP Reimbursement Scheme Isn’t Coming Soon

Written by Chris Caruana | Oct 16, 2024 12:47:07 PM

This article was written for Celent's new series featuring industry perspectives on critical global topics.

1/  Introduction

The United Kingdom’s Payment Systems Regulator (“PSR”) recently implemented a new reimbursement scheme in an attempt to combat Authorized Push Payment (“APP”) fraud. As of October 7, 2024, payment service providers (“PSP”) in the UK were mandated to reimburse victims of APP fraud up to £85,000, with the cost split evenly between the sending and receiving PSPs. This initiative could mark a significant step towards consumer protection in the UK financial landscape. However, the prospect of a similar reimbursement scheme taking root in the United States appears remote.

2/  The UK's Response to Rising APP Fraud

The UK's APP victim reimbursement scheme emerged as a response to the escalating issue of APP fraud, where individuals are deceived into authorizing payments to fraudsters and/or a collaborative party. The PSR increasingly recognized that victims often faced significant financial losses with little hope of recovery under the previous system. In 2023 alone, UK Finance reported authorized fraud totals of £459.7m (~£20m less than 2020 figures). That’s roughly 39% of total fraud losses but only 8% of total confirmed fraud instances, indicating the high-value nature of these scams and the likelihood that there are more instances not captured in the reported data.

It’s important to note that the industry began its collective campaign in earnest in 2019, with the PSR’s Contingent Reimbursement Model. This was a voluntary program. The world has since seen scams significantly accelerate in numbers and sophistication during COVID lockdowns, with advancements in electronic forms of payment, artificial intelligence, and economic desperation acting as catalysts.

Fast forward to today, the scheme is not voluntary. In early 2021, the PSR moved to codify APP fraud reimbursement as mandatory, the FCA published its proposal later that same year, and the rest is history. By enforcing reimbursement obligations on payment service providers (“PSPs”), the PSR takes the ‘stick’ approach to consumer protection. The PSPs are held to account, presumably for failures in fraud prevention measures, in lieu of individual accountability of the authorizing party. The intended aim is to incentivize financial institutions to implement more robust fraud prevention measures on their own client base and other participants in the payments ecosystem.

3/  Existing U.S. Reimbursement Obligations

In the United States, consumer protection against fraudulent transactions is primarily governed by the Electronic Fund Transfer Act (“EFTA”) and its implementing regulation, Regulation E. For the more committed readers, you can have a look at the details of 12 CFR Part 1005 on the Consumer Financial Protection Bureau’s website (specifically subsection 1005.6).  

This regulation offers protections for unauthorized electronic fund transfers, requiring financial institutions to investigate and, in certain cases, reimburse consumers for unauthorized transactions. Notice the keyword, ‘unauthorized’.  Protections are generally limited to transactions that occur without the consumer's authorization. In cases of APP fraud—where the consumer is tricked into authorizing the payment—Regulation E offers limited recourse.

4/  Obstacles to Implementing a Similar Scheme in the U.S.

Several significant obstacles impede the adoption of a UK-style reimbursement scheme in the United States for authorized payments. I offer three (setting aside the massive potential for first-party abuse) for constructive dialogue:

  1. Fragmented Regulatory Framework: The U.S. regulatory system is federated. We can trace the separation of state and federal powers back to our founding Constitution. Fast forward to 2024, and there is a decentralized approach to regulatory oversight as opposed to a centralized leviathan. The tip of the iceberg looks like the Federal Reserve, the Consumer Financial Protection Bureau, and various state banking authorities. If you have tried to get a money transmitter license, congratulations (or my condolences), as you’ve experienced the regulatory fragmentation firsthand. This makes it challenging to enact comprehensive regulations akin to the PSR's mandate.
  2. Section 230 of the Communications Decency Act of 1996: According to Revolut’s Consumer Security and Financial Crime Report 1H 2024, Meta platforms Facebook, WhatsApp, and Instagram accounted for 67.6% of total authorized fraud Revolut tracked. The Federal Trade Commission disclosed more money was reported lost to fraud originating on social media than by any other method of contact from January 2021 to June 2023. The total? $2.7 billion. While the topic has become a point of contention in the UK, as impacted institutions have called out the glaring lack of accountability for the other service providers purportedly enabling these scams, there’s a codified complication in the US.

    In short (and this is not legal advice), Section 230 provides immunity to online platforms from liability for third-party content. This ‘shield’ extends to social media and telecommunications providers.  The content produced on a social media platform that enables scams and attracts victims is protected from legal accountability.  There is likely to be plenty of pushback from regulated financial institutions unless Section 230 is addressed.  Given this law became a lightning rod political issue in the wake of the 2020 US election cycle, only the bravest politician(s) would consider a revision at this point in time.
  3. Resistance and Responsibility: The commercial banking lobby is significant in the US. In 2023 alone they spent >$67m in lobbying efforts. That sort of capital goes a long way in Washington. Mandating reimbursement would impose substantial financial liability on banks and other PSPs. Historically, when banks have borne a higher operational cost due to regulatory burden, they seek to offset those costs, often downstream at the expense of consumers.

    And what of the responsibility paradigm?  The U.S. legal system and cultural norms place a strong emphasis on personal responsibility and freedoms, particularly when it comes to our finances.  There is a general sentiment that we need to protect the vulnerable while balancing our individual liberties and responsibilities.  We have yet to find that compromise effectively.  

5/  Conclusion

The UK PSR’s new reimbursement scheme has set a historical marker for regulatory involvement in the traditionally profit-and-loss oriented fraud world. Implementing a similar reimbursement scheme in the U.S. would require a significant overhaul of existing legal, regulatory, and cultural frameworks. There’s a complex interchange between consumer protection laws, federal and state regulations, and roles and obligations amongst the banking, technology, telecommunications, and cloud/infrastructure providers to account for. The liability shift is improbable in the near future for the U.S.

To address APP fraud effectively, the U.S. should consider incremental reforms that strike a balance between the interests of all parties.  I’m of the opinion this cannot be achieved without targeted amendments to Section 230 to hold all parties in the fraud chain accountable for the role they play.  This doesn’t require another Volcker Rule-style upheaval, just common sense.