Key takeaways

• As highlighted in our recent Engage article on the PSR’s proposals on compliance and monitoring requirements for the APP reimbursement requirement for FPS, the PSR is consulting on a specific direction to PSPs requiring PSPs to comply with the Bank of England’s APP scam reimbursement rules for CHAPS.

• The PSR states that it has made its approach to APP scam reimbursement for CHAPS as similar as possible to the approach it has taken to FPS to ‘reduce unnecessary duplication of work for directed payment firms while ensuring a high level of protection in both systems’. This sentiment is repeated by the Bank in its draft CHAPS reimbursement rules (which include its draft CHAPS data standard). The Bank states that, in developing the data reporting approach, it has taken into account the way in which PSPs organise themselves – typically a central fraud team – along with the ‘strong feedback that PSPs want a consistent set of processes’. The PSR is not consulting on the draft CHAPS reimbursement rules in the current consultation. Any comments on them should be sent directly to the Bank (see further ‘What’s next?’ below).

• Some particular points to note on the approach to CHAPS, compared to FPS, include:

• Transition from reporting standard A to reporting standard B: The obligation on in-scope CHAPS participants to report CHAPS APP scam metrics to the Bank, in accordance with the CHAPS reimbursement rules and the CHAPS data standard, would be broken down into two reporting standards A and B, matching the standards that the PSR proposes to add to SD20 in relation to APP scams through FPS (see our recent Engage article). However, in a slight change from the FPS position for reporting standard B, this will apply from 1 May 2025 or from the date when PSPs are able to access Pay.UK’s reimbursement claim management system (RCMS) – whichever is later. If the RCMS is not available for CHAPS by 1 May 2025, an option to submit to the Bank via email will remain in place.
• Hybrid claims: Where an APP scam claim contains payments made across both FPS and CHAPS (a so-called ‘hybrid’ claim), the PSR is proposing that the payments should be treated as part of the same claim, meaning that a single excess and maximum level of reimbursement will apply. The proposal is that the maximum claim excess and maximum level of reimbursement will be the same as for FPS (ie £100 and £415,000 respectively).
• PSP registration for Pay.UK contact directory: PSPs in scope of both SD20 for FPS and the proposed specific direction for CHAPS will only need to register their contact details for inclusion in the Pay.UK contact directory of PSPs once. The contact directory will be handled by Pay.UK on behalf of the Bank. The Bank’s rules specify the method of and required information for registration.
• Obligation to provide list of all indirect PSP customers: As for SD20, the PSR is proposing to place an obligation on CHAPS indirect access providers to inform it of all indirect PSP customers they provide access to. A list of all indirect PSP customers for the previous calendar year must be provided by 31 March 2025. As with SD20, this will be an ongoing annual obligation. The deadline will match that in SD20, allowing PSPs to complete a single return for both FPS and CHAPS indirect PSP customers.
• Clarifying consumer’s right to reimbursement: As for the proposals relating to FPS in CP24/3, the PSR is considering two options to clarify the consumer’s right to reimbursement in accordance with the reimbursement rules:
  • Option 1: A provision in the proposed specific direction to require PSPs to amend their contractual terms and conditions with the consumer, to include a provision that a PSP would reimburse their consumers in line with the CHAPS reimbursement requirement and rules.
  • Option 2: A provision in the proposed specific direction to make it explicit that if a sending PSP fails to reimburse a consumer as required by the CHAPS reimbursement requirement and rules, the consumer will have a right to enforce the CHAPS reimbursement requirement and rules and recover the outstanding amount from their sending PSP in the civil courts.

The PSR recognises there may be a cost and administrative burden in bringing in Option 1 by 7 October 2024, so it’s interested in views on what a reasonable timescale for introducing this requirement may be, or whether a phased approach might be more appropriate.

• The draft CHAPS Compliance Data Reporting Standard (CCDRS) - specifying the data and information that all PSPs will be required to collate and retain for the Bank to effectively monitor compliance – has been published with the other consultation documents. The data reported under the CCDRS will also be made available to the PSR to enable it to monitor compliance with its proposed specific direction. The PSR flags that, given their similar nature, it may look to amalgamate both the FPS CDRS and the CCDRS into one document in the future.

What do firms need to be thinking about?

• Many firms will already be working to implement the PSR’s APP scam reimbursement requirement for FPS for 7 October 2024.

• Given the similarity of the new CHAPS reimbursement requirement under the PSR’s draft direction and the Bank’s draft rules, firms should be updating their implementation plans to take account of these proposals. Given the limited time to 7 October 2024, firms that only participate in CHAPS will need to press ahead with developing plans to implement this policy.

• Where firms participate in both CHAPS and FPS, they should not face an additional reporting burden due to the consistency between the reporting requirements and the potential use of Pay.UK’s RCMS reporting tool to cover CHAPS as well as FPS.

• The PSR flags in its draft cost benefit analysis for the CHAPS APP scam reimbursement requirement that, following industry feedback, it has committed to monitoring the incidence and impact of high-value scams over FPS and may review the reimbursement level ahead of October 2024 if there is convincing evidence to do so. It states that if the PSR makes a change to this limit, the Bank could choose to review the maximum limit set in the CHAPS reimbursement rules to remain consistent with the FPS reimbursement rules. This will be an issue for firms to watch in the months ahead.

• Although one objective of the CHAPS reimbursement requirement is to reduce the likelihood of fraudsters switching from FPS to CHAPS, the PSR acknowledges that there is still the possibility that fraud could switch away from these payment systems to other methods, such as credit or debit cards and on-us payments, or for customers to switch to these other payment methods in response to increased friction within FPS and CHAPS. The PSR notes that these alternative channels have some existing customer protections in place and it is working with the FCA to consider what additional protections could be put in place for on-us payments. This is another area for firms to monitor going forward.

What’s next?

• The consultation closes at 5pm on 31 May 2024. The PSR expects to finalise and publish the specific direction in September 2024. Given this timeline, it will not grant extensions for consultation responses. It is proposing 7 October 2024 - the same as the FPS reimbursement policy - as the go-live date, meaning APP scam victims will get the same protection across both payment systems.

• The PSR highlights that it is not consulting on the draft CHAPS reimbursement rules in the current consultation. Any comments on them should be sent directly to the Bank at the following email address by 5pm on 31 May 2024: chapsappfraud@bankofengland.co.uk.

Read on for a more detailed look at the PSR's consultation proposals.

Background

When the PSR published its policy statement PS23/3 ‘Fighting authorised push payment fraud: a new reimbursement requirement’ in June 2023 to increase protections within FPS, the Bank, as the operator of CHAPS, announced its commitment to achieving comparable outcomes of consumer protections for CHAPS.

What are some key points from the consultation?

Some key points from the consultation are as follows:

Scope of proposed specific direction

• The proposed specific direction (Annex 1 to the consultation) will apply to PSPs who participate (directly or indirectly) in CHAPS and who provide a relevant CHAPS account in the UK to their payment service users which can send or receive payments over CHAPS (in-scope PSPs).

• To ensure that the same types of PSPs are captured by the CHAPS reimbursement requirement as by the FPS reimbursement requirement, credit unions, municipal banks and national savings banks will be out of scope. For the avoidance of doubt, the PSR has also specified that financial market infrastructures (FMIs) will be out of scope.

• The proposed specific direction will apply to all CHAPS payments executed with a pacs.008 message. The PSR’s intention is to capture only retail transactions initiated by a consumer within scope of the CHAPS reimbursement requirement. The definition of consumer remains the same as for the FPS reimbursement requirement – defined as individuals, charities and microenterprises.

• The PSR has aimed to make the specific direction for CHAPS similar to Specific Direction 20 (SD20) for FPS in form and function, while allowing for the differences in the CHAPS payment scheme. The specific direction will apply to all reimbursable CHAPS APP scam payments made after the go-live date (7 October 2024, as currently proposed) and will comprise:

• The CHAPS reimbursement requirement.
• The scope of the reimbursement requirement.
• An obligation on both direct and indirect CHAPS PSPs to comply with the Bank’s CHAPS reimbursement rules.
• An obligation on in-scope CHAPS participants to inform consumers of their rights under the CHAPS reimbursement requirement.
• An obligation on in-scope CHAPS participants to report CHAPS APP scam metrics to the Bank, in accordance with the CHAPS reimbursement rules and the CHAPS data standard. This would be broken down into two reporting standards A and B, matching the standards that the PSR proposes to add to SD20 (see our recent Engage article). However, in a slight change from the FPS position for reporting standard B, this will apply from 1 May 2025 or from the date when PSPs are able to access Pay.UK’s reimbursement claim management system (RCMS) – whichever is later. If the RCMS is not available for CHAPS by 1 May 2025, an option to submit to the Bank via email will remain in place.
• An obligation on indirect access providers to inform the PSR of any indirect PSP customer they provide CHAPS access to.

Limitations to reimbursement

• The Bank intends to include the same claim limits as for FPS (excess, maximum level of reimbursement and time limit) in the CHAPS reimbursement rules.

• The Bank has also included the same consumer standard of caution that the PSR has published for the FPS reimbursement policy. Likewise, the same maximum claim excess (£100) and maximum level of reimbursement (£415,000) have been included in the CHAPS reimbursement rules as for FPS (although for CHAPS these will be set by the Bank).

• Where an APP scam claim contains payments made across both FPS and CHAPS (a so-called ‘hybrid’ claim), the PSR is proposing that the payments should be treated as part of the same claim, meaning that a single excess and maximum level of reimbursement will apply.

Registering with the CHAPS operator

• As for FPS, there is a proposed requirement in the specific direction for both direct and indirect PSP participants in CHAPS to register in line with the Bank’s CHAPS reimbursement rules so that their details can be included in the same contact directory as for FPS to help them in managing CHAPS APP scam reimbursement claims.

• PSPs in scope of both SD20 and the proposed specific direction for CHAPS will only need to register their contact details once. The contact directory will be handled by Pay.UK on behalf of the Bank. The Bank’s rules specify the method of and required information for registration.

Draft CHAPS reimbursement rules and draft CHAPS Compliance Data Reporting Standard (CCDRS)

• The draft CHAPS reimbursement rules have also been published and should be read alongside the PSR’s proposed direction (although they don’t form part of the current PSR consultation). The Bank has based the rules on the latest available FPS reimbursement rules created as required by the PSR’s Specific Requirement 1 (SR1). The Bank, as the operator of CHAPS, will include the CHAPS reimbursement rules in an annex to the CHAPS Reference Manual. The PSR points out that this aligns with the approach Pay.UK, the operator of FPS, took with the Faster Payments reimbursement rules.

• In the draft rules, the Bank highlights some of the ‘notable differences’ with the FPS reimbursement rules as follows:
  • Sending and Receiving PSPs should agree the payment system to be used for sending the Reimbursable Contribution Amount (ie the receiving PSP’s share of the compensation payable to the APP scam victim). Pay.UK require this to be via FPS.
  • References to handling a ‘hybrid’ claim (ie a claim with a mix of CHAPS and FPS payments).
  • There are no references to updating a central claim record – instead, the CHAPS reimbursement rules refer to provision of information bilaterally between the sending and receiving PSPs. This may include use of the UK Finance Best Practice System.
  • Reporting will be via email to the Bank directly initially rather than via Pay.UK’s system.
  • Confidentiality provisions have yet to be added, although the Bank points out that as a general principle both it and PSPs are subject to a range of statutory and regulatory requirements around keeping customer information confidential, with confidential information disclosable to the extent required by applicable law or regulation.

• The Bank also sets out some of the ‘unknowns’ remaining in the latest available draft of the FPS reimbursement rules:
  • The notification period for a sending PSP to notify a receiving PSP of a CHAPS APP scam claim (clause 4.1).
  • The timeframe for the receiving PSP to pay a portion of repatriated/recovered funds to the sending PSP (clause 6.4).
  • A list of reason codes for extending the five business day reimbursement timescale (clause 5.2.4).
  • Compliance and monitoring – which the Bank will set out separately for CHAPS.

• As flagged above, the Bank is also developing its own compliance monitoring regime for CHAPS. The Bank intends to keep this broadly consistent with the one Pay.UK is creating under Specific Direction 19 (SD19).

• The draft CHAPS Compliance Data Reporting Standard (CCDRS) - specifying the data and information that all PSPs will be required to collate and retain for the Bank to effectively monitor compliance – has also been published together with the other consultation documents. The data reported under the CCDRS will also be made available to the PSR to enable it to monitor compliance with its proposed specific direction. The PSR flags that, given their similar nature, it may look to amalgamate both the FPS CDRS and the CCDRS into one document in the future.

• The PSR states that its consultation on the CHAPS APP scam reimbursement requirement (CP24/8) should be read alongside the recently published CP24/3, in which it is consulting on proposed amendments to SD20 for FPS. Given its intention is to align the reimbursement requirements in CHAPS and FPS, the PSR has included its proposed amendments to SD20 in its proposed approach to CHAPS. The PSR points out that as the CHAPS compliance monitoring regime also seeks parity with the approach Pay.UK is taking with FPS, directed PSPs will not need to provide data metrics based on fundamentally different definitions for CHAPS APP scam reporting. Take a look at our Engage article ‘APP fraud mandatory reimbursement: UK PSR consults on ‘key’ compliance and monitoring requirements’ for more on CP24/3.

Process for amending the CCDRS

• As for FPS, if the PSR decides to change the CCDRS it will publish a notice setting out the changes on its website. Any changes will come into effect no sooner than 30 days following publication of the notice. Where proposed changes are material, the PSR will follow standard procedures and consult on them, as required. The PSR would also expect the Bank to cascade the proposed changes to CHAPS participants.

Information and record-keeping provisions

• PSPs will be required to comply with the CCDRS, which the PSR will publish, and will be required to assure themselves of the accuracy, quality and integrity of the reported data.

• PSPs will also be required to provide timely, complete and accurate responses to reasonable and proportionate requests for information from the Bank that are appropriately scoped, having regard to the timeframe for the response. The Bank will set what constitutes a timely response. Table 2 at paragraph 4.5 of the PSR’s consultation sets out examples of the types of information that may be considered ‘reasonable requests for information’ from the Bank, subject to appropriate scoping of any such request.

• There will also be a requirement for PSPs to retain all data within the CCDRS and other information relevant to a CHAPS APP scam claim for a period of five years from the date of collection. This reflects the approach adopted for FPS and the PSRs intends that this will align with FCA record-keeping requirements in a number of areas).

Indirect access providers to inform PSR of any indirect PSP customers they provide access to

• As for SD20, the PSR is proposing to place an obligation on CHAPS indirect access providers to inform it of all indirect PSP customers they provide access to. A list of all indirect PSP customers for the previous calendar year must be provided by 31 March 2025. As with SD20, this will be an ongoing annual obligation. The deadline will match that in SD20, allowing PSPs to complete a single return for both FPS and CHAPS indirect PSP customers.

Consumer’s right to reimbursement under the rules

• As for the proposals relating to FPS in CP24/3, the PSR is considering two options to clarify the consumer’s right to reimbursement in accordance with the reimbursement rules:
  • Option 1: A provision in the proposed specific direction to require PSPs to amend their contractual terms and conditions with the consumer, to include a provision that a PSP would reimburse their consumers in line with the CHAPS reimbursement requirement and rules.
  • Option 2: A provision in the proposed specific direction to make it explicit that if a sending PSP fails to reimburse a consumer as required by the CHAPS reimbursement requirement and rules, the consumer will have a right to enforce the CHAPS reimbursement requirement and rules and recover the outstanding amount from their sending PSP in the civil courts.

• The PSR recognises there may be a cost and administrative burden in bringing in Option 1 by 7 October 2024. The PSR is seeking views on what a reasonable timescale for introducing that requirement may be, or whether a phased approach might be more appropriate.

• Again as for FPS, the PSR is also proposing that PSPs notify consumers of their rights to be reimbursed in line with the CHAPS reimbursement requirement and rules.

Go-live date

• PSPs will have less time between the publication of the CHAPS specific direction and the go-live date than with the package of legal instruments for the FPS reimbursement requirement. However, the PSR considers that 7 October 2024 is reasonable as an implementation deadline because much of PSPs’ work in preparing for the FPS reimbursement requirement will also apply to CHAPS. The PSR and the Bank do not believe there are many, if any, firms that would be in scope for CHAPS but not in scope for FPS.

• The PSR highlights that Pay.UK is still working through the RCMS for APP scam reimbursement and the system may not be ready by 7 October 2024. However, it points out that the Bank has created a manual reporting solution for PSPs to report CHAPS data and, in light of the lower volumes of APP scams in CHAPS, the PSR doesn’t believe that the absence of the RCMS will result in its specific direction placing a disproportionate reporting burden on directed PSPs.

Further reading

• As well as CP24/3, the PSR’s current consultation should also be read alongside PS23/3 (June 2023) and PS23/4 (December 2023), which include further context on the PSR’s work on APP scams, and the broader context in which the Bank is implementing the CHAPS reimbursement requirement.

 Next steps

• The PSR’s consultation closes at 5pm on 31 May 2024. The PSR expects to finalise and publish the specific direction in September 2024. It is proposing 7 October 2024 as the go-live date - the same as the FPS reimbursement policy - meaning APP scam victims will get the same protection across both payment systems.

• Any comments on the draft CHAPS reimbursement rules should be sent directly to the Bank at the following email address by 5pm on 31 May 2024: chapsappfraud@bankofengland.co.uk.

• The PSR’s consultation on compliance and monitoring requirements for FPS APP fraud mandatory reimbursement closes at 5pm on 28 May 2024. The PSR plans to finalise the legal instruments in July 2024 ahead of the policy start date on 7 October 2024.

If you would like to discuss any aspect of the FPS and/or CHAPS reimbursement requirements, please get in touch with one of the people listed above or your usual Hogan Lovells contact.

In other payments news…

PSR consultation on APP scams data publication guidance for the second cycle

• On 7 May the PSR published a consultation on its APP scams data cycle 2 publication guidance. The PSR explains that it is collecting and publishing data to provide greater transparency about PSPs’ APP scam levels, fraud prevention rates and reimbursement levels.
• The PSR published its first report on its website in October 2023. It also required the 14 directed PSPs to publish a subset of this data on their homepage. This requirement is set out in Specific Direction 18 (published in March 2023 and revised in December 2023). To support directed PSPs with publishing this comparative data, the PSR provided guidance in October 2023. In this guidance, it asked directed firms to publish the data in chart form.
• The PSR is proposing to make changes to the publication guidance for cycle 2 (January to December 2023), and it is seeking views on the changes.
• The consultation paper accompanies the PSR’s draft guidance for cycle 2. A comparison version of the previous publication guidance has also been published.
• The consultation closes at 5pm on 30 May 2024. The PSR welcomes comments from all stakeholders and interested parties, not just entities that it regulates. During the consultation the PSR will engage with directed firms and industry trade bodies through an industry roundtable to give stakeholders the opportunity to ask questions and provide feedback in person.
• The PSR expects to issue the final publication guidance for cycle 2 by the end of June 2024. It will consult on the more substantive issues raised during its cycle 1 consumer testing in Autumn 2024 and will look to address these in cycle 3.

PSR mid-point review of five-year strategy

• Also on 7 May 2024, the PSR announced a mid-point review of its five-year strategy (launched in January 2022) to ensure it is responsive to new developments in the payments landscape such as the increasing use of AI and the expansion of big tech firms into payments. In addition to discussing the review in roundtables and as part of its ongoing stakeholder engagement, the PSR is launching an online stakeholder survey, which is open until 4 June 2024.