Financial Conduct Authority publishes two ‘Dear CEO’ letters on authorised push payment fraud reimbursement

On 7 October 2024, the UK Financial Conduct Authority (the FCA) published two ‘Dear CEO’ letters setting out what it expects firms to do on authorised push payment (often called ‘APP’) fraud reimbursement. The letters are addressed to:

banks and building societies; and

payment and e-money institutions.

These letters follow shortly after the Payment Systems Regulator’s policy statement, PS24/7, which was published on 3 October 2024 and set out new maximum reimbursement limits for APP fraud victims at £85,000 (the policy statement itself followed the Payment Systems Regulator’s press release and consultation on 4 September 2024). That decision came into force on 7 October 2024.

The Dear CEO letters set out the FCA’s expectations. These include:

Anti-fraud systems and controls: Firms should have effective governance arrangements, controls and data to detect, manage and prevent fraud, and regularly review their fraud prevention systems and controls to ensure that these are effective. Firms should also maintain appropriate customer due diligence controls (both at onboarding and throughout the relationship).

Consumer duty: There is a perhaps unnecessary reminder that the consumer duty requires firms to avoid causing foreseeable harm. There is an example of such harm: a consumer falling victim to a scam where a firm has inadequate systems to detect and prevent scams.

‘On us’ APP fraud reimbursement: Where there are internal transfers (often called ‘on us’ or intra-firm payments) which do not use an external payment system, the FCA is concerned that consumers may not understand that a different (and lower) level of protection will be provided. Firms are required to ensure their approach complies with the consumer duty.

Capital and liquidity: For payment and e-money institutions, the FCA reminds firms to recognise and manage their potential liability and the impact APP fraud may have on their capital and liquidity.

Systems and controls: The FCA says firms must ensure that they have appropriate oversight, systems and controls in place to comply with its requirements.