End Users Are Not Liable for Fraudulent Payments
Context
Motivations and incentives to mitigate fraud risk must be aligned
The experience of fraud and any associated loss of funds can have a severely negative and immediate impact on low-income and women end users, including the inability to have sufficient funds for basic daily needs. The occurrence of fraud may also lead to a loss of trust in DFSPs (the participants in IIPSs) and use of their services. Potential loss of customers and revenue should provide the impetus for DFSPs to mitigate fraud risk.
However, this may not provide sufficient motivation or ability for a DFSP to address the risk alone.
Regulations provide key guidance
Clarity in laws and regulations (reinforced by scheme rules) that the end user is not to be held responsible for financial loss due to confirmed fraudulent payments (in cases where the end user is not complicit in the fraud) is an important starting point in aligning motivations and incentives toward improved fraud mitigation.
In many markets, regulations are in place to protect the end user from the harmful impact of fraud. These regulations typically specify that end users are not financially liable for fraudulent payments they did not authorize. In light of rising authorized push payment (APP) fraud, regulators are increasingly evaluating or implementing policies that entitle end users to refunds in cases of APP fraud.
The details of the regulations vary. Financial liability for fraudulent payments may be allocated to the DFSP (sending, receiving, or both) and/or other entities involved in the payment value chain (and whose controls failed to prevent fraud). Standards on end user fraud reporting may also differ (e.g., how and to whom disputes are submitted, and by what deadline), as may the details of refunds (e.g., how quickly the funds must be returned to the end user).
Minimum best practices to mitigate fraud risk and refunds
Best practices to decrease fraud risk, and therefore fraud liability, may change over time and should be influenced by market context. Best practices likely include DFSPs applying know-your-customer (KYC) risk-based controls, end user authentication, tools that screen payments for fraud, investigation processes to determine whether fraud has occurred (including an independent body to be a final arbiter), simple and accessible tools for end users to report fraud, and mechanisms to return end user funds in a timely manner.
Role of the IIPS
IIPSs play an important role in guiding and supporting DFSPs
As participants in IIPSs, DFSPs play the primary role in mitigating fraud risk for their customers and the broader IIPS ecosystem. However, the IIPSs should support them by being clear and detailed in their rules on strong risk management (Principle 2), providing tools for DFSPs to use (Principle 3), and sharing data and information to enable the tools and operational controls to be most effective (Principle 4).
—
Regulators have an important responsibility to provide a robust regulatory and supervisory foundation on fraud mitigation. Their guidance gives direction to financial institutions in stopping scams and fraud from happening and in better protecting and providing a remedy for people if they do fall victim.
Innovation in regulations will need to keep pace with evolution in fraudsters’ tactics.