Who Should Pay for Payment Scams - Banks, Telcos, Big Tech?
Making the Case for Penalizing Social Media Firms for Authorized Push Payment Scams
Big banks want social media firms to take accountability for scams that occur on their payment platforms, but that doesn’t mean reimbursing victims. Banks have traditionally been responsible for reimbursing customers for fraudulent transactions, and they need to take the lead in making victims whole quickly.
The way to get the attention of big tech and telco firms is to increase regulatory scrutiny that requires them to help control the scammers.
The debate over who pays to reimburse victims of authorized push payment scams surfaced in the wake of a recent decision by U.K. regulators to make banks liable. The U.K.'s Payment Systems Regulator recently released a long-awaited policy that would split the reimbursement cost between sending and receiving banks. The agency aims to incentivize the payment industry to invest further in end-to-end fraud prevention and increase customer protection.
U.K. banks, on the other hand, say social media companies should shoulder some of the responsibility to victims. For example, UK Finance's recent fraud report shows that 78% of authorized push payment scams started online on one of the social media platforms in the second half of 2022.
"The banking sector is the only sector reimbursing at the moment, and our belief is that the burden should be spread. I think tech companies should be putting their hands in their pockets, particularly as they profit from it," said David Postings, chief executive of UK Finance.
In a letter last week to Prime Minister Rishi Sunak, a group of major U.K. banks said technology companies must contribute to the cost of the online fraud "pandemic" that is undermining international investor confidence in the U.K. economy, according to a report on Sky News.
It makes sense for social media companies and others to be held accountable for scams. Users of Facebook, Instagram, Twitter and other platforms have fallen prey to romance scams, cryptocurrency investment scams and more.
But before the government starts looking for ways to ask big tech to contribute, let's not forget about the victims. It might be difficult to prove which platform is liable and for how much. Social media conversations are often fluid and move from one platform to another. Tracing back the conversation and then establishing the responsibility across banks and tech companies could take time. Meanwhile, thousands of banking customers have just gone through a traumatic experience and want immediate resolution.
The most obvious challenge is determining who is liable - the bank, the telco, the social media platform or the customer. "This will be very challenging and require a lot of investigation and communication between all involved parties," said Ken Palla, retired director of MUFG Bank. For instance, a conversation may start on Facebook, move to WhatsApp and, much later, the actual conversation regarding a financial transaction may take place somewhere else. Which entity is liable? Are some entities more liable than others?
Frank McKenna, chief fraud strategist at Point Predictive and author of the blog FrankonFraud, said that the other challenge is being able to spot friendly fraud, or first-party fraud. "Genuine people can get into fraud if they know that they will be reimbursed. They will exploit this policy and take advantage of the banks and the platforms. They will claim fraud or scams when it was completely legitimate," McKenna said.
The Way Forward
Rather than focusing on liability, the aim should be to define the role of big tech companies and telcos in the value chain even before a payment is initiated.
The U.K. Payment Systems Regulator, for now, is only focusing on making parties outside of the financial industry more accountable in its effort to reduce scams.
"The aim of the Payment Systems Regulator is not to share reimbursement across three parties," said Neira Jones, a panel member of the PSR. "The U.K. regulator is not proposing to share reimbursement across three parties but to make big tech companies more accountable for their actions. The proposed model, where both receiving and sending banks share the reimbursement burden, is practical and long overdue."
"Any party outside that process, such as big tech companies, should be subject to different policies with regards to accountability," Jones said.
For example, social media companies should be made accountable for whom they allow on their platforms and what activities should be scrutinized. The U.K. plans to achieve this through its Codes of Conduct, which are already in place for other industries. For example, the Financial Conduct Authority, a regulator for financial services firms and financial markets, and Google have a voluntary agreement to change their advertising policies to only allow ads from FCA-approved organizations on Google. Depending on how the policies are deployed, platforms may be subject to penalties for breaking the code, but the penalty would be a fine, not a reimbursement to victims.
Another way to handle the APP scam problem is to form a cross-industry task force in which the biggest banks, telcos and social media platforms participate collectively to devise a plan for helping consumers avoid becoming victims of scams. Each of the players could collectively agree to educate consumers about how to spot and avoid scams and commit to interdicting or blocking scam attempts in their own ecosystems.
"Telcos could block phishing, robotext or scam calls, while social media companies can block obvious scam-attempt messages or profiles and banks could block suspicious money transfer requests. Each industry could do its part to educate, block and mitigate scams for consumers," McKenna said.
There is one more important player - consumers. Customers of banks, telcos and social media platforms must be more vigilant. If customers know they will be reimbursed, they may be more likely to take risks online. How many times should one customer be eligible for reimbursement? The U.K. has no set policy, but as the old adage goes, "Fool me once, shame on you. Fool me twice, shame on me."