Two reports in the last two weeks should be seen as a wake up call for the future of open banking payments. On 22nd September, UK Finance highlighted a 71% increase in Authorised Push Payment (APP) fraud during the first half of 2021 with the amount stolen significantly exceeding card fraud losses for the first time. On 2nd October, the Daily Telegraph reported that millions of pounds had been stolen from Barclays accounts by fraudsters initiating payments via a PISP, having first stolen banking credentials through social engineering attacks. In this post we argue that open banking payments need an equivalent of the payment card chargeback regime to win consumer trust and reach critical mass.
PIS Payments may benefit the retailer, but it’s the customer that matters
While open banking enabled Payment Initiation Service (PIS) payments currently only account for a tiny fraction of all online purchase payments, they hold a number of attractions for retailers looking for a simpler, cheaper alternatives to cards. They are arguably secure and simple for consumers, offer merchants, cheap, instantly settled, irrevocable payments and are free of chargebacks.
On this basis open banking payments hold much promise. However to ensure mass adoption, benefits and protections need to apply equitably across all stakeholders and risk management must be holistic and effective. Here open banking payments are still very much work in progress and what appears beneficial for the retailer, may not be so for the consumer. Any failure to adequately protect consumers from the consequences of fraud and unscrupulous or inadequate merchants could kill the prospects for ecommerce PIS payments in card dominant markets such as the UK.
APP purchase scam losses outstrip card e-commerce fraud
The data just released by UK Finance gives some important signals as to why this needs to be taken seriously. It shows how criminals are focusing their activity on APP fraud, where the customer is tricked into authorising a payment to an account controlled by a criminal. The largest category of APP fraud, representing 49% of cases, is purchase scams where the victim pays in advance for goods or services that are never received. The embedding of mobile banking authentication into the PIS payment process is not guaranteed protection against this, as the Barclays fraud incident highlights.
The differences between the growth in APP and card fraud and the end impact on consumers who are the victims is notable, and worrying. According to UK Finance, the gross loss through APP fraud reached nearly £400m vs. £261m overall for cards. Around £200m was lost to APP purchase scams whereas £177M was stolen through unauthorised card based e-commerce fraud – a reduction of 3% year on year despite significant growth in card e-commerce volumes.
This likely a sign that the more mature fraud prevention regime around card payments is having a positive effect. The UK Finance data also shows that 65% of attempted unauthorised online banking and payment fraud was prevented.
APP fraud victims are much less likely to get refunded
More importantly, the report highlights the significant difference in end outcome for consumers who are victims. Losses from card fraud were fully refunded in more than 98% of cases. In contrast, the amount returned to victims of APP purchase scams was only £11M, or 29% of the amount stolen – a clear statement of the inadequacy of consumer protection.
Merchants might hate chargebacks but consumers are protected
Consumers paying by cards are protected by a single chargeback regime. This is backed by law and regulation. There is an established liability framework, along with claims and arbitration processes. All a consumer has to do is raise a claim with their issuing bank and regardless of whether they have lost money due to fraud, or a failure by a PSP, or they have not received their promised goods or services, they will get their money back. So long of course, as they have not knowingly done something to facilitate a fraud.
Buyers know they are protected if they pay by card, and as much as merchants hate chargebacks, the confidence they bring to consumers keeps them spending. UK Payment Services Regulator (PSR) research data shows that consumers view security as a far more important factor when making a payment than ease of use or speed for all but low value purchases under £10.
Open banking payment protections are weak and fragmented
Unfortunately for open banking payments, an aggrieved consumer faces a much more complex and uncertain path when trying to recover their money if things go wrong. For sure, there are regulatory and legal protections they can turn to, but these are fragmented. The route that a customer needs to take to claim compensation depends on whether they have suffered payment fraud or loss, or the merchant appears to have failed to deliver. Furthermore, there are no clear definitions of liability. This means that if a customer buys online using an open banking payment and something does go wrong, they have to work out how they raise a complaint, and do all the work to establish who is liable.
Coming back the purchase scam story, UK consumers who have been tricked into authorising payments to fraudsters are only protected by a voluntary code that currently has nine bank signatories. The UK Finance report notes that in the cases of APP purchase fraud assessed using this voluntary code, only 28% of all losses were reimbursed to the victim. In the wider context of problems with account to account based payments, the PSR has noted, the only way a buyer is likely to get resolution where liability is disputed is if through the small claims court, if the problem is with the goods or services provided, or the Financial Ombudsman if there has been a failure in the payment.
As a consumer, if you knew all of this, and got no personal benefit from using an open banking option, how would you choose to make your payments?
Payments regulators have noticed
The disparity in protections between cards and account to account (A2A) payments has not gone unnoticed by UK Government and regulators. The issues have been highlighted in Competition and Markets Authority (CMA) roadmap for open banking, the UK Treasury’s Payments Landscape Review and, most specifically, in a PSR Consumer Protection Call For Views published in February 2021. This consultation addressed consumer protection for A2A and Open Banking payments. The PSR, which is currently considering the responses, has been clear that it believes that more rigorous protections are needed.
PIS payments should be more fraud resilient
Of course It should be easier to prevent PIS payments being abused for APP purchase scams than it is to prevent these frauds taking place through online or mobile bank transfers. At the very least, TPPs can and should be playing a role carrying out due diligence on the merchants they serve to identify criminally controlled accounts. Similarly, so long as online and mobile bank authentication stays a step ahead of the fraudsters these payments should remain fundamentally secure due to the authentication. However this is not sufficient to provide consumers with equivalent protections to those they enjoy if they pay by card.
Open banking should embrace the chargeback principle
So TPPs, banks and merchants keen to accelerate adoption of open banking payments should embrace the idea of a single, coherent and comprehensive framework for raising complaints, establishing liabilities and rapidly and fairly handling and arbitrating disputes and processing refunds. This needs to go beyond the OBIE’s current Dispute Management System and code of practice. We don’t have to use the term chargeback, and there is an opportunity to learn from and improve on the card regime to deliver something that is simple, cost effective and fair.
Doing this will build consumer confidence in PIS payments. There are currently many unanswered questions about how to make it happen where there is no equivalent of the card schemes to facilitate and enforce it. But it does need to happen if open banking payments are to have a real chance of competing against cards.