Fraud and scam activity is increasing in African economies, as more citizens access digital financial services and as incomes rise. The latest Findex results show that more than 30% of adults in Sub-Saharan Africa report having received scam or online extortion messages, well above the global average. At the same time, cybercriminals are increasing their reach and sophistication (themselves powered by the digital economy), and consumers in advanced economies are becoming more difficult to target due to increased prevention and enforcement activity.

These crimes risk undermining trust in the digital economy and inhibiting progress towards financial inclusion and access. In response to this, it is vital that regulatory authorities apply their attention to fraud and scam prevention and to consumer protection.

This includes reconsidering who is liable when something goes wrong and redefining how and where consumers can seek redress. Likewise, in the context of consumer data protection, the question of where liability rests in the case of data breaches becomes a relevant consideration.

Consumer liability varies. In many jurisdictions, consumers have typically been liable for any authorised transaction, with varying degrees of protection for unauthorised transactions. The United Kingdom’s shared liability regime sets a new precedent for payments service provider (PSP) liability.

In a prominent example of regulatory changes to liability, in October 2024, the UK implemented a shared liability regime for authorised push payments that requires the sending PSP and the receiving PSP to compensate the consumer for payments that are authorised, but fraudulently induced.

This covers any payment where the consumer believed the recipient was someone they were not, whether a legitimate investment opportunity, a genuine re-seller or a true love match. A consumer will only be liable if the financial service provider (FSP) can prove gross negligence, which is described as a ‘high standard’, and vulnerable consumers will not be liable even in the case of gross negligence.

Other jurisdictions are planning or considering alternative ways of addressing the root causes of scams and providing for appropriate redress that is responsive to the particular context of each financial system. For example:

• The European Commission’s draft Payments Services Directive 3/ Payments Services Regulation proposes a shift in liability only for cases of spoofing, where an FSP is impersonated and the fake FSP (website, customer contact centre, SMS) induces the consumer to share their details or to authorise a transaction. In the European Commission’s impact assessment for the draft, this is explicitly stated as a compromise between consumer groups who expect compensation for consumers in all cases of fraud or scam, and FSPs who do not expect to be liable where a transaction is authorised.
• Singapore and Australia have created a new set of obligations on both FSPs and telecommunications providers (and in Australia’s case, online platforms) to detect and prevent scams. These regimes require compensation to the consumer from the relevant system participants only where the participant does not meet its obligations.

There is no one-size-fits-all approach. As these examples show, there is no global convergence to the UK’s shared liability regime, and it is far from being a perfect solution for all. The UK approach provides an appealingly neat and consumer-centric solution, which is intended to encourage both the sending and receiving PSPs to prevent these transactions from occurring. However, this approach has several potential downsides, including encouraging scammers to pose as victims, reducing consumer incentives to take precautions to protect themselves, and imposing additional compliance and reimbursement costs on PSPs, which could in turn destabilise the financial system and discourage innovation.

Critical for developing countries to consider is that increased potential liability also means increased risk to the FSP/PSP and so may lead to more of the kinds of de-risking we have seen with respect to anti-money-laundering and combatting-the-financing-of- terrorism (AML/CFT) risk. To ‘de-risk’ banks simply exclude customers they perceive as risky – in this case, perhaps those more likely to seek redress, more likely to be a victim of scam or fraud, or to be perceived as a money mule. This can result in customers having accounts closed or consumers being denied access to services. It is particularly relevant for vulnerable consumers, who are often, by their nature, more likely to be victims of financial crime.

This could undermine progress towards universal financial inclusion and access. In addition, by allocating liability only to FSPs/PSPs, incentives for other participants, including telcos and online platforms, to address their own contributions to enabling fraud and scams are reduced. If consumers are already made whole financially by the FSP/PSP, there is also potential to disincentivise pursuing law enforcement and therefore prosecution of the cybercriminals.

Effective policy responses must be context sensitive. A liability approach cannot be taken in isolation but must be considered as part of a broader range of measures to protect consumers and manage risk in the digital economy. Consumer protection needs to be weighed against other regulatory and economic priorities. As such, in responding to the increased risks in a digital financial ecosystem, policy and regulatory authorities must first:

• Consider the local market structure and identify where the risk is most concentrated within the financial system
• Evaluate the existing legal underpinnings for liability and mechanisms for consumer recourse and
• Understand the capability and resources of the various actors in the system to identify and address scams and fraud, including PSPs/FSPs, regulatory authorities, consumers, third party providers, and law enforcement.

Developing economies face different challenges. The context for regulators in developing economies raises some specific considerations that should inform policymaking with respect to fraud and scams generally, and liability specifically. Emerging economy policymakers are often working to both develop digital financial services and encourage innovation and competition in the financial sector. Fraud and scam prevention can support digital financial services, but can also inhibit competition by disproportionately increasing costs on smaller market participants.

At the same time, consumers in emerging economies may have lower financial capability and digital literacy than those in the developed world – meaning they are perhaps more likely to become victims with a need for better prevention and recourse. In addition, the consequences of de-risking can be more acute in economies where there is less competition and where financial inclusion is a key policy objective. Carefully balancing competing policy priorities will be essential as regulators seek to respond to the increase in scams and fraud.

The question of liability and how regulators address the growing prevalence of scams and fraud is urgent and will have a significant impact on billions of consumers. The growing digitalisation, collection, sharing, and use of personal data has rapidly exacerbated the complexity of the risks, while technologies have exponentially enhanced the sophistication and cost efficiency of scams.

Cenfri intends to further explore the problem and considerations for financial regulators, particularly in developing countries, through a series of articles that will cover:

• Allocating responsibility for scams and fraud: Options and examples
• The importance of recourse for consumers
• Considerations for African regulators