Following our earlier post on the complexity of liability in the digital financial system, this article looks more closely at the challenges of existing arrangements and the new approaches emerging in some markets.

As fraud and scam activity continues to rise, particularly in Africa’s fast-growing digital economies, regulators face the difficult task of strengthening consumer protection and recourse while avoiding measures that could discourage innovation, drive de-risking, or undermine financial inclusion.

Today’s digital financial ecosystem is complex, with multiple organisations involved in each transaction. This can make it challenging to pinpoint who is responsible when things go wrong. For example, if a consumer uses an AI financial adviser to send a payment from their bank account to a friend’s mobile money wallet and it goes missing, it is not obvious where the consumer can go for help or which provider is responsible. Where there is a scam or fraud involved, it becomes even more complicated.

Liability under existing arrangements

Which participant in the transaction is liable will typically depend on whether the participant has met its obligations. These obligations are imposed by different instruments – including contracts, voluntary codes, legislation and regulations. Liability under these overlapping instruments varies widely, both between consumers and providers and among providers themselves.

Contracts often favour larger players. Contractual arrangements usually govern relationships between financial service providers, such as banks, and the providers they work with, such as payment service providers, which are often smaller and newer. They also set out terms between providers and their customers. In most cases, the contracts reflect the relative bargaining power of the parties involved. This means smaller providers and consumers can bear a lot of contractual obligation:

• For consumers, there may be obligations to regularly change passwords, to sign up for and monitor SMS notifications and to timeously report the loss of an access device or a suspicious transaction.
• For smaller providers, this might mean that they are responsible for any transaction they are involved in.

When the bulk of the responsibility is shifted onto a smaller provider, it can be problematic for a consumer seeking redress. This is because a small provider may not have funds or insurance to cover the loss, or a system to deal with consumer losses. The smaller provider typically will not control all parts of the process and so cannot effectively manage the risk of losses  . This can discourage these kinds of businesses from entering the eco-system. For the consumer, not being able to get their money back from the provider can reduce trust. It also means that liability is not aligned to where the risk originates or manifests.

In addition, putting substantial responsibility on the consumer may seem unfair when the financial providers have more access to tools and information to protect the consumer. The mismatch between consumer and provider expectations can further reduce consumer motivation to engage in the financial system.

Consumer liability often hinges on whether a transaction is authorised or not. In many places, there is additional protection beyond the contract, such as in legislation/regulation or banking codes, for consumers if unauthorised transactions are made on an account. Generally, unauthorised transactions are those where the customer has no involvement for example where someone’s identity is stolen, where a bank or credit card is lost or stolen, or a system is hacked. In many places, the account provider will be liable for these transactions, and the consumer will be entitled to a refund. However, liability may be attributed to or shared with the consumer if they are considered to have been negligent or careless (such as by storing a PIN with a card).

There has been less protection for consumers where transactions are authorised. Consumers typically bear responsibility for transactions that are technically or legally authorised but are induced by fraud (e.g. scams). This occurs either where the consumer inputs the payment instructions themselves (e.g. where a consumer is tricked into sending money for a fake investment opportunity) or is convinced to share account access details, including codes or other inputs from multi-factor authentication (e.g. if a consumer provides a one-time-password to a scammer under the belief that they are talking to a representative of their bank).

Shifting liability under newer regimes

There is increasing recognition that current liability regimes do not offer sufficient clarity and may no longer be appropriate. Changes or proposed changes, in the UK, Singapore, Australia and Europe have resulted in less focus on whether the transaction was authorised, shifting more of the burden of protecting consumers from scams or unauthorised transactions onto the providers. Consumer compensation/ and redress is key to these new rules and the obligations that providers must meet in order to avoid the liability to consumers are increased. For example, across various regimes, providers are expected to:

• Implement measures to prevent and detect scams, including monitoring behavioural markers.
• Provide effective warnings to consumers where a scam is suspected.
• Offer a matching service between the name and account number of the payee, and reject the transaction, or warn the consumer where there is a mismatch.
• Offer strong customer authentication.
• Share relevant data with other PSPs and/or telecommunications providers.
• Take measures to protect phone numbers and digital channels from being spoofed (where a scammer appears to be calling or SMSing from a legitimate business).
• Provide education and guidance to consumers around avoiding scams and fraud.
• Delay outgoing suspicious payments.
• Take measures to close mule accounts.

Under the Singaporean regime, if a provider can demonstrate that it met its obligations, it will not be held liable for compensating the consumer, while in the UK, the provider will be held liable, unless it can show that the consumer had not met their obligations. The consumer obligations are generally that the consumer has not engaged in fraudulent or grossly negligent behaviour, which would have to be more than mere negligence or carelessness.

Liability is being shared between banks, payments providers and other relevant entities. These regimes also acknowledge the role of entities other than the sending payment service provider, and shift or share liability accordingly:

• In the UK shared liability regime, the sending provider must compensate the consumer, but the sending provider can seek 50% of the amount from the receiving provider. 0
• Under Payments Services Directive 2 (PSD2) in Europe, the account provider (usually a bank) must be the one to compensate the consumer but may seek indemnity against other parties who may have been liable. This is currently only the case for unauthorised payments and would extend at least to spoofing scams under the EU’s proposed payments services regulation (which will replace PSD2 with respect to fraud)
• Under Australia’s new scams framework, there is no clear allocation of liability, however, the provider (whether that is the online platform, telecommunications company or bank) that the consumer approaches must assess whether it has met its obligations or compensate the consumer.
• Under Singapore’s waterfall liability model, the first entity to assess its liability for a smishing scam (a type of cyberattack that combines “SMS” and “phishing”) is the financial services provider, followed by the telecommunications provider. If each of these has met its obligations, then the consumer will be liable.

The way forward

In determining how to address the complexity of liability in a digital financial system, examination of leading jurisdictions and existing regimes offer key factors that policymakers and regulators must consider. Leading jurisdictions offer examples of potential approaches and also illustrate the inherent complexities and uncertainties.

As African regulators are contemplating a change in approach to address the growing problem of scams, considering the following is essential:

1. What, if any, distinction should be made between authorised and unauthorised transactions?
2. Who should be responsible for preventing and detecting scams and fraud?
3. Where should the burden of proving compliance with relevant obligations sit?
4. What is the appropriate mechanism for imposing obligations – soft measures such as codes or moral suasion, guidance or legislation and regulation?
5. What complementary measures might need to be taken by government or the sector?
6. From whom, and how can the consumer seek redress?

There is no single right answer for every market, and new regimes are yet to be tested sufficiently to offer compelling guidance.  Nevertheless, to ensure the ongoing viability of digital financial systems, it is necessary to, at the very least, understand and evaluate existing regimes to determine whether they remain fit for purpose in the current digital economy.

This is the second of four articles exploring liability in the digital financial system – the next article will further discuss the importance of consumer recourse and redress, while our final article will bring our thinking together in the context of the African regulatory environment.