On 21 January 2025, Matthew Long, Director of Payments and Digital Assets at the Financial Conduct Authority (FCA), highlighted the role that the UK's Online Safety Act (the Act) may play in combatting fraud taking place on tech platforms.
Long's remarks were made during City & Financial's annual payments conference. Commenting after a panel discussion on the key challenges and opportunities arising in the future payments landscape, he emphasised that the Act could significantly accelerate efforts to require social media platforms to take stronger actions to protect consumers from online scams.
His observation was made in response to longstanding concerns within the financial services sector, which has repeatedly argued that it carries a disproportionate burden in tackling online fraud.
Background
Since October 2024, banks and other payment services firms have been required to reimburse victims of unauthorised push payment (APP) fraud up to £85,000. In response, the financial sector has lobbied for government to impose regulation on tech giants to support their compliance with this requirement. In November 2024, a Dear CEO letter was sent by the Payments Systems Regulator (PSR) to tech firms, revealing its plans to publish "fraud enabler" data each year. A fraud enabler is defined as a platform or service through which fraudsters contact victims or a website or platform where victims encounter advertisements or profiles that lead to APP scams.
On 17 December 2024, the PSR published the first report on fraud enabler data, which was entitled "Unmasking how fraudsters target UK consumers in the digital age." According to the data, 54% of APP scams originated from three major social media platforms. The PSR intends to publish data annually and improve data collection processes starting from Q1 2025. The data will include the frequency of fraudulent activity reported via certain tech firms' platforms or services, as well as through other providers.
Although some tech companies have signed a voluntary charter against fraud, their obligations, in the view of some payment services firms, remain limited. Long stated: "[The Online Safety Act], which gives powers to Ofcom, is in my view the way that we will catapult this forward. And particularly, we as regulators have all got around the table and we’re working with Ofcom on that."
Online Safety Act
The Online Safety Act passed in October 2023, includes a three-year implementation period for online search and user-to-user services. Companies within scope of the Act must prepare an assessment of fraud risks arising from user-generated content by 16 March 2025. After that, the operative provisions will require firms to introduce systems for moderating and removing suspected fraudulent content, as well as creating channels to report fraud. Ofcom, the UK's communications regulator, will have authority under the Act to fine companies up to 10% of their global turnover for breaching the rules.
The Act also bans paid-for fraudulent advertising, but these provisions will not take effect until a separate code of practice has been published. Consultations on that code are planned by the end of year and it could take another full year before those provisions go live.
One consequence of the Act is that it has brought the digital remits of Ofcom and the FCA closer together, as the regulators have a shared ambition to tackle online fraud and scams. The two regulators have been working towards greater regulatory coherence under the Digital Regulation Cooperation Forum's Illegal Online Financial Promotions workstream, to identify overlap between platforms’ obligations under the online safety regime and financial services legislation, and to leverage each other’s expertise and improve regulatory clarity for online services.
For further information on the Act, including its scope and impact on firms in the payments and tech sectors, please refer to our webpage.
Data sharing and the way forward
To date, tech and financial services firms have been hesitant to share data with each other, with Long noting that, "[it] does require leadership from both the regulator and from firms."
The PSR noted in its December report that it considers that "systemic action is needed to address the scale of the threat [of APP scams]." As fraudsters' techniques for targeting their victims continue to evolve, only a concerted collaboration between the government, regulators, PSPs, and technology platforms will be able to improve the fight against APP fraud, as exemplified in cross-sector arrangements in other jurisdictions such as Singapore and Australia.