Stop Payforit Fraud
Response to PSA Consultation on Business Plan 2018/19
I am writing this response because these consultations tend to get many responses from the industry and few or none from the consumers that PSA are supposed to be protecting.
I have begun to campaign for reform of direct carrier billing in the UK after a member of my family was the victim of fraud via ‘Payforit’. She was signed up, without her consent, to a subscription service costing £4.50 per week. I was able to cap her losses at £4.50 by sending a STOP message within three hours of the initial subscription message. However, the battle to get the £4.50 returned took eight weeks, twelve telephone calls, 17 emails, two ‘signed for’ letters and the threat of legal action. My battle to get an explanation of how she came to be subscribed is ongoing.
The timescales and difficulty I experienced in complaining are completely in conflict with para 2.6 of the Code of Conduct, and I am not alone in experiencing these difficulties. The failure to deal with complaints in a timely manner should be sufficient to enable the regulator to suspend the offending company’s ‘services’.
I was astonished at the lack of any form of consumer protection against these frauds and at the lack of cooperation or concern from the network, the level 1 provider and the regulator.
A look through the user forums of the major networks will leave nobody in any doubt that there is a serious problem with fraudulent subscription services. Hardly a day goes by without a consumer claiming that they have been signed up, without consent, to a subscription service costing £4.50 per week (or occasionally less). I refuse to believe that all these people are lying or stupid!
Payforit is an archaic and inherently insecure payment mechanism. It has not adapted to reduce the incidence of fraud as other payment mechanisms have. It doesn’t have a centralised service for complaints and disputes. It doesn’t have a refund mechanism. PSA are well aware of these shortcomings, but do nothing to encourage reform. They know that malicious code in a web page, or in a downloaded App can sign users up to these services, without the consumer being aware that it has happened. They have been aware of the use of these exploits for several years, but nothing has been done to prevent them. They sit on their hands instead of being proactive in bringing these frauds to a halt.
Consumers are becoming increasingly aware of the fraudulent use of direct billing and are coming to regard the industry as a bit like the ‘Wild West’ with an ineffective and reluctant sheriff in the form of PSA.
Q1 – Do our plans for 2018/19 sufficiently deliver our role as a regulator?
Most consumers are unaware of the role of PSA and only become aware when they have a problem with a ‘service’. Even the industry doesn’t seem to understand the regulator’s role. One of the major networks still refers defrauded customers to PSA ‘to get a refund’, implying that PSA would deal with their individual complaint.
Those consumers who refer issues to the regulator are frequently dissatisfied. Facebook reviews show a predominance of 1 star reviews from consumers dissatisfied with the service PSA has provided. Some of this dissatisfaction stems from a misunderstanding of PSA’s role. However, there is nothing more galling for a complainant, weeks after reporting a ‘service’, than to find that ‘service’ is still defrauding consumers. I see little prospect of improvement while the PSA exhibits such complacency. The regulator needs to engage more with the consumers it is supposed to be protecting.
Consumers will compare the consumer protection offered by phone paid services with those of other payment methods (Paypal, Contactless Payments, Direct Debits, Credit Cards, Debit Cards etc). The providers of all these payment methods provide clear mechanisms for the resolution of disputed transactions. Payforit and other direct operator billing methods offer no clearly defined or published mechanism for the resolution of disputes.
Obtaining a refund for losses due to fraud is rarely possible due to the nature of the ‘service providers’ who hide behind an automated phone number, an email address which is never replied to, and an accommodation address shared with dozens of other companies. Most consumers admit defeat and write off their losses.
If I dispute a direct debit with my bank, the burden of proof will rest on the payee to prove that the debit was authorised and not with the payer to prove that it wasn’t! If I report fraudulent transactions to my bank, they will take the matter seriously and put a stop on any further fraudulent payments. The MNOs don’t even offer this minimal level of support. Instead, they ask the consumer to send a message to the fraudster asking them to STOP. To add insult to injury, they are charged for sending this message!
Payforit expects the consumer to negotiate directly with the originator of the charge. What is worse is that, if the recipient of the payment fails to respond, there is no process to follow to resolve the issue. In the absence of a defined process, these uncooperative companies continue to trade for months, until the volume of complaints is such that PSA cannot ignore them.
It is not the role of PSA to adjudicate on individual disputes. However, it could insist on the introduction of a mechanism by which consumers can receive swift refunds when they are defrauded by rogue companies. Much of this could be automated, as it is with other payment mechanisms.
The problem is not that fraud happens. It will happen to some extent with any payment system regardless of the security and authentication measures put in place. Fraudsters are continually refining their methods and finding new ones. Most payment systems respond to attempted fraud by putting effort into fraud prevention, but this has not happened with the arrangements for charging to a phone bill.
The problem is the lack of any defined process for the consumer to resolve their complaint (within a reasonable timescale) and obtain a refund if one is adjudged to be appropriate. Current arrangements would appear to be in breach of the Consumer Rights Act 2015 as it applies to digital services, in terms of methods and timescales for dealing with consumer complaints, and in terms of the refund process.
Looking at Tribunal Cases in the 2017 calendar year, of 18 cases, no less than 8 related to subscription services priced at £4.50 per week or less. A further 7 related to non-compliance with sanctions. In most of these 7 cases, the initial breach resulted from a similar subscription service. Surely money and time could be saved by subjecting these ‘services’ to a more rigorous regulatory regime.
Fraudulent subscription services are doing untold harm to the reputation of the industry as a whole.
Q2 – Do you have any comments on the proposed budget for 2018/19?
The priorities here seem to be wrong. If these payment mechanisms want to gain consumer trust, the amount spent on regulation will probably need to increase, at least until the industry is ‘cleaned up’.
From the weak and slow actions of the networks and the regulator, one gets the impression that the MNOs and the regulator are quite content to be complicit in fraud.
Resources need to be deployed to investigate these frauds quickly, as soon as the regulator becomes aware of them. There really is no excuse for fraudulent ‘service providers’ to be allowed to continue plundering consumers’ phone accounts for months before the regulator belatedly acts.
Q3 – Do you have any comments on the proposed levy for 2018/19?
In Appendix A you write:
“Different types of content, goods and services have different consumer satisfaction levels. They operate at different levels of compliance with our Code of Practice, as measured by the consumer queries and complaints we receive, and the monitoring we are able to do”
Would it not be possible to impose different rates of levy on different services, based on the regulatory work they generate? A higher rate of levy on subscription services priced at £4.50 or less, and without a double opt-in, would seem appropriate given the evidently large number of complaints these generate.
Of course, one method of reducing costs would be to require ALL subscription services to have a double opt-in. (This is currently recommended in your guidance, but not mandated). It is clear that your guidance is ignored by some rogue companies which deliberately price their service at £4.50 per week in order to avoid these requirements, knowing that malicious code can then be exploited to obtain ‘consent’ from ‘subscribers’.
It seems unfair that services that create few complaints and are fully compliant with the Code are charged at the same rate as services which continually test the boundaries of the Code and generate significant volumes of work for the regulator.
If the size of the levy is to be reduced, the level of consumer complaints needs to be reduced. Making ‘direct carrier billing’ services ‘opt-in’ rather than ‘opt-out’ would make a massive difference, as many consumers are unaware that third parties can charge their bill in this manner. The GDPR should address this, as companies will need to have explicit and unambiguous consent to pass consumers’ phone numbers to a third party, whether for charging purposes or not. It will no longer be acceptable to hide this consent in the small print. A requirement that consumers opt in to the use of PRS services would increase awareness of these services and make consumers more careful when navigating ‘service providers’’ web sites.
PSA need to become more effective at collecting the financial penalties they impose. Fined services should be suspended until the fines and administrative charges are paid. An increased rate of collection of these financial penalties would allow a reduction in the levy on compliant services.
Q4 – What is your view on the estimated size of the market for 2018/19?
Direct payments from ‘phone accounts are competing with an increasing number of other payment processes. Consumers are poorly educated about these services and often, as in my case, only become aware of the potential to charge goods and services to a phone bill when they are the victim of a fraudulent transaction. Consumer confidence is the key to growth, but it has been given a low priority. In my view ‘Payforit’ and other direct to bill payment mechanisms will gain a smaller market share of a growing market. Until the industry takes its responsibilities to consumers more seriously, they will choose to pay by other mechanisms wherever possible. If Direct Carrier Billing is to compete seriously for market share, it will need to implement consumer protection measures and refund mechanisms similar to those of its competitors.
Two major Australian MNOs (Telstra and Optus) have been forced to abandon third party billing for premium rate subscription services after a succession of scams similar to those we have experienced in recent years. Unless the networks stop aiding and abetting these frauds, public opinion will eventually force a similar result in the UK.
Q5 – Do you have any other comments on the Business Plan and Budget 2018/19?
PSA seems to listen to the service providers, but appears out of touch with the concerns of consumers. A consumer panel could help to correct this imbalance. Consultations rarely include any input from consumer organisations. The lack of a clearly defined disputes resolution process puts consumers at a massive disadvantage. PSA has failed to protect consumers adequately thus far and I have little confidence that this will change.
Reading the https://psauthority.org.uk/for-consumers/solutions-centre page of the PSA website one finds this:
I was charged when I clicked on the X symbol to close the site. What do I do? (false X?)
Answer: There should always be a way to exit the page without making a purchase. In some instances you must interact with the site but you should be able to exit the site. In some circumstances, exiting a site may lead you to an advert for another service. If you do not want to exit in this way, enter a different website address in your browser toolbar.
After reading this the consumer comes to the conclusion that ‘anything goes’ in this industry. It doesn’t matter how you trick consumers into clicking on a disguised subscription link. According to you it’s legitimate to disguise the subscribe button as an X (to close a popup!). That is immoral and unethical. I can’t believe that an organisation, supposed to protect consumers, implies, in print, that it thinks this is an acceptable practice.
If the industry is to dispel its ‘Wild West’ image it needs to stop condoning these practices and state, quite simply, that they are fraudulent and wrong. Deceptions of this sort are in conflict with the Code of Conduct. They destroy consumer confidence. PSA would do well to review its guidance to consumers, to avoid the impression that it condones fraudulent practices. It should be encouraging consumers to complain when they encounter these deceptive practices, and taking action against the perpetrators.
PSA needs to be able to be held to account when they fail to act in a timely manner to prevent consumers being defrauded. It seems that the economic survival of offending companies is always put ahead of consumer protection.
By providing a mechanism for third party payments to be taken from consumers’ telephone accounts, the MNOs are setting themselves up as payment processors. I therefore believe it is fundamentally wrong for the MNOs and level 1 providers to be exempted from the requirements of the Payment Services Directive v2 (PSD2). The exemption, however, restricts both the size and type of purchase that can be made via Direct Carrier Billing. If services like Payforit want to be able to handle larger purchases, or be used other than for the purchase of digital content and similar products, they will need to conform to the requirements of PSD2.
In fairness, direct carrier billing services should be subject to the same regulations as the payment services they are competing with. The directive provides additional safeguards to consumers. It reduces their potential losses from fraud, and requires the Service Providers to provide robust, two factor, authentication. The directive also forces Payment Service Providers to provide a proper dispute mechanism. I am disappointed that consumers will be denied the additional protection these safeguards would have afforded them.
Ultimately it is not good enough to say that the MNOs are just providing a payment mechanism. They are responsible for the design and rules of that payment mechanism, agree to provide it to their customers, and profit from it. It is time that the regulator forced them to take their responsibilities seriously and provide support to customers who have been defrauded.
The suggestion that PSA might look at a system whereby consumers might be refunded automatically when a service provider has been found non-compliant is welcome, but does not go far enough. The current system of handling third party payments is unfair to consumers and needs to be changed.
In the event of a disputed transaction, the burden of proof should lie with the recipient of the funds to prove that the payment was taken lawfully and in compliance with the Code. In the absence of such proof (within a specified period, say 3 weeks) the consumer could and should be automatically refunded. At present, many of these ‘service providers’ fail to engage with consumers, on any meaningful level, leaving the consumer with no redress and no refund.
Another issue is that, even if the service provider accepts that a refund should be made, there is no proper mechanism for that to happen. There is a general principle in commerce (embodied in the Consumer Rights Act 2015) that refunds should go to the account from which the original payment was made.
Refunds for transactions made on a credit or debit card are made back to the same card. If a fraudulent payment occurs on my bank account, the refund is made to my bank account. When a Paypal payment is reversed, the refund will go back to the Paypal account from which it was taken.
Why can’t refunded Payforit charges be returned to the account from which they were taken? Why can the refund not be made by the same method and with the same speed and ease as the transaction which is being reversed? We are told that this is ‘technically impossible’. This just goes to show how anachronistic and poorly regulated this payment system is.
The industry is at a turning point. If it continues to turn a blind eye to fraud it will lose consumer confidence, and remain a niche payment system. The alternative is to take steps to prevent abuse of the payment system by fraudsters. Direct carrier billing can compete with other payment services, but only if it can match them, not only for convenience, but for security and consumer protection.