Combating Authorised Push Payment Fraud

Understanding threats, the role of the Contingent Reimbursement Model (CRM) Code and the new reimbursement requirement.

Authorised push payment (APP) fraud occurs when a customer is deceived into instructing their bank to send money from their account to another account which is controlled by a fraudster. In 2022 alone, UK Finance reported that £485.2 million was lost to APP scams, affecting thousands of individuals and businesses.

The CRM Code is a voluntary framework established in the UK, aimed at reducing the prevalence and impact of APP fraud. Introduced by the Lending Standards Board (LSB) in May 2019, the CRM sets out principles and procedures for reimbursing victims of APP fraud, provided they meet certain criteria and have taken reasonable care. The CRM Code has been instrumental in reimbursing victims, with UK Finance noting that 59% of the total value of cases assessed under the Code resulted in full or partial reimbursement to the victims in 2022.

Overview of the CRM Code

The CRM Code outlines the responsibilities of both payment service providers (PSPs) and customers. Its primary goals are to:

  1. Protect Customers: By providing clear guidelines, the CRM Code ensures that victims of APP fraud are treated fairly and reimbursed when they have met the Code's standards of care.
  2. Prevent APP Fraud: It encourages banks and PSPs to implement effective measures to detect and prevent fraud, including educating customers about potential risks.
  3. Support Detection and Investigation: The Code promotes collaboration between PSPs to identify fraud and take appropriate actions swiftly.

Key Principles of the CRM Code

  1. Customer Education and Awareness: PSPs are required to inform customers about the risks of APP fraud and the steps they can take to protect themselves. This includes clear communication about secure payment methods and the dangers of sharing sensitive information.
  2. Effective Warnings: PSPs must provide adequate warnings to customers during the payment process. These warnings should be clear, concise, and relevant, alerting customers to the potential risks associated with a particular transaction.
  3. Customer Care: Victims of APP fraud are expected to act with a reasonable level of care. This means they should follow the guidance provided by their PSPs and not ignore explicit warnings. If they do, they may not be eligible for reimbursement under the CRM Code.
  4. Reimbursement: When a customer falls victim to APP fraud and has adhered to the principles set out by the CRM Code, they should be reimbursed by their PSP. This reimbursement is contingent on the customer's compliance with the Code's standards and is not automatic.
  5. Fair Treatment: The Code emphasizes the fair treatment of all customers. This includes ensuring that vulnerable customers receive the support they need to understand and adhere to the guidance provided by PSPs.

Impact and Challenges

The introduction of the CRM Code has been a significant step toward tackling APP fraud. It has provided a structured approach for dealing with cases of fraud, ensuring victims are treated with fairness and consistency. However, the Code is not without its challenges:

  • Voluntary Nature: Since the CRM Code is not mandatory, not all PSPs are signatories, which can lead to inconsistencies in the treatment of fraud victims across different institutions.
  • Determining Liability: Establishing whether a customer has met the required standards of care can be subjective, leading to disputes over reimbursement.
  • Awareness and Adoption: Both customers and PSPs must be aware of the Code and its provisions. Continuous efforts are needed to promote understanding and adherence.

The New Reimbursement Requirement

In response to the continued prevalence of APP fraud and to further strengthen customer protection, new reimbursement requirements will be introduced for all PSPs using the Faster Payment System (similar requirements may be introduced for BACS and Image Clearing System operators) with effect from 7 October 2024.

These requirements aim to build upon the existing CRM Code framework and ensure that victims of APP fraud are reimbursed more consistently and promptly.

  1. Mandatory Reimbursement: One of the most notable aspects of the new requirement is the shift towards mandatory reimbursement. This will cover the majority of transfers between UK banks for sums under £1 million, but only for customers not acting in the course of business, smaller charities, and businesses with fewer than 10 people and turnover under £2 million. Under this model, banks are generally required to reimburse victims of APP fraud unless it can be clearly demonstrated that the customer, as a result of gross negligence, has not complied with the customer standard of caution.
  2. Standardized Procedures: The new requirement also calls for standardized procedures across all signatory banks. This includes clear guidelines on the timeframe for investigating and processing claims, which helps to ensure that customers receive swift resolutions. The aim is to reduce discrepancies between different institutions' handling of fraud cases, leading to a more equitable system.
  3. Liability Allocation: Another key element is the more precise allocation of liability between sending and receiving banks in cases of fraud. This helps to clarify which party is responsible for compensating the victim, reducing disputes between institutions and facilitating faster reimbursements.
  4. Enhanced Transparency and Reporting: The new requirements also emphasise the need for greater transparency in how banks report and handle APP fraud cases. This includes public reporting of the number of cases and the amounts reimbursed, which aims to hold banks accountable and encourage adherence to the CRM Code principles.

The CRM Code and the new reimbursement requirements represent a significant advancement in the fight against APP fraud in the UK.

It is hoped that by promoting shared responsibility, mandating fair treatment of victims, and fostering transparency, these measures will enhance the safety and security of digital payments and swiftly reimburse victims of APP fraud.

However, challenges remain. The interpretation of what constitutes "gross negligence" can be subjective, leading to disputes. Additionally, the financial implications for banks in reimbursing customers can be significant, especially if fraud levels remain high. There is also an ongoing need for customer education, as awareness and understanding of APP scams are critical in preventing them.

Contact Us

If you have fallen victim to APP fraud and need advice on seeking reimbursement, please contact David Bailey directly below.
