Last updated: 5 May 2020
On 28 May 2019, the Contingent Reimbursement Model (CRM) Code for Authorised Push Payment (APP) fraud came into effect.
Alongside the Practitioners' Guide, it provides a new landscape for payment services providers (PSPs) in their dealings with customers who are victims of APP fraud.
The code represents the culmination of much work by regulators and input from PSPs and other stakeholders.
This summary is intended to be useful as a reference guide for those with some familiarity with the issue in this developing area, including highlighting some challenges the code has to overcome if it is to be successful. I look at aspects of the code in more detail in related briefings, which I will link to below.
£354.3 million was lost to APP fraud in 2018. The impact on individuals and businesses that fall victim to such fraud can be devastating.
Tackling fraud and scams remains one of the FCA's priorities in the 2019/20 business plan.
It is therefore not surprising that prior to the code becoming live, the Contingent Reimbursement Model Steering Group indicated that the PSPs already signed up would cover 85% of consumers.
The direction of travel in this area can be charted from the introduction of the Payment Services Regulations 2009, supplemented by the Payment Services Regulations 2017 (the PSRs). However, critics have argued the PSRs often left victims of fraud without any viable route to recovery.
Since the introduction of the PSRs, due to the increasing size and complexity of APP fraud, a number of developments have taken place, each of which has sought to offer victims greater protection.
Some of those developments include:
More recently, on 2 April 2019 Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services published the “Fraud: Time to Choose” report.
For the financial services industry, the report highlighted that, in the absence of additional resource devoted to policing measures specifically targeting fraud, there is a growing expectation that industry stakeholders will need to confront it.
Indeed, UK Finance’s response to the report recognised the requirement for the finance industry to play a substantial part.
On 31 March 2020, the Confirmation of Payee protocols required by the Payment Services Regulator will also come into force – offering the most noticeable difference to the way payment transactions are processed and, potentially, fraud prevention.
The CRM code has at its heart the following overarching objectives:
The code offers customers a swifter and more generous outcome than has often been the case to date and, certainly, more than is required under the PSRs. Broadly, the outcome for customers will be as follows:
As for who bears the cost of this reimbursement, the code proposes the following (if both paying/receiving PSPs are code participants):
What does this mean for PSPs?
The code establishes “Standards for Firms” against which PSPs’ processes can be measured. As can be seen above, a PSP not meeting these standards will be required to reimburse victims and may suffer an impact to confidence in its fraud prevention measures.
Further, the code also provides for a "no blame" fund to reimburse PSPs where they have met the required level of care (and the victim has been refunded), and an allocation mechanism for situations where PSPs have not.
If a PSP is signed up to the code or, like new participants such as the Co-Operative Bank, thinking of joining, the questions it needs to address are:
These questions merit detailed examination. I have set out some thoughts on each in the articles below:
If you have any questions or thoughts you would like me to explore as part of it, please get in touch at [email protected].