The CRM code on APP fraud – an introduction

Last updated: 5 May 2020

On 28 May 2019, the Contingent Reimbursement Model (CRM) Code for Authorised Push Payment (APP) fraud came into effect.

Alongside the Practitioners' Guide, it provides a new landscape for payment services providers (PSPs) in their dealings with customers who are victims of APP fraud.

The code represents the culmination of much work by regulators and input from PSPs and other stakeholders.

This summary is intended to be useful as a reference guide for those with some familiarity with the issue in this developing area, including highlighting some challenges the code has to overcome if it is to be successful. I look at aspects of the code in more detail in related briefings, which I will link to below.

Background to the CRM code's development

£354.3 million was lost to APP fraud in 2018. The impact on individuals and businesses that fall victim to such fraud can be devastating.

Tackling fraud and scams remains one of the FCA's priorities in the 2019/20 business plan.

It is therefore not surprising that prior to the code becoming live, the Contingent Reimbursement Model Steering Group indicated that the PSPs already signed up would cover 85% of consumers.

The direction of travel in this area can be charted from the introduction of the Payment Services Regulations 2009, supplemented by the Payment Services Regulations 2017 (the PSRs). However, critics have argued the PSRs often left victims of fraud without any viable route to recovery.

Since the introduction of the PSRs, due to the increasing size and complexity of APP fraud, a number of developments have taken place, each of which has sought to offer victims greater protection.

Some of those developments include:

  • September 2016: The Which? super-complaint
  • December 2016: The FCA and Payments Services Regulator's response to the super-complaint
  • February 2018: The regulators' ongoing work, leading to the Policy Statement proposing that a contingent reimbursement model should be established under the oversight of a steering group
  • December 2018: The expansion of the Financial Ombudsman Service's jurisdiction (pursuant to PS18/22) to include a victim of APP fraud from 31 January 2019
  • February 2019: The publication of the final CRM Code, alongside a number of industry responses to the Steering Group’s Consultation Paper.

More recently, on 2 April 2019 Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services published the “Fraud: Time to Choose” report.

For the financial services industry, the report highlighted that, in the absence of additional resource devoted to policing measures specifically targeting fraud, there is a growing expectation that industry stakeholders will need to confront it.

Indeed, UK Finance’s response to the report recognised the requirement for the finance industry to play a substantial part.

On 31 March 2020, the Confirmation of Payee protocols required by the Payment Services Regulator will also come into force – offering the most noticeable difference to the way payment transactions are processed and, potentially, fraud prevention.

What are the CRM code's objectives?

The CRM code has at its heart the following overarching objectives:

  • To reduce the occurrence of APP scams
  • To increase the proportion of customers protected from the impact of APP scams, both through reimbursement and the reduction of APP scams
  • To minimise disruption to legitimate payment journeys

The code offers customers a swifter and more generous outcome than has often been the case to date and, certainly, more than is required under the PSRs. Broadly, the outcome for customers will be as follows:

As for who bears the cost of this reimbursement, the code proposes the following (if both paying/receiving PSPs are code participants):

What does this mean for PSPs?

The code establishes “Standards for Firms” against which PSPs’ processes can be measured. As can be seen above, a PSP not meeting these standards will be required to reimburse victims and may suffer an impact to confidence in its fraud prevention measures.

Further, the code also provides for a "no blame" fund to reimburse PSPs where they have met the required level of care (and the victim has been refunded), and an allocation mechanism for situations where PSPs have not.

If a PSP is signed up to the code or, like new participants such as the Co-Operative Bank, thinking of joining, the questions it needs to address are:

  • What additional standard of care does the code impose?
  • How should decisions on reimbursement be reached in the requisite timeframe?
  • How do the "no blame" fund and allocation mechanism function to resolve disagreements between PSPs?

These questions merit detailed examination. I have set out some thoughts on each in the articles below:

If you have any questions or thoughts you would like me to explore as part of it, please get in touch.