jagOn 28 May 2019, the Contingent Reimbursement Model (CRM) Code for Authorised Push Payment (APP) fraud will come into effect.

When the code goes live, alongside the Practitioners' Guide (due to be published by the Lending Standards Board shortly), it will provide a new landscape for payment services providers (PSPs) in their dealings with customers who are victims of APP fraud.

The code represents the culmination of much work by regulators and input from PSPs and other stakeholders.

This summary is intended to be useful as a reference guide for those with some familiarity with the issue in this developing area, including highlighting some challenges the code will have to overcome if it is to be successful. I will look at aspects of the code in more detail in future briefings, which I will link to from here once published.

Background to the CRM code's development

£354.3 million was lost to APP fraud in 2018. The impact on individuals and businesses that fall victim to such fraud can be devastating.

Tackling fraud and scams remains one of the FCA's priorities in the 2019/20 business plan.

It is therefore not surprising that the Contingent Reimbursement Model Steering Group has indicated that the PSPs already signed up to the code will cover 85% of consumers.

The direction of travel in this area can be charted from the introduction of the Payment Services Regulations 2009, supplemented by the Payment Services Regulations 2017 (the PSRs). However, critics have argued the PSRs often left victims of fraud without any viable route to recovery.

Since the introduction of the PSRs, due to the increasing size and complexity of APP fraud, a number of developments have taken place, each of which has sought to offer victims greater protection.

Some of those developments include:

  • September 2016: The Which? super-complaint
  • December 2016: The FCA and Payments Services Regulator's response to the super-complaint
  • February 2018: The regulators' ongoing work, leading to the Policy Statement proposing that a contingent reimbursement model should be established under the oversight of a steering group
  • December 2018: The expansion of the Financial Ombudsman Service's jurisdiction (pursuant to PS18/22) to include a victim of APP fraud from 31 January 2019
  • February 2019: The publication of the final CRM Code, alongside a number of industry responses to the Steering Group’s Consultation Paper.

More recently, on 2 April 2019 Her Majesty’s Inspectorate of Constabulary and Fire & Rescue Services published the “Fraud: Time to Choose” report.

For the financial services industry, the report highlighted that, in the absence of additional resource devoted to policing measures specifically targeting fraud, there is a growing expectation that industry stakeholders will need to confront it.

Indeed, UK Finance’s response to the report recognised the requirement for the finance industry to play a substantial part.

What are the CRM code's objectives?

The CRM code has at its heart the following overarching objectives:

  • To reduce the occurrence of APP scams
  • To increase the proportion of customers protected from the impact of APP scams, both through reimbursement and the reduction of APP scams
  • To minimise disruption to legitimate payment journeys

The code will offer customers a swifter and more generous outcome than has often been the case to date and, certainly, more than is required under the PSRs. Broadly, the outcome for customers will be as follows:

    Level of care met Level of care not met
PSP Level of care met Customer reimbursed A PSP may choose not to reimburse – subject to other factors
Level of care not met Customer reimbursed Customer reimbursed

As for who bears the cost of this reimbursement, the code proposes the following (if both paying/receiving PSPs are code participants):

    Level of care met Level of care not met
PSP Level of care met The paying PSP can make a claim against the “no blame” fund. If customer is reimbursed, the paying PSP can make a claim against the “no blame” fund.
Level of care not met The allocation mechanism will apply between the paying and receiving PSPs  The allocation mechanism will apply between the paying and receiving PSPs 

What does this mean for PSPs?

The code establishes “Standards for Firms” against which PSPs’ processes can be measured. As can be seen above, a PSP not meeting these standards will be required to reimburse victims and may suffer an impact to confidence in its fraud prevention measures.

Further, the code also provides for a "no blame" fund to reimburse PSPs where they have met the required level of care (and the victim has been refunded), and an allocation mechanism for situations where PSPs have not.

If a PSP is signed up to the code, the questions it needs to address are:

  • What additional standard of care does the code impose?
  • How should decisions on reimbursement be reached in the requisite timeframe?
  • How does the "no blame" fund and allocation mechanism function to resolve disagreements between PSPs?

These questions merit detailed examination. I have set out some thoughts on each in the articles below:

If you have any questions or thoughts you would like me to explore as part of it, please get in touch at james.gliddon@footanstey.com.