Last month, the CRM Code, which has safeguarded customers from Authorised Push Payment (APP) fraud since 2019, will be replaced by a new framework from the Payment Systems Regulator (PSR). Overseen by the Lending Standards Board (LSB), the CRM Code covered over 90% of APP fraud cases. In 2023, signatories reimbursed 73% of customer losses, a significant increase from 23% before the Code’s introduction.
The Contingent Reimbursement Model (CRM) Code – which put in place requirements for signatory Payment Service Providers (PSPs) to detect, prevent and reimburse Authorised Push Payment (APP) fraud – closed on 7 October as new statutory rules on APP fraud reimbursement come into effect, the Lending Standards Board (LSB) has confirmed.
Since its introduction in 2019, the CRM Code, which is governed by the LSB, has had a significant, positive impact in the fight against APP scams. This type of fraud sees customers tricked into authorising a payment to a scammer posing as a trusted individual or organisation.
The CRM Code, which covered over 90% of reported APP fraud cases in 2023, has helped drive up reimbursement rates for victims and improved the financial services sector’s ability to prevent and detect APP fraud, helping to limit the harm that these scams cause consumers.
With the CRM Code in place, reimbursement rates have more-than trebled, with 73% of CRM Code customers’ APP fraud losses reimbursed by PSPs in 2023 – up from just 23% in 2018 (the year before the Code’s launch).
The average amount of money stolen per reported APP fraud case has tumbled from £4,200 in 2018 to £1,600 in 2023 for customers covered by the CRM Code (and £2,000 for all customers).
As the CRM Code has bedded in, the amount lost through APP fraud has begun to fall – £460m was stolen in 2023, representing a 20% fall from the 2021 peak.
The rate at which APP fraud has increased has slowed dramatically, from a runaway 45% year-on-year increase in 2019 to 12% annual growth in 2023.
The Financial Ombudsman Service (FOS) has noted that over half the complaints received about APP fraud reimbursement come from customers not covered by the CRM Code – while CRM Code customers’ complaints are more likely to be upheld.
Emma Lovell, Chief Executive of the LSB, said: “The CRM Code has been a milestone improvement in customer protections – vastly increasing the chances of customer reimbursement after an APP scam and having a significant impact on the financial services sector’s efforts to prevent their customers from falling victim to an APP scam in the first place.
“The CRM Code’s focus on prevention and detection, in particular, demonstrates what can be done when financial services firms pull in the same direction and opt to go above and beyond statutory requirements. Crucially, this focus on prevention not only limits harm to customers but stops money reaching criminals too. While there is still much work to be done to tackle APP fraud, the CRM Code’s signatories have delivered better outcomes for their customers over the last five years. We’re proud of the Code’s impact.”
The CRM Code covered ten PSPs, comprising major high street, digital, and challenger banks, lenders and other providers. It was launched in May 2019, with the LSB’s independent oversight starting in July 2019.
Since its introduction, the LSB has monitored signatory PSPs’ implementation of the CRM Code, including specific reviews of signatory PSPs’ approaches to reimbursement and their use of effective warnings to halt payments to fraudsters. The CRM Code was subject to a full review in 2021. The LSB has also conducted research into what makes a scam warning effective, with recommendations rolled out to signatories.
In June 2021, the LSB issued a warning to all CRM Code signatories, requiring all firms to improve the consistency of their reimbursement processes, how they identify vulnerable customers, their use of effective warnings, and their record keeping. Signatory PSPs responded to the warning with significant increases in reimbursement rates as well as decreases in the amount of money stolen through APP fraud.
The CRM Code’s protections have been based on three key pillars: the detection of payments which may have been made as a result of a scam; the prevention of APP fraud; and a requirement for signatories to reimburse customers who fall victim through no fault of their own.
The incoming statutory framework for the reimbursement of APP fraud victims, which will be overseen by the Payment Systems Regulator (PSR) from 7 October, does not contain specific APP fraud prevention or detection requirements, includes the option for PSPs to levy an ‘excess’ fee of up to £100 per claim, and will cap reimbursement at £85,000. The CRM Code does not feature any excess fees or reimbursement caps.
Lovell adds: “Reimbursement following a successful scam helps undo the financial impact of fraud on a customer, but reimbursement alone cannot undo the emotional distress so often associated with APP fraud.
“PSPs signed up to the CRM Code have worked hard on putting preventative measures in place since 2019. Even though the new regulatory framework does not include prevention requirements, I’d expect the CRM Code signatories to continue to build on the progress they’ve made, and the sector must ensure that the momentum from the Code is not lost. The Code has helped slow, but not yet reverse growth in the number of APP scams; now is not the time to lose focus. The prevention of APP fraud must remain top of the agenda for all PSPs, otherwise there is a risk that customer harm may increase under the new framework.
“PSPs that will now be required to reimburse customers for the first time should look to the Code to catch-up on the lessons already learned by signatory firms.”
Click below to share this article