Introduction
The Contingent Reimbursement Model (CRM) Code came into force from 28 May 2019 and brought with it increased protections for customers against authorised push payment (APP) scams. Firms signed up to the CRM Code agreed to implement procedures to detect, prevent and respond to APP scams, whilst providing an increased level of protection for customers considered to be vulnerable to such scams. Firms also agreed to take steps to reduce the number of accounts being used to launder the proceeds of APP scams.[1]
A central tenet of the Code is that customers of a Payment Service Provider which is signed up to the Code can expect to be reimbursed where they were not to blame for the success of the scam. The decision about whether a customer receives their money back is made following an investigation by the firm and should be on the basis of the customer’s individual circumstances.[2] The Code sets out that ‘when a Customer has been the victim of an APP scam Firms should reimburse the Customer’ but that a ‘firm may choose not to reimburse’ if it can establish any of the listed exceptions are found to apply.[3] Before deciding that a customer made a payment ‘without a reasonable basis for believing’ the payment and payee was legitimate, firms must consider the ‘characteristics of the Customer and the complexity and sophistication of the APP scam.’[4]
This thought piece will consider how firms can understand the ‘characteristics’ of a customer when investigating a case under the CRM Code. It will do this by looking at the different stages of the investigation and the evidence gathering conducted by investigators. This includes looking at how a customer’s individual circumstances affect how they could fall victim to a scam; the skills needed to get a holistic view of a customer’s situation; how firms should record any information that is gathered; and the importance of explaining a decision to a customer.
By sharing our thoughts with firms signed up to the CRM Code, we aim to increase the consistency of approach and promote examples of best practice at a time when APP scams continue to be a focus of regulatory and media attention.
Different people, different scams
An individual’s situation at the time of an attempted scam impacts the likelihood of them falling victim to it. Scams are often aimed at a large number of people, with scammers knowing they will only be ‘successful’ on a few occasions. This highlights a basic but important point; that different people have the potential to fall victim to different types of scam. This is why firms signed up to the CRM Code cannot simply reject a case outright, regardless of the type of scam. Rather, firms need to look at the customer’s situation and consider it along with other important details, such as the sophistication of the scam.
Even for customers who are aware of the risk of being scammed, the volume and vast array of scam types creates a risk of falling victim to one. Firms spend a great deal of time and resource monitoring and assessing new types of scams. Any insights that are gathered are then used to ensure their own systems are protected, that their staff are aware of scams affecting customers, and, importantly, educating customers on scam types so they can best protect themselves. Education is a key part of the CRM Code as it mitigates the risk of customers falling victim to scams in the first instance.[5]
APP scams can take many forms and have different levels of sophistication. The range of scam types that fall within the scope of the CRM Code mean that firms must take care to get all relevant details of the scam from the customer, along with any other evidence to demonstrate what occurred. By considering the detail of how the scam was delivered, for example, if exclusively online or with an element of personal interaction with the customer, an investigator can begin to understand how the customer became a victim of a scam. It is only then that, along with understanding the other details of the scam and the requirements of the CRM Code, a decision can be made on whether the customer is going to be reimbursed.
The CRM Code requires that controls are put in place to protect customers against scams.[6] Part of these controls are effective warnings. These should be delivered at certain points in the payment journey (for example, when setting up a new payee or before a payment is authorised) and should, where possible, be specific and tailored to potential scams and the type of payment being made.[7] The provision of effective warnings is always evolving, as they must change to account for new scam types and emerging risks. However, some firms have confidence that their existing warnings make it clear to customers the risks involved in certain types of payments and that steps are given to customers that would mitigate the risk of them being scammed.[8] Firms must ensure that in all instances when investigating a CRM case, the details of the scam and the customer’s individual circumstances are considered, without a claim decision ever solely relying on the provision of a warning.
Seeing the whole picture
The type and level of contact between a CRM firm and a customer who has fallen victim to an APP scam will depend on the individual firm’s processes and policies, and it will often be influenced by the scam type and level of loss. For example, where a customer has been the victim of a low value purchase scam, the customer may speak to the firm’s fraud contact centre once when reporting the scam, before the case is handed onto the investigation team. When an APP scam is more complex or high value, it is possible that the customer is spoken to on multiple occasions before a decision is made on the case, including when reporting the scam and during the investigation period.
In situations where the customer’s reporting of the scam is taken in one instance (such as at first point of contact), firms must be confident that their approach ensures that all relevant details are gathered at the time. This includes information about the customer’s circumstances and whether there are any vulnerabilities that need supporting or that could have impacted the customer being scammed.[9] Even in seemingly ‘simple’ cases, it is important that firms gather all information relevant to the scam. Accurate records of the account given by a customer must be made, both for an audit trail to evidence the reasoning behind a case decision, but equally so other colleagues within the firm can get the whole picture of what the customer said. This is especially important in instances where the customer’s initial account is taken by one member of staff (for example, within a fraud department contact centre), before the case is handed onto another team for investigation. Without accurate records of what was said by the customer, the firm risks making case decisions based on incomplete or inaccurate information.
For all interactions, including those at the point of reporting the case and further along the investigation phase, it is vital that good conversations are held with customers. This means having staff who actively listen to the customer’s account of the scam and take time to understand their situation. Open questions should be used to establish what occurred and the conversation should flow naturally, to avoid sounding process driven or displaying a ‘tick-box’ approach.
Enabling good conversations
Firms signed up to the CRM Code will want all their staff to have good conversations with customers, regardless if it is about a scam or any other part of a customer’s journey. However, in a similar manner to when dealing with vulnerable customers, it is especially important to hold open and engaging conversations when investigating an APP scam. This is because without allowing the customer an opportunity to provide their account of the scam and their situation at the time, it is possible the wrong outcome is reached when assessing the case.
The best way to ensure that good conversations occur is through training, monitoring, and continual development. Firms should consider the training that has been provided to those staff tasked with gathering information and investigating cases under the CRM Code. There is a large amount of technical and process information that staff need training on to deal with cases and it is possible that as a result, there has been less focus on the ‘soft skills’ needed to engage with customers. If this is the case, firms should look to include soft skills within the training programme for new joiners and ensure that it forms part of the refresher training for existing team members.
Good conversations are more likely to occur when staff appreciate the importance of customer engagement during the reporting and investigation stages of an APP scam. Staff with an understanding that open questions and active listening are a central part of the investigation phase should be more able to adapt to the flow of a conversation. This will help them build a relationship with the customer whilst getting the information that is required to make a fair assessment of the case. The need for soft skills goes beyond an expectation of good customer service, but rather is integral to ensuring the correct outcome.
It could be beneficial for firms to consider soft skill training in conjunction with staff working on the systems they use to set up a case or add information in the live environment. Firstly, this could provide more realistic training for staff, so they can see how to utilise active listening and questioning whilst using the system. Secondly, it offers an opportunity for the firm to see if their systems allow for good conversations and where, in the longer term, re-ordering how information is gathered or recorded could improve the process.
An important part of ongoing training involves keeping investigators up to date on the emerging scam types facing customers, including how a customer’s personal circumstances could make them vulnerable to particular types of scams. For example, a firm could see through its monitoring that a new type of scam is targeting customers shielding at home due to the coronavirus. It would be highly beneficial to make investigators aware of this as it would add insight to cases they may have involving such customers. It would also enable staff to educate customers about the scam and potentially mitigate the risk of others falling victim to it.
Good conversations – assurance and continual development
Quality assurance (QA) frameworks and processes will already be in place across firms signed up to the CRM Code. Firms should be confident that their QA process captures the information gathering stage of customer contact. QA checks should go beyond just reviewing what is recorded on a system and checking it is an accurate reflection of what the customer said. Quality checks should also give a judgement on the quality of the conversation and whether it allowed the customer the opportunity to give their side of the story.
Providing QA feedback can sometimes be challenging when discussing subjective areas, such as the tone or pacing of a call. It is very possible that an adviser asks all the right questions but that the delivery, for example, their active listening or positioning of questions within the call, required improvement. In such situations, QA staff need to have the confidence to openly engage with the adviser to understand their thoughts on the call, before discussing how it could be improved. QA staff should have support structures in place, so they can share thoughts with colleagues and management when unsure on whether a customer contact reached the required standard.
Firms should be confident in the feedback loop between QA teams and the first line. Alongside informing the adviser on the QA check itself (such as whether a pass or fail, or if there are areas for improvement), there should be training and development delivered to improve future calls. It should be clear who is responsible for this training, so that QA staff know if it is up to them or the adviser’s line manager. If this is unclear, there is a risk that advisers do not receive the development they require to improve for future customer contacts.
The CRM Code has a specific section on the treatment of vulnerable customers.[10] Within this, the Code recognises that vulnerability is ‘dynamic’ and that a number of different elements, including the personal characteristics of the customer, can create a vulnerability. The LSB has previously seen incidents where vulnerability was not correctly identified in the CRM space.[11] As a control against vulnerability going undetected, inadequate support being offered, or incorrect outcomes being reached, QA should check that the vulnerability process has been correctly followed. In instances where this is not the case, it is vital that firms not only develop and train the adviser involved, but also that the case is reviewed to ensure any customer detriment has been addressed and rectified.
As well as ensuring that individual advisers receive any feedback as a result of assurance testing, there are benefits to firms analysing QA results across the teams handling APP scam cases. Analysing where assurance activities are discovering QA fails enables firms to consider if this is a case of repeated adviser error or misunderstanding, or whether this is a process or policy issue. This insight then influences the corrective actions, for example, if further training is required on an area of the APP journey or the process itself needs to be reviewed and, potentially, changed.
The customer’s circumstances and supporting information
When firms are given an account of what occurred during an APP scam, it is likely that they will wish to review any available information for evidence to support what has been said. It is important that staff understand that information should only be requested when it is needed in the assessment of the case. This mitigates the risk of the process being unnecessarily slowed down.
We have seen situations outside of the APP setting where evidence was requested from customers without there being a clear reason for it. For example, one firm’s policy was for customers to be taken at their word if they disclosed a medical condition, but staff mistakenly thought that evidence of any medical need was always required. This misunderstanding of the policy risked creating additional steps for the customer and slowed down the process for offering support.
To mitigate the risk of something similar happening when assessing APP scams, firms should be confident that the process for requesting evidence is clear and that training is provided to support the firm’s approach. Quality assurance testing should also check that any supporting evidence requested from the customer was proportionate and required for the assessment of the case.
When speaking to a customer about the steps taken to check that a payment was real, there will be a number of checks that an investigator can make without requesting information from the customer. For example, if a customer says that they have made previous payments to the same company (or who they believed to be the same company) over a period of time, investigators may be able to see this on their account. This type of evidence could play a role in assessing whether or not the customer had a ‘reasonable basis for believing’ that ‘the payee was the person the Customer was expecting to pay.’[12]
Record keeping
If staff do not have a clear understanding of what is required in relation to record keeping and APP cases, firms risk having an inconsistent approach within their investigator teams and it being difficult to see how a decision was reached. This could undermine the quality controls that firms have on the process, making it difficult to say that a case was assessed correctly and the right outcome reached, if there are insufficient notes of the steps taken and rationale applied.
When a decision is reached on a case under the CRM Code, notes on the system should be clear on the details of the scam and the customer’s individual circumstances at the time, as they relate to the case. When a customer has provided their version of events, including any information such as vulnerabilities or reasoning as to how the scam occurred, this should be clear on the system and easy for others to find. Firms may decide to have a process where a particular note type or name of system note be applied to any case summaries. This can make it easier for others to see that adequate notes were taken and what the reason behind an assessment was.
Alongside the details of the scam and the customer’s situation, notes should include the steps taken during the assessment of the case, including describing the evidence that was reviewed. If key evidence (for example, supporting the customer’s version of events of how the scam took place) is reviewed but found to not influence the outcome, notes should describe the reason for this. It is important that the investigator’s rationale for a decision is clear on the system, as this increases the effectiveness of assurance testing and ability to conduct customer journey reviews.
Firms and their staff should understand that clear and informative notes do not necessarily mean lengthy or verbose ones. It is not expected that each case has pages of notes accompanying it, but that the key information used to assess the case is described and that it is clear how a decision was made. The expectation should be that any individual could review the case and understand what has occurred on it, without having to reassess the case to see how the decision was reached.
Quality assurance checks should review the notes left on cases. Feedback along with training and development should be delivered when notes are found to be lacking in detail or a rationale for a decision. To make this effective, QA staff must first themselves be clear on what constitutes adequate record keeping. By checking QA teams’ understanding in this area, firms can see if additional training is needed to increase their knowledge of what is required.
Communicating the outcome
The way a decision is communicated to a customer will have a great effect on their overall feelings of the process and the ‘fairness’ of the decision. It is easier for a customer to accept a decision, even one that goes against them, if it is clear that their specific situation was understood and considered in the process. Without a clear communication of the decision and, importantly, the rationale for it, customers are more likely to feel they have not been heard or treated fairly.
One way for firms to think about the importance of communicating a decision is in relation to a complaint. When a complaint is made and a decision taken on whether to uphold or reject it, the customer is not simply told the outcome. Instead, it is explained to the customer why that decision was taken, along with providing background on the complaint itself. This demonstrates to the customer that the complaint was listened to and properly investigated, and the same principle is true for scams investigated under the CRM Code.
Firms will have individual policies in place on how a customer should be informed of the outcome of the CRM Code investigation. A number of different mediums are currently used by firms including telephone calls, letters, emails and even text messages.[13] By reviewing the channels that are used to communicate decisions, firms should consider whether they are suitable to effectively communicate decisions. If the way a decision is currently communicated does not allow for a reasonable level of detail to be included, firms may wish to consider if alternative channels are better placed to deliver those messages. Firms should also be confident that any decisions provide customers with an avenue to challenge the decisions, provide further evidence, or complain.[14]
Effectively communicating a decision gives firms the opportunity to ‘show their working’, meaning the customer understands what has been considered and how it has affected the outcome. Providing limited information, for example, saying that the claim has been assessed and the customer will not be reimbursed, does not clearly explain the process followed under the Code. Rather, by explaining the rationale, with reference to the nature of the scam and the customer’s situation, firms can show that a full investigation was completed and all aspects of the claim considered.
Conclusion
By considering the ‘characteristics of the Customer’, firms are more likely to reach the right outcome when assessing claims under the CRM Code. Practising active listening and taking the time to fully understand the customer’s situation gives the customer confidence that their case was properly investigated. Any decision should be effectively communicated to the customer, with an explanation of the rationale, so the customer understands why they are, or are not, being reimbursed following a scam. Customers should also know what to do if they disagree with the outcome or want to provide further information.
Second only to delivering fair outcomes is being able to demonstrate that you have done so. This is achieved by firms having consistent and robust record keeping practises, with notes recording what was said by the customer and the rationale for any decision. Supporting evidence should be requested only when it is relevant to the case, to ensure there are not any unnecessary delays in reaching an outcome. QA oversight should focus on both the process elements of the investigation and the standard of customer interaction, with feedback loops and opportunities for development factored in.
By considering the stages of the customer journey described within this thought piece, we hope that firms can continue to develop their existing experience for customers who have fallen victim to an APP scam. If you have any questions about this piece or would like to hear more about Insight & Support, please contact us through the details provided below.
Contact details
Anna Roughley – Head of Insight & Support
annaroughley@lstdb.org.uk – 07392 867 176
Harry Hughes – Senior Insight & Support Manager
harryhughes@lstdb.org.uk – 07387 108 498
[1] LSB, The Contingent Reimbursement Model Code for Authorised Push Payments scams (the CRM Code)
[2] LSB, Authorised Push Payment Scam – Information for Customers on the Voluntary Code
[3] LSB, Reimbursement of a customer following an APP scam (CRM Code)
[4] LSB, R2(1)(c) (the CRM Code)
[5] LSB, General expectations of firms (CRM Code)
[6] LSB, Payment Journey – sending firm (CRM Code)
[7] LSB, Prevention (CRM Code)
[8] LSB, 2.4 Effective Warnings (Review of approach to reimbursement of customers – provision R2(1) (c))
[9] LSB, Customers vulnerable to APP scams (CRM Code)
[10] LSB, Customers Vulnerable to APP scams (CRM Code)
[11] LSB, 2.6 Vulnerability (Review of approach to reimbursement of customers – provision R2(1) (c))
[12] LSB, Exceptions (CRM Code)
[13] LSB, 2.7 Communications (Review of approach to reimbursement of customers – provision R2(1) (c))
[14] LSB, 2.7 Communications (Review of approach to reimbursement of customers – provision R2(1) (c))
Download a PDF of this article here.
