The industry-supported Contingent Reimbursement Model Code seeks to ensure better customer outcomes are at the centre of the fight against Authorised Push Payment fraud. As the regulatory oversight body of the Code, we examine the impact the voluntary Code has had to date, what needs to happen next and why its protections are here to stay.
Emma Lovell, Chief Executive
Authorised Push Payment (APP) scams are increasingly complex, convincing and widespread. And with ever more customers sending and receiving payments online, growing numbers are falling victim to these types of scams.
There has been a significant rise in APP scam cases in recent years. And the victim of the scam is not the only affected party here. These scams can often form part of a wider, serious organised crime issue. Scammers aren’t slowing down, so protections and the fight against authorised push payment fraud need to be stepped up.
The Contingent Reimbursement Model Code (CRM Code) was introduced in 2019 to tackle the problem. The Code – which is governed by the Lending Standards Board (LSB) – sets out consumer protection standards to detect, prevent and respond to APP scams and is the only set of consumer protections specifically for these types of scams.
Our first full review of the Code found it is proving effective in protecting customers from APP scams, when implemented correctly, and since its introduction, more than double the number of victims have been reimbursed. But more needs to be done. In particular, the review revealed gaps in consistent application across signatory firms. The focus now must be to build on the Code’s success and address any shortcomings.
What is the Code?
APP scams occur when customers are tricked into authorising a payment to an account they believe belongs to a legitimate payee. The CRM Code sets out consumer protection standards to counter such scams. Under the Code, signatory firms commit to:
• Protect customers with procedures to detect, prevent and respond to APP scams.
• Prevent accounts being used to launder the proceeds of APP scams.
• Reimburse customers who fall victim through no fault of their own.
Work in progress
The Code provides the framework for signatory firms to implement and embed much needed protections for customers from APP scams.
This year, we set out a series of recommendations to ensure the Code, and the protections at the heart of it, continue to work as effectively as possible.
Our review found the Code’s principles enjoy strong support across all stakeholders. Signatory firms understand the Code’s value and the customer protections it provides. Yet consumer awareness remains low, and industry take up has been slower than expected. And where firms have signed up, we’re seeing inconsistencies in both application and outcomes.
Oversight is crucial to the value and effectiveness of any code. Signatory firms sign up to the robust oversight the LSB provides to ensure they can work towards getting it right. This takes time.
Our oversight hasn’t been able to immediately deliver the story we want to hear – that the signatory firms have fully embedded the Code. Critically, however, signatory firms have committed to work towards achieving that goal and work in this space demonstrates their determination to get there for their customers.
Firms want to get their APP scam response right. They know they aren’t there yet, and key executives regularly engage with us to understand how to remedy that. We are also having direct contact with a diverse range of signatory firms’ employees, from senior management to front line staff, as the Code becomes more embedded within the culture of signatory firms.
Collaboration to tackle the increase in scam attempts and reinforce prevention is a growing focus. By sharing insights on why some scams proceed and others are abandoned, firms are honing their prevention measures to ensure fewer customers fall victim. This is not simply a refund code. Scam victims often suffer emotional distress, with feelings of guilt, shame, worry and embarrassment all too common – feelings that can’t be expunged through reimbursement. Effective detection and prevention measures are critical to averting this distress. We must also keep in mind that even when customers have been reimbursed, the original money may have been lost to the scammer, in many instances funding organised crime. That’s why we are currently reviewing the role of the receiving firms in the customer payment journey. Ultimately we need to ensure that these scams are prevented from succeeding in the first place.
The Code’s successes to date show we are on the right track, but greater speed in implementation and embedding is needed.
Further work is required to define the success measures of the Code, too. While the APP scam prevention, detection and reimbursement objectives are clear, there has been no signatory firm or stakeholder-wide consensus on how to determine whether these objectives have been met.
Over the coming months a series of workstreams will begin to define success measures of the Code, engaging signatory firms, regulators and industry stakeholders. This will kick off in October with a CEO roundtable for signatory firms.
Getting more firms to sign up to the Code – which will both increase collaboration and improve current data analysis – will also be crucial. The protections the Code provides are greater than the stats suggest, as we know other firms that have not yet signed up are working towards the Code’s principles. But only by becoming signatories and working collaboratively to define the success measures and to implement the Code in its entirety can the Code’s full potential be realised.
Improving industry best practices
The Code’s influence is clear. For example, the Open Banking Implementation Entity is working to harmonise its standards with the Code so customers using Payment Initiation Service Providers to conduct payments also have protections in the open banking environment. The Payment Systems Regulator’s Managing Director Chris Hemsley also recently observed that the Code “has improved the lives of many victims.”
Industry calls to see reimbursement protection become universal, potentially by making the Code mandatory, are being made. But no decision has yet been reached.
Within signatory firms, we are seeing firm-wide cultural shifts towards ensuring good customer outcomes take root. Significant progress is also being made on the actions from our follow-up review. This work will stand signatories in good stead should the Code become mandatory.
Our own testing and oversight processes will be completed early next year. Since the Code is the only protection customers have against these types of scams, we are focusing on long-term solutions to ensure the measures remain effective.
Now is the time for non-signatory firms to sign up. By further adding to the Code’s momentum, we can ensure industry best practices continue to improve and a growing base of customers can be protected from such scams.