LSB Chief Executive, Emma Lovell, spoke online at the Joint meeting of the ACCC Consumer Consultative Committee (CCC) – ASIC Consumer Consultative Panel (ACCP) in Sydney, Australia this morning about the rise in Authorised Push Payment (APP) scams and the work the LSB has done to tackle them in the UK. You can read Emma’s speech below.
*The notes below may differ from those delivered on the day*
Introduction to the LSB and the Code
Hello, my name is Emma Lovell and I am the Chief Executive at the Lending Standards Board – the LSB. I’m really pleased to have been invited to talk to you today about the rise in Authorised Push Payment scams – or APP scams – and work we have done to challenge them in the UK.
We know that APP scams are a worldwide issue, and so I hope that some of the insights and information I give you today will prove useful in developing further protections for consumers from APP scams in Australia.
To start off, I thought it may be useful to provide you with a little background information about us before I jump straight in.
The LSB is the primary self-regulatory body for the banking and lending industry in the UK. We have a clear goal – to drive fair outcomes for personal and business customers within financial services. We do this through robust, independent oversight of Standards and Codes we set and oversee. Our registered firms comprise the major UK banks and lenders, credit card providers, debt collection agencies and debt purchase firms. Signing up to, and importantly, adhering to the Standards and Codes which sit within our remit is a clear indication that a registered firm is committed to best practice in the treatment of its customers. Among our Standards and Codes is the Contingent Reimbursement Model Code, or CRM Code, which is the only set of protections of its kind for consumers from APP scams.
An APP scam occurs when a customer is tricked into paying an account they believe belongs to a legitimate payee, but in fact, belongs to a scammer. There has been a significant rise in APP scam cases in recent years. Fraudsters are constantly adapting the way in which they scam their innocent victims. They are taking advantage of situations like the Covid-19 pandemic, where people are potentially feeling more isolated and vulnerable. They prey on vulnerabilities, conditioning people to fall victim to their scams through social engineering. Scams are becoming ever more sophisticated, joined up and are constantly evolving in their nature, which makes tackling them a huge challenge.
The one consistent factor of these scams is the monumental impact they have on their victims, often leaving feelings of shame and embarrassment, as well as financial and emotional distress. It is our goal to help protect customers from this distress and we therefore take our role as governors of the CRM Code for APP scams really seriously.
I’m shortly going to delve deeper into the activity surrounding the CRM Code to date, including discussing:
- how the Code came about;
- the vital importance of its prevention measures, which includes our work around effective warnings; and
- measuring the success of the Code.
Within these, I will also discuss some of the challenges that we have seen and faced which may hopefully provide some useful considerations for you as you increase protections for customers.
The introduction and purpose of the Code
So, what is the CRM Code and how did it come about? Well in 2016, a UK consumer body – Which? – submitted a super-complaint to the UK’s Payment Systems Regulator regarding APP scams and concerns over the level of protection for customers who fall victim to them. A steering group was formed, comprising regulators, consumer champions, financial services providers and other industry representatives. The group was tasked with designing and implementing an industry code, and subsequently the CRM Code was developed and it launched in May 2019.
With the Code in place – an oversight body was needed to monitor ongoing activity. After all, without that independent, robust oversight, how could the industry be sure that the Code was being implemented and adhered to, and good outcomes were being achieved? The LSB became the official governing body of the Code just a few months later in July of that year. Our role is to monitor signatory firms’ adherence to the Code, and where it is not being adhered to, take action immediately, as well as to ensure the Code remains as effective as possible in providing vital protections for customers.
The Code has three primary objectives: to detect, prevent and respond to APP scams and as I have mentioned, it is currently the only set of protections of its kind for customers in the UK.
Banks and other financial services firms sign up to the Code and commit to take a number of steps aimed at protecting customers from APP scams. There are currently ten Code signatories. These firms have committed to:
- take steps to educate their customers about APP scams;
- identify higher risk payments and customers who have an increased risk of becoming a victim of a scam;
- provide effective warnings to customers if the bank identifies an APP scam risk;
- take extra steps to protect customers who might be vulnerable to APP scams;
- talk to customers about payments and even delay or stop payments where there are scam concerns;
- act quickly when a scam is reported;
- take steps to stop fraudsters opening bank accounts; and
- reimburse customers who lose money where they were not to blame for the success of a scam.
This is the first set of protections in the UK that combines both prevention and reimbursement measures, and marked a major milestone in the protection of consumers against APP scams.
The importance of cross-sector collaboration
We all have a role to play in scam prevention and although this importantly remains at the top of the agenda for the financial services sector, scams simply don’t occur at the point of payment. There are multiple different sectors involved in each customer’s payment journey, and therefore there are multiple opportunities to intervene and prevent scams.
This cannot be a fight for the financial services industry to take on alone. That is why we are calling for urgent collaboration from utilities companies, social media platforms and telecoms companies for example, alongside the financial services to make a public commitment that they too, will be held accountable when scams slip through the net. By coming together, we can analyse where the ‘danger spots’ lie within the customer journey and each organisation can take responsibility for intervention at the right point and actively contribute to the solution.
As I mentioned before, the Code is the only form of consumer protection in place, and my first thought to share with this group is engaging more widely than the financial services to bring the whole scam journey into consideration at the outset, as this is, in our view the best chance we have of intervening at the earliest opportunity and protecting customers from the resultant distress of a scam, and stopping these scams in their tracks.
Effective warnings and a customer’s ‘reasonable basis for belief’
I’d like to talk about one of the key prevention measures now in more detail, and that is the effective warnings provision of the Code. This is an essential tool in preventing APP scams, as warnings can trigger a customer to stop and consider whether a payment should be made.
We conducted a thematic review of the effective warnings provision in 2020, and whilst we found that signatory firms had taken this provision as a serious tool in efforts to prevent APP scams taking place, more needed to be done. We found that warnings were not always dynamic or tailored to the type of transaction taking place, and in some instances, warnings were not present at all.
One of the amendments we have since made to the Code is the introduction of a governance and oversight provision. Firms should have the correct governance structures in place, and utilise MI to analyse the effectiveness of warnings and the impact they had on the customer, if at all, at the time of making the payment to help establish which are working most effectively. And then use this information to better shape them.
It is important to note that the social engineering so often used by scammers, together with the evolving sophistication of scams, are convincing enough to make a payment, and the circumstance in which it comes about, appear genuine. This means that often by point-of-payment, the customer is already convinced the payment is legitimate and therefore not even the most tailored or dynamic warning can break the spell they are under.
So although effective warnings are an important tool in preventing scams, they cannot and should not be used as a strict measure of liability. To that end we cannot assess firms’ individual warnings; it would be impossible to put ourselves in the shoes of the customer at the time they make the payment and we cannot take into account other factors that might have impacted their decisions at the time. This is why the Code requires registered firms firstly to assess the effectiveness of their own warnings but also to understand the customer’s ‘reasonable basis for belief’ at the time they made the payment when assessing the customer’s claim. The CRM Code recognises that a person’s circumstances may make them more susceptible and therefore sets out provisions for firms to adhere to, to recognise and respond to customers in these situations. Asking the customer questions about their individual circumstances at the time of the scam allows signatory firms to make an assessment as to whether it was reasonable for that customer to believe they were making a genuine payment to a genuine payee. Because this is done on a case-by-case basis, the impact of warnings cannot be assessed in isolation.
And so this is an area that requires more work, and constant focus as the scam landscape evolves. In addition to working with signatory firms to ensure they have the right mechanisms in place to design and implement effective warnings, we will shortly be undertaking some detailed work to better understand what makes a warning effective and to provide guiding principles to firms.
How do we measure the success of the Code?
I’d like to move on now to talk about the vital importance of goal setting and defining from the outset what success looks like.
When the Code came into play in 2019, there were no defined success measures. As a consequence, there is currently significant focus on reimbursement figures alone, as this is the only measurable statistic currently in place.
Looking at reimbursement figures alone cannot paint a true picture of the Code’s impact. For example, higher reimbursement figures could actually be an indication that a firm needs to strengthen their prevention measures. So not only is it critical to be able to provide a more rounded picture of the success of the Code against all of its objectives, but that when that is communicated it is clear to the audience exactly what that means to them. This will also help shape future amendments to the Code or indicate areas the industry need to apply more focus on.
Although reimbursement is vital to reversing the financial harm caused by a scam, it cannot prevent or expunge the feelings of distress, shame and embarrassment so often associated with these scams. That’s why the detection and prevention measures outlined in the Code are critical and are the only way that customers can truly be protected from the impact of scams. We are working with the industry on defining the success measures of the Code, to ensure that prevention and detection data can be recorded so we can see the true impact the Code is having.
Seeing the success of the Code will give signatory firms the incentive to continue working hard to adhere to the provisions and ramp up protections, but it will also incentivise non-signatory firms to sign up to the Code and the robust oversight programme that comes along with that registration. A key recommendation in this respect would be to ensure at the outset of any regulation its impact can be measured beyond reimbursement.
Current activity and next steps
So, what are the next steps for us as governors of the Code, for the Code itself, and for our industry in general in this fight against APP scams?
Well last year, having undertaken a full review of the Code, including a public consultation, we set out a series of activities that we have committed to undertaking in order to ensure the Code remains as effective as possible in providing consumer protections.
Much of this activity is already underway. For example, we have produced a new customer information document to help heighten consumer awareness, have held roundtables with senior executives from signatory firms to ensure actions from our reviews are embedded without delay, and in order to drive consistency of application of the Code, we have introduced a new provision which sets out expectations around governance arrangements. This new governance and oversight provision mentioned earlier has been introduced to ensure consistency of application across signatory firms – something that we have found issues with during our reviews.
There have been industry calls to see reimbursement protection become universal, potentially by making the Code mandatory or mandating reimbursement, but a decision has yet to be reached. Mandatory or not – the work that has been done to date has and will continue to protect customers from these devastating scams and will prepare firms for what happens next. And my final recommendation here would be that from the outset, in any area of new regulation, and based on what we have found, a focussed oversight model should be in place to ensure the provisions are being met and where they are not action is taken swiftly to remedy that. Regulation on its own is not enough.
Further updates to the Code will also be made so a wider range of business models can sign up to its vital protections whilst ensuring a consistent level of protection across the board. The protections the Code provides are likely greater than the stats suggest, as we know other firms that have not yet signed up are working towards the Code’s principles. We make no bones that the Code is robust in its approach – we need it to be so customers are protected – despite this, we are asking firms who can sign up to work towards doing so without delay.
And so before I offer to take any questions, I will briefly summarise our key recommendations:
- Scam protection must go beyond financial services; all sectors such as social media platforms, telecoms and utilities in the customer journey should be held accountable for the part they have to play in preventing scams from reaching financial institutions, as it’s almost too late at that point.
- Effective warnings are a critical tool in the prevention of scams, but they require constant monitoring and should evolve. They cannot be a strict measure of liability.
- Customer protection should be the key focus here, and it is easy to lose sight of what that really looks like when there is a sole or increased focus on reimbursement. There should absolutely be protections in place for those that do fall victim, but prevention is key and any form of regulation should ensure that preventing customers from falling victim is at the forefront and brings all parties into the discussion that can demonstrably help.