Collaboration to tackle the increase in APP scam attempts and reinforce prevention is a growing focus. Anna Roughley spoke at the Collaboration Network conference yesterday on why we must work together in the fight against APP fraud. You can read her full speech below.
*The notes below may differ from those delivered on the day*
Hello, my name is Anna Roughley and I am the Head of Insight at the Lending Standards Board – the LSB. I’m really pleased to have been invited to talk to you today and would welcome any questions you have later and I think we have some time for that towards the end of this session.
I’m here today to talk to you about tackling the challenge of scams, specifically Authorised Push Payment scams – or APP scams. I’m going to discuss challenges such as:
– the sophistication of these types of scams and how they are constantly evolving in nature
– how vulnerabilities can make customers more susceptible to APP scams and why it’s important for firms to recognise these vulnerabilities when responding to customers who have fallen victim
– that there are nine financial services firms signed up to the only set of protections for customers against APP scams and the importance of broadening that participation
– and finally, how other organisations in the payment journey, such as social media companies and utilities companies, also have a role to play in preventing these types of scams.
To start off, I thought it may be useful to provide you with a little background information about us before I talk about scams!
The LSB is the primary self-regulatory body for the banking and lending industry, our mission is to drive fair customer outcomes within financial services. We do this through independent oversight of the Standards and Codes we oversee.
These are,the Standards of Lending Practice for personal customers, the Standards of Lending Practice for business customers which protect SMEs with a turnover of up to £25 million, which were formally recognised by the FCA last year, the Access to Banking Standard aimed at reducing the impact of bank branch closures on customers and local communities, the remedies from the FCA’s Credit Card Market Study and the CRM Code for APP scams – which I’ve come to talk to you about today.
Our registered firms comprise the major UK banks and lenders, credit card providers, debt collection agencies and debt purchase firms. Adherence to the Standards and Codes which sit within our remit is a clear indication that a registered firm is committed to best practice in the treatment of its personal and business customers.
So, as I mentioned, I’m here today to talk to you about tackling the challenge of APP scams. An APP scam occurs when a customer is tricked into paying an account they believe belongs to a legitimate payee, but in fact, belongs to a scammer.
There has been a significant rise in APP scam cases in recent years. We are living through what some would describe as a scamdemic. And the victim of the scam is not the only affected party here. These scams can often form part of a wider, serious organised crime issue. Scammers aren’t slowing down, so protections and the fight against APP fraud need to be stepped up.
Recent statistics from UK Finance show that APP fraud losses in 2020 were £479million -149,946 cases in total. Fraudsters are constantly adapting the way in which they scam their innocent victims. They are taking advantage of situations like the Covid 19 pandemic, where people are potentially feeling more isolated and vulnerable – and preying on those vulnerabilities.
Scammers are conditioning people to fall victim to their scams through social engineering. They are becoming ever more sophisticated, joined up and are constantly evolving in their nature.
With digital banking becoming ever more popular, especially during and post pandemic, one of the challenges the industry is facing is striking the balance between having a smooth payment journey with little friction – whilst also ensuring effective warnings around scams are given to customers and the right steps are taken to ensure people don’t fall victim to a scam.
APP scams can have devastating impacts on their victims, often leaving feelings of shame and embarrassment, as well as financial and emotional distress. We must work together across different sectors to ensure as many customers as possible are protected from these devastating scams.
Types of APP scam
So, what is an APP scam? As I mentioned, an APP scam occurs when a customer is tricked into paying scammers often life changing sums of money. There are many different types of APP scams. They can be split up into different categories:
– Invoice and mandate – these occur when the victim attempts to pay an invoice to a legitimate payee, but the scammer intervenes to convince the victim to redirect the payment to the scammer’s account.
– CEO fraud – where the scammer manages to intervene the payment process by impersonating the CEO of the victim’s organisation to convince them to redirect the payment to the scammer’s account.
– Impersonation – police/bank staff – where the criminal contacts the victim purporting to be from either the police or the victim’s bank and convinces the victim to make a payment.
– Impersonation – other – when acriminal contacts the victim purporting to be from an organisation other than the police or the victim’s bank and asks the victim to make a payment
– Purchase scams– this occurs when the victim pays in advance for goods or services that are never received.
– Investment – when a criminal convinces their victim to move their money into a fictious fund to pay for a fake investment
– Romance – where the victim is convinced to make a payment to a person they have met, often online through social media or dating websites, and with whom they believe they are in a relationship with.
– Advance fees – when a criminal convinces their victim to pay a fee which they claim would result in the release of a much larger payment or high value goods, however no such payment or goods exists.
Some of you here today may well be very familiar with some of the examples above. For example, I’m sure the majority of us have received a scam text from Royal Mail or another delivery company telling us our parcel couldn’t be delivered, or from HMRC telling us we are due a tax refund – these are examples of APP scams. They are often really convincing and difficult to spot.
What is the CRM Code?
So, what is being done to try and stop these scams and the devastating impact they can have? In May 2019, a new Code was introduced by industry – the Contingent Reimbursement Model Code (CRM Code). This Code sets out consumer protection standards to detect, prevent and respond to APP scams. The Code is currently the only set of protections of its kind for customers.
Banks and other financial services firms sign up to the Code and commit to take a number of steps aimed at protecting customers from APP scams. There are currently nine signatories and one firm going through our interim process – whilst we assess their compliance with the Code.
By becoming a signatory, these firms have committed to:
– Taking steps to educate their customers about APP scams
– Identifying higher risk payments and customers who have an increased risk of becoming a victim of a scam
– Providing effective warnings to customers if the bank identifies an APP scam risk
– Taking extra steps to protect customers who might be vulnerable to APP scams
– Talking to customers about payments and even delaying or stopping payments where there are scam concerns
– Acting quickly when a scam is reported to it
– Taking steps to stop fraudsters opening bank accounts
– Reimbursing customers who lose money where they were not to blame for the success of a scam.
Preventing the distress and upset caused by scams is of upmost importance in the Code. Whilst reimbursement is a key element of it reimbursement cannot prevent the distress and upset often associated with scams.
Protecting vulnerable customers
The Code’s protections are for all customers of signatory firms, but there is a real focus on customers who are vulnerable too.
Vulnerability can take many shapes and forms, and the impact may vary in degrees of permanence and presentation. Factors such as life events, physical health, cognitive conditions including, mental health, literacy and numeracy and caring responsibilities can put anyone in a vulnerable situation. The causes of vulnerability do not exist in isolation and may not derive from personal circumstance alone, in reality, there can be a number of factors at play.
In the context of an APP scam, evidence of a vulnerable situation may not necessarily increase the likelihood of, or result in the customer falling victim to, an APP scam. For example, the fact that a customer is suffering with a physical health condition, may not make the customer vulnerable to an APP scam.
However, where there is evidence to suggest that the nature and extent of the customer’s vulnerability is such that it would not have been reasonable for the customer to have protected themselves from falling victim to a scam, they should be reimbursed.
To give you an example, picture a situation where there is a bereavement in a small family business and the person responsible for billing has to take time off as a result. Another member of the team may step in to take care of the billing in their place but may not have as much experience or be under additional pressure due to being a team member down. They could therefore be more vulnerable to a scam, for example, a fake invoice scam – paying it quickly to ensure they stay on top of their work.
Another example could be someone who is experiencing mental health issues who may be feeling isolated from family or friends, so they turn to the internet for support. They may develop a relationship with someone online and end up falling for a romance scam.
In another example, a student may be struggling with their finances at university. They need a cheap laptop for their studies and can’t afford to get a brand new one. They are under a tight deadline and are feeling really stressed and so they make a quick purchase through the internet and the laptop is never received.
You can see here how someone’s situation may make them more susceptible to a scam. The CRM Code recognises this and sets out provisions for firms to adhere to recognise and respond to customers in these situations.
CRM Code activity to date
I’d like to talk to you now about the CRM Code in more detail and what activity has taken place in this space to date to ensure customers are protected from APP scams.
As I mentioned earlier, the Code was introduced by the industry in May 2019 to fill a gap in consumer protections from APP scams. In July 2019, the LSB took over governorship of the CRM Code.
As the oversight body, we are responsible for providing independent oversight of signatory firms to give assurance that the Code is being adhered to, breaches are identified and remedied and that it delivers fair outcomes for consumers. We also refine the Code where necessary to ensure it is as effective as possible.
Our oversight work in this space has included three thematic reviews, focusing on the effective warnings and reimbursement provisions, as you can see here on the timeline. We have also conducted a full review of the Code, including an industry consultation seeking to understand how effective it had been in its first year. Our thematic reviews and full review of the Code have highlighted that when applied correctly, it is working and is protecting customers from APP scams, but more needs to be done.
Earlier in the year, following our review of the Code, we set out a roadmap which outlined our planned activity in this space for 2021. This included making updates to the wording of the Code which were published in April. The updates included the introduction of a new Governance and Oversight provision, aimed at supporting the embedding and ongoing oversight of the Code’s requirements, ensuring that Code related policies and processes are formalised, customer facing staff have greater awareness of the Code, and ultimately, consistency in application is achieved. It aims to help firms develop a CRM culture within their organisation – from senior staff all the way through to front line staff who are dealing directly with customer claims. A poor culture can lead to bad outcomes in a variety of ways, so applying this Governance and Oversight provision and developing this good CRM culture is of vital importance to CRM signatories. Importantly we are already seeing firm-wide cultural shifts towards ensuring good customer outcomes take root since the introduction of this new provision.
Another area of activity set out in our roadmap was launching a further Call for Input in March, which explored the aspects highlighted in the full Code review, and they were:
– That the scope of the Code should more fully reflect the evolving nature and complexity of APP scams to ensure that it is able to remain relevant and in line with developments in the wider payments landscape.
– That the Code should recognise the wider range of participants within the payments industry whilst ensuring that it retains a consistent approach to the standards of protections provided.
– That the Code should more fully reflect the roles and responsibilities of receiving firms in the customer payment journey.
Early analysis from our Call for Input suggests that the risk of APP scams is not evenly distributed amongst payment providers, and it was perceived by some respondents that the Code does not take account of more diverse business models.
Against the backdrop of the evolution of financial services and the payments ecosystem, it is vital that protections are afforded to as many customers as possible.
We will therefore be undertaking work to further review the wording of the Code to ensure that a wider range of firms are able to sign up to it and implement its vital provisions, whilst still retaining a consistent level of consumer protection across the board.
The output of this Call for Input will be published later in the Autumn.
Working together in the fight against APP fraud
Collaboration to tackle the increase in scam attempts and reinforce prevention is a growing focus. By sharing insights on why some scams proceed and others are abandoned, firms are honing their prevention measures to ensure fewer customers fall victim.
Tackling APP fraud goes beyond financial services and it is critical that more work is done to understand the different players within the payments ecosystem, what their role is in respect of the payment journey and how they too can join up with the industry to ensure more customers are protected from APP scams.
Building relationships across the different sectors involved within the payment journey, and critically each of them understanding the role they play in preventing fraud, is of upmost importance. It’s important that we look at the origin of scams all the way through to the end of the payment journey and the impact caused by the scam so we can better identify opportunities that are available to tackle fraud and protect consumers. Once organisations understand their role and the part they play, they can actively contribute to the solution.
Success is always greater when we work together and learn from each other’s experiences. A good example of this in financial services was the introduction of Confirmation of Payee and the CRM Code. Both are separate initiatives but introduce additional protections for consumers looking at different aspects of the payment journey. It evidences that different organisations each have something to contribute in the fight against APP fraud, and when joined up together, the protections for consumers are strengthened.
Moving forward, as well as the activity I spoke about earlier, we are working on how the Code can be applied more broadly across different types of business models in the financial services sector and where organisations are able to sign up to the Code and apply its vital protections – they do.
The protections the Code provides are likely greater than the stats suggest, as we know other firms that have not yet signed up are working towards the Code’s principles and we know that work needs to be done in terms of the data collected.
By broadening participation through updates to the Code and firms who can, becoming signatories, working collaboratively to define the success measures and implementing the Code in its entirety we can see the Code’s full potential be realised.
We are working with the industry to define these success measures, ensuring that we don’t lose sight of the vital importance of prevention and detection measures in the fight against APP scams. Not only so we can see what elements of it are having the most impact but so we are able to ensure that the Code can evolve as is needed over time to ensure it is robust and continues to provide much needed protections for consumers.
This is not simply a refund code. Scam victims often suffer emotional distress, with feelings of guilt, shame, worry and embarrassment all too common – feelings that can’t be expunged through reimbursement. Effective detection and prevention measures are critical to averting this distress. We must also keep in mind that even when customers have been reimbursed, the original money may have been lost to the scammer, in many instances funding organised crime. We are going to undertake work to look deeper into effective warnings to ultimately ensure that these scams are prevented from succeeding in the first place.
Significant progress is being made by signatory firms on the actions from our follow-up review. We know there are industry calls being made to see reimbursement protection become universal, potentially by making the Code mandatory, but no decision has yet been reached. Mandatory or not – the work that has been done to date has and will continue to protect customers from these devastating scams.
Tackling APP scams is, and should remain, a collaborative effort. We look forward to continuing to work with the industry to ensure that consumer protections remain at the top of the agenda.