CRM Code ends after boosting Authorised Push Payment fraud reimbursements
By Puja Sharma
Contingent Reimbursement Model Code (CRM Code) to be retired on 7 October once new Payment Systems Regulator (PSR) framework for Authorised Push Payment (APP) fraud reimbursement starts
- Overseen by the Lending Standards Board (LSB) and covering over 90% of APP fraud cases, the CRM Code has protected customers since 2019
- In 2023, CRM Code signatories reimbursed 73% of customer APP fraud losses – up from just 23% before the Code was introduced
The Contingent Reimbursement Model (CRM) Code – which puts in place requirements for signatory Payment Service Providers (PSPs) to detect, prevent and reimburse Authorised Push Payment (APP) fraud – will close on 7 October as new statutory rules on APP fraud reimbursement come into effect, the Lending Standards Board (LSB) has confirmed.
Since its introduction in 2019, the CRM Code, which is governed by the LSB, has had a significant, positive impact on the fight against APP scams. This type of fraud involves customers being tricked into authorising a payment to a scammer posing as a trusted individual or organisation.
The CRM Code, which covered over 90% of reported APP fraud cases in 2023, has helped drive up reimbursement rates for victims and improved the financial services sector’s ability to prevent and detect APP fraud, helping to limit the harm that these scams cause consumers.
Emma Lovell, Chief Executive of the LSB, said, “The CRM Code has been a milestone improvement in customer protections – vastly increasing the chances of customer reimbursement after an APP scam and having a significant impact on the financial services sector’s efforts to prevent their customers from falling victim to an APP scam in the first place.
“The CRM Code’s focus on prevention and detection, in particular, demonstrates what can be done when financial services firms pull in the same direction and opt to go above and beyond statutory requirements. Crucially, this focus on prevention not only limits harm to customers but stops money reaching criminals too. While there is still much work to be done to tackle APP fraud, the CRM Code’s signatories have delivered better outcomes for their customers over the last five years. We’re proud of the Code’s impact.”
The CRM Code covered ten PSPs, comprising major high street, digital, and challenger banks, lenders and other providers. It was launched in May 2019, with the LSB’s independent oversight starting in July 2019.
Since its introduction, the LSB has monitored signatory PSPs’ implementation of the CRM Code, including specific reviews of signatory PSPs’ approaches to reimbursement and their use of effective warnings to halt payments to fraudsters.
In June 2021, the LSB issued a warning to all CRM Code signatories, requiring all firms to improve the consistency of their reimbursement processes, how they identify vulnerable customers, their use of effective warnings, and their record keeping. Signatory PSPs responded to the warning with significant increases in reimbursement rates as well as decreases in the amount of money stolen through APP fraud.
The CRM Code’s protections have been based on three key pillars: the detection of payments which may have been made as a result of a scam; the prevention of APP fraud; and a requirement for signatories to reimburse customers who fall victim through no fault of their own.
The incoming statutory framework for the reimbursement of APP fraud victims, which will be overseen by the Payment Systems Regulator (PSR) from 7 October, does not contain specific APP fraud prevention or detection requirements, includes the option for PSPs to levy an ‘excess’ fee of up to £100 per claim, and will cap reimbursement at £85,000. The CRM Code does not feature any excess fees or reimbursement caps.
Emma Lovell added, “Reimbursement following a successful scam helps undo the financial impact of fraud on a customer, but reimbursement alone cannot undo the emotional distress so often associated with APP fraud.
“PSPs signed up to the CRM Code have worked hard on putting preventative measures in place since 2019. Even though the new regulatory framework does not include prevention requirements, I’d expect the CRM Code signatories to continue to build on the progress they’ve made, and the sector must ensure that the momentum from the Code is not lost. The Code has helped slow, but not yet reverse growth in the number of APP scams; now is not the time to lose focus. The prevention of APP fraud must remain top of the agenda for all PSPs, otherwise, there is a risk that customer harm may increase under the new framework.
“PSPs that will now be required to reimburse customers for the first time should look to the Code to catch up on the lessons already learned by signatory firms.”
Key Highlights:
- In 2023, CRM Code signatories reimbursed 73% of customer APP fraud losses – up from just 23% before the Code was introduced.
- The rate at which APP fraud has increased has slowed dramatically, from a runaway 45% year-on-year increase in 2019 to 12% annual growth in 2023.
- The average amount of money stolen per reported APP fraud case has tumbled from £4,200 in 2018 to £1,600 in 2023 for customers covered by the CRM Code (and £2,000 for all customers).
- The Financial Ombudsman Service (FOS) has noted that over half the complaints received about APP fraud reimbursement come from customers not covered by the CRM Code – while CRM Code customers’ complaints are more likely to be upheld.