Emma Lovell, Chief Executive, LSB
Every year, around 200,000 people become victims of Authorised Push Payment (APP) fraud – a type of scam which sees people tricked into sending a payment to someone who is not who they claim to be. Fraudsters often pose as the victim’s own bank or members of their family. As with other types of scam, APP fraud can have a devastating emotional or financial impact on victims, while the money sent to the fraudster helps fund criminal activity.
Currently, customers are protected from APP fraud by the Contingent Reimbursement Model (CRM) Code, which is overseen by us, the Lending Standards Board (LSB). The Code ensures financial providers have a consistent approach to reimbursing victims of APP fraud and a consistent approach to preventing and detecting this type of fraud in the first place. Not all UK banks and lenders are signed up to the Code, but it does cover around 90% of UK APP fraud.
Since its introduction in 2019, the Code has helped improve reimbursement rates for APP fraud, while its focus on prevention and detection has helped slow the growth of this type of scam. In the year before the Code was introduced, APP fraud had almost doubled from the previous year; last year, APP fraud only grew 6%. The Financial Ombudsman Service (FOS) has also noted that it now receives more complaints from customers about APP fraud where their financial provider hasn’t signed up to the Code.
Last summer, the Payment Systems Regulator (PSR) announced it would be introducing a new, mandatory requirement for all UK Payment Service Providers to reimburse their customers who become victims of APP fraud. The PSR set out the final details of its approach just before Christmas, confirming that the new mandatory reimbursement framework will begin on 7 October 2024.
The incoming framework has some similarities to the existing Code, but there are important differences too. Some of the key features of the PSR’s proposals include:
- Banks and financial providers can choose to levy an ‘excess’ of up to £100 per claim (there is no excess fee under the CRM Code).
- There will be a maximum reimbursement level of £415,000 – this matches the FOS compensation limit and, while there is no reimbursement limit under the CRM Code, the new limit is still much higher than the average loss involved in an APP scam (£2,340 in 2022).
- All UK Payment Service Providers will be required to reimburse their customers for APP fraud losses, but there will be a ‘standard of consumer caution’ applied which could see reimbursement claims denied. Under this standard, customers might not be reimbursed if the financial provider can demonstrate the customer hasn’t been careful or cooperative enough – customers need to pay attention to warnings about suspected APP fraud attempts from their bank, they should notify their bank about the fraud in good time, they should share information about the fraud with their bank, and they should consent to fraud details being reported to the police. The PSR says failure to comply with just one of these requirements is not enough for a claim to be denied and that ‘the onus will be on the bank to prove that [the customer] acted with gross negligence.’ The exception does not apply to vulnerable customers. Banks and financial providers also have grounds to refuse a claim under the CRM Code, though they have to consider a wider range of factors before doing so.
- Reimbursement costs will be split between the customer’s financial provider and the financial provider used by the fraudster (the ‘receiving’ firm). The CRM Code also places requirements on receiving firms.
Perhaps the key difference between the Code and the new framework is the approach to prevention and detection. Although the PSR expects its reimbursement requirements to spur individual financial providers to take action on prevention and detection, there will be no binding, sector-wide obligation to do so. The Code, by contrast, covers reimbursement but also includes requirements on detection and prevention, as well as the steps financial providers need to take to support, educate, and communicate with their customers affected by APP fraud.
The focus on consistent prevention and detection in the Code is really important as it’s only by stopping APP fraud from happening in the first place that we can stop the irreversible harm it causes. After all, reimbursement might reverse some of the financial consequences of a scam, but it can’t undo the emotional impact fraud can have, it won’t get the money back from fraudsters, and it won’t necessarily repair the trust in vital services that fraud can undermine.
Moreover, the consistent approach to prevention achieved by the Code makes it easier to share information across the sector, provides equal protection to customers whichever financial provider they use, and makes it harder for fraudsters to exploit differences in approach that might otherwise exist between financial providers.
Alongside the PSR’s positive steps on mandatory reimbursement, we think it’s vital that we also build on the progress made on consistent prevention, detection and customer treatment since the introduction of the CRM Code. To make sure this progress does not fall away from October, we’ve begun work on a new Standard focused on best practice for preventing and detecting APP fraud and supporting customers affected by this type of scam. This new Standard will work alongside the new PSR framework from October 2024.
We’ll be consulting with stakeholders on this new Standard throughout the year, and you can keep track of our work here. In the meantime, the CRM Code will remain in place, delivering the consistent approach to APP fraud prevention, detection and reimbursement that it has enabled since 2019.