LSB Head of Insight & Engagement, Anna Roughley, recently joined a panel at Credit Connect’s Commercial Credit & Collections Conference to discuss the impact of fraud on UK SMEs. Here, she shares a brief introduction to the risks facing SMEs and how the financial services sector can work together to mitigate those risks.
*The notes below may differ from those delivered on the day*
The LSB is the UK’s primary non-statutory regulator for the financial services sector. Our focus is on making sure firms across the sector are always focused on delivering the right outcomes for their consumer or business customers when they are providing products and services. We look out for emerging risks and new areas of harm that might affect consumers or businesses, and we are proactive in developing pioneering standards that will tackle these.
One of the reasons I’ve been asked to speak today is because what’s covered by this panel sits squarely within our remit: tackling fraud and making sure SMEs’ unique needs are catered for by banks and lenders. For the past five years, we’ve overseen the Contingent Reimbursement Model Code – or CRM Code – for Authorised Push Payment fraud (known as APP fraud). This Code requires its signatory firms to put in place APP fraud prevention and detection measures, and to reimburse victims of APP fraud when they’ve lost money through no fault of their own. This code covers consumers and micro-enterprises – I’ll talk more about this shortly.
We also oversee the Standards of Lending Practice for business customers, which are the only regulatory protections of their kind for UK SMEs. Through our work, we see the pernicious impact of APP fraud on SMEs and the risk of lumping SMEs in with personal consumers – which is something that happens too often. As many of you will know, as SMEs, you have your own unique challenges – it’s important that banks and lenders consider these.
In the next few minutes, I’m going to talk about the prevalence of APP fraud for businesses, the consequences it can have, and some of the steps businesses can take to prevent APP fraud from occurring.
APP fraud statistics
I thought it would be helpful to start by highlighting some of the latest data around Authorised Push Payment fraud. This is the type of scam where a fraudster will trick someone into making a payment to them – usually by pretending to be someone that the person making the payment should trust: another business, their bank, or even their own colleagues. I’m sure you all know someone who’s had a text supposedly from a relative asking for money – or you’ve had examples at work where a supplier website has turned out to be a fake, or you’ve had to deal with fake invoices that look just like something you were expecting to receive from a real company.
As you might expect, there are far fewer APP scams involving businesses than ordinary consumers – there were around 8,000 cases involving businesses last year, and 225,000 involving ordinary consumers. But, in general, the APP fraud picture is less positive for businesses than it is for consumers. Whereas the amount lost to these scams by consumers has fallen over the last three years – from £500m to £375m – the amount lost by businesses has gone up over the same period, from £77m to £83m.
And businesses also tend to see less money reimbursed by their Payment Services Provider after a scam: for businesses falling victim to APP fraud, the reimbursement rate was the same in 2023 as it was in 2020 – 37%. By contrast, the reimbursement rate for consumers climbed from 47% to 68% over the same period. And for customers covered by the CRM Code’s protections, reimbursement rates have risen from 47% to 73%.
Businesses are more likely to see more money stolen in an APP scam too – and the amount stolen per case isn’t falling for businesses in the same way it is for consumers. In 2020, personal consumers lost an average of £2,400 per APP scam – that’s now £1,700. In 2020, businesses lost £7,800 per scam – that’s now £10,800.
There are some key lessons here.
One of these is the importance of prevention and taking every step possible to stop scams from happening in the first place – these steps can include looking for industry protections, or improving internal processes and building awareness of scams within your teams. The CRM Code, which we oversee, places requirements on registered firms to take steps to put prevention and detection measures in place. One of the reasons for the lower reimbursement rate for businesses might be that businesses may be more likely to use a Payment Service Provider not signed up to the CRM Code – particularly given the growing importance of challenger or neo-banks in the SME space. Businesses might also simply be too big to be covered by the Code. Evidence suggests that fraudsters go out of their way to target customers at Payment Service Providers who aren’t signed up to the CRM Code. It’s really important that businesses check what sort of independent protections any finance or payment service provider is offering to them, or to other customers. The evidence shows that independent oversight does make a difference to outcomes, so do check whether a Payment Service Provider is signed up to the CRM Code.
The other reason for the lower reimbursement rate for businesses is that they may find it harder to qualify for reimbursements. When the Code applies, reimbursements are usually required where a customer has lost money through no fault of their own; outside the Code, Payment Service Providers may consider reimbursements on their own terms. Unfortunately, from a business perspective, you may be deemed to be more sophisticated than ordinary consumers – you will be expected to have anti-fraud processes in place. As such, Payment Service Providers may have an expectation that business customers should have been able to spot a scam.
Making sure your internal systems are up to scratch, so you can prove you took all the necessary steps to check a payment was legitimate, will make it harder for a Payment Service Provider to reject a reimbursement claim.
The New Framework
From this autumn, the CRM Code will be replaced with a new statutory framework for APP fraud reimbursement, overseen by the Payment Systems Regulator. The PSR’s framework will require all Payment Service Providers to reimburse eligible customers when they’ve fallen victim to APP fraud through no fault of their own. The new framework will cover the same customer groups as the CRM Code – consumers, charities and microenterprises. But, importantly, the new framework does not place any requirements onto Payment Service Providers regarding prevention and detection of scams. With Payment Service Providers potentially less focused on prevention, it will be more important than ever for businesses to take their own anti-fraud measures seriously.
Tackling Fraud
There are lots of factors that can increase a business’ vulnerability to a scam – whether it’s your processes or your people, or the particular situation your business might find itself in. It’s important that businesses are on the look-out for factors that can increase vulnerability. And it’s important that businesses understand how they might be taken advantage of. Scammers look to exploit emotions; they take advantage of authority and trust; and they rely on creating a sense of urgency. Taking the emotion out of decisions, questioning authority, and slowing things down can help.
Scammers also rely on the cognitive blind spots that can exist around scams and fraud. Too often, we come across situations where a director or a consumer is vulnerable to a scam because they didn’t think of themselves as being the sort of person who would fall victim to one. Anyone – or any business – can be a victim of a scam. Losses from APP fraud can, in turn, cause businesses to become vulnerable. There are plenty of examples of situations where the financial hole created by fraud can lead to a business having problems making debt repayments or covering running costs. Fraud can also cause emotional distress within your own teams, even if the wider financial consequences are limited.
In the absence of higher reimbursement rates for businesses, the emphasis on prevention is vital.
What Other Protections Are There?
As we can see from the APP fraud data and, as I’m sure will be the case, from your own experience, there are big differences in the fraud experience between ordinary consumers and businesses. This makes it all the more important that there are protections in place specifically for businesses.
As I mentioned, as well as the CRM Code, we oversee the Standards of Lending for business customers, which are the only lending protections specifically designed for businesses. Among other things, the Standards include requirements for lenders about how they handle vulnerable customers – including those who might have been victim of a fraud, for example. The Financial Ombudsman Service will also assess complaints about firms against the commitments they’ve made through the Standards.
So, as a final message, I would say: making sure your lenders are signed up to the Standards is a small – but important – step you can take as part of your anti-fraud preparations.