This is the text of the speech as drafted and may differ from the delivered version. This speech was delivered by our Managing Director, Chris Hemsley at the Lending Standards Board’s industry event ‘A virtual view of self-regulation’, providing thoughts on the CRM Code and APP scams.
Hello, I’m Chris Hemsley, the Managing Director of the Payment Systems Regulator. Thanks for asking me to join today’s discussion on this really important subject.
Over the last few years, there has been a noticeable increase in the prevalence of APP scams.
Fraudsters are becoming ever more sophisticated. They continue to adapt their techniques to trick victims into sending money to them. The pandemic has created new opportunities for these criminals – making a terrible situation worse for their victims.
As you know, the PSR has been working with industry on this problem since 2015 - initially through the Payments Strategy Forum which identified solutions to stop these crimes from happening in the first place.
Together with industry and consumer groups, we’ve continued to make progress and I would like to touch on some key milestones we’ve achieved.
The first milestone was the implementation of the industry Contingent Reimbursement Model code (the Code). The Code is an important demonstration to customers that financial organisations take these crimes seriously and will protect them when they have done nothing wrong and yet fall victim to APP scams. For the first time, it meant there were protections available to people - protections which, quite simply, had never been available before.
This is a significant step, that has improved the lives of many victims. And something to be proud of.
Of course, there are still issues with the application of the Code, which I will come on to. But let’s also recognise the progress.
The second key deliverable was Confirmation of Payee (CoP) – the name-checking service designed to help people spot when new payee details aren’t right. Prevention continues to be a key area of focus – because even when a victim is reimbursed through the protections offered by the Code, they still suffer harm and money still goes to fund criminal activities.
While the Code and CoP have made a significant improvement on the situation beforehand, we know that more needs to be done to deliver consistent and better outcomes for the victims of APP scams – and in particular to prevent scams from happening in the first place.
But there’s no silver bullet to do this.
Indeed, this is an inherent and unavoidable feature of the battle against fraud and the harm it causes – we need to adapt and continue to make it harder for criminals. And our approach to protecting victims will need to adapt to improve outcomes.
So, the sad truth is, and reflecting the increasing numbers of APP scams, more work needs to be done.
Of course - it’s hard and we are dealing with sophisticated criminals, but this will continue to be a focus for the PSR - we’re not giving up and we don’t expect industry to either. Everyone who plays a role in the problem has a responsibility to find the solutions.
First, on APP scams there was a good deal of agreement on some important principles.
Looking at the issue of allocating responsibility
- Stakeholders agreed that financial institutions should have incentives to prevent fraud whilst ensuring that customers continue to take sufficient responsibility for their actions.
- The feedback reinforced the important role that receiving banks play in relation to APP scams – scams can only take place with the use of a scammer’s account or a mule account.
- The responses also highlighted the role that those outside of financial services sector need to play – particularly social media firms and those in telecoms.
There was a clear view that these participants should play a greater role.
I agree with this.
I am interested in what we can achieve in terms of setting out transparently and publicly where fraud originates. I support efforts to update our legislative framework to deal with online harms, where they originate.
But, we also need to retain sufficient focus on what we can achieve within our sector, within the current legal frameworks.
Data plays a key role in detecting and preventing scams
There are two levels to this:
- Data to consumers – responses to our call for views indicated general support for greater transparency, but also that any data on APP scams that is published should provide a holistic view of a PSP’s performance – including their role in preventing scams and reimbursing victims. This could incentivise PSPs to prevent scams from happening and help raise standards of reimbursement.
- Data sharing between PSPs - there has also been wide-spread agreement that improved sharing of information by PSPs would improve scam detection and prevention. We are keen to build on existing industry work here.
A final issue is that reimbursement is too uncertain
We recognise that the CRM code has improved outcomes. As I have said, this has been a significant improvement for victims. And should rightly be celebrated.
But the evidence points to a lack of consistency in how the rules are applied. Some believe reimbursement remains too much of a ‘lottery’ for victims.
Indeed, there is continued significant variation of reimbursement across banks. This points to the need for further work to improve outcomes for APP scam victims.
Part of this is the continued work by the LSB to review compliance with the code obligations. And I have talked about the role that transparency can play in improving outcomes here.
We should, however, also remember that there are customers who do not benefit from these protections. Including as their banks do not offer equivalent protection.
We want to see protection becoming universal; which points towards making it mandatory.
We have set out two options for achieving this – both relying on making changes to payment system rules:
The first option (3A) puts the detail of the reimbursement rules into payment system rules.
The second option (3B) would build on the current approach of having a code. It would make it a de facto requirement for PSPs to be members of an approved, reimbursement code.
There has been some confusion on what this might imply in terms of creating a new code.
In short – under this option, the current CRM code would be put on a more formal footing. We would expect that the LSB would seek to secure approval for the CRM Code, moving it away from relying on voluntary commitment.
And I should also stress that this is not a way to reduce protections for customers. Quite the opposite.
We are still working through our assessment of the best way to achieve the outcomes we want to see. But it’s also worth re-stating that we currently do not have the powers to mandate reimbursement and we continue to work closely with government on necessary legislative changes.
Confirmation of Payee
I would also like to touch on Confirmation of Payee. Albeit briefly in the time available.
In 2019, we directed the UK’s six largest banking groups to introduce Confirmation of Payee for Faster Payments and CHAPS transactions by giving Specific Direction 10 (SD10). By July 2020, CoP was available to consumers of the six directed banking groups. A number of other financial institutions have since implemented the service.
Our analysis has shown that CoP has had a positive impact on accidentally misdirected payments and it has made it harder for criminals.
We want to make sure that the CoP protections are available to customers of all banks, building societies and other PSPs. The migration of certain types of APP fraud to PSPs yet to join CoP clearly demonstrates why the service needs to be expanded.
Phase 2 of CoP is a key part of this as it will ensure that access to CoP becomes quicker and more cost effective for smaller PSPs, helping them to join the service.
And recently the SD10 banks have said they are committing to migrate to the Phase 2 environment by the end of the year.
This is a valuable step forward.
And we will respond to their letter shortly and publish our response on our website, but as most of the CoP requests involve the SD10 directed banks, their participation in Phase 2 is essential to minimise any delays to more PSPs joining the service.
We are also considering how best to support the extension of CoP, so that it covers more payment accounts – moving beyond the 90 percent of payments covered today.
In doing so we are considering how we might best use our regulatory powers to support the successful transition to phase 2.
So, there really have been significant developments in how we go about tackling the problem of APP scams.
Thinking about the title of today’s session – and the role of self-regulation, there are some really important examples here. One is the potential value of voluntary measures – put simply, many victims would be worse off without the voluntary code.
Another is that there are limits to how far voluntary measures can go. Sometimes – as with CoP – regulatory requirements can help the sector do things that have broad support.
But there are also areas where mandatory rules are needed. And, I think, our recent experience on APP fraud shows that addressing this issue, first by unlocking the legislative barriers to action, could take what we have today and help us all to take another significant step forward, making it harder for criminals and protecting all victims.