Getting the right outcomes for the victims of APP scams

by Genevieve Marjoribanks, Head of Policy

An authorised push payment (APP) scam happens when someone is tricked into sending money to a fraudster. These crimes can have a devastating effect on those who fall victim. At the PSR, we think that someone who loses money as a result of an APP scam, despite taking reasonable care, should get their money back. 

In February 2018, we established a steering group to develop an industry code to protect people from APP scams. That steering group developed the Contingent Reimbursement Model (CRM) Code which has offered protections to customers of signatory Payment Service Providers (PSPs) – which include the UK’s biggest banks - since 28 May 2019. 

Reimbursing the innocent victims of APP scams is a widely agreed principle of the Code’s signatories and remains a top priority for the PSR. 

The Covid-19 pandemic has not only changed the way many of us make payments but has also left people across the UK more vulnerable to fraud. This means that it has never been more important for the Code to be delivering the best possible outcomes.

Since the Code’s introduction, positive steps have been taken but more still needs to be done and we want to see industry doing everything it can to prevent APP scams and protect consumers.

Protections under the CRM Code

In the world of personal banking and payments, protections for consumers have existed for some time, for example, in the form of chargeback on card payments and the Direct Debit Guarantee. 

The CRM Code adds to those protections. It sets out expectations and standards for PSPs and the circumstances in which customers should be reimbursed. It protects consumers, micro-enterprises and small charities.

Under the Code, signatory PSPs must implement and comply with the Code in a way which supports the reduction in APP scams while increasing the proportion of customers protected from their impact (for example, by preventing scams happening in the first place, repatriating funds or reimbursing victims when they have done nothing wrong) and minimising the disruption to legitimate transactions. 

Prevention not only protects customers, but it reduces industry costs and limits the flow of funds to fraudsters. This is one reason why we have consistently emphasised the need to look after customers, with a high standard of protection against APP scams. 

Implementing the Code 

Over a year on from its introduction, the CRM Code has made a real difference in protecting people making payments from their bank accounts. We can always do more to ensure the best outcomes for consumers though, and there are two main areas where we want to see improvements made.

First, repatriation or reimbursement should occur in the vast majority of APP scam cases assessed under the Code. On average, only around 40%¹ of losses are reimbursed by Code banks. We know UK Finance and Code banks are working to get a clear picture of repatriation volumes. We want to see industry working together to deliver a sustainable, long-term approach to protecting consumers from the consequences of APP scams. This will lead to lower levels of APP scams and higher levels of repatriation and/or reimbursement for innocent victims.

Second, we want to see the establishment of a sustainable, long-term model for reimbursement. While the Code signatory banks have agreed to fund reimbursement in cases where the scams occur through no fault of the bank or customer, some Code signatories are saying that funding has only been provided on an interim basis until the end of this year. 

In whatever way it is arranged, we want to see a long-term funding mechanism put in place as a matter of urgency so that innocent victims can feel confident they will get their money back.

Improving outcomes for the victims of scams

As we see it, the most obvious option for funding reimbursement is by PSPs committing to self-funding these costs. We are happy for those Code signatories who choose to participate in shared funding to continue to do so, subject to their obligations under competition law. 

If the current voluntary approach is to continue, however, we need industry to move away from temporary commitments and towards a permanent solution which focusses on reimbursing defrauded consumers who have done nothing wrong. 

In the short term, we would support the Lending Standards Board (LSB), the body responsible for overseeing the CRM Code, amending the Code to make it clear that self-funding, as well as shared funding, is an option. Such a move would clarify the issue for PSPs, while prioritising the protection of consumers and allowing industry to focus its attention on finding new and innovative ways to raise standards of scam prevention.

The LSB recently issued a consultation document to inform its review of the CRM Code, which includes the future funding of reimbursement. We welcome the review, and are keen to see the outcomes it produces. 

If the voluntary approach under the Code proves unsuccessful, then industry needs to find a way to embed a high standard of consumer protection as the norm. Improving outcomes for victims of scams is an issue that requires an urgent effort from the entire payments sector. 
 
We remain committed to getting the right outcomes for the victims of scams and seeing a sustainable, long-term approach to protecting customers delivered.  

¹This percentage is based on data from UK Finance on the CRM Code, and represents a consolidated view of reimbursement levels across 9 code signatories from October 2019 to May 2020. The results do not include all cases of repatriation. UKF and the Code banks are planning to address this for future reporting.