In 2018 UK losses from Authorized Push Payment (APP) Scams were over £350m, a 50% increase on the previous year, with most of the losses carried by the victim.  In response to the growth in APP Scams the UK introduced the Contingent Reimbursement Model (CRM) Code.

The CRM Code is a voluntary code of practice implemented in the UK in May 2019 by the APP Scams Steering Group (made up of representatives from Consumer Groups and Financial Institutions) to help address and minimize the impact on victims of scams in the UK.

The CRM Code helps establish minimum standards on the main parties who can help prevent scams, namely the victim, the payment sending bank and the payment receiving bank. Where each of these parties meet the required due diligence expectations of the CRM Code, then the victim should be refunded from an industry fund established to cover ‘no blame’ scam reimbursements.  In addition to this, the code also established additional warranted protection for ‘vulnerable customers’ regardless of due diligence expectations.  With most of the larger UK banks having signed up to the CRM Code this should represent a significant step forward in protecting victims from the financial loss if they fall victim to a scam.

Has the CRM Code helped protect consumers from scams?

Yes and No.

On the plus side the introduction of the CRM Code has increased the profile of APP scams, raising awareness and making people more likely to recognize a scam and protect themselves. There has also seemingly been an increase in the number of victims reimbursed by the banks, who were previously not obliged to offer any refund. And the code has encouraged the banks to up-their-game on scams and be more proactive in prevention and detection efforts.  Most evidently through an increase in visible ‘Effective Warnings’ (as referenced in the CRM Code) to provide ‘in-journey’ warnings to customers deemed at risk of making a scam payment.

However, the CRM Code does not seem to have gone far enough to persuade critics that consumers are sufficiently protected.  Partial compliance (not all banks are signed up to the Code) and differing interpretation of the CRM Code by different banks, leads to an inconsistent approach to the treatment of victims.  This means consumers do not always know whether they are protected or not.

There is also a perception that Code participant banks are using the consumer due diligence expectations within the CRM Code to reject victim reimbursements.  The CRM Code states that the victim must not have disregarded warning messages, and recently the UK consumer organization Which? accused the banks of using blanket ‘Effective Warning’ messages to deny refunds.

So, what more could be done?

A lack of data and transparency

While the overall volume and value of APP scam losses is known, there is a lack of data and transparency on the level of victim refunds – so it remains difficult to assess whether the CRM Code changes have increased the proportion of scam cases where the victim is refunded or not.

There also remains no agreement on long-term funding of the ‘no-blame’ pot, the funding route to ensure victims are reimbursed even where each party has fulfilled their minimum due diligence.  The proposed arrangement (a transaction fee on Faster Payments) was rejected in November 2019 and agreement on the current funding only extends until March 2020, bringing the long-term sustainability of the CRM Code into question.

Will the Payment Services Regulator move to introduce stricter regulations?

The CRM Code has led to some significant areas of improvement in protection for consumers against scams, though the remaining issues and criticism of the scheme creates a risk to the banks. If the voluntary CRM Code is not achieving its aim, the Payment Services Regulator may move to introduce compulsory regulations.

In November 2019 MPs from the Commons Treasury Select Committee recommended that the CRM Code be made compulsory and also that the banks should introduce delays to ‘first-time’ beneficiary payments.  Though delaying payments may be a potentially disproportionate response that could risk limiting the scope of Faster Payments for e-commerce and Open Banking innovation.

What more can UK banks do to protect consumers and themselves from regulatory action?

The banks could work to address the above issues, filling in some of the gaps in the CRM Code and adding additional context to improve consumer protection and consistency of approach.  The banks could potentially do more to speed up attempts to recover funds after a scam payment (which remains a manual process and prone to delay or error) and build on their existing consumer education and awareness campaigns (Take 5) to help customers protect themselves.

In addition, banks can – and very likely will – implement and adopt the Confirmation of Payee (COP) initiative which is used to validate the payment recipient when setting up a new Payee. COP is due to be introduced by the end of March 2020.

And finally, banks can use more proactive analytics for risk-based warnings and payment interventions.  Whilst scams remain difficult to prevent and detect using conventional fraud detection approaches, sophisticated machine learning models and behavioral biometrics can bridge the gap and help to protect consumers.

While APP scams represent a major challenge to banks, and critics argue that consumers need to be more accountable, this ignores the increasing sophistication and industrialization of scams by well organized criminal gangs.

Banks who are utilizing equally sophisticated resources, systems, analytics including machine learning models, are surely better placed to respond to the scams threat.  Featurespace has designed the ARIC™ Risk Hub with the primary goal of combatting these crimes and is working with some of the largest UK and global Banks to address fraud and Scams. Download the ARIC™ Risk Hub Brochure to read more.