In 2020, approximately 150,000 fraudulent advanced push payments (APP) cases in the United Kingdom resulted in the equivalent of US$660 million in losses, according to a report from the UK's financial services regulator, the Financial Conduct Authority (FCA). The report also notes that 81 percent of these losses were on personal accounts. APPs are the equivalent of peer-to-peer payments and, for the most part, are irrevocable.
We ran a post in June last year about steps the FCA had taken to address the growing incidence of consumers falling victim to scams and sending funds to the scammers through APPs. As I discussed in that post, one step the FCA took was to initiate the Contingent Reimbursable Model (CRM) Code, which specifies the extent to which a consumer might be liable for financial losses from an APP scam. Under the provisions of the code, according to a press release from UK Finance, "any customer of a bank or payment service provider (PSP) which is signed up to the Code will be fully reimbursed if they fall victim to an APP scam, provided they did everything expected of them under the Code." Although the CRM Code is considered voluntary, the major UK banks, representing 85 percent of all APPs, have adopted it. The CRM Code applies to push payments between UK-domiciled accounts handled by the PSPs.
The code requires that the originating and receiving PSPs provide educational programs to consumers to alert them to such scams and to investigate claims by consumers alleging they were victims of a scam that was beyond their control. Importantly, it also gives the financial institution the authority to delay or stop transactions that it believes are fraudulent to allow for additional investigation. Pay.UK, the industry’s retail payment operator, has also implemented a program that requires the originator to check that the transaction’s payee name matches the name on the account receiving the funds.
So how has the CRM Code worked so far in addressing the APP scam fraud problem? While the 150,000 cases in 2020 represented a 22 percent increase over the previous year, the value of APP losses in 2020 increased only 5 percent. This small increase is attributed to PSPs' efforts to implement more effective monitoring software to detect money mule accounts and other suspicious transactions.
Consumer groups criticize the CRM Code for the uneven reimbursement rates (which the PSPs report anonymously). While the overall reimbursement rate in 2020 was 47 percent, the individual reimbursement rates among the PSPs ranged from 10 percent to 99 percent. The critics maintain that the criteria for determining if a customer is fully or partially at fault and ineligible for full reimbursement are highly subjective. As an example, the CRM Code says, "The customer’s capacity to protect themselves includes their knowledge, skills and capability in engaging with financial services and systems...." But how do the PSPs objectively determine the level of the customer's knowledge, skills, and capability?
In February of this year, the UK’s Payment System Regulator, commonly known as the PSR, issued a request for comment regarding three proposed changes to the CRM Code:
- Mandate that PSPs publish their APP fraud and reimbursement data publicly.
- Require that PSPs develop a standard approach to sharing information about APP scams with the intent to stop them from occurring or spreading.
- Extend the liability protection to all UK-domiciled consumer accounts operating in the United Kingdom to at least a minimal level.
The comment period for these proposals closed in April. We will continue to follow this activity and report the final outcome of this issue when it becomes available.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed