APP fraud: confirmation of payee, developments and trends

In the first half of 2021, £355 million was lost to authorised push payment (APP) fraud. This compares to £208 million in the first half of 2020.[1] As a result, APP fraud losses now exceed card fraud losses for the first time. This significant growth in sums lost to APP fraud comes despite the successful introduction of phase 1 of Confirmation of Payee.

In this article we look at key developments regarding APP fraud, trends and future developments – with a spotlight on the following two recent reports:

• the Lending Standards Board’s (LSB) Call for Input: Findings Report on the Contingent Reimbursement Model Code (the CRM Code) for APP Scams (published on 4 November 2021); and
• the Payment Systems Regulator’s (PSR) Confirmation of Payee: Response to our calls for views CP 21/6 (published on 21 October 2021).

We then look ahead to what else is on the horizon – including the PSR’s follow-up paper on APP Scams.

This article follows on in our payment developments series. For previous articles, see:

• Payment developments: BNPL regulation and consumer purchaser protections – which looked at Treasury’s long-awaited consultation on the regulation of buy-now pay-later; and
• Interbank payments review outcome published – in which we looked at the PSR’s report on the outcome of its review of consumer protection in interbank payments - in light of the ever-increasing popularity of the Faster Payments Service and its importance in the development of many Open Banking initiatives.

The CRM code: The LSB's report

The CRM Code is a voluntary code which was introduced in May 2019 and is overseen by the LSB. It sets out good industry practice for preventing and responding to APP fraud. There are currently nine signatories. Amongst other things, the CRM Code commits the signatories to ensuring that eligible customers are reimbursed where they are not to blame for the scam and have not been grossly negligent. 

The LSB’s Call for Input earlier this year followed on from its full review of the CRM Code in January 2021 and focussed on three areas:

• How the scope of the CRM Code should more fully reflect the evolving nature and complexity of APP scams;
• The need for the CRM Code to recognise the wider range of participants within the payments industry; and
• The need for the CRM Code to fully reflect the roles and responsibilities of the receiving banks in the customer payment journey.

The evolving nature of APP scams

The LSB Report highlights two particular emerging forms of APP scam:

• Friends and family scams: these are multi-generation models and often involve a customer being persuaded to transfer money to a friend or family member, who is then persuaded to transfer those funds (or more) to a mule account. Dealing with these frauds can be more complicated – in terms of both the repatriation of funds and the investigation for reimbursement.
• Cryptocurrency fraud: over the last 12 months, there has been an increase in scams involving cryptocurrency.

The LSB has confirmed that the investigation of friends and family scams does fall within scope of the CRM Code. It intends to update the CRM Code to make this clearer. It also requires efficient communications between firms (and the LSB will look at this with UK Finance).

As for cryptocurrency scams, the LSB has recognised that there is a need for greater clarity on how this type of fraud is recorded so that the scale of the issue can be better understood. They recognise that regulation of cryptocurrency currently sits outside the CRM Code and will not be consistently captured by industry data. The LSB will undertake further work with the industry to move this forward.

Increasing participation in the CRM Code

The LSB has identified a trend in the origination of APP scams moving from signatories to the CRM Code to non- signatories. The LSB says that this development underlines the importance of widening participation in the CRM Code to make it more effective. Similarly (and unsurprisingly), the PSR has also identified a migration of APP scams towards firms that have not yet implemented Confirmation of Payee (which we discuss further below).

Increasing participation in the CRM Code is a key focus area for the LSB. It feels that take-up in the industry has been slower than it would have liked – although it recognises there are challenges to some business models (in particular with electronic money issuers and payment initiation service providers). The LSB will work with the industry to address those challenges, to ensure that a wider range of firms can participate in the CRM Code. Further information on this will follow. The LSB will also seek to increase the number of signatories to the CRM Code by actively engaging with the industry.

A focus on receiving PSPs

The LSB also noted that a majority of industry respondents considered there could be a lack of accountability from some receiving firms in resolving APP cases. This was particularly pronounced where receiving firms were not CRM Code signatories.

Feedback from the review suggested that greater accountability should be placed on receiving banks. The LSB will undertake further work to ensure that a fair balance is struck between receiving and paying firms but it warned that it cannot bind non-signatories to the CRM Code, given its voluntary nature. The LSB noted the strong support for making the CRM Code mandatory (such as via recognition from a regulator or via amendments to payment scheme rules). Introducing mandatory consumer protections is something which the PSR supports (see our comments below) – but is not currently within its power.

The narrative of the CRM Code

The LSB appreciates that the CRM Code has been perceived by some in the industry as a “refund scheme”. The LSB will look to re-set some of that narrative: it recognises that the success of the CRM Code cannot be judged solely by re-imbursement levels and so the LSB will engage with stakeholders to seek views over the coming months on how to measure its success.

Finally, under their Roadmap, in December 2021 the LSB is due to build data requirements into the Code, make final updates to the Code and issue guidance to reflect the outputs. 

We now turn to the PSR’s report on CoP and summarise its key findings.

PSR: Confirmation of payee

Overview

The aim of Confirmation of Payee (CoP) is to reduce APP scams and misdirected payments by checking the name on the recipient’s account.

Phase 1 of CoP was mandated by the PSR and required the largest six banks (Phase 1 Banks) to introduce CoP Phase 1 – with the Phase 1 Banks accounting for 90% of Faster Payment and CHAPS transactions.

CoP is operated by Pay.UK – and it has issued final rules and standards for CoP Phase 2 this year. Phase 2 will be enabled through a dedicated ‘CoP-only’ role profile in Open Banking – to enable wider participation outside the Phase 1 Banks.

Key points

The general consensus is that CoP Phase 1 has had a positive impact on reducing accidently misdirected payments and in preventing (what would otherwise be higher levels of) APP scams. But for its implementation, it is likely that APP fraud may have been higher in the last year.

The PSR therefore wants to see more PSPs join CoP as Phase 2 is rolled out - including those PSPs who do not use the same reference information as Phase 1 Banks. This includes firms that use unique sort codes and Secondary Reference Data.[2]

The PSR has also highlighted:

• There is a migration of APP fraud towards firms that are yet to implement CoP. This suggests that the scheme has been successful and underlines the importance of participation being rolled out to other firms.
• The nature of the scams has evolved, with fraudsters increasingly convincing customers to ignore ‘no match’ warnings - or using the scheme to manipulate victims into sending money to mule accounts with a name match.
• Some feedback suggests that existing warnings during CoP checks might cause customer confusion and that further consistency is needed in messaging.

CoP: what’s next?

• The PSR will engage with Pay.UK and the industry to monitor the commitment by the Phase 1 Banks to being present in Phase 2 by the end of 2021.
• To avoid the parallel running of Phase 1 and Phase 2 (and its associated costs), the PSR wants CoP to be migrated to Phase 2 by March 2022. It will consult later this year on ending the dual running of the phases by this date.
• The PSR will continue to assess whether it should direct firms which are not currently offering CoP to join the service. They will issue a further consultation in early 2022 on this.
• The PSR wants Pay.UK to investigate whether changes are needed to CoP – such as firmer guidance on messaging for new participants.
• The LSB has also confirmed that it will implement relevant provisions of the CRM Code on CoP. It will work with the PSR on Phase 2 – with a view to whether the CRM Code should include provisions to capture Secondary Reference Data.
• Pay.UK and existing firms have agreed to seek to enable CoP checks to be undertaken by the end of June 2022 where the receiving account uses Secondary Reference Data. This will also provide some future proofing of CoP.

What else is on the horizon? 

PSR follow-up paper on APP scams

Earlier this year, the PSR published APP scams: Call for views – which looked at the CRM Code . It said that, although the Code has improved consumer outcomes, its introduction has not led to as much reduction in customer losses as hoped. It believes customers are still bearing a high proportion of those losses, despite the default requirement that they should be reimbursed when they have acted appropriately. It wanted to focus more on deterrence. It is aware of concerns the Code is open to interpretation and difficult to apply in practice, with the resulting increase in the role of the Financial Ombudsman Service in adjudicating disputes.

The Call for views proposed three measures:

• Improving the transparency of outcomes: it proposes to require firms to publish outcomes by firm (rather than aggreged industry figures) and for those to be centrally published).
• Greater collaboration between firms to share information about suspicious transactions: this may include standard shared fraud scoring between sending and receiving PSPs. This would enable receiving PSPs to take action – such as stopping onward transmission of funds or investigating whether the account is a mule account.
• Introducing mandatory protections for customers: in light of the levels of reimbursement to customer (less than 50% under the CRM Code), the PSR wants to see changes to scheme rules or a mandatory new code which is less open to interpretation.

The PSR recognised that it does not have the power to mandate (3) above as it would require changes to the Payment Services Regulations 2017. There are, however, growing calls from some consumer groups for the government to act to enable the PSR to introduce these changes. For example, such groups will refer to the Financial Ombudsman Services’ latest statistics which suggest that over 70% of customers who complained to them about not being refunded had their complaints upheld.

The PSR’s follow up paper was expected by September 2021, and so we anticipate seeing it imminently.

Concluding remarks

The impact on all PSPs as a result of recent developments is likely to be both considerable and costly - particularly taking into account any adjustments to systems in order to implement standardisation, and increasing responsibilities for receiving banks and those firms who hold second generation accounts.

There is a clear direction to increase deterrence as well as reimbursement levels. It is hoped this will reduce the volume of complaints to the Financial Ombudsman Service.

Finally, although both the PSR and the LSB say they take into account the principle that customers should remain responsible for their decisions, some will ask whether enough emphasis is placed on this principle by those bodies. Whatever follows, it is hoped that the PSR continues to recognise that there is a balance to be struck and doesn’t lose sight of the legal requirement of consumers needing to take responsibility for their actions.