Changes to the Contingent Reimbursement Model Code and the continued focus on APP fraud

The Lending Standards Board has changed its Contingent Reimbursement Model Code (CRM Code) which concerns authorised push payment (APP) fraud (a widespread form of fraud in which bank account holders are persuaded to authorise payments from their own account to a fraudster). In this short note, we discuss the changes that have been made to the CRM Code and consider the wider context of recent developments relevant to APP fraud.

Changes to the CRM Code

On 8 February 2023, the Lending Standards Board released a new version of the CRM Code (available here). The CRM Code was introduced in 2019 and is a voluntary code so is not subject to formal enforcement action. However, it sets out good industry practice and requires its 10 signatory firms, which constitute a significant proportion of the UK retail banking sector, to reimburse customers who are victims of APP fraud, subject to certain specifc exceptions.

Since its introduction, the CRM Code has also focused on the prevention of APP fraud, and the recent changes take this further. In particular, two new standards relevant to the prevention and detection of APP fraud before it occurs have been introduced:

• SF2(1)(c) requires that firms have in place appropriate processes to review accounts that are identified as being at higher risk of being used to facilitate APP fraud. Firms must also have policies in place setting out actions they will take to reduce the risk of such accounts being used to facilitate APP fraud and procedures to ensure that appropriate actions are taken in a timely manner.
• SF2(3)(c) requires that firms have in processes place for "profiling" of inbound payments to allow them to prevent the onward movement of funds where there is a suspicion that the funds being credited to an account are the proceeds of APP fraud.

Both of these new standards will be effective from 18 December 2023. Failure to meet these requirements will impact a firm's ability to rely on some of the exceptions provided in the CRM Code to the obligation to reimburse customers who are victims of APP fraud. Signatory firms should therefore consider the preventative processes and procedures they currently have in place to ensure they are compliant with the new standards by 18 December 2023.

The revised CRM Code also provides that the "Confirmation of Payee" standards set out in SF1(3) and SF2(2) will be effective from 28 April 2023 (essentially requiring firms to implement a solution to show customers whether the details associated with a payee account match those entered by the customer making the payment). These have previously been included in the CRM Code but without a commencement date.

The broader context

These changes to the CRM Code are happening alongside other developments of interest to firms for which APP fraud is an ongoing concern.

In late 2022, the Lending Standards Board entered into memoranda of understanding with the Payment Systems Regulator and with the Financial Conduct Authority, which in each case reaffirmed, among other things, their commitment to cooperate in combating fraud and scams.

The Payment Systems Regulator has also been consulting on a proposal which would see mandatory reimbursement for victims of frauds and scams where more than £100 has been stolen (see here). This proposal has been the subject of criticism from the House of Commons Treasury Committee (see here) and it remains to be seen what the next steps will be.

We have also previously written about Philipp v Barclays Bank UK Plc [2022] EWCA Civ 318 which concerns the potential application of the Quincecare duty in the context of an APP fraud (see here). The Supreme Court recently heard oral argument in that matter and we expect judgment may be delivered in the coming months. That judgment may further clarify the scope of firms' obligations to customers who fall victim to APP fraud.

In short, we can expect more developments this year on fraud prevention and customer reimbursement.

Authors: Tom Connor and Justin Browne