The Contingent Reimbursement Model (CRM) Code, which has been instrumental in protecting customers from Authorised Push Payment (APP) fraud since 2019, will be retired on 7 October, as the Payment Systems Regulator (PSR) introduces a new framework for fraud reimbursement. Overseen by the Lending Standards Board (LSB), the CRM Code has covered more than 90% of APP fraud cases and has significantly improved reimbursement rates for victims.
Introduced to tackle APP fraud – where customers are tricked into sending payments to scammers posing as legitimate organisations – the CRM Code has achieved notable success. In 2023, 73% of APP fraud losses for customers covered by the Code were reimbursed by their Payment Service Providers (PSPs), a sharp rise from just 23% prior to the Code’s implementation. The Code’s protections have also slashed the average loss per scam, with figures falling from £4,200 in 2018 to £1,600 for covered customers in 2023.
Under the CRM Code, the growth of APP fraud has slowed dramatically. In 2019, the number of cases was rising by 45% year-on-year, but by 2023, this growth had dropped to 12%. Total losses from APP fraud also saw a notable reduction, with £460 million stolen in 2023, a 20% decrease from the peak in 2021.
The Financial Ombudsman Service (FOS) has highlighted the Code’s impact, noting that over half of the complaints it receives about APP fraud reimbursement come from customers not covered by the Code. Complaints from CRM Code signatories’ customers are more likely to be upheld.
A Milestone for Consumer Protection
Emma Lovell, Chief Executive of the LSB, praised the Code’s impact on customer protection and the financial sector’s efforts to prevent APP scams. “The CRM Code has been a milestone in improving customer protections, vastly increasing the chances of reimbursement after an APP scam,” she said. Lovell also emphasised the importance of the Code’s focus on fraud prevention and detection, which has helped stop money from reaching criminals and reduced harm to customers.
The CRM Code was supported by 10 major high street, digital, and challenger banks, and lenders. Since its launch, the LSB has monitored the implementation of the Code, conducting reviews of PSPs’ reimbursement processes and issuing warnings where necessary. In 2021, the LSB urged signatories to improve consistency in their approaches to reimbursement and the identification of vulnerable customers, resulting in increased reimbursement rates and a reduction in fraud losses.
New Regulatory Framework
From 7 October, the PSR will oversee a new statutory framework for APP fraud reimbursement. However, the new rules differ from the CRM Code, as they do not include specific requirements for fraud prevention or detection. Additionally, under the new framework, PSPs will be allowed to impose an ‘excess’ fee of up to £100 per claim and cap reimbursement at £85,000, both of which were absent from the CRM Code.
Lovell expressed concerns about the changes, stating that while reimbursement is crucial in mitigating the financial impact of fraud, it does not address the emotional distress often associated with APP scams. She urged firms to continue building on the progress made under the CRM Code, warning that without ongoing focus on fraud prevention, customer harm could rise under the new framework.
Looking Ahead
As the CRM Code comes to an end, its legacy will continue to influence the approach taken by the financial services industry. PSPs that are new to APP fraud reimbursement will be expected to learn from the lessons of the Code and build on the momentum it created. With APP fraud still a significant threat, maintaining a focus on prevention remains critical for the sector to protect consumers from further harm.
