What’s in a name? The issue with the CRM Code

2nd August 2022

Bestowing a name on something is one of the most challenging – and perhaps seemingly frivolous – stages of any project: whether that’s naming a new business or yes, creating a set of standards for the financial services sector.

When the Contingent Reimbursement Model Code (the CRM Code) for Authorised Push Payment (APP) scams was introduced and named by the industry in 2019, it was natural that there would be a certain focus on customers’ most immediate concern: whether they would be able to recoup their money in the event they were the victim of an authorised push payment (APP) scam.

The Code and its reimbursement rules marked a major milestone for signatory firms’ customers, a first-of-its-kind safety net should they fall victim to a scam.

A growing number of people are, sadly, becoming victims of APP scams – which occur when someone is deceived into authorising a payment they believe is to a genuine recipient. Scammers’ methods are becoming increasingly sophisticated, as they capitalise on the growing volume of payments being sent and received online.

This means reimbursement should remain a key part of the regulatory narrative. Reimbursement is also understandably high on the Government’s agenda, after new legislation on reimbursement was announced in this year’s Queen’s Speech.

However just as REM (Rapid Eye Movement) sleep is not only about rapid eye movement, but several other factors like intense dreaming and temporary paralysis, the CRM Code, governed by the LSB, is not just about reimbursement.

Evidence shows scams impact victims’ mental health, leaving long-lasting feelings of guilt and shame. Reimbursement cannot reverse this damage; nor does it reverse the fact that the proceeds of scams often fund organised and other serious crime. This means if we rely solely on reimbursement as the cure for APP scams, we are diverting focus from preventing harm and stopping scams in their tracks – by far the desirable outcome.

And so, beyond the commitment of CRM Code signatories to reimburse victims where they were not to blame for the success of a scam, are two vital but oft-overlooked objectives: detection and prevention. The only way to achieve positive outcomes for customers is to spread our collective efforts across all three of the Code’s aims.

Financial services firms that are eligible to sign up to the CRM Code must work towards this as a matter of urgency – to increase collaboration, improve current data analysis and ensure a wider spread of customers are offered protection. Information can and should be shared on why some scams proceed and others are abandoned. Working together could also lead to the creation of a campaign to highlight scams and empower customers to protect themselves.

Although the fight against APP scams has some way to go, the progress made by Code signatories stands them in good stead should the Code become mandatory. Those not signed up simply cannot offer the same level of protection to their customers. The more signatories we have, the more effectively we can ensure industry best practice, and the more customers we can protect.

But the responsibility to prevent scams cannot solely lie with banks and lenders. Often by the point of payment it is too late – social engineering has convinced the customer that the payment is legitimate. Other sectors involved in the scam journey – including utilities, telecommunications, and social media – must step up to the plate, identify how they can intervene and act on this at once.

Only by all sectors playing their part can we truly win the fight against APP scams.

 Emma Lovell, Chief Executive at the Lending Standards Board (LSB)