Lending Standards Board – Written evidence (FDF0050)

 

The Lending Standards Board’s response to the House of Lords Committee on the Fraud Act 2006 and Digital Fraud – Call for Evidence

About the LSB

The Lending Standards Board (LSB) is the primary self-regulatory body for the banking and lending industry, driving fair customer outcomes within financial services through independent oversight.

Our registered firms comprise the major UK banks and lenders, credit card providers, debt collection agencies and debt purchase firms. While the decision to become a registered firm and sign up to all, or some, of the Standards and Codes that the LSB oversees is voluntary, once onboard, firms’ adherence to the requirements of the Standards and Codes is mandatory.

Adherence to our Standards of Lending Practice and the other codes of practice which sit within our remit is a clear indication that a registered firm is committed to best practice in the treatment of its personal and business customers.

We are responding to the consultation in our capacity as the organisation responsible for the governance and oversight of the Contingent Reimbursement Model Code for Authorised Push Payment Scams (the CRM Code). Our role is to: monitor signatory firms’ implementation and ongoing adherence to the requirements of the Code; ensure its effectiveness; and maintain and refine it, as required.

Our response below is primarily in response to the Committee’s questions on best practice and, in particular, the question of what lessons can be learned from effective policy interventions and schemes both in the UK and overseas (Question 14) and a policy recommendation the Committee should make to the Government (Question 15). We were also asked to address a number of specific points by the Committee; these have been incorporated into the body of our response below.

Reflecting the LSB’s role as the primary self-regulatory body for the banking and lending industry, our response is focused on our experiences of overseeing the CRM Code and the work undertaken by signatory firms to the Code to prevent, detect and respond to the harm caused to customers by authorised push payment (APP) scams.

The response aims to provide an oversight of:

Should the Committee have any questions on the content of this submission, we would be happy to answer them.

The Contingent Reimbursement Model Code for Authorised Push Payment Scams

The CRM Code was launched on 28 May 2019. It sets out good industry practice for preventing and responding to APP scams. The Code requires that signatory firms put in place measures to detect and prevent APP scams and to reimburse customers where they have fallen victim to an APP scam through no fault of their own. The Code provides protections against APP scams for a significant proportion of UK consumers, with signatory firms accounting for around 90% of bank transfers.

There are currently 10 firms signed up to the CRM Code, which covers 21 UK banking brands. These are:

Since taking on responsibility for the governance and oversight of the Code in 2019, we have undertaken a significant amount of work to ensure its implementation, application and ongoing effectiveness. This has included two themed reviews, with a follow up review on the customer’s reasonable basis for belief published in June 2021. Work is currently underway on a further review, the findings of which will be published in the Summer.

These reviews are in-depth independent reviews that allow us, through information requests, case reviews, and management meetings, to monitor firms’ adherence to the Code and to set out where improvements are required to ensure that firms are meeting the requirements of the Code. Following a review, we will issue each firm with an individual report and, where necessary, a time-bound action plan to address any areas of concern identified.

We have also held a public consultation on the Code, the report on which was published in January 2021. Following this consultation, we introduced new governance and oversight provisions into the Code and have updated the practitioner guide, which accompanies the Code, with examples of good practice. We published a further Call for Input in March 2021 and the outcome of this was published in November 2021. In the report, the LSB committed to further update the wording of the Code, update the customer information document to ensure it is as effective as possible in raising consumer awareness, and activate the Confirmation of Payee (CoP) provisions of the Code.[1]

The revised customer information document is now available on our website. The LSB will also be issuing updates to the Code and activating CoP provisions in late April 2022.

The impact of the CRM Code

The introduction of the CRM Code in 2019 introduced a high industry standard and new consumer protections for customers using Faster Payments. Prior to the introduction of the CRM Code, Payment Service Providers (PSPs) provided little in the way of protections for customers who were, or were at risk of becoming, victims of APP scams. The Code therefore marked a major milestone in increasing customer protections from the harm caused by APP scams.

Since the CRM Code was introduced, the detection and prevention of APP scams has become a key priority for the major UK banks. Banks have rolled out new targeted warnings for customers, most major banks have introduced Confirmation of Payee (this will be a requirement under the CRM Code by April 2023), and CRM Code signatories have policies in place to assess cases of APP scams and to reimburse customers who have fallen victim to an APP scam through no fault of their own.

Industry figures show that between 2019, the year the CRM Code was introduced, and 2020, the proportion of APP scam losses that were reimbursed to victims rose from 25.4% to 43.2%. This meant that, despite a rise in the volume and value of scams reported, the loss to customers fell from around £340 million to around £270 million.[2]

The CRM Code has, therefore, clearly raised protection for customers and put the UK banking industry in a much stronger position to tackle APP scams. While the CRM Code has, undoubtedly, improved outcomes, the LSB is aware through our oversight work and with key stakeholders, such as the Payment Systems Regulator (PSR), Financial Ombudsman Service (FOS) and consumer organisations, that more needs to be done to protect consumers. To do this we need to ensure that firms are doing everything they reasonably can to prevent customers from falling victim to APP scams. Information on how the LSB is working to do this is set out in further detail below.

Improving the CRM Code and achieving fair customer outcomes

As set out above, the LSB is constantly working to improve the CRM Code and its application by firms. The LSB took on governance of the CRM Code shortly after it launched in 2019 and the processes of ensuring its effective implementation by firms and taking steps to develop and improve the Code have taken place in tandem.

On completing our first full review of the CRM Code in January 2021, the LSB identified the following as priority areas for further work:

         ensuring the Code fully reflects the evolving nature and complexity of APP scams;

         ensuring greater participation and that the Code can support a wider range of participants within the payments industry; and

         making sure the Code fairly reflects the roles and responsibilities of receiving firms.

 

In November 2021, following a further compliance review, a Call for Input, and the introduction of stronger governance requirements into the CRM Code, we committed to introduce further amendments and to begin work to address the more complex issues, such as taking account of Open Banking payments, crypto assets, and more complex payment journeys where these were being employed by scammers to circumvent firms’ fraud detection measures. A summary of the work the LSB is currently undertaking is included below.

 

Updates to the CRM Code

On 28 April 2022, the LSB will publish a revised version of the CRM Code. The revisions to the Code are intended to enhance the consumer protections and clarify the requirements on firms signed up to the CRM Code. In summary, they will:

Activate the provisions of the Code that reference Confirmation of Payee. When the Code was launched in 2019, the provisions which reference Confirmation of Payee (CoP) had a holding date in place. As the Committee will be aware, in August 2019, the PSR issued Specific Direction 10 to the UK’s six largest banking groups to implement CoP within the payment journey. As the wording of the Code in relation to CoP reflects regulatory activity which sits outside of the LSB’s remit, we have been closely monitoring developments in the wider regulatory space. In October 2021, the PSR published the outcome of its consultation on CoP, providing clarity on the actions it expects industry to take and an overview of how it will support the industry for wider uptake of this service. Now that CoP has moved into phase 2, meaning a broader range of firms can offer this functionality, we have taken steps to activate the relevant provisions of the Code from 28 April. Doing so will mean that all Code signatories will need to have implemented CoP into the payment journey no later than 28 April 2023.

For firms that already have CoP in place, provision R2(1)(b) will become effective along with the other changes on 28 April 2022. This will enable those firms to take account of the customer’s response to a CoP warning when assessing the circumstances surrounding the scam with a view to making a reimbursement decision.

Remove references to ‘requisite level of care’. This wording was referenced in the allocation provisions of the Code and had caused confusion as it seemed to imply the Code set out expectations for how a customer should act when making a payment.[3] The Code does not bind customers, and therefore the existing wording implied the application of a standard of care test which is not what the Code requires. It provides a framework by which signatory firms must assess all cases within the scope of the Code and sets out requirements such that firms should reimburse customers who had fallen victim to an APP scam, unless the firm chooses to rely on one of the grounds set out in the Code to decline reimbursement.

Address APP scam cases subject to an investigation by a statutory body. One complex area for firms and customers is how firms should respond to exceptional cases that might be under investigation by regulators or the police. Recognising the complexity of such cases and the potential impact of any regulatory or police investigations, in circumstances where the outcome of an investigation might reasonably inform the assessment of the customer’s case, new wording has been added so that firms may wait for the outcome of the investigation before reaching a reimbursement decision. Firms must ensure that the customer is provided with a clear explanation as to why their case cannot be assessed within the timeline set out in the Code, and that the case is ringfenced to ensure that once the investigation has been completed, the assessment by the firm can be resumed. We expect firms to keep customers regularly updated on the progress of their claim and, where known, at what point the firm anticipates being able to make a decision on the customer’s case.

Improve how firms communicate the outcome of the assessment process to customers. One area for improvement the LSB noted following previous review work was the communication of information to customers. To reinforce our expectations in this area, we are making clear that firms should, as part of their communication with the customer following the assessment of their case, set out the reason for a reimbursement decision. Where the customer will receive no, or partial, reimbursement, it is essential that customers are provided with a clear explanation of how the decision was reached and informed of the information used to support the decision.

Take account of smaller or non-bank business models. The current signatories to the Code comprise the major UK banks which cover a significant proportion of Faster Payments. Voluntary codes are most effective when they are independently overseen and we continue our work to increase participation in the Code to ensure that its protections extend to a wider range of customers. We have recently onboarded Virgin Money to the Code and continue to actively engage with PSPs with a view to increasing the number of signatory firms. We have also made amendments to the Code to take account of the fact that not all PSPs’ business models are the same. Changes have therefore been made to the language related to data and reporting processes under the Code to reflect that a wider range of PSPs, including Building Societies, can apply the Code in a manner that is appropriate for their business models.

 

Additional LSB work

The LSB is continuing our work to both review the CRM Code and to ensure effective compliance with the Code. This work includes:

A review of the balance of responsibilities between sending and receiving firms. We are undertaking a review of the CRM Code provisions which set out the standards that both sending and receiving firms are expected to apply, and which define how the cost of reimbursement is allocated between sending and receiving firms. As part of this, the LSB is currently undertaking work with firms to explore and test the viability of options which could help improve outcomes for customers. We are also undertaking work to understand in more detail what the current allocation of costs is between sending and receiving firms. The LSB is closely engaged with the PSR on this work.

A review of firms’ implementation of the CRM Code. We have begun reviews across all signatory firms,[4] to assess fully how the CRM Code has embedded since its launch three years ago. It will be a review of the full customer journey and encompass the elements explored through our previous reviews on ‘reasonable basis for belief’ and ‘effective warnings’ together with other requirements, such as those related to vulnerability and aftercare. The findings from this review will be published in the Summer.

Developing policy on complex areas. The nature of APP scams and the payment environment continue to evolve as scammers look to exploit new ways of targeting victims. This includes, for instance, scammers looking to make use of accounts provided by firms not signed up to the Code with weaker protections, scammers making use of crypto asset services or international payments, and scammers trying to avoid firms’ prevention measures by involving the families and friends of victims in sophisticated scams. The LSB is continuing to explore how the Code can take account of newer types of APP scams such as those involving friends and family and those that involve Open Banking; and we are considering whether we can provide further guidance to firms on how the Code applies in more complex cases, such as those relating to Ponzi schemes or crypto assets.

The LSB recognises that Open Banking has its own Standards and rules in place. The LSB continues to engage with a variety of stakeholders, including the Open Banking Implementation Entity, to explore how the protections of the CRM Code can best apply to payment journeys involving Open Banking. This includes consideration of whether Payment Initiation Service Providers (PISPs) should become CRM Code signatories and consideration of how fraud prevention measures can be included in such payment journeys in an appropriate and risk based way.

The LSB believes that it is important for customers to have consistent levels of protection, irrespective of the firm the customer banks, borrows, or makes payments with. While we continue to engage with interested firms, ensuring a wider industry approach to tackling APP scams also requires input and support from wider stakeholders. We continue to engage with stakeholders such as the PSR and UK Finance on the role they can play in supporting our work to increase adoption of the Code.

Future regulatory and industry developments

The work of the Payment Systems Regulator

The LSB recognises that the PSR, with the support of HM Treasury, is continuing to explore options for mandatory requirements on reimbursement, following its latest consultation on APP scams. We are actively engaged with the regulator to ensure our expertise in the area will feed into any future policy development.[5]

We are supportive of regulatory developments which will seek to ensure a consistent approach and higher standards across PSPs when it comes to tackling APP scams. We are broadly supportive of the direction the PSR is taking to improve customer outcomes. We are, for instance, supportive of the proposals set out in the latest PSR consultation, under measures 1 and 2, to ensure that there is greater transparency around APP scams through the requirement on the 12 largest PSPs to publish comparative data on their performance in relation to APP scam levels and to work to improve intelligence sharing between PSPs to improve scam prevention.

With regard to the PSR’s consideration of options for mandatory reimbursement or a requirement for PSPs to be signatories to a PSR-approved Code, the LSB will support the regulator to ensure the best outcome for customers irrespective of the policy direction the PSR chooses.

The prevention of APP scams is the key priority for the Code and the industry alike. While reimbursement is one element of it (and we are supportive of measures which seek to drive greater consistency in the approach to reimbursement), the Code also contains important consumer protections on the detection and prevention of APP scams. The most effective form of consumer protection is for scams to be prevented from occurring in the first place.

We believe that prevention and reimbursement are complementary dimensions of consumer protection. It is therefore important to retain focus on reducing the occurrence of APP scams, as well as on reimbursing and supporting customers who fall victim to them when they do occur. If the PSR opts for some form of mandatory reimbursement, set out under option 3A of its consultation on APP scams, the LSB would want to understand what commitments would or could remain in place to ensure there is an appropriate focus by firms on preventing APP scams from happening in the first place. In addition, we would want to understand how protections would apply to ‘on us’ transactions and CHAPS payments.

If the PSR opts for a requirement for PSPs to sign up to a PSR-approved code, as set out in option 3B of its consultation, the LSB would look to work closely with the regulator to ensure that the CRM Code could be developed in such a way as to meet the criteria for PSR approval.

While the PSR’s work is ongoing, the LSB will continue with its current work, as elaborated above, to ensure that the CRM Code is as effective as possible in achieving its objectives of reducing the occurrence of APP scams and increasing the proportion of customers protected from the impact of APP scams, through reimbursement and the reduction of scams.

Future industry developments

We recognise that technological changes such as the implementation of Open Banking and Open Finance, the increased popularity of crypto assets as a means of exchange, and the increased ease with which money can be transferred out of the UK, mean that the nature of scams will continue to change. Similarly, we recognise that those involved in the fight against scams and fraud must include a wide range of stakeholders across all industries and all countries.

The scope of the CRM Code is such that it only applies to UK GBP denominated accounts and only PSPs can become signatories. The LSB will continue to work with all interested stakeholders to improve protections for customers across the financial services sector. However, there is a regulatory gap in relation to cryptocurrency, which is an issue that is broader than the LSB’s remit. While we have no immediate plans to extend the scope of the CRM Code, for instance to capture crypto asset service providers, we are continuing to monitor the wider payment environment and will continue to work closely with the PSR and the industry to ensure we can work in tandem to improve outcomes for customers.

Policy recommendation

The LSB believes that we all have a role to play in scam prevention and while this remains at the top of the agenda for the financial services sector, scams do not occur at the point of payment. We believe that it is vital that those organisations that have the opportunity to contribute to intervention, and to scam prevention, take responsibility to help stop scams earlier in the journey.

The Code is the only form of consumer protection in place, and steps should be taken to ensure that the responsibility for prevention of APP scams extends beyond financial services to bring a wider range of stakeholders into play. Early intervention provides greater opportunities to protect customers from the distress caused by scams by reducing their occurrence. However, this cannot be a fight for the financial services industry alone and we believe there is a need for urgent collaboration between utilities companies, social media platforms and telecoms companies, for example, alongside the financial services to make a public commitment that they too will be held accountable when scams slip through the net. A more joined-up approach would allow for greater analysis to identify where the ‘danger spots’ lie within the customer journey and for each organisation to take responsibility for intervention at the right point and actively contribute to the solution.

 

22 April 2022


[1] The Confirmation of Payee (CoP) service is managed by Pay.UK, which has developed the rules, standards and guidance that enable the service to run. It is a way of giving customers greater assurance that they are sending their payments to the intended recipient and can help avoid payments being accidentally misdirected.

 

[2] Fraud The Facts 2021, UK Finance

[3] These provisions of the CRM Code set out how, following the assessment of a customer’s case, the cost of reimbursement should be allocated across sending and receiving firms.

[4] This review excluded Virgin Money UK as it has recently completed the full onboarding process.

[5] CP12/10 – Authorised Push Payment Scams consultation paper, PSR.