Lending Standards Board – Written evidence (FDF0050)
The Lending Standard Board’s response to the House of Lords Committee on the Fraud Act 2006 and Digital Fraud – Call for Evidence
Should the Committee have any questions on the content of this submission, we would be happy to answer them.
Since taking on responsibility for the governance and oversight of the Code in 2019, we have undertaken a significant amount of work to ensure its implementation, application and ongoing effectiveness. This has included two themed reviews, with a follow up review on the customer’s reasonable basis for belief published in June 2021. Work is currently underway on a further review, the findings of which will be published in the Summer.
These reviews are in-depth independent reviews that allow us, through information requests, case reviews, and management meetings, to monitor firms’ adherence to the Code and to set out where improvements are required to ensure that firms are meeting the requirements of the Code. Following a review, we will issue each firm with an individual report and where necessary, a time bound action plan to address any areas of concern identified.
We have also held a public consultation on the Code, the report on which was published in January 2021. Following this consultation, we introduced new governance and oversight provisions into the Code and have updated the practitioner guide, which accompanies the Code, with examples of good practice. We published a further Call for Input in March 2021 and the outcome of this was published in November 2021. In the report, the LSB committed to further update the wording of the Code, update the customer information document to ensure it is as effective as possible in raising consumer awareness, and activate the Confirmation of Payee (CoP) provisions of the Code.[1]
The revised customer information document is now available on the our website. The LSB will also be issuing updates to the Code and activating CoP provisions in late April 2022.
The impact of the CRM Code
The introduction of the CRM Code in 2019 introduced a high industry standard and new consumer protections for customers using Faster Payments. Prior to the introduction of the CRM Code, Payment Service Providers (PSPs) provided little in the way of protections for customers who were, or were at risk of becoming, victims of APP scams. The Code therefore marked a major milestone in increasing customer protections from the harm caused by APP scams.
Since the CRM Code was introduced, the detection and prevention of APP scams has become a key priority for the major UK banks. Banks have rolled out new targeted warnings for customers, most major banks have introduced Confirmation of Payee (this will be a requirement under the CRM Code by April 2023), and CRM Code signatories have policies in place to assess cases of APP scams and to reimburse customers who have fallen victim to an APP scam through no fault of their own.
Industry figures show that between 2019, the year the CRM Code was introduced, and 2020, the proportion of APP scam losses that were reimbursed to victims rose from 25.4% to 43.2%. This meant that, despite a rise in the volume and value of scams reported, the loss to customers fell from around £340 million to around £270 million.[2]
The CRM Code has, therefore, clearly raised protection for customers and put the UK banking industry in a much stronger position to tackle APP scams. While the CRM Code has, undoubtedly, improved outcomes, the LSB is aware through our oversight work and with key stakeholders, such as the Payment Systems Regulator (PSR), Financial Ombudsman Service (FOS) and consumer organisations, that more needs to be done to protect consumers. To do this we need to ensure that firms are doing everything they reasonably can to prevent customers from falling victim to APP scams. Information on how the LSB is working to do this are set out in further detail below.
Improving the CRM Code and achieving fair customer outcomes
Updates to the CRM Code
On 28 April 2022, the LSB will publish a revised version of the CRM Code. The revisions to the Code are intended to enhance the consumer protections and clarify the requirements on firms signed up to the CRM Code. In summary, they will:
Activate the provisions of the Code that reference Confirmation of Payee. When the Code was launched in 2019, the provisions which reference Confirmation of Payee (CoP) had a holding date in place. As the Committee will be aware, in August 2019, the PSR issued Specific Direction 10 to the UK’s six largest banking groups to implement CoP within the payment journey. As the wording of the Code in relation to CoP reflects regulatory activity which sit outside of the LSB’s remit, we have been closely monitoring developments in the wider regulatory space. In October 2021, the PSR published the outcome of its consultation on CoP providing clarity on the actions it expects industry to take and an overview of how it will support the industry for wider uptake of this service. Now that CoP has moved into phase 2, meaning a broader range of firms can offer this functionality, we have taken steps to activate the relevant provisions of the Code from 28 April. Doing so will mean that all Code signatories will need to have implemented CoP into the payment journey no later than 28 April 2023.
For firms that already have CoP in place, provision R2(1)(b) will become effective along with the other changes on 28 April 2022. This will enable those firms to take account of the customer’s response to a CoP warning when assessing the circumstances surrounding the scam with a view to making a reimbursement decision.
Additional LSB work
The LSB is continuing our work to both review the CRM Code and to ensure effective compliance with the Code. This work includes:
A review of the balance of responsibilities between sending and receiving firms. We are undertaking a review of the CRM Code provisions which set out the standards that both sending and receiving firms are expected to apply, and which define how the cost of reimbursement is allocated between sending and receiving firms. As part of this, the LSB is currently undertaking work with firms to explore and test the viability of options which could help improve outcomes for customers. We are also undertaking working to understand in more detail what the current allocations of costs is between sending and receiving firms. The LSB is closely engaged with the PSR on this work.
A review of firms’ implementation of the CRM Code. We have begun reviews across all signatory firms,[4] to assess fully how the CRM Code has embedded since its launch three years ago. It will be a review of the full customer journey and encompass the elements explored through our previous reviews on ‘reasonable basis for belief’ and ‘effective warnings’ together with other requirements, such as those related to vulnerability and aftercare. The findings from this review will be published in the Summer.
Developing policy on complex areas. The nature of APP scams and the payment environment continue to evolve as scammers look to exploit new ways of targeting victims. This includes, for instance, scammers looking to make use of accounts provided by firms not signed up to the Code with weaker protections, scammers making use of crypto asset services or international payments, and scammers trying to avoid firms’ prevention measures by involving the families and friends of victims in sophisticated scams. The LSB is continuing to explore how the Code can take account of newer types of APP scams such as those involving friends and family and those that involve Open Banking; and we are considering whether we can provide further guidance to firms on how the Code applies in more complex cases, such as those relating to Ponzi schemes or crypto assets.
The LSB recognises that Open Banking has its own Standards and rules in place. The LSB continues to engage with a variety of stakeholders, including the Open Banking Implementation Entity, to explore how the protections of the CRM Code can best apply to payment journeys involving Open Banking. This includes consideration of whether Payment Initiation Service Providers (PISPs) should become CRM Code signatories and consideration of how fraud prevention measures can be included in such payment journeys in an appropriate and risk based way.
The LSB believes that it is important for customers to have consistent levels of protection, irrespective of the firm the customer banks, borrows, or makes payments with. While we continue to engage with interested firms, ensuring a wider industry approach to tackling APP scams also requires input and support from wider stakeholders. We continue to engage with stakeholders such as the PSR and UK Finance on the role they can play in supporting our work to increase adoption of the Code.
Future regulatory and industry developments
The work of the Payment Systems Regulator
The LSB recognises that the PSR, with the support of HM Treasury, is continuing to explore options for mandatory requirements on reimbursement, following its latest consultation on APP scams. We are actively engaged with the regulator to ensure our expertise in the area will feed into any future policy development.[5]
We are supportive of regulatory developments which will seek to ensure a consistent approach and higher standards across PSPs when it comes to tackling APP scams. We are broadly supportive of the direction the PSR is taking to improve customer outcomes. We are, for instance, supportive of the proposals set out in the latest PSR consultation, under measures 1 and 2, to ensure that there is greater transparency around APP scams through the requirement on the 12 largest PSPs to publish comparative data on their performance in relation to APP scam levels and to work to improve intelligence sharing between PSPs to improve scam prevention.
With regard to the PSR’s consideration of options for mandatory reimbursement or a requirement for PSPs to be signatories to a PSR-approved Code, the LSB will support the regulator to ensure the best outcome for customers irrespective of the policy direction the PSR chooses.
The prevention of APP scams is the key priority for the Code and the industry alike. While reimbursement is one element of it (and we are supportive of measures which seek to drive greater consistency in the approach to reimbursement), the Code also contains important consumer protections on the detection and prevention of APP scams. The most effective form of consumer protection is for scams to be prevented from occurring in the first place.
Future industry developments
Policy recommendation
The Code is the only form of consumer protection in place, and steps should be taken to ensure that the responsibility for prevention of APP scams extends beyond financial services to bring a wider range of stakeholders into play. Early intervention provides greater opportunities to protect customers from the distress caused by scams by reducing their occurrence. However, this cannot be a fight for the financial services industry alone and we believe there is a need for urgent collaboration between utilities companies, social media platforms and telecoms companies, for example, alongside the financial services to make a public commitment that they too, will be held accountable when scams slip through the net. A more joined up approach would allow for greater analysis to identify where the ‘danger spots’ lie within the customer journey and each organisation to take responsibility for intervention at the right point and actively contribute to the solution.
22 April 2022
[1] The Confirmation of Payee (CoP) service is managed by Pay.UK which has developed the rules, standards and guidance that enables the service to run. It is a way of giving customers greater assurance that they are sending their payments to the intended recipient and can help avoid payments being accidentally misdirected.
[2] Fraud The Facts 2021, UK Finance
[3] These provisions of the CRM Code set out how, following the assessment of customer’s case, the cost of reimbursement should be allocated across sending and receiving firms.
[4] This review excluded Virgin Money UK as it has recently completed the full onboarding process.
[5] CP12/10 – Authorise Push Payment Scams consultation paper, PSR.