With Barclays Bank recently publishing the figures of refunds it made to customers who fell victim to authorised push payment (APP) fraud, there have been calls for greater transparency and reform to the current (voluntary) reimbursement code.

Authorised Push Payment (APP) Fraud

APP refers to situations where consumers have used a bank transfer to pay for goods or services that are fake/don’t exist and the money is stolen by fraudsters.

The Contingent Reimbursement Model (CRM)

Where money has been stolen in this way by fraudsters, banks can choose to use a voluntary code, introduced in May 2019, called the Contingent Reimbursement Model (CRM).  This code sets out how and by whom consumers who have suffered APP fraud losses are re-imbursed.  Banks that sign up to the code are often the ones to re-imburse victims where the conditions of the code are met.


There are, however, several issues relating to this code and the reimbursement to APP fraud victims that organisations such as consumer champion ‘Which?’ have been pushing to change.  For example:

– An apparent gap in fraud protection and redress for fraud via authorised push payments compared to other forms of payment such as debit and credit cards.

– A lack of transparency by banks and building societies about their reimbursement rates relating to APP fraud. There has been criticism that figures are not being published and/or are not being published on a regular basis.

– A feeling among banks (as outlined recently in a blog post by Starling) that other organisations used by criminals as part of their frauds (e.g. social media companies and telecoms networks) should be taking some responsibility and co-operating with banks to prevent fraud.  For example, social media may be used to advertise the fraud and also to find those who are willing to launder money (money mules) and to buy stolen identity and card data.

The Reality

One way to get a realistic view of what is happening as regards the behaviour towards consumers who are victims of fraud could be to look at the figures by the Lending Standards Board which oversees the CRM code. Their figures show that in the first year of the code’s introduction, banks ruled that 77 per cent of fraud victims were partially or fully to blame for their losses and that customers were fully at fault in 60 per cent of cases.

Which? Wades In

Consumer champion ‘Which?’ has also published concerns online about how banks and building societies have been behaving as regards re-imbursement (or not) and has published its view of the issues that it hopes will “help inform the Lending Standards Board’s one-year review of the CRM Code”.  According to ‘Which?’ these issues are:

– An over-reliance (by the banks) on victims having ignored warnings.

– Unreasonable expectations of how victims should have verified who they were paying.

– A failure to properly assess vulnerability.

– Poor communications (by banks) with victims.

‘Which?’ has called for urgent action to ensure that businesses adhere to the Code (CRM) and has called upon all those organisations signing up to the Code to test warnings to see if they are ‘effective’, make judgements based on what is reasonable on evidence of actual customer behaviour and to train staff in how to identify customers who could be vulnerable to APP fraud. Which? has also called for code signatories to properly explain specific reasons for reimbursement decisions to victims and has called on the Payment Systems Regulator to look at whether or not the voluntary industry code is effective in its current form.

Barclays The First To Publish Details

Barclays Bank recently became the first CRM code signatory to publish its APP fraud reimbursement rates online. According to Barclays, 74 per cent of its customers who suffered APP fraud losses in the first two months of 2021 have now been repaid. This appears to be a reversal of the trend identified by the Lending Standards Board.

Looking Ahead

We all make decisions about what offers seem legitimate to us and who/what to pay money to, however, not every Web user is as experienced or informed with regards to cybercrime, and many web users could also, for many reasons, be described as more vulnerable to fraud. Fraudsters are also becoming more sophisticated and creative in their methods which could, arguably make more consumers more vulnerable to APP fraud.

The banks and building societies have argued, perhaps with some legitimacy, that some responsibility for preventing push payment fraud may lie with other organisations in the chain (e.g. social media companies). However, it appears that, based on Lending Standards Board figures, the apparent lack of transparency in banks and building societies publishing figures about how many customers have been reimbursed for the APP losses may be due to the fact that most consumers have not been re-imbursed and often appear to be blamed for falling victim to fraud.

Looking ahead, it may be necessary, as suggested by ‘Which?’ and recommended by the Finance and the Treasury Select Committee, for the current voluntary CRM code to become mandatory with the hope that regulatory oversight could bring better reimbursement outcomes for consumers and greater transparency from banks and building societies. It may also be helpful for more of a collaborative approach to be taken among all links in the chain used by fraudsters to tackle the problem.