On 28 September 2018 the authorised push payment (APP) scams steering group published its draft voluntary contingent reimbursement model (CRM). The consultation is open until 5pm on Thursday 15 November 2018 with the intention that the CRM will come into effect in early 2019. APP scams have been the subject of significant comment in the media and the consultation seeks to introduce measures that will tackle the problem and provide a measure of protection for victims by requiring banks to provide compensation.

APP scams occur when fraudsters entice or trick victims into sending them payments. This is done in a number of ways and includes deceiving the victim into thinking that they are sending funds to a legitimate business or mis-stating account details on fraudulent invoices. With the introduction of services such as Faster Payments, the scammed funds are quickly gone and almost impossible to recover.

Draft code

The CRM is underpinned by overarching provisions, which encourage firms to act to reduce APP scams and protect victims, while minimising disruption to so-called "legitimate payments". The CRM also sets general expectations for firms, by requiring them to participate in awareness campaigns, provide APP statistics and have processes and procedures in place to help with victim aftercare.

Standards

The key provisions in the CRM are the standards set for firms and the requirements to reimburse victims of APP fraud.

The standards cover three main areas: detection, prevention and response. The requirements differ according to whether the firm is acting as a "sending" or a "receiving" party in the transaction.

Detection

The CRM encourages firms to improve their transactional analytics and employee training to better identify customers and payment authorisations that run a higher risk of perpetrating or becoming the victims of APP fraud.

Prevention

The prevention standards aim to help customers protect themselves from APP scams. The CRM requires firms to take "reasonable steps" to protect their customers from APP fraud and provide them with "effective warnings" at key stages in the payment journey. The prevention standards also require firms to comply with existing customer due diligence and identification processes to prevent accounts from being opened for criminal purposes and use "reasonable steps" to detect potentially fraudulent account holders.

Response

The CRM requires firms to take reasonable steps to delay or freeze payments suspected to be fraudulent and even repatriate the funds to the payer.

Reimbursement of APP fraud victims

The presumption contained in the CRM is that when a customer has been the victim of an APP fraud, firms should reimburse the customer. There are limited exceptions to this rule and include customers ignoring "effective warnings" given by a firm, recklessly sharing access to their personal security credentials and being grossly negligent.

Complaints to the Financial Ombudsman Service (FOS)

The CRM requires firms to handle complaints and notify customers within 15 business days (35 business days if there are exceptional circumstances). Where the firm refuses to reimburse a customer, the customer may make a complaint to the FOS.

Comments on the CRM

There is no doubt that APP fraud is a huge problem. The approach adopted in the CRM, however, is likely to give rise to a number of legal and practical issues for both firms and customers.

Lack of legal certainty

  • The CRM, as currently drafted, is likely to create uncertainty which may lead to an increase in disputes between customers and their banks.
  • When assessing whether to compensate victims, firms are required to consider whether the customer's actions would have had a material effect on preventing the APP fraud taking place. Firms must also judge whether they themselves have complied with standards set out in the CRM. The evaluation of evidence and the weight to be attached is clearly going to be a difficult exercise and one open to challenge.
  • All firms are already required to comply with the customer due diligence and monitoring requirements set out in anti-money laundering legislation. Under the CRM, receiving firms are required to take further reasonable steps to (i) detect accounts being used for APP fraud and (ii) prevent accounts from being used to launder the proceeds of APP fraud. Without additional industry guidance it will be a matter of debate whether a firm has satisfied these requirements. The danger is that a zero tolerance approach will be adopted and banks will be expected to indemnify victims. 

Requirement to freeze or repatriate funds

  • Under the CRM, banks are required to protect customers whilst at the same time minimising disruption to legitimate payments. To this end the CRM states that reasonable steps should be taken to freeze funds that may be the proceeds of APP fraud and to repatriate them. This exercise may be fraught with difficulties given that the steps required to be taken could constitute a breach of contract and could give rise to a claim in damages, if the customer turns out not to be a fraudster or victim.
  • Under the Proceeds of Crime Act 2002 (POCA 2002) firms already face a requirement to freeze transactions that they suspect are linked to money laundering. In these circumstances firms can rely on the provisions of POCA 2002 to defend themselves against actions from disgruntled customers, who may have suffered losses arising from a firm's failure to carry out a transaction. It is not clear that the draft code would afford firms with any level of protection where customers have had their accounts frozen.

Lack of limitation or caps on compensation

  • The CRM, as currently drafted, does not include a time limit on the detection or reporting of fraud, nor does it cap the value of compensation. Although the scheme is not retroactive, this will, in due course, expose banks to claims relating to historic fraud and, potentially, vast compensation claims. 

Conclusion

There is clearly merit in seeking to establish processes that protect victims of APP fraud and particular assistance should be afforded to vulnerable customers. The CRM is the result of a comprehensive review of the subject and reflects a genuine desire to protect and assist victims. It remains to be seen, however, whether the CRM will achieve that objective. As currently drafted the CRM presents firms and victims with a number of practical and legal issues. The consultation process will be critical to ensure that these issues are identified and addressed and do not lead to a massive increase in disputes between banks and customers.

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.