Today marks the two year anniversary of the Contingent Reimbursement Model (CRM) Code. Here’s how it’s worked in practice, plus a round-up of FAQs.
The Contingent Reimbursement Model (CRM) Code sets out how banks should approach prevention of scam payments and reimbursement of victims. At the time, the Code was a landmark piece of work – a document written by consumer groups and industry to address some of the key concerns that we had raised in our super complaint in 2016.
It spelled out for the first time in one place how victims should be treated and when and why they should be reimbursed by their bank.
Some things have improved since the Code was introduced. Average reimbursement rates have risen from around 20% pre-Code to around 45% and banks have invested more heavily in warnings on their apps and online banking systems.
Some have introduced (either voluntarily or after being directed by the regulator) systems such as Confirmation of Payee to help people spot when they may be making a payment to the wrong account. We have welcomed such improvements and pushed banks who are lagging behind to start taking similar action.
In other areas, however, things have been less rosy. As we and others like the Financial Ombudsman Service have noted on multiple occasions, the voluntary nature of the Code and the lack of proper oversight by the regulator has resulted in a haphazard and inconsistent implementation by signatories.
Reimbursement rates, though higher than they were two years ago, are not as high as the regulator expects they should be and vary wildly between firms – with some reimbursing over 50% of victims, and others reimbursing fewer than 10%.
This data is still anonymous, too, meaning that customers have no idea how their bank approaches reimbursement of victims. Other data, such as the level of bank transfer scams by bank, is not published at all.
£700k lost every day to scammers
Today we have published research showing that, on average, an astonishing £700k was lost every day to scammers between the introduction of the Code and the end of 2020.
That’s the equivalent of around £491 – or the cost of a new iPhone XR – every minute. It is clear that both prevention of APP fraud, and reimbursement of those who’ve been deceived by sophisticated fraudsters, must improve.
We will continue to push for the voluntary Code to be replaced by a mandatory set of protections, and we are pushing the regulator to ensure it comes out strongly in favour of this in its upcoming consultation.
In the meantime, we have been busy pressuring the banks to be transparent about their reimbursement rates – and next week we will be publishing which banks have committed to publishing data and which have refused.
Scams campaign FAQs
As this is an anniversary piece for Which? Conversation, I thought I’d take the opportunity not only to update you on the campaign, but also to reply to some of the many comments and questions you have asked about scams over the years.
Q: Why should my money be used to reimburse people who have fallen victim to these scams?
Much like taxes, the money your bank earns in interest, overdraft fees, and other charges are used to fund a wide range of services.
Although the amount of money reimbursed in 2020 across all banks under the Code – £147m – is a sizeable amount, it represents a drop in the ocean compared to the money earned by banks each year. While the costs borne by banks may be passed onto consumers, we think that the burden of scams should be shouldered more broadly rather than falling entirely on victims.
Q: Shouldn’t people take responsibility for falling for these scams?
It can be difficult to appreciate how sophisticated and realistic these scams can be when you haven’t been a victim yourself. Some are carbon copies of legitimate investment websites; others intercept legitimate email or text exchanged with banks, solicitors, builders and others; others present themselves as legitimate marketplaces or online sellers when in reality they are selling nothing but a scam.
Many of us see scams every day, and it’s easy to dismiss people who fall victim to them as foolish or stupid. However, the ones we spot as scams are often the ones which are obviously a scam – they are littered with spelling mistakes or have an obviously fake email address, for example. But by and large these are not the ones that many victims actually fall for.
Other payment schemes have rules that protect consumers against fraudulent payments, including mechanisms for payments to be challenged and reversed. Faster payments – the system that bank transfer scams take place on – does not have such protections. The CRM Code aims to help plug this gap, but it remains voluntary.
There are certain circumstances where people have been ‘grossly negligent’ and in these circumstances we have always said that they should not necessarily be reimbursed.
Q: Won’t reimbursing people who have been scammed inevitably make them more careless in their transactions, knowing that if they lose money the rest of us will ‘see them right’?
We haven’t seen any evidence of this. Nobody wants to be a victim of a scam – not only because of the potential financial losses, but also the emotional impact. The CRM Code does not guarantee reimbursement (and we have never argued for 100% reimbursement), and so there remains strong incentives for consumers to avoid financial loss.
Indeed, it is possible that the opposite is true – people who fall victim to a scam are likely to have a heightened awareness of when they may possibly be being scammed again in the future.
TSB has said that even where it reimburses more than 99% of victims, it has not seen issues with customer behaviour – and in fact they believe it has helped lead to more open conversations with victims.
Q: Why should banks be held responsible for their customer’s actions? Haven’t they just carried out their instructions?
Banks have a responsibility to take action to prevent scam payments. After all, fraudsters use bank accounts and the payment systems that banks offer in order to commit bank transfer fraud.
Banks hold a lot of knowledge – about the prevalence of certain scams, the way scammers operate, and how their customers make payments. We believe it is reasonable, therefore, that banks assume responsibility rather than all of the responsibility being placed on the individual.
If you have any further questions for me please do let me know in the comments – I’ll do my best to get back to as many as I can.