Does the Contingent Reimbursement Model Stop Push Payment Scams?
Regarding fraud, financial institutions generally prefer self-regulatory initiatives for managing and mitigating losses. This is common to most businesses; self-regulation is preferable to outside oversight.
The Contingent Reimbursement Model is a recent example of this phenomenon in the UK. But, does it actually deliver? Let’s find out.
Recommended reading
- Issuer vs Acquirer: What’s the Difference?
- Merchant Identification Number: How to Find Your Merchant ID
- My Bank Account is Under Investigation? What’s Going On?!
- VAR Sheets: Get All Your Documents Ready in 4 Basic Steps
- Internet Processing: Understanding the eCommerce Process
- Is AI the Key to Improved Services for Younger Generations?
Push vs. Pull Pyments
The Contingent Reimbursement Model seeks to correct issues that arise during the push payment process. So, before going any further, it's important to touch on the differences between “push” and “pull” payments.
The phrase “push payment” differentiates a buyer-initiated payment from a supplier-initiated one. The two payment methods differ in the following ways:
“Pull” Payments
Merchant requests payment from the buyer.
Buyer authorizes payment, and the merchant submits payment for clearing.
Issuer releases funds to cover the authorized amount.
Merchant acquirer receives funds.
“Push” Payments
Merchant provides a request for payment to the buyer.
Buyer initiates payment to the merchant.
Buyer authorizes payment, submitting directly for clearing.
Merchant acquirer receives funds.
Of course, fraudsters are resourceful, and quickly developed new tactics to take advantage of push payments. In the last five years, we've seen a surge in cases of push payment fraud, with scammers using push payments to cheat users out of their funds. The CRM was developed in response to this.
What is the Contingent Reimbursement Model?
- Contingent Reimbursement Model
The Contingent Reimbursement Model (CRM) is a UK payments initiative intended to reimburse victims of authorized push payment fraud. In essence, the CRM is a reserve of cash that signatories to the Code agree to fund. The reserve can then be used to reimburse victims of APP fraud attacks.
[noun]/* kən • tin • jənt • rē • im • bərs • ment • mä • dl/
The consumer protections enshrined under the code took effect in the UK on May 28, 2019. Many signatories introduced their unique long-term funding mechanisms for the CRM fund on January 1, 2020. It features three overarching objectives:
- Reduce occurrences of authorized push payment fraud.
- Protect customers from APP fraud by enabling reimbursement of fraud victims.
- Minimize disruption of legitimate payments.
Despite these claims, many customers have felt the CRM initiative falls short of its promises. We’ll get into more detail on this below. For now, though, let’s take a closer look at the pros—and the cons—of push payment adoption, and see why the CRM was necessary in the first place.
Pros & Cons of Push Payments
A key advantage to the authorized push payment method is that the buyer doesn’t reveal any sensitive information to the merchant. Instead, the merchant receives the funds from the transaction without ever handling the cardholder’s information. There are several advantages to this:
No new technology is free of risk. As payments evolve, fraudsters will find new ways to abuse the process.
That all sounds great…right? Well, of course, the authorized push payment concept isn’t without flaws. Authorized push payment fraud (or simply “APP” fraud) is a fast-growing new threat source designed to manipulate this payment method.
Over the past decade, there has been rapid growth in APP fraud. Fraudsters are using social engineering techniques to trick people or representatives of businesses into sending money from their bank accounts to a fraudster. This is causing billions of dollars in potential liabilities.
Learn more about APP FraudWhat Does the CRM Code Cover?
Prior to 2020, deciding liability for APP scams was generally left to the banks. This meant that a bank could approve or deny reimbursement for fraud on a whim. As you might imagine, without a regulating framework to govern that process, many consumers were left holding the bill for fraud that was already beyond their control.
Due to consumer and regulatory pressure, banks supplied a faster payment method but failed to increase protections for those payments. The Contingent Reimbursement Model was instituted to rectify a general loss of security resulting from these real-time payments.
This voluntary code provides consumers with a reimbursement mechanism when they’re victimized by APP fraud. If a customer is tricked into authorizing a payment to an account they believe belongs to a legitimate payee, but which is actually a fraudster, the CRM allows for that cardholder to be reimbursed.
The CRM is not simply a pit of free money for anyone claiming to be a victim of fraud, though. It also gives banks the means to reject reimbursement if there is evidence of collusion or first-party fraud.
Recent CRM Code Updates
Initial response to the Contingent Reimbursement Model was mixed. In response, the financial institutions have committed to several updates intended to allay public concern about any conflicting interests.
On 28 April 2022, the UK Lending Standards Board published a revised version of the CRM code. The revisions to the code are intended to enhance the consumer protections and clarify the requirements for firms signed up to the CRM. These include:
#1 | Activation of Payee Provisions
When the Contingent Reimbursement Model was launched in 2019, the provisions which reference Confirmation of Payee (CoP) had a holding date in place.
In October 2021, the Payment Systems Regulator published the outcome of its consultation on CoP. They provided clarity on the actions they expected the industry to take and an overview of how they would support the industry for wider uptake of this service. Now that the CoP has moved into phase 2, the relevant provisions of the Code will be activated by April 2023. Code signatories must implement CoP into the payment journey no later than April 28, 2023.
#2 | Removal of “Requisite Level of Care”
This terminology caused a lot of confusion between banks and consumers, as it seemed to affect how consumers should behave during a payment. The CRM code is not binding for customers, thus the term ‘requisite level of care’ is to be removed in April 2023.
It should be noted that the CRM represents a framework through which signatory firms are required to reimburse consumers who APP scams have victimized. If reimbursement is to be declined, signatory bodies must adhere to the requirements laid out in the CRM code.
#3 | Address APP Fraud Investigations
The way in which firms should respond in the event of criminal fraud cases under investigation by banks and law enforcement bodies had also been a gray area in the CRM code. Now, in the event of unfavorable discoveries pending investigation, new language has been added to give the banks time to await the outcome before reimbursement is rendered.
This ensures that consumers are provided with a written explanation of decisions pending investigation, a reasonable timeframe for final review, and notification of the approval or denial of the reimbursement claim. If the customer is denied outright or receives only partial reimbursement, the bank must provide the information that led to such a decision.
#4 | Broader PSP Inclusion
Voluntary codes like CRM are most effective across a wide range of participating users. This allows for a certain degree of independent oversight and also improved communication throughout the payments ecosystem. Therefore, the broader the reach, the greater the benefit.
Including more personal service providers (PSPs) like Virgin Money and others will increase the CRM code's dexterity and encourage innovation. To that end, many mobile wallet and cryptocurrency payment providers are being considered for inclusion in the CRM framework.
As of 2022, there are currently 10 major firms (and their subsidiaries) signed up to the CRM Code, which covers 21 UK banking brands, including:
- Barclays Bank UK
- The Co-Operative Bank
- HSBC UK
- Lloyds Banking Group
- Metro Bank
- Nationwide Building Society
- NatWest Bank
- Santander UK
Whenever implementing a new process, it’s typical that some adjustments will be necessary. These moves are a step in the right direction. However, despite these updates, CRM is still not a “one-size-fits-all” solution, regardless of its promise.
Why Hasn't Fraud Slowed Down?
The Fraud — the Facts 2021 Report revealed that in the first half of 2021, a total of £355.3 million in losses were apportioned to automated push payment scams. This represents an increase of over 70% in contrast with 2020 figures from the same period.
These statistics imply that the Contingent Reimbursement Model experiment does not deliver on its promise to reduce APP fraud. Instead, APP fraud has actually increased year-over-year since CRM inception.
Merchants, too, are often the target of fraud, from acts of criminal fraud to friendly fraud that individual consumers instigate. The difference being that there is no internal framework that unilaterally protects merchants in the event of fraud. There is even less protection offered for chargebacks.
If banks are serious about limiting fraud, more comprehensive strategies are required. The CRM is a good first step, but there are still a lot of shortcomings present.
Realities of the Contingent Reimbursement Model
As mentioned in the first section, there have been a lot of problems with customers’ claims for reimbursement having not been met on time…or ever, for that matter. Many consumers feel banks still aren’t doing enough to compensate consumers who have been victimized by APP fraud as a result of the payment options that banks enable.
Banks left themselves an out in the form of denied reimbursements due to “customer negligence” and other counter-claims. As a result, many consumers argue that they are first exposed to fraud, and then punished for it.
To illustrate this point, a September 2021 Finextra report found that most reimbursement claims had been denied, leaving consumers to assume liability in up to 90% of the cases filed. In the UK, when these cases are remanded to the Financial Ombudsman Service (FOS), 73% of them between 2020 and 2021 were ruled in the customer’s favor. This repudiates bank claims of wholesale customer negligence.
It’s true that both banks and consumers enjoy the speed and convenience of real-time payments. However, only one of them bears responsibility for ensuring the security of the payment process.
The debate between banks and consumers over fraud liability demands nuance. In fact, every player in the payment system should bear some responsibility for security best practices, including consumers, merchants, and financial institutions.
Fraud Mitigation Should Come First
Ultimately, this Contingent Reimbursement Model ensures that consumers are partially insulated from fraud losses. While a valuable addition, the contingent reimbursement model doesn’t actually prevent any fraud. Thus, the CRM Code doesn’t fully live up to its first overarching objective: to reduce APP fraud attacks.
CRM could be a good starting point. However, we need to continue pushing forward in developing methods to counter APP fraud and other scams as part of a broader fraud mitigation strategy.
APP fraud may be quite different from standard card fraud. That said, mitigating new and developing loss sources should be part of any multilayer fraud strategy. Otherwise, we risk allowing fraud to overwhelm the payments sector entirely. That’s why the Contingent Reimbursement Model Code should not be the final answer.
FAQs
What is the Contingent Reimbursement Model?
The Contingent Reimbursement Model (CRM) is a UK payments initiative intended to reimburse victims of authorized push payment fraud (APP fraud). In essence, the CRM is a reserve of cash that signatories to the Code agree to fund. The reserve can then be used to reimburse victims of APP fraud attacks.
When did the CRM Code go into effect?
The consumer protections enshrined under the code took effect in the UK on May 28, 2019. Many signatories introduced their individual long-term funding mechanisms for the CRM fund on January 1, 2020.
What is a push payment?
The phrase “push payment” is used to differentiate a buyer-initiated payment from a supplier-initiated one. With push payments, the merchant provides a request for payment to the buyer. The buyer then authorizes payment, submitting it directly for clearing, and the merchant acquirer receives the funds.
Why use push payments?
A key advantage to the authorized push payment method is that the buyer doesn’t reveal any sensitive information to the merchant. Instead, the merchant receives the funds from the transaction without ever handling the cardholder’s information.
Does CRM stop APP fraud?
In a word, no. CRM ensures that consumers are mostly insulated from fraud losses. While a valuable addition, the contingent reimbursement model doesn’t actually prevent any fraud. Thus, the CRM Code doesn’t fully live up to its first overarching objective: to reduce authorized push payment fraud attacks.
Which Banks Support CRM?
As of 2022, there are currently 10 major firms (and their subsidiaries) signed up to the CRM Code, which covers 21 UK banking brands. Barclays, HSBC, Lloyds Banking Group, and Santander are among the biggest names.
