Payment firm trying desperately to get under the CReM bar

This is the eighth and final blog in our series on the Contingent Reimbursement Model code (“CReM”) that purports to offer customers strong protection against certain types of Authorised Push Payment Fraud, or “APPF”.

This one concerns the “expectations” and “standards” that firms should abide by, if they are signatories to the code. Firms have to live up to “expectations” and aspire to “standards”, whilst customers have “responsibilities”.

This asymmetry of language says it all really, but we should still delve into the detail.

We have both “General expectations for firms” and then the more specific “Standards for firms” which is broken down into those for sending firms and those for receiving firms.

The “General expectations for firms” can be classed as “hygiene factor” and things that firms ought to be doing in the normal course of business anyway, and probably are – in that case there is no extra effort for them. Of course these things would be unnecessary if firms processed customers’ payments in line with their payment orders.

The introduction to the specific standards section (“SF”) reads as follows:

“These provisions set out the standards that Firms should meet. If Firms fail to meet these standards, they may be responsible for meeting the cost of reimbursing, in accordance with R1, a Customer who has fallen victim to an APP scam.

The assessment of whether a Firm has met a standard or not should involve consideration of whether compliance with that standard would have had a material effect on preventing the APP scam that took place.”

The implications are:

  • firms may not be responsible for meeting the cost of reimbursing, in accordance with R1, a Customer who has fallen victim to an APP scam;
  • given that firms are the arbiter of their own conduct, the chances that a standard will not be met, and that the firm declares that its failure to comply had a material effect on a case, will be low: they can ignore the standards and make up their mind about reimbursing the customer as each case comes along.

The specific standards for sending firms (“SF1”) permit far too much discretion and leeway in the definitions of their responsibilities. There are too many examples of the standard of firms’ actions being “reasonable” (a subjective and low bar), of “should” instead of “must”, and of the firms being the primary arbiter of their own actions:

  • SF1.1: “Sending Firms should take reasonable steps to protect their Customers from APP scams”;
  • SF1.1.a: “Firms should establish transactional data and customer behaviour analytics..” (which they will probably be doing as part of their compliance with EBA Regulatory Technical Standards on Strong Customer Authentication and Common & Secure Communication anyway);
  • SF1.1.b: “Firms should train their employees..”;
  • SF1.2.a: “Firms should take reasonable steps to make their Customers aware of general actions that could be taken to reduce the risk of falling victim to an APP scam”, and who will be the arbiter of “reasonableness”?
  • SF1.2.d: “Effective Warnings should meet the following criteria” but they do not have to;
  • SF1.3: “Firms should implement Confirmation of Payee in a way that the Customer can understand”, but they do not have to.

The specific standards for receiving firms (“SF2”) are little more than a partial restatement of firms’ obligations under applicable law. However, their inclusion in the CReM has the effect of socialising the concept that these responsibilities may be voluntary because the CReM is a voluntary code, when in reality the responsibilities are absolute and closely defined.

The SF2 introduction states that “Receiving Firms should take reasonable steps to prevent accounts from being used to launder the proceeds of APP scams. This should include procedures to prevent, detect and respond to the receipt of funds from APP scams. Where the receiving Firm identifies funds where there are concerns that they may be the proceeds of an APP scam, it should freeze the funds and respond in a timely manner.”

These are existing responsibilities of firms and not specific to APPF: they are general responsibilities under legislation such as the Money Laundering Regulations and the Proceeds of Crime Act.

A statement such as the one in SF2.1.a that “Firms must open accounts in line with legal and regulatory requirements on Customer Due Diligence (CDD) using identification processes and documentation that are recommended by industry guidance” is redundant; it is certainly not a special dispensation by firms towards victims of APPF.

In fact the economy of expression in these statements serves rather to understate firms’ obligations compared to where they are set under applicable law.

Finally, in amongst the “motherhood-and-apple-pie” list of obvious actions that firm should follow when dealing with a claim under the CReM, we have an interference in the customer’s absolute right to raise their case to the Financial Ombudsman Service, namely in R4.3: “Following notification of a reimbursement decision, if the Customer is dissatisfied with the outcome and wishes to raise a DISP complaint, Firms should ensure that conclusion of the customer’s case is not unnecessarily delayed and allow them to raise a case with the Financial Ombudsman Service should they wish/need to do so”.

Firms have no right to stop eligible customers raising a case, so there should be no mention of “allow them to”: the insertion of this illusion infringes customers’ rights in that it socialises the concept in an Industry code that firms have a say in the matter.

The firms have offered nothing in the standards they are volunteering to follow that they are not obliged to do under applicable law, or that they are not already doing as “motherhood-and-apple-pie” Business-as-Usual processes. Indeed, including such actions in a voluntary code sprinkles a certain magic dust over them, making these actions appear to be specific to APPF when they are general, and making them appear new and voluntary, when they are existing and obligatory.

This serves to obscure that firms’ obligations may already go further than what they are volunteering to do in this code, and throws sand in customers’ eyes as to what their rights are.

The formulation of the CReM should have started with firms’ existing obligations as a baseline, and built further voluntary actions by firms on top of this “acquis”. Instead firms have got away with volunteering to do less than the baseline.