This is the second blog out of eight in our series on the Contingent Reimbursement Model code (“CReM”) that purports to offer customers (also known as Payment Service Users or “PSUs”) strong protection against certain types of Authorised Push Payment Fraud, or “APPF”.
This one is on the types of fraud covered by the CReM.
APPF comes in two main flavours:
- The fraudsters gull a person’s eBanking credentials from them and use the credentials to make push payments from the victim’s account to their own;
- The fraudsters deceive the victim into making a payment supposedly to a legitimate beneficiary, but the Sort Code and Account number are for an account held in a different name and controlled by the fraudsters.
The CReM does not cover the first type, presumably because it is now accepted – pursuant to a recent decision of the Financial Ombudsman Service in favour of a consumer – that such a payment was actually unauthorised by the victim, despite having been authorised with the victim’s credentials.
In these circumstances the victim is entitled to reimbursement in full as per Article 75.3.b. of the PSRs unless their firm can prove against them that they either “acted fraudulently or failed with intent or gross negligence to comply” with their “obligations in relation to payment instruments and personalised security credentials”.
Determining what behaviours constitute a failure with intent or gross negligence is now the dispute in this area, and not whether the payment was authorised or not.
Excluding this first type of APPF from the CReM has the effect of distancing the customer’s belatedly-established rights under it from the customer’s rights under the second main type. They should be the same, in our view, and the reason this is not so currently is byzantine, and should have been changed by the CReM if the CReM were to have any value.
The stumbling block is that case law was established under the regime of the previous version of the Payment Services Regulations (“PSRs”), which went onto the statute book in 2009, pursuant to the EU’s Payment Services Directive 1 of 2007.
Of course it would be extremely bad news for firms if that protection did apply, because:
- The protection would apply to all past, current and future cases;
- “Acted fraudulently or failed with intent or gross negligence” is a stringent test for making the customer responsible for the loss, and the firms would have to eat the loss in all but a very few cases;
- The burden of proof is on the firm.
This second type of APPF is extremely prevalent in the UK thanks to firms not checking that the name given by a payer in their payment is the same one as is associated in the books of the beneficiary firm with the stated Sort Code and Account Number.
This deficiency, embedded in the UK’s Faster Payments scheme in particular, has been costing consumers and businesses many millions of pounds – life-changing amounts in many instances.
This “wrong name” type of fraud is one of two types covered by the CReM and is described in para DS1.2.a.i as: “The Customer intended to transfer funds to another person, but was instead deceived into transferring the funds to a different person” i.e. the data in the payment was incoherent with the data associated with the account at the beneficiary firm.
Indeed, while the CReM does not cover one of the main types of payment fraud, it does purport to cover a situation which is not a payment fraud at all but simply a fraud, as described in para DS1.2.a.ii: “The Customer transferred funds to another person for what they believed were legitimate purposes but which were in fact fraudulent”. The inference here is that the data in the payment was fully coherent with the data associated with the account at the beneficiary firm.
The inclusion of this type of case in the CReM has several outcomes, and they are not good for those customers that have suffered from “wrong name” fraud or for those who have a bank account but are not a fraud victim at all:
- If the CReM is going to be funded by account holders as a whole (as is UK Finance’s intention), it makes them liable for matters that are absolutely nothing to do with them. This is inequitable. The primary avenue of redress for the victim of an ordinary fraud should be the police and law enforcement agencies, not other users of the services that were employed to bring the fraud about;
- Obligations can be laid on customers and get-outs constructed for firms in the CReM for which some argument can be made when we are discussing ordinary fraud but which are not justifiable when discussing the “wrong name” type of payment fraud;
- Laying such obligations on customers and allowing get-outs for firms across both types of case serves to undermine the rights that the customer has in law regarding the “wrong name” type and which exist thanks to the PSRs, or – put more simply – the CReM throws sand in the customer’s eyes.