The UK’s Payment Systems Regulator has announced the final version of the Contingent Reimbursement Model code (“CReM”) with the usual fanfare. This is the code, a year or more in the preparation, that purports to offer customers (also known as Payment Service Users or “PSUs”) strong protection against certain types of Authorised Push Payment Fraud, or “APPF” – the boom area for payment fraud.
It is also a keystone in the Payment Systems Regulator’s response (or should we say medley of responses) to the Which? supercomplaint on APPF from 2016: in the meantime consumers and businesses have been losing money at the rate of £1 million a day.
The CReM covers two types of fraud but one of them is just a fraud, for the completion of which money flows, and not involving interference with eBanking systems, customer credentials or payment order details.
This conflation of ordinary fraud with payment fraud has the effect of undermining victim protection on “wrong name” fraud, the only type of payment fraud covered by the CReM.
The CReM lays superfluous responsibilities upon the customer that are not in the Payment Services Regulations 2017 (the “PSRs”), it allows “firms” (i.e. Payment Service Providers or “PSPs”, being both banks and non-banks) to veil their absolute, legal obligations as voluntary actions, and it infringes customers’ rights to access the Financial Ombudsman Service.
It is not surprising that UK Finance, on behalf of the firms, should welcome this code as it excludes half of victims, ameliorates the firms’ position vis a vis the rest, does not cause the firms to make legally binding contractual commitments, throws sand in the eyes of customers regarding their baseline rights in law, limits firms’ financial commitment to only 7 months’ of claims, and then allows firms to place the entire financial burden onto all their customers.
The underlying problems in firms’ IT infrastructures and payment schemes remain unresolved.