Policy research paper

Reimbursement for authorised push payment fraud

Just over a year since the launch of the UK’s first set of standards detailing how to treat victims of authorised push payment (APP) – or bank transfer – fraud, we outline consumers’ experiences and make recommendations as to how to improve the system further
2 min read
Advocacy Team
Person using credit card and smart phone to make push payment

Which?’s 2016 super-complaint highlighted the glaring gap in fraud protection and redress for fraud via authorised push payments compared to other forms of payment such as debit and credit cards. The voluntary Contingent Reimbursement Model (CRM) Code introduced in May 2019 is designed to give victims the chance of fairer and more consistent redress. Which? welcomed the Code as a significant step forward.

We hope that this report will help inform the Lending Standards Board’s one-year review of the CRM Code. We outline the key issues affecting victims:

  • An over-reliance on victims having ignored warnings
  • Unreasonable expectations of how victims should have verified who they were paying
  • A failure to properly assess vulnerability 
  • Poor communications with victims

Urgent action is needed to ensure firms adhere to the Code. We call on all firms that have signed up to the CRM Code to:

  • Test warnings to see if they are ‘effective’• Base their judgements of what is reasonable on evidence of actual customer behaviour
  • Train all relevant staff in how to identify customers who could be or may have been vulnerable to APP fraud
  • Provide victims with specific reasons to explain reimbursement decisions

We also call on the Payment Systems Regulator to evaluate the effectiveness of the voluntary industry code that it proposed. 

Which? believes that the evidence over the past year shows that the CRM Code should be made mandatory. Regulatory oversight of how firms treat victims with regards to reimbursement is much more likely to lead to fairer and more consistent outcomes than we have seen under a voluntary approach. It can also force all payment providers to reimburse victims, where appropriate. UK Finance and the Treasury Select Committee have both also called for the Code to be made mandatory.

The Payment Systems Regulator should have the powers and the appetite to act to make reimbursement mandatory. We want the government to clarify whether this is the case, and if necessary direct the action it expects the regulator to take.

Download our full report

pdf (498 KB)

There is a file available for download. (pdf498 KB). This file is available for download at .