Online scams are growing at an alarming rate, impacting consumers financially and emotionally; however, the UK's Contingent Reimbursement Model may help address this issue
Consumers in the United Kingdom lost £4 billion GBP to fraud in 2022, according to Money, a U.K. financial consumer website. And according to U.K. Finance, which only reports on scam reported to banks, criminals stole a total of £609.8 million through scams in the first half of 2022 alone. However, true numbers are likely much higher as it is estimated that less than 7% of scams are reported to authorities.
The core question is, which entities are liable for the financial losses suffered by victims of scams or fraudulent activity? Although there is some personal responsibility, the financial institutions bear some responsibility, especially around noticing patterns and preventing fraudulent activity.
One interesting aspect of fraud patterns, for example, is that due to the sophisticated fraud controls within U.K. banks, cybercriminals tend to introduce the most sophisticated fraud modes of operation in the U.K., which then proliferate to the rest of the modern banking world. Such is also the case with these online scams. When cybercriminals turned from sophisticated account takeover fraud to a means of social engineering via online scams, they started in the U.K.
In 2016, the situation became so bad that Which? — a consumer watchdog organization in the U.K. — submitted a super-complaint to the Payment Systems Regulator (PSR). Which?’s complaint claimed that when consumers are tricked into transferring money to a fraudster via an authorized push payment (such as when the consumer instructs their bank to send money to the criminal) there is not an appropriate level of protection compared to other types of payments.
Which? pushed for banks to change their conduct to reduce consumer harm from scams that trick people into authorizing push payments to a fraudster and requested legislation to ensure that more is done to manage the risks from these types of scams. The PSR did not end up driving regulation, but it did admit that more needs to be done.
That came into play in May 2019 when the Contingent Reimbursement Model (CRM) was introduced in the form of an initiative designed to reimburse victims of authorized push payment fraud (APP fraud). This model is also nicknamed the “Code” because it is a voluntary code that can be used by banks which opt-in to participating in the initiative.
Since its launch in 2019, the CRM has been successfully providing a more streamlined and efficient way of compensating victims of APP fraud. Some banks have deployed additional capabilities such as confirmation of payment (CoP), a name-checking service designed to compare the payee given to the consumer with the name on the account. Implementation of the CRM also pushed for better identification and classification of APP fraud, which drives better understanding of the size of the problem. Among participants in the CRM are the largest banks in the U.K.
Between the first half of 2020 and the second half of 2022, a total of almost £500 million has been reimbursed to victims of APP fraud under the CRM, according to the latest figures released by U.K. Finance. This number represents 50% of the nearing £1 billion in losses that were evaluated and is a significant increase compared to the previous reimbursement models, which often resulted in victims having to bear the cost of the losses themselves.
The following diagram represents cases assessed using the voluntary code:
Due to the proliferation of these scams, the U.K.’s HM Treasury announced in May 2022, that it would legislate to allow the PSR to require victim reimbursement for APP scams, including bank impersonation scams, romance scams, and more. The PSR has released the first draft in September 2022 and is now working to finalize the regulation.
The main objectives of this legislation are to require reimbursement in all but exceptional cases, to improve the level of protection for APP scam victims, and finally, to incentivize banks and building societies (similar to credit unions in the United States) to prevent APP scams — because responsibility for allowing fraudulent payments is the responsibility of both the sending and receiving banks or building societies.
There is a lot of discussion around the proposed draft and a need to reconcile issues outlined by the House of Commons, which is part of the parliament in the U.K., such as whether there will be a minimum amount for reimbursement, which organization will enforce reimbursement, and what types of payments should be included — such as faster payments (which are included today and represent 85% of scam losses) or others as well.
Ultimately, there is a push to resolve open issues and enforce legislation in 2023. U.K. Finance has said in its recent reports on scams in the U.K. that there needs to be more collaboration with the telecommunications industry and tech providers, as well as a push for further data sharing with other sectors to stop fraud before it reaches the financial sector.
Overall, regardless of liability, financial institutions and other industries should invest more in fighting online scams from both a process and technology perspective in order to better protect consumers and stop illicit actors from taking advantage of the system.
