The world of financial transactions is in the midst of a major transformation. Initially introduced in May 2019 in the United Kingdom, the Contingent Reimbursement Model (CRM) emerged as a voluntary code, offering reimbursement to victims of Authorised Push Payment (APP) fraud. Since its introduction, ten prominent banks have pledged allegiance to the code, covering 85% of Faster Payments, the UK’s real-time payments system. 

However, as of 2022, a gap remains: 15% of such payments are unaccounted for, leaving victims without expected reimbursements. As a result, the U.K.’s Payment Systems Regulator (PSR) unveiled a policy statement aiming to broaden the CRM Code’s reach. This has triggered a fraud liability shift. The change came in response to £485.2 million, or $589.6 million USD, in losses due to APP fraud in the U.K.

Now, any Payment Service Provider (PSP) involved in fraudulent Faster Payments could be subject to reimbursement requirements. This shift places approximately 1,500 additional PSPs under the regulation’s umbrella. So, a payment service provider is now more responsible for complying with regulations and implementing or improving fraud management strategies. 

Understanding the Contingent Reimbursement Model for a Payment Service Provider

It’s not just direct participants in Faster Payments. Indirect PSPs now fall within the CRM Code’s expanded purview. Indirect PSPs operate via agreements with direct participants or through open banking. This includes entities like building societies, credit unions, and payment institutions. Both sending and receiving firms will split the costs of reimbursement 50/50, meaning even more PSPs will have to quickly adhere to regulations.

One of the PSR’s specific requirements is the use of Confirmation of Payee, the name-checking service that provides one possible defense against APP fraud. This is considered two-factor authentication and a KYC/entity-monitoring strategy in the United States, allowing payment providers to better adhere to regulations and protect their customers.

Other changes to be implemented include an updated time limit for both claims and reimbursement of victims, removal of the minimum threshold for claims, a maximum level of reimbursement, and clarity on exceptions. One such exception will be in cases of first-party fraud in which the customer has filed a false claim, fraudulent chargeback, or other intentional fraud.

While this shift marks progress, a recent conference revealed a knowledge gap. Several PSPs, currently unaffected by the CRM Code, seemed oblivious to their impending inclusion. Yet, with these changes set to roll out in 2024, PSPs have a window of opportunity to adapt, strategize, and align with the new requirements.

Closing the Gap: Payment Service Providers are Preparing

Proactive steps are already observable among PSPs. Efforts are underway to identify and eliminate accounts susceptible to mule activity. This initiative aligns with the PSR’s overarching objective of curtailing fraud, even ahead of the revised reimbursement mandates.

A renewed focus on fraud detection and reinforced security measures is palpable among PSPs. The emphasis is not just on monitoring outgoing transactions but also on scrutinizing inbound payments. The capability to withhold suspicious payments has become crucial with the liability shift toward financial services. Should fraud be confirmed, these held funds become instrumental in victim reimbursement, alleviating the PSP’s financial burden.

For PSPs, preparation is key. Checking scope under the updated requirements, addressing potential mule accounts, and enhancing fraud detection mechanisms are pivotal steps. There’s also a need to grasp operational impacts and anticipate the increased capacity needed to manage reimbursement processes efficiently. Additionally, creating and strengthening partnerships will be incredibly impactful. Through partnerships, PSPs can benefit from collective intelligence to inform their fraud detection models.

Are You Ready for the Fraud Liability Shift?

In anticipation of the expanded CRM Code, PSPs must brace for potential increased losses and reputational risks, especially for those unprepared. However, as these new mandates unfold, a reduction in APP fraud and bolstered confidence in faster payments are expected outcomes. This promises a competitive edge for compliant entities. 

The clarion call is clear — now is the moment for PSPs to prepare, adapt, and strengthen their defenses against APP fraud. The countdown to 2024 has begun.
