From Voluntary Codes to Mandatory Reimbursement
Initially introduced in 2019, the Contingent Reimbursement Model (CRM Code) was a voluntary framework under which participating Payment Service Providers (PSPs) reimbursed APP fraud victims if certain conditions were met. By 2023, signatories of the CRM Code accounted for over 90% of reported APP fraud cases. Yet, the voluntary nature led to inconsistencies and gaps in victim compensation.
Recognising this, the Payment Systems Regulator (PSR) has introduced a mandatory reimbursement regime effective from 7 October 2024. This new framework standardises protection, requiring all PSPs to reimburse victims of APP fraud involving Faster Payments or CHAPS. Costs will be shared equally between sending and receiving PSPs, managed through a central reimbursement system developed by Pay.UK.
Eligibility and Reimbursement Conditions
The new rules cover individuals, small businesses (fewer than 10 employees, turnover under £2 million), and charities (annual income under £1 million). International payments are excluded, and a maximum reimbursement cap of £85,000 applies—though PSPs may exceed this voluntarily.
Reimbursement may be denied if:
- The customer knowingly participated in the fraud.
- Gross negligence, such as serious recklessness, is evident.
- The customer failed the Consumer Standard of Caution by ignoring warnings, delaying scam reports, or not cooperating with PSPs.
Notably, vulnerable customers are exempt from these conditions and must be reimbursed in all cases. PSPs may also apply a £100 excess, though again, this does not apply to vulnerable customers.
Victims must be reimbursed within five business days, with a “Stop the Clock” option for complex cases. A 35-business-day long-stop ensures timely resolution. Although an earlier proposed cap of £415,000 was reduced to £85,000, it still covers most cases and aligns with the Financial Services Compensation Scheme (FSCS) limit.
New Powers to Delay Suspicious Payments
To prevent fraud before it occurs, PSPs are also gaining more flexibility. Under new regulations effective from 30 October 2024, PSPs can delay payments for up to four business days if there are reasonable grounds to suspect fraud. This change addresses previous limitations that left little time to intervene before funds were lost.
New requirements clarify how customers must be informed of delays and address liability for any resulting charges. Updated guidance from the FCA is expected by the end of 2025 to help PSPs implement these provisions effectively.
Conclusion: Progress, but Not Without Challenges
These reforms mark a significant step forward in fraud victim protection. They introduce stronger safeguards, create uniformity in compensation, and give PSPs more tools to detect fraud early. However, challenges remain—particularly for smaller fintechs that must now balance innovation with robust risk controls. As these measures take effect, their success will ultimately depend on ongoing monitoring, data sharing, and industry collaboration.