It is becoming increasingly common for people to be tricked into authorising a payment to an account that they believe belongs to a legitimate payee, but is in fact controlled by a scammer. Such scams are becoming very sophisticated, with fraudsters hacking into emails between suppliers and customers and when the time is due for payment, asking the customer to pay into an account purportedly held by the supplier but in fact held by the fraudster.
Such scams are a type of “authorised push payment” or APP scam – an authorised push payment is when people request their bank or building society (also known as a payment services provider, or PSP) to make a payment from their account to another account. UK Finance reported 84,624 incidents of APP scams during 2018 with gross losses of £354.3 million.
It can be very difficult to recover the money – the money paid into the account is quickly transferred to various other accounts, often abroad, and withdrawn. Prompt action is required and injunctive relief may need to be sought to require the banks to give details of the account holder and to freeze any money still in the account.
However some victims may now be able to take advantage of a voluntary code, called the Contingent Reimbursement Model Code for Authorised Push Payment Scams (CRM Code). The CRM Code, for which the Lending Standards Board is the governance and oversight body, sets out to reduce the number of APP scams but also commits participating banks (and other types of PSP) to reimbursing customers in certain circumstances. To be reimbursed under the CRM Code, the customer must be:
- an individual who is acting for purposes other than a trade, business or profession; or
- a micro-enterprise, being an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million; or
- a charity with an annual income of less than £1 million.
Under the CRM Code, a qualifying customer will be reimbursed unless the PSP can establish that any of the specified exceptions apply, which largely relate to the customer ignoring certain warnings from the PSP, or not having a reasonable basis for believing the payee was genuine, or being grossly negligent, or (if a micro-enterprise or charity), not following its own internal procedures for approval of payments which if followed would have prevented the scam. If a qualifying customer is not happy with how its bank has responded under the CRM Code, it can complain to the Financial Ombudsman Service.