Global menu

Our global pages


Room for improvement - LSB publishes report on signatory firms’ application of CRM Code

  • United Kingdom
  • Financial services disputes and investigations
  • Litigation and dispute management



Incidents of authorised push payment (“APP”) fraud have increased significantly in recent years. UK Finance estimates that £479 million was lost to APP scams across 150,000 cases in 2020.

The Contingent Reimbursement Model Code (“CRM”) was introduced in 2019. It is a voluntary code, with overarching objectives to reduce the occurrence of APP scams, increase the proportion of customers protected from the impact of APP scams (by reimbursing customers and reducing the number of APP scams) and to minimise disruption to legitimate payment journeys.

There are 9 signatories to the CRM, representing 20 brands, including most of the major high-street banks and building societies. The CRM covers more than 85% of payments made by Faster Payments.  

The CRM provides that customers falling victim to APP scams should generally be reimbursed unless one or more of a limited number of exceptions apply. The exceptions include where a customer ignores an effective warning which would have had a material effect on preventing the APP scam, and where a customer makes a payment without having a reasonable basis for believing that they were (i) paying who they expected to pay; (ii) paying for genuine goods; and/or (iii) transacting with a legitimate person or business. The CRM also adopts a position that customers should be reimbursed if they are vulnerable to APP scams (meaning it would not be reasonable to expect the customer to have protected themselves from the APP scam).

The Lending Standards Board (“LSB”) is the independent governing body of the CRM. In April 2020, the LSB issued a thematic review of signatory firms’ approach to reimbursing customers and, in particular, the application of the reasonable basis for belief exception. This was accompanied by recommendations to each firm. The LSB’s most recent report, described as a ‘warning’ to CRM signatories, is a follow-up to that thematic review, assessing progress against the recommendations made in the earlier report and identifying further areas for improvement. 

The Summary Report

The key points from the report are as follows:

1.    Reasonable basis for belief

The report states that firms take an inconsistent approach to requesting evidence from customers in support of their claim, meaning relevant evidence can be missed. It is critical of firms for placing an emphasis on customers having met a reasonable standard of care. Decisions not to reimburse should be based on a full assessment of the circumstances, rather than on whether a customer has met certain pre-determined standards.  The ‘reasonableness bar’ is being set too high by firms, with the level of knowledge the customer is expected to have, or the number of checks the customer is expected to carry out, being excessive and/or unreasonable.

Areas for improvement: Customers should be informed more clearly about what the assessment process entails, and firms need to be realistic when it comes to their expectations of ‘reasonableness’. The correct test for firms to apply is the reasonable basis for belief test set out in the CRM, and not a standard of care test which requires customers to meet a certain standard in order to be reimbursed.

2.    Effective warnings

Many firms continue to use the provision of a warning as a strict liability measure, rather than assessing the effectiveness of the warning on the customer’s decision to make a payment. As a result, the circumstances surrounding the payment (particularly the customer’s characteristics and the sophistication of the scam) are not always considered alongside the provision of a warning. There was also a lack of questioning to understand why a warning may not have been acted on.

Areas for improvement: Warnings should not be treated as a strict liability measure. Firms should consider how best to evidence the warnings provided and whether the warning is appropriate in terms of content and timing. Investigation processes should also be improved so that firms understand why the customer proceeded to make the payment after receiving a warning.

3.    Vulnerability

The report notes an overall improvement in firms’ approach to, and identification of, customer vulnerability. However, there is further improvement to be made. A key area for improvement is identifying vulnerability through appropriate questioning when vulnerability is not obvious or when relevant information is not initially forthcoming from the customer.

Areas for improvement:  Firms should review their vulnerability training to ensure customer circumstances, which may give rise to vulnerability, are drawn out through questioning and fully considered. Where a customer raises information likely to impact their ability to protect themselves from a scam, it should be passed to the investigator for inclusion in the assessment (and to enable an immediate reimbursement). Firms should review and update their vulnerable customer policies to ensure they are aligned to the requirements of the CRM.

4.    Other areas for improvement

The report identifies a lack of understanding by front line employees of the CRM, what it is meant to achieve, and what is expected of firms in order to meet the requirements of the CRM. Outcome conversations between firms and customers were found to focus on the failure to repatriate funds from the receiving bank rather than the outcome of the liability assessment. Similarly, outcome letters were often templated, lacking sufficient detail as to the rationale behind the outcome. The report also highlights that reimbursement decisions often fall outside the timeframe of 15 days stipulated by the CRM (35 days in exceptional circumstances).


Alongside the publication of the report, the LSB has issued firm-specific reports and written to the chief executive of each of the signatory firms. Gradings issued to firms at the time of the thematic review have been updated; some firms have been downgraded while others remained static.

The LSB concludes that there are systemic failings in the implementation of the reasonable basis for belief exceptions, with significant work required by the industry. As the independent governing body of the CRM, the LSB emphasises that the CRM requires customers to be reimbursed where they fall victim to an APP scam through no fault of their own.

Firms may find the report and its recommendations makes challenging reading. The LSB report, however, aligns to the FOS’ approach to determining complaints from customers who have been refused reimbursement under the CRM. There may be a sense that the bar for what constitutes a customer’s reasonable basis for belief is set too low, with no consequences for customers who fail to act on APP fraud warnings highlighted  by firms in the payment journey. Firms may also feel that the overarching objective of minimising disruption to legitimate payment journeys is often overlooked when assessing how firms have implemented the CRM.

If you would like further guidance on the possible impact of the LSB report, or any issues relating to APP fraud and/or the CRM, please get in touch.