February 14 • 2023

UK Regulator essentially mandates real time inbound payment profiling for fraud   

Cybercrime is low risk, low investment, and high return. Not surprisingly, illegal financial gain is one of the biggest reasons for cyber-attacks. The result is a predicted USD 10 Trillion of damages by 2025. Our vision is to change that.

Written by Rob Tharle, Head of Product

Yesterday 8 Feb 2023, the Lending Standards Board (LSB), who regulates the Contingent Reimbursement Model (CRM) in the UK, published updated rules. For an overview of the CRM please read my blog here, but in summary it is a pseudo regulation (its voluntary, but has 20 banks signed up covering the majority of consumers in the UK) and has helped increased the reimbursement rate to victims to around 50% of Authorised Push Payment (APP) fraud losses.  

 The current requirements under the CRM can be summarised as: 

Sending firms 

Receiving firms 

As I wrote here the Payment Services Regulator (PSR) is consulting on going further than the voluntary CRM. In the meantime the LSB has put forward extensions from 18 December 2023. In addition to the current controls above, it adds two additional linked elements for receiving firms: 


SF2(1) c  

Firms should have in place appropriate processes to review accounts that are identified as being at higher risk of being used to facilitate APP scams. Firms should have in place policies which set out what actions should be taken to reduce the risk of these accounts being used to facilitate APP scams and should ensure that appropriate actions are taken in a timely manner.  


SF2(3) c  


Firms should have in place profiling for inbound payments to allow firms to prevent the onward movement of funds where there is a suspicion that the funds being credited to an account are the proceeds of an APP scam. 



What do these mean in practice?  


Firms now have to have processes in place to deal with accounts identified as at high risk of being used to facilitate scams on an ongoing basis . This covers all types of customer accounts, not just those opened specifically to be a mule, but accounts sold on or where account holders fall for job scams.  


This involves more staff to review these alerts, have mechanisms to reduce the ability of abuse and processes to exit customers. 


The more significant change is the inbound payment profiling. Whilst it doesn’t state that the profiling needs to be undertaken in real time, the reality is to be able to prevent the onward movement of funds, real time profiling is required.  


This means that most firms can’t relay in their batch AML TM to work here. Therefore firms need to under real time inbound profiling for Mules/APP as well as checking on an regular and risk based basis approach. It will also need to interface well with outbound payment profiling systems. This is a significant investment in tooling and operations to deal with the alerts. 


Such profiling needs to be multi-dimensional, but needs to include checking both sending and receiving accounts against databases of known mule accounts, as given the number of hops from the first mule to further mules, either or both accounts could be mules. Again this should be in real or near real time to keep up to the, given the sheer volume of mules. 


As mule accounts are still not closed that quickly, the quicker firms report APP frauds to each other the better. 

Of course these checks should be not just the IBAN, but associated persona data too, such as names, emails and phone numbers. 


Whilst small they will have a significant impact on those firms signed up to the CRM.  


Assuming sending firms are meeting all their current controls receiving firms not implementing controls to meet these two new points could mean the receiving firm taking 100% of the APP scam. Therefore, they will have greatly increased liability. For some firms this could be millions of pounds. 


It is also the case that receiving firms will need these controls in their arsenal to keep liability down under the PSR’s proposed regime, which may or may not be in force before 18 December 2023. 



The UK is moving toward having the strongest reimbursement regime with the financial incentives on firms to do more to stop the frauds from happening in the first place. We are seeing other countries take steps in this direction too. 


CYBERA are able to help across sending and receiving firms for both prevention, through checking against our CYBERCRIME WATCHLIST, and with victim support including reporting to law enforcement and beneficiary institutions on a global basis. Reach out to understand how our solutions help meet the CRM controls and help protect you and your customers.