CRM Code UK Explained — APP Fraud Refunds Before 7 Oct 2024
The Contingent Reimbursement Model (CRM) Code was the UK’s voluntary scheme governing Authorised Push Payment fraud refunds from 28 May 2019 until the statutory PSR Mandatory Reimbursement Scheme replaced it on 7 October 2024. If you were scammed by bank transfer before that date, the CRM Code is what your bank’s response is judged against. Here’s how it works.
Last reviewed: 13 May 2026 · ScamSupport research
The CRM Code in one paragraph
The CRM Code was a voluntary industry agreement launched by UK Finance under the oversight of the Lending Standards Board, requiring signatory banks to reimburse APP fraud victims unless an explicit exception applied. It was the precursor to the statutory PSR scheme. Crucially: it was voluntary (not all banks signed up), it had broader and more subjective exception grounds than PSR, and FOS treated bank compliance with the Code as just one factor in the “fair and reasonable” test. For transfers made before 7 October 2024, the CRM Code is the framework. For transfers from that date forward, the statutory PSR Mandatory Reimbursement Scheme applies.
Which banks signed the CRM Code
The CRM Code was joined by major UK banking groups including:
Barclays, Bank of Scotland (Lloyds Banking Group), HSBC, Lloyds, M&S Bank, Metro Bank, Nationwide, NatWest, Royal Bank of Scotland, Santander UK, Starling, The Co-operative Bank, TSB, Virgin Money (and the brands under those groups)
Some fintechs joined later (e.g. Monzo, Revolut)
Smaller building societies, some challenger banks, and many e-money institutions did not sign the Code — meaning their pre-Oct-2024 conduct is not judged against CRM standards at all, though FOS may still apply broader fairness principles
If your bank wasn’t a signatory, the route to refund is via FOS’s broader fairness test, citing the FCA Principles for Businesses, FCA Consumer Duty (where applicable), and any relevant Banking Standards Board guidance.
What the CRM Code required
Signatory banks committed to:
Reimburse victims of APP fraud by default, unless one of the specified exceptions applied.
Reimburse within reasonable time: there was no fixed deadline like the PSR’s 5 working days, but FOS generally treated material delays as unreasonable.
Provide a clear written explanation if reimbursement was refused, citing the specific exception ground.
Apply “requisite level of care” as the consumer-side standard, NOT “gross negligence”. This was the most-disputed concept under the Code.
Implement effective fraud prevention: Confirmation of Payee, scam warnings, transaction limits, etc. Bank failures here often supported consumer claims.
The exception grounds (where banks tried to refuse)
The CRM Code allowed banks to refuse reimbursement on these grounds:
The customer ignored an “effective warning”: the bank gave a specific, clear, fraud-relevant warning at the moment of the transaction, and the customer proceeded anyway. “Effective” was tested by FOS — generic warnings failed.
The customer made the payment without “requisite level of care”: the central exception. The standard required customers to take reasonable steps to verify the recipient and the purpose. FOS interpreted this with substantial leniency, especially in romance, investment, and tech-support scams.
The payment was made for an obviously illegal purpose: rare in scam context but legally available.
The customer’s involvement in the fraud: where the customer was complicit (e.g. money mule). Distinct from victim cases.
The customer obstructed the fraud investigation: failure to provide information requested by the bank within a reasonable time.
How “requisite level of care” differs from “gross negligence”
This is the central legal difference between CRM and the new PSR scheme:
Under CRM (pre-Oct 2024): banks could refuse if the customer failed to meet the “requisite level of care”. This was a moderately high standard but not the highest. FOS rulings interpreted it leniently for emotional / urgent / sophisticated scams.
Under PSR (post-Oct 2024): banks can only refuse for “gross negligence”. This is a substantially higher bar. Customers are reimbursed more reliably under PSR than under CRM.
Practical effect: a 2023 romance scam claim that was refused under CRM might still be accepted today on the same facts under PSR. CRM-era claims that are still in dispute should be escalated to FOS — FOS’s reasoning has shifted with the regulatory landscape and even pre-Oct-2024 cases are now decided against a backdrop of the statutory standard.
The 8-week and 6-month deadlines
Like all UK financial complaints:
You have 6 years from the transaction date (England and Wales; 5 years Scotland) to start a complaint, OR 3 years from when you reasonably became aware of the issue.
You must formally complain to the bank first. The bank has 8 weeks to respond with a final response letter.
From the date of the final response letter, you have 6 months to escalate to FOS.
If the bank fails to respond within 8 weeks, you can go to FOS immediately.
Use the PSR Claim Wizard (framed for CRM cases too)
Use our PSR Claim Wizard → — even though the name references PSR, the wizard’s output is configurable for CRM Code cases too. Set the transaction date and the wizard frames the claim under whichever scheme applies. CRM-era cases are still actively decided by FOS using current standards.
Common bank refusal patterns under CRM (and how FOS responds)
“You didn’t take requisite care — you should have done more checks.”
The most common refusal. FOS’s position: requisite care is judged in context. Sophisticated scams (especially impersonation, romance, investment) often don’t support “you should have done more” refusals. Push back citing FOS decision database evidence.
“The bank gave you an effective warning.”
FOS evaluates the warning case-by-case. Generic in-app warnings (“Confirm Payee” banners, “Is this a payment to someone you know?”) generally don’t pass the “effective” test — they have to specifically and clearly relate to the type of scam at hand.
“We’re not a CRM signatory so the Code doesn’t apply.”
Even non-signatory banks are bound by FCA Principles for Businesses (PRIN), particularly the obligation to treat customers fairly. FOS can apply broader fairness tests to non-signatory cases.
“The transaction was before [date of bank’s signing].”
Banks joined the CRM at different times. If your transaction predates your bank’s signature, the Code technically doesn’t apply. But FOS can still apply general fairness principles.
If the bank refuses your CRM-era claim
Get the refusal in writing. Request a formal final response letter citing the specific exception ground.
Escalate to FOS. Free, binding on the bank, regularly orders refunds the bank refused. See our FOS complaint guide.
Pair with chargeback or Section 75 if applicable: if any part of the transaction went via credit or debit card before the bank-transfer leg, parallel routes apply.
If FOS rules against you and the loss is substantial: consider SRA-regulated civil litigation. CRM-era cases over £25,000 are sometimes pursued in the Small Claims Track or Fast Track.
What FOS typically awards on CRM cases
The full lost amount, up to FOS’s monetary cap.
8% interest on the lost amount from the date the bank should have reimbursed.
Distress and inconvenience compensation: typically £100–£1,500.
Action by the bank: removal of fraud markers, account remediation, apology, etc.
Common scenarios
Romance scam 2022 — bank refused on “requisite care” grounds
Strong FOS case. Romance scams are a classic FOS-overturns-CRM-refusal scenario. Emotional manipulation, sophisticated grooming, and the absence of specific bank warnings about romance fraud at the time of payment frequently lead to FOS ordering refunds.
Investment scam 2023 with fake FCA-regulated firm — bank refused
FCA Warning List entry is decisive evidence. The bank facilitated payment to a confirmed unauthorised firm. FOS regularly orders refunds in these cases.
Tech support scam 2021 — small bank, not a CRM signatory
Even without CRM, FCA PRIN applies. FOS evaluates the bank’s conduct broadly, including whether their fraud-detection systems should have flagged unusual outgoing payments.
Pre-Oct 2024 case still in active dispute today
The current FOS standard reflects the new statutory landscape. Pre-Oct-2024 claims being decided in 2025 or later have meaningfully better prospects than they did at the time of the original refusal.