/ Money

Banks cannot delay tackling fraud: my letter to Stephen Jones

With £434 per minute lost to authorised push payment (APP) scams, I’ve written to UK Finance CEO, Stephen Jones, to outline our critical steps required to halt their growth.

Dear Mr Jones,

Which?’s 2016 super-complaint called for urgent intervention to better protect consumers from bank transfer scams. The APP Scams Code of Conduct is a positive step forward, and Which? is keen to see it successfully implemented by banks following its launch next week.

Whether people are conned out of a few hundred, or many thousands of pounds, the impact of scams can be devastating.

Scammers are using increasingly sophisticated tactics that are harder to spot, and every day innocent victims continue to lose life changing sums of money through no fault of their own.

Your recent figures show that £434 every minute is lost to scams in the UK, equivalent to £625,000 every day. It remains clear that your members are best placed to identify and take measures to reduce the risk of fraud.

Through the APP Scams Steering Group, Which? has argued that an overall reduction in scams and the swift reimbursement of all victims who lose money through no fault of their own are both critical measures of the Code’s overall success.

Critical steps required for success

In addition, however, we believe that the actions set out below are also critical steps required to successfully halt the growth of APP scams:

– Banks must promise to protect their customers by signing up to the Voluntary Code as it launches on 28 May 2019, and the PSR must commit to conducting a one year review of its implementation

– Banks must implement Confirmation of Payee, which can cut scams in half, no later than its proposed new deadline of March 2020

– No blameless scam victim should ever be denied reimbursement again, and full refunds should be issued swiftly

– Banks must show they are serious about protecting consumers and immdediately publish their joint timetable to agree a long-term funding solution for no blame refunds

– Individual banks must publish scam victim and reimbursement figures of a regular basis

Banks can provide greater protections

Responsibility should be allocated to those best placed to manage the risk of fraudsters using bank accounts and payment systems to facilitate their scam.

TSB’s recent announcement to offer a full Fraud Refund Guarantee demonstrates that banks can act to provide much greater protections to their customers than will be offered through the Voluntary Code.

Given this, we urge all UK Finance members to implement the Code immediately and to begin offering significantly more comprehensive protection to their customers in-line with TSB’s Fraud Refund Guarantee.

Until these steps are taken, the devastating impact of bank transfer scams will continue to cause growing financial and emotional harm to UK consumers.

Yours sincerely,

Anabel Hoult, Which? Chief Executive.

Comments

Hi all, as I’m sure you’ll notice, our press release gives the figure lost per minute as £674:

https://press.which.co.uk/whichpressreleases/new-industry-code-must-deliver-says-which-as-674-a-minute-is-lost-to-bank-transfer-scams/

The reason for this is that the press release uses the overall loss figure for consumers and businesses (£674), while Anabel’s letter only references the consumer figure (£434). The Code will only cover the consumer losses, and a selection of small businesses.

Hope this helps clarify.

It might be worth clarifying that APP stands for Authorised push payment. Quite a bit about it all here

Have amended the intro to make this clear. Thanks Ian.

For some inexplicable reason, George, someone had marked your response down. I’ve reverted it, but the thumbs system is really not fit for purpose.

And now they’ve marked it down again.

“No blameless scam victim should ever be denied reimbursement again, and fill refunds should be issued swiftly“.

It is this principle that I have difficulty with. when is someone totally “blameless” (unwitting or even irresponsible might be better descriptors). A “victim” is a party to the scam by responding to it, however unwittingly. So in some cases, maybe many, they have some responsibility (blame is a word best applied to the scam perpetrator, I feel). So unless the bank has responsibility by, for example, allowing known scammers to open accounts for illegal purposes, or incompetently or negligently facilitating criminal transactions, then I do not see how they are to blame. So if we compensate some of these people it is as a goodwill gesture, taken from the potential income of other customers. The danger with this approach is it relieves some people of the responsibility of being careful with their financial affairs in the knowledge if all goes wrong someone else will reimburse them.

Improving bank account security through the Code and Confirmation of Payee will be a great help but I do not think the lack of these should be used to penalise banks (and therefore their responsible customers). Many scams do not involve a falsified payee (see the bitcoin scam) but simple deception; CoP would not help in that situation.

It all seems to hinge on who defines ‘blameless’ and how. That sentence caught my eye, too, but I suspect it’s going to lead to a lot of disputes.

Whether or not we blame the bank or the victim or both or neither, we’re still losing money to scammers.

As we always have and always will. Not something we can stop. Crooks will always find ways of robbing us, one way or another.

We pay around £1billion a year in extortion in the form of excessive parking penalties 🙂 . That’s four times what is lost in APP “scams”. That doesn’t seem to be a cause for concern 🙁

Christopher Evans says:
23 May 2019

Banks are to blame for letting scammers have current accounts! Therefore they should always refund the innocent. They should check that current account applicants are bone fide …

A proof reader strikes: “and fill refunds should be issued swiftly” SP “fill” –> “full”

It needs someone to filfull that role.

Thanks, it’s been fixed.

You need a new spell checker George..
and immdediately publish

While the banks continue to delay implementing Confirmation of Payee, they should accept liability for any authorised push payment fraud.

https://www.bbc.co.uk/news/business-47231337

Why is that? According to the PSR the banks are not delaying CoP.
If banks advised all customers making online transfers to new payees to transfer £1 first, then check with the real recipient that it has been received, we might have fewer APP problems.

One of the most common ways scammers find to acquire ‘fake’ bank accounts is by buying them from students. From the Guardian “Students are selling their bank accounts – giving someone else their account details such as logons – for as little as £50 to £100, often as they are finishing university and heading abroad for a period. These accounts are then used by fraudsters to evade the strict checking procedures when individuals try to open an account”

It gets worse. “Frustratingly, there are few mechanisms for banks to communicate with each other. “In the US, there is a web portal for banks to contact each other on these issues. Here, it’s just email, a security specialist adds. “Sometimes we are even told to use a fax.”

But the Police must bear some responsibility. “In one bank’s financial crime unit at its London offices just off London’s so-called “Silicon Roundabout”, a man is known as Fraudster No 1. I was shown his picture, name, full address (in south-west London), Facebook page and even photographs of the luxury goods he has snaffled with money looted from other people’s accounts and ostentatiously posted on Instagram. The bank has shared all these details with the police. Yet this man has not been apprehended. Why? Because, much to the frustration of the bank’s fraud team, the police are not interested because the sum stolen – £40,000 – is deemed not large enough to bother the authorities.

There’s plenty of blame to go around.

Malcolm, the banks are indeed delaying implementing Confirmation of Payee. This would stop most of these frauds at the outset.

I work in banking, albeit not retail banking, but nevertheless on projects to implement new online functionality. Where the functionality is regulatory, they don’t miss deadlines, but where the functionality is discretionary, they often drag their heels and miss their self-imposed deadlines. I have no doubt that the same has happened in this case, and is probably caused by just one of the large banks being slower than the rest.

The PSR seem content. Do you have evidence that they have no right to be? I have asked Which? a number of times to get “expert” input on this topic and clear up whether the banks are delaying this deliberately – if so what purpose does that serve – and whether the introduction of CoP is simple, or complex. They have not done this.

NFH, all I’m looking for in these Convos is for real and complete facts and information to be given so we can make a properly considered judgement. Usually it is lacking and only one s9ode of the issue is emphasised.

Malcolm, nobody said said that the banks are delaying implementing Confirmation of Payee deliberately. They will fail to implement it by the originally planned date of July 2019, so they should bear any losses caused by their failure between July 2019 and the ultimate implementation date.

If a student account suddenly becomes unusual in transaction or amount, this should ring alarm bells. There has to be a signature attached to scam accounts – : Opened possibly with little funding; amounts of money coming and going rapidly, especially the sequence between the two; some correlation between victim and scammer in terms of how money enters the account; the type of transfer and the typical victim. A good computer system should, at least identify likely rogue accounts for further investigation.
Malcolm has a point in that a scam only works if the victim transfers money wrongly or gives out banking details when they shouldn’t. The victims do have to make a mistake in order to be defrauded. There are not many times (reported here on Which Conversation) when a scam is so fool proof that anyone might be caught regardless of their financial savvy. However, unlike Malcolm, I do believe that banks have a social duty to their customers as well as being strict financial institutions and business orientated. Each customer should have a profile and stepping outside that should be noticed. That profile should also rate the behaviour of customers and their likelihood of making errors. Banks check customers for debt and overdraft, this is just an extension of that. Then, of course, these fraudsters need to be caught and until they are, the problem will continue. The amount stolen every minute is simply staggering. Some are getting very rich and spending that on bombs and machine guns among other things.

I believe banks should offer accounts to customers at different levels so they are better matched to the customer’s abilities – maybe limiting payments, maybe restricting the way new payees can be added, maybe for some transactions requiring additional authorisation.

As far as NFH’s suggestion is concerned, if the timescale for implementation of CoP is not being deliberately delayed but is necessary to get the system right then I see no responsibility for the banks to have to bear any losses. If customers transfer a small amount first to check the authenticity of a new account then many problems from APPs can be avoided.

Malcolm, time “to get the system right” is not a valid excuse for delaying implementing Confirmation of Payee. The banks have had plenty of time, yet they are missing the deadline through incompetence. As I said previously, the banks would have met the deadline if it had been a hard regulatory deadline, but they didn’t put sufficient effort into this. Although the delay is not deliberate, it is nevertheless incompetent. Therefore the banks should bear losses until they implement this functionality.

NFH, perhaps you or someone would provide evidence to support this. The post from Ian seems to show the complexity of current changes in banking that are relevant.

We need to get the system right, otherwise it will become a dog’s breakfast. I don’t want half-baked solutions. The banks have not downgraded their security in this process, as far as I know, so I see absolutley no reason for them to be penalised unless they have been negligent or incompetent in dealing with specific customer losses. As I said earlier, customers can do a lot to protect themselves from scammers, and their own mistakes, by transferring a token sum and checking its safe arrival. Protecting against fraud or mistake is a two-sided issue.

However, we all have varying views and experiences to enrich topics. I’d like to see Which? enrich this one by compiling an impartial and expert input on whether the banks are being deliberately difficult in implementing change.

I think using the word “delay” implies something could have been done quicker but was deliberately held back. In the sense “to cause someone or something to be slow or late” what might be the cause?

Malcolm, the banks agreed last year to the original 1st July 2019 implementation date. What has changed between then and now, other than incompetently failing to build the functionality within the agreed timescales?

It is “what has changed” that I am interested in. As has been reported “The PSR subsequently opened a consultation in November on whether regulatory intervention is needed to require PSPs to implement the confirmation of payee reforms. The consultation closed on 4 January this year.

In a statement, the PSR said it is “still working through the responses” received to its consultation “so no decisions on timing have been made”. It said it wants the confirmation of payee reforms “brought in as soon as possible” but to also ensure “that when it is introduced, it is an effective way to stop this crime taking place”“.

The PSR is a part of this and, if it is behaving correctly as a regulator, it is incumbent on it to ensure that the change is properly introduced.

The Payment Systems Regulator explains the timescale:
https://www.psr.org.uk/sites/default/files/media/PDF/PSR-CP-19-4-CoP-specific-direction-consultation-May-2019.pdf
1.4 In November 2018, we consulted on giving a general direction for payment service providers (PSPs) to implement CoP. We proposed giving a direction mandating that all PSPs be capable of receiving and responding to CoP requests by 1 April 2019 and that they send CoP requests by 1 July 2019. We received 43 responses to our consultation.

1.5 Most respondents, fully or in principle, supported the PSR giving a direction. However, some important issues concerning the scope and design of the proposed direction were raised. The main issues were difficulties meeting the proposed implementation deadlines, the impacts on different types of PSP, and the perceived lack of stability of Pay.UK’s standards and guidance on CoP.

1.6 After carefully considering the feedback to our previous consultation, we have refined our approach. We now propose giving a specific direction to the PSPs in the six largest banking groups that offer their UK account holders access to the Faster Payments Scheme (FPS) and CHAPS. The six largest groups are the Lloyds Group, Barclays Group, HSBC Group, Royal Bank of Scotland Group, Santander Group and Nationwide Building Society.

1.7 We therefore propose giving a specific direction to the following PSPs that are, or sit within, these banking groups: Bank of Scotland plc, Barclays Bank UK plc, Barclays Bank plc, Cater Allen Limited, Coutts and Company, HSBC Bank plc, HSBC UK Bank plc, Lloyds Bank plc, Nationwide Building Society, National Westminster Bank plc, Royal Bank of Scotland plc, Santander UK plc and Ulster Bank Limited

1.8 We have recognised that the previous implementation deadlines would be unachievable. We now propose that the directed PSPs introduce CoP according to the following time frame: • From 31 December 2019: Directed PSPs must respond to CoP requests. • From 31 March 2020: Directed PSPs must send CoP requests and present responses to their customers.”

Have you ever looked at your bank statement and seen a payment to someone you don’t recognise? Then on further investigation realise you know who the payee is but is not recognisable as a name you might have given as a reference.

That tells me that some form of CoP already exists but is not being used for customers benefit.

If I phone my bank to make a payment, they already check the sort code. I recently made a payment to a building society and my bank gave me the name there and then of the clearing bank.

It does seem feet are being dragged here. Why?

It will cost money to implement Confirmation of Payee, and that’s probably the main reason for the delay. In my view it is unprofessional and maybe even negligent for banks to ignore details of the payee when transferring money.

I see no evidence so far for that. Maybe it is an unfounded frustration, but if it has real foundation then it would be helpful to others to cite it. As far as I can see the regulator has not reached that conclusion.

The Payment Systems Regulator has consulted on the introduction of CoP; I have not read the responses but they can be found here. Maybe they will support or confound criticisms. Maybe Which? could review them?
https://www.psr.org.uk/psr-publications/consultations/responses-to-consultation-on-general-direction-cop

It would be useful if Which? provided a balanced resume that is fair to all parties involved to allow arguments and discussions to proceed on an informed basis.

I’ve read quite a bit of that document and the responses from banks do seem to indicate:
a) expense
b) time frame (related to expense)
c) a ‘why should we have to do it?’ attitude. (related to expense)

From chatting to a pal pretty high up in system design in a major bank (no – I’m not naming it!) it does become clear that a very straightforward implementation of COP could be actioned within a couple of months. Essentially, the subroutines already exist, so no originality would be required, other than copying and adapting the existing subroutines slightly.

In effect, it would only involve adding one more data field: surname. Problems do arise when you include first names, initials, titles and colour of tie, but then the default would be something along the lines of ‘Sorry; something you have specified is incorrect.”

In terms of cost being the main item, Wave is, I think, correct. Sample responses:

1. Implementation costs are not known but expected to be very high due to infrastructure dependencies.
2. we cannot comment on the cost of implementation at industry level.
3. Cost estimates in section 7.13 do not align with our internal estimates of how much this will cost to implement.

There’s also some interesting comments regarding the proposed opt-out facility:

1,. Some consumers may want to opt out of CoP at the bank/PSP’s discretion. However, there is a risk that if a bank/PSP doesn’t have a robust opt out process in place (with strict due diligence), CoP may end up benefiting fraudsters.

Of perhaps greater concern is the response from the Association of Independent Risk & Fraud Advisors

1. The COP programme is NOT A SOLUTION to the fraud problem, is NOT something that is likely to realise any financial benefit or to address anything but a perceived customer issue.

They also list potential existing issues:

a) Poor controls in payee banks over onboarding customers and in identification of the ‘true’ customers
b) Payee banks/organisations that do not compare payee details with the accounts involved: even when the transactions may be considered higher risks (see PSD2
customer authentication requirements) validation, whereas the receiving money requirements of the Money Laundering law receive less attention.
d) Payee banks/organisations treat all transactions whatever the value, account longevity, account type, expected transaction volumes, historical transactional history.
e) Banks/organisations who accept payments instructions for on-payment of transactions / consolidation of funds / dissemination of funds without raising suspicions. i.e. failing to KNOW-THE-CUSTOMER, and to understand the nature of the transactions where these are fraudulent.
f) An absence of challenge when handling these transactions that are clearly fraudulent.
g) A reliance upon a defence of “can’t disclose due to GDPR/UK Data Protection issues” when challenged, rather than co-operating in accordance with the ‘crime
prevention’ exemptions in these laws.
h) An absence of clear co-operation across the sector (strategically and operationally), as had/has previously been the case within the anti-fraud community within
the UK Payments industry prior to the reorganisation of the sector.
i) Initiatives such as these being co-ordinated within the sector by media/public and industry relations specialists rather than banking / risks representatives from
the payments sector.
j) A lack of available analytics about the problems and issues as evident in this consultation: i.e. where is the money paid to for these scams (organisations /
countries / same-name account-names, individuals or companies; are there commonalities of payees, where is the money THEN paid to thereafter – and so forth to the final destinations; how much is tracked to the end-point and recovered, whet mechanisms are there for tracking and recovering etc.
k) No recovery mechanisms as above in (j).
l) There is no fraudster mapping, no understanding of the fraudsters’ networks, the key (‘Mr Big’) ultimate perpetrators if through organised crime.
m) No name & shame programme for the guilty parties
n) No fining mechanism of the guilty payment institutions by/from regulator or pseudo -regulator industry body.
o) No current ‘chargeback mechanisms’ to reapportion the losses.
p) No announcements or analytics on the fines, chargebacks and/or recovery mechanisms; about the recoveries, prosecutions and operations.
q) No on-going working party and action / strategy taking bodies.
r) An absence of understanding of the issues and the need for action by and within the PSR / FSA and Pay.UK to drive and address an appropriate agenda.
s) The absence of a regulator that addresses the marker rather than operating ONLY as an “economic regulator”.

There are some 170 pages of responses, so a lot of reading, but there’s a definite feeling of the banks shuffling their feet on this one and advancing all sorts of reasons why introducing COP isn’t a good idea.

It’s more than a bit reminiscent of Yes, Minster scripts in some ways…

I agree. Looking at the above there seem to be a lot of words and not much substance. Someone with a little financial nous could rewrite that and refine the list so that it read as a list of actions needed and not excuses why nothing can be done. As a to do list, banks could focus on delivering instead of holding hands up in despair. Thanks for the summary and the work in reproducing it. I also agree that Which? has a role here to jolly things along.

The attitude of the Association of Independent Fraud and Risk Advisors (AIFRA) might be encapsulated in their response to this proposition from the PSR:

” CoP is the industry-agreed way of ensuring that names of recipients are checked before payments are sent so the payer can be confident that the payee is who they expect it to be.

The response from AIFRA:
This is not the industry-agreed way.
– This was not agreed by the PSR working groups for Fraud and Finance Crime. See the working group’s report.
– This has not been agreed by the payment institutions.
– This has been driven forward as a knee jerk reaction to the Which? super-complaint with an absence of understanding or ideas on how to address the problem.
– The majority of people on the working group are consumer representatives, relationship management, lobbyists and others that do not represent the industry.

The payment Systems Regulator summarises the responses to its consultation https://www.psr.org.uk/sites/default/files/media/PDF/PSR-CP-19-4-CoP-specific-direction-consultation-May-2019.pdf with a selection as follows:

– A strong majority of respondents, fully or in principle, supported the PSR giving a direction
– Most respondents said all PSPs should be given a direction but there were concerns about smaller PSPs
– Most respondents were in favour of requiring the same PSPs to both respond to and send CoP requests
– Most respondents supported applying CoP to both new and changed payment mandates
– Stakeholders had mixed views on allowing end users to opt out of CoP
– Most respondents favoured CoP covering both individual and business accounts

Stakeholders said they needed more time to implement CoP
– 2.100 Although many PSPs supported the PSR giving a direction requiring CoP, only three stakeholders supported our proposed dates.
– 2.101 Most respondents said the dates were too challenging or impossible to meet. Many said they were already engaged in a heavy programme of regulatory change related to Open Banking, the Second Payments Services Directive and the UK’s exit from the European Union. These changes would make it difficult to implement CoP by the proposed deadlines.
– 2.102 Fourteen respondents were concerned that the April and July deadlines would not allow enough time to test their CoP services. PSPs said they want to avoid a situation where CoP is rolled out to customers too soon with major updates required after implementation.

Views on our assessment of CoP’s costs
– 4.11 We asked stakeholders to provide their views on whether our assessment of CoP’s costs was right.
– 4.12 Four respondents said the costs were underestimated. One respondent highlighted that we had not included some costs, such as the cost of reissuing customer terms and conditions where a reissue has not already been scheduled. Another respondent said customer queries were likely to increase as CoP would add friction to the payment process. This would have an impact on wider business functions, such as call centres and branches, increasing costs.
– Our response: we have refined our costs estimate in response to stakeholder feedback and data provided by PSPs

In terms of cost being the main item” it seems to me that, with the forthcoming introduction of the Code of Practice that will require banks to refund clients more readily, the banks will see the benefit of reducing fraudulent transactions as this will both benefit their clients and directly benefit the banks in reduced compensation. So their investment will produce a worthwhile cost benefit.

One major bank said ”As we said above, we are still considering our final costs for CoP however, we believe that the estimated industry cost involved in implementing CoP (£200m) is low if this is to cover all PSPs participating in CHAPS and FPS (direct and indirect). Of particular note should be the outcome of question 5. Adoption across all channels, if mandated by the directions, will drive significant cost for PSPs.

This was a pertinent comment:
” An assumption should be included that the benefits dwindle over time as scammers adapt and find other ways to defraud customers via methods where CoP is not effective. Whilst this doesn’t challenge the assertion that CoP could help prevent 90% of APP scams where the name entered does not match the account details, it does acknowledge that the efforts of fraudsters is likely to increasingly focus on activities that avoid CoP detection, or indeed that they are likely to increase their activity in order to maintain the same level of profit. For this reason, a 90% prevention rate does not necessarily equate to a 90% reduction in losses.

A number of scams already involve payment via means that banking CoP cannot verify. One example of this is payment via gift cards.

Nonetheless, if properly implemented, CoP will be a useful step forward. If nothing else, it will help to reduce errors caused by mistyping destination account numbers.

The most benefits of CoP will be from honest mistakes which is probably why the banks are not rushing to implement it as honest mistakes are easier to rectify.

But, you just know scam victims will come here saying ‘I told the fraudster the name didn’t match, but he was so convincing and told me it was OK, so I went ahead and transferred the money….’

I’m unsure why the banks couldn’t, at the very least, implement the simple extra surname check. Okay; it would only cover direct bank account transfers but it would be simple to do and address the issue that seems to be the most contentious.

alfa, I agree that CoP alone will not stop scammers and con men from getting their hands on other folks’ money.

New rules on cancellations and refunds might help. In turn, those might require an end to the instant clearing of electronic transfers. For example, if one could recall any such payment for up to 7 days afterwards, that would help when scams are revealed just after the event.

Presumably the PSR is looking at doing a more all-encompassing scheme rather than in bits. Personally I’d be happy to wait if the final systems works reliably.

If Derek P is correct in the mis-typing problem then maybe banks should advise all on-line customers to do a test transfer to check the integrity of a new account as an interim measure.

Stephen Jones, chief executive of the trade body UK Finance, told the Treasury Select Committee on Wednesday that he expects it will be some time in 2020 before the new system will be operational.

“It is quite a complex IT and process change,” Jones said. “We are working hand in glove with [the PSR] on a timetable to ensure to that that is put in place across the industry and I expect that that will be capable of being rolled out across the vast majority of payment services providers some time next year.”

Jones said implementing the confirmation of payee system represents “a big change at a time of a lot of change” which banks are “required to implement”, but insisted the project has not been “deprioritised”.

Susan Allen, head of retail business banking at Santander UK, said that in addition to the confirmation of payee initiative, payment institutions are in the process of updating their systems to account for a variety of other regulatory-driven reforms, including making changes to comply with the EU’s second Payment Services Directive (PSD2), the UK’s open banking regime and to address remedies imposed by the Competition and Markets Authority (CMA) following its high cost of credit review.

“All of these changes touch the payment systems so we have to look at sequencing them very carefully so at the same time we don’t create an operational risk to the payment systems,” Allen said. “We have a finite pool of people in the UK who really understand and can work on those systems and we are having to sequence those changes.”

She said that implementing the changes required under the confirmation of payee initiative is “a bit more complex than it sounds”. Payment institutions have to make changes across all their customer channels, including online and mobile services, ensure that changes “link into the payment systems”, and make further system alterations “to be able to receive messages in from the other banks and then present them back to the customers in whatever channel the customer chooses”, Allen said.

Technical standards for the ‘confirmation of payee’ service were published by Pay.UK, the body tasked with designing and implementing new payments architecture in the UK, in October last year. At the time Pay.UK said the service would kick-in when businesses or consumers are setting up a new payment, or amending an existing one.

Under those standards, payment service providers (PSPs) will check the name on the account of the person or organisation to be paid and either confirm the details are correct, ask the payee to check the details are correct if the name provided is similar, or advise the customer that the details are wrong.

The PSR subsequently opened a consultation in November on whether regulatory intervention is needed to require PSPs to implement the confirmation of payee reforms. The consultation closed on 4 January this year.

In a statement, the PSR said it is “still working through the responses” received to its consultation “so no decisions on timing have been made”. It said it wants the confirmation of payee reforms “brought in as soon as possible” but to also ensure “that when it is introduced, it is an effective way to stop this crime taking place”

In its evidence session on economic crime on Wednesday the Treasury Select Committee heard about how competition issues could influence when a deadline for implementing confirmation of payee systems is set for.

Stephen Jones of UK Finance said: “Whilst large and sophisticated institutions have got the resource to do what is required internally a number of the middle and smaller payments institutions do rely on third parties to deliver a solution to implement and actually what we are trying to do is encourage those third parties to come forward to deliver competitive solutions which can then be implemented by smaller PSPs.”

“That’s another factor which we have to take into account in recommending a timetable for the whole system because if we go too fast we will end up with a two-tier system where only the big institutions are able to offer ‘confirmation of payee’ and then customers are forced to make a choice between mid-sized and smaller institutions who we want to encourage for competitive reasons but who haven’t got the resource to do it as fast as the big institutions so there is quite a tension there in terms of execution,” he said.

Chris Rhodes, chief product and propositions officer at Nationwide Building Society, said: “There has got to be a critical mass of institutions able to test and then implement at the same time.”

According to UK Finance figures, £145m of losses suffered by UK bank customers in the first six months of 2018 were attributable to APP scams. The trade body previously said there were almost 44,000 reported cases of APP frauds in 2017 spawning losses totalling £236 million to businesses and consumers.

Banking and payments law expert Henry Burkitt of Pinsent Masons, the law firm behind Out-Law.com, said: “We understand that a number of the banks have been struggling to keep pace with the exponential rate of change of payments infrastructure, for example in consolidation of the retail payment schemes into Pay.UK, implementation of open banking, structural reorganisation requirements as a result of Brexit, PSD2 and structural reform, and that ‘confirmation of payee’ timing has slipped as a result.”

“We look forward to the outcome of the PSR’s consultation and clarity on the timing of implementation,” he said.

Reading what’s being said, it seems that the reasons for the delay are:

1. The banks don’t easily communicate with each other – possibly the biggest problem.
2. They’re trying to bring in a lot of changes in a comparatively short time
3. They don’t want to rush it, because they’ll be liable if they get it wrong.
4. There are insufficient system programmers who intuitively understand what’s needed.

Making those changes and avoiding the GDPR pitfalls can’t be easy. At the most basic level any implementation of COP will require two highly competitive entities to cooperate. But there are echoes of these potential issues in the world of computing.

During last year’s ticketmaster hack a small new bank – Monzo – piped up to say its internal fraud detection systems had “spotted signs” as early as April, blocking a number of cards that had also been used at Ticketmaster. They warned Ticketmaster, who were then told by their own bank nothing was wrong. It took Ticketmaster until June to admit there’d been a massive theft of card details.

It strikes me that implementing COP should perhaps have been enforced only after banks had been compelled to exchange information on a regular basis.

Interesting insights. I wish Which? published such information. Whether or not we accept the reasoning it is better to have the views and information from all involved, rather than simply pursue a one-sided argument. Then we are better placed to reach our own decision and discuss on an better basis.

Steve Winder says:
23 May 2019

I am of the opinion that it’s mainly the older generation who get “Conned” the most as they are more likely to comply with what is told them as it was the way they were brought up–more trusting etc. & don’t the fraudsters know it!

Stuart Cromie says:
23 May 2019

As well as asking the Banks to help, a lot more pressure should be put on the Government. The department ACTION FRAUD is almost like a fraud itself as it does nothing. Just read (Trust Pilot) Also the Data Protection Act need to be updated in the UK. In America you can look up a persons criminal record yet here the same person can keep up with their scams

Ian Scowen says:
23 May 2019

Could you please publish which Banks have signed up to, or intend too sign up to this voluntary APP agreements next week.
It would be useful if we were aware of those banks that exceeded the code and then we can change banks to those that do safe guard us.

Ian S

See Which? News: https://press.which.co.uk/whichpressreleases/new-industry-code-must-deliver-says-which-as-674-a-minute-is-lost-to-bank-transfer-scams/

“The following banks have committed to signing up to the Code

Barclays
Lloyds Banking Group
HSBC
Metro Bank
Royal Bank of Scotland
Natwest
Santander
Nationwide

Have to say my bank queried a bank transfer I made on Tuesday because it was to someone new and for quite a large amount. Even though it was supposed to go out immediately they held on to it until contacting me the following day. Can’t fault them.

Pauline, which bank was that?

Amanda Hatch says:
23 May 2019

Last week I was a victim of hacking. I belong to Nationwide building society. They refunded the money. Stopped my. card and I was able to draw out cash at a branch. I’m extremely happy with the way they treat their customers and I am lucky that I bank with them.
Amanda

Amanda, good to hear of the outcome to a bad experience. I know others banking with Nationwide with similar good service.

Bob says:
23 May 2019

The scammers will make easy money from this, just get a somebody linked to the scammer to transfer money and then claimed that they have been scammed.
The account name must be linked to the transfer name so that will hopefully stop money being transferred to a scammer, but apparently this is likely to take two years before this comes into effect.
It is easy to say beware of transferring money, but some people must be taken in.

The first line of attack, to reduce the incident of financial fraud, is a new Fraud Act that would transfer the burden of proof onto the accused to prove to the satisfaction of the court that their transactions with the plaintiff were honest and legal. All the accused’s assets would be sequestered by the Court and subject to costs until the accused had satisified the Courts of their innocence.
Secondly, any company, individual or orgnisation found guilty of fraudulent behaviour would immediately loose the protection of Limited Liability. Both the Directors and shareholders would be fully liable for any resultant costs and damages.
And please don’t whine that such measures are punitive – this was exactly the situation in the early 1800s when industrial pioneers such as George and Robert Stephenson, Mathew Murray, James Nasmyth, Isambard Kingdom Brunel and many others built this country into the Workshop of the World!

the big 4 banks are closing more and more branches, if you find one open they only have 1 cashier working, you quoe up for anything upto 45 minutes just to talk to a person about your own bank account, if you then ask for a statement, that cashier is now not aloud to print it as they have for years, now you have to wait for someone else to come out from the back office, that can take another 30 minutes plus, they are a joke.
the area manager says people dont use banks any more, complete rubbish, they are making customers go to post office as they dont have to pay for staff or pay rent, yet they are making millions out of our money, yet they have stopped offering a service, so why dont we all only leave the bare minium of money in our accounts, then they wont have our money to invested earning money they should be paying us for banking our money, they should be all turned into non profit organistions.
all they want to give us are cards you cant read after a week, they want us to tap,tap and tap again, they have to be charging us for all these taps, after all they dont do it for love.
in the last year 11 banks have closed, each bank had up to 4 members of staff, they were all made unemployed, these is happening all over the uk, and we are all letting them get away with this, they put adverts on tv saying that they care, i dont believe they no the meaning of the word, so they will never stick to anything, so whats the point.

Robert Taylor says:
23 May 2019

Why not use blockchain?

Janice says:
23 May 2019

As a victim of bank fraud, I would like to see in due course that banks will back date claims so more victims can recover their losses, if PPI can be backdated, so should bank fraud. I even sent mine to the Financial Ombudsman and was turned down.

I Purchased an item and sent a deposit via my bank The seller was a scammer and did not have anything to sell I had the scammers bank account and mobile number.
i went to my bank the next day and was told they could no retrieve my money??
i Also told the police but they didn’t want to know i could not even get a crime report number
The british police are not fit for purpose. I told my Bank manager why don’t you do the same as paypal were you can get your money back ?? credit card people do the same
What is up with these ??? Makes me think who is the biggest scammers

John says:
23 May 2019

Some very good friend of mine – both over eighty – were ‘conned’ out of over £24,000 !
It was the usual one.. the scammer’s purporting to be from B.T !
The argument, by their bank. was that my friends had “volunteered” their bank details without duress.
What a joke !
Doesn’t Section 1 of the 1968 Theft Act apply anymore !
‘A person is guilty of theft if he dishonestly appropriates property belonging to another with intention to permanently deprive the other of it.’
End Of !

Colleen Gibb says:
23 May 2019

I was the victim of a scam several years ago. Drawn into the promise of a ‘home based’ income earning project, I signed up and then took additional extras .. paying with my credit card, before I realised that the whole scheme was a little ”too good to be true”. I phoned my Financial Institution albeit quite late on a Saturday night, and explained what had happened and asked them to stop payment and reverse payment should it have gone through. This was agreed by the financial official who confirmed that ithe transaction had been stopped as requested. The following week, I checked my account only to find that all payments had been made through my Credit Card. In discussion with the Manager of the Financial Institution, I was informed that my Credit Card should have been cancelled by the financial official .. unfortunately this had not been the case and so the Chinese scammers were able to simply withdraw the money from my Card. It is critical that Financial institutions become more aware of their responsibility in stopping fraud.

Some “victims” of fraud have only themselves to blame. They join up to schemes which offer a return on investment which is so high that alarm bells should ring. It is not the Banks’ fault that some people have been swindled, but their own stupidity/greed.

I realise my views may be unpalatable to some people, it is not always the fault of the Bank.