
Improving protections for victims of APP fraud

We’ve been campaigning to improve protections for victims of authorised push payment (APP) scams for more than four years – here’s our progress so far, and our concerns.

Our campaign has resulted in hard-won benefits for people – including the landmark Contingent Reimbursement Model Code introduced in 2019.

This voluntary set of guidelines was the first document to set out formal protections for APP scam victims. It committed signatories to improve fraud protections and provided guidance on how victims should be treated and reimbursed.

Authorised push payment (APP) – or bank transfer – scams are scams where a person is tricked into making a payment to someone who they think is a legitimate recipient (could be a business, a formal body like a bank or a solicitor, or an individual), but who turns out to be a scammer.

It was thanks to Which?’s super-complaint in 2016 that the Code was introduced, and it currently covers the vast majority of the industry. Since its creation we have kept a close eye on how signatories have interpreted and implemented it to make sure that it is working for victims.

Although the Code was introduced in May 2019, APP scams continue to be a major issue today with the latest figures suggesting that around 350 people fall victim to them every day with hundreds of thousands of pounds being lost. In the first six months of 2020 more than £200m was stolen.

Is the Code being undermined?

We have become increasingly concerned over the last 18 months that banks signed up to the Code are interpreting and implementing it in a way which is undermining its effectiveness.

Thanks to the work of our policy, investigations, and Money Helpline teams we have been able to identify numerous ways and hundreds of examples where banks are letting down victims. These include:

🔸 Banks relying on having shown a victim a warning before they made an online payment, despite not producing any evidence that these warnings work

🔸 Banks not properly assessing whether a victim was more susceptible to being scammed (for example due to a pre-existing mental health condition or going through bereavement), or not taking into account evidence provided to them by the victim

🔸 Banks treating victims as fraud experts and expecting them to have taken unreasonable steps to question the scammer or verify who they were paying

Reimbursement rates of victims also remain worryingly low, at an average of about 45%. Figures published by the regulator last year suggested that some firms’ full reimbursement levels have been in the single figures.

Industry has been able to get away with this haphazard implementation of the Code due to the lack of proper regulatory oversight. In our view, the PSR’s approach has been slow and has lacked the decisiveness that is needed for such a potentially life-changing issue.

Implementation of the Code

The evidence that the voluntary Code isn’t working as it should be has been well known for well over a year, yet the PSR has continually looked to others – particularly industry – to bring forward solutions and to fix the issues, rather than making the tough decisions itself.

It handed the day-to-day running of the Code over to the Lending Standards Board, an industry-funded group with no formal regulatory powers. And it has failed to set out a clear, decisive regulatory framework and direction of travel to move us towards a system of mandatory protections.

Last month, the PSR published its latest call for views on APP scams which again suggested that the industry needs to improve, but failed to give a clear indication that swift changes would be forthcoming.

There are some promising ideas in there – particularly around publishing transparent data on the reimbursement rates of firms – but the pace of action (publishing this document followed by another consultation in the autumn) is causing harm to victims who desperately need certainty and support.

We will continue to work constructively with the PSR on this issue. It is vitally important, however, that they work quickly and decisively to create a mandatory set of protections for victims which can replace the voluntary Code.

If they need more powers in order to do what is needed then the government needs to give these to them as quickly as possible. 

We want to continue to build our understanding of how victims are being failed by the current system. If you’ve been a victim of an APP scam and need support or would like to share your story, please let us know in the comments.

If you’d prefer to do so privately we can be reached via Which? Conversation’s mailbox here.


I have had email from Which? today asking me “We want to know whether you want your bank to publish it’s reimbursement rates for victims of bank transfer scams?“. Yes/no/don’t know, but no opportunity to say why. Although much has been discussed in Convos but not mentioned.

The campaign plea includes “But why, almost five years after Which?’s super-complaint that highlighted just how sophisticated these scams can be, are so many victims still being told it was all their fault?“. If Which? read Convo comments they might get some views on that question.

Indeed – and, yet again, where is the money for all these refunds supposed to come from?

Derek, this image showing the best savings rates available compared to the much praised TSB probably explains where refund money is coming from and why it is very unfair to the real innocent people being denied interest on their savings to pay victims who in many cases are 100% responsible for their losses. Thanks to Which?, TSB customers now get next to nothing on their savings and I just hope all the financial institutions don’t sign up and follow suit.

As Which? put compensation first, perhaps they should compensate everyone who is losing interest on their savings.

It doesn’t seem a simple issue. Putting aside the fact that I don’t believe anyone, anywhere understands international macro economics it does seem there are a lot of factors at play, as this article from the USA-based New York Times suggests:

In the evolution of the U.S. economy over the past four decades, one fact stands out as especially puzzling: the large and fairly steady decline in interest rates.

Consider what has happened to three key benchmarks. In September 1981, the 10-year Treasury note yielded over 15 percent. Today, it yields less than 1 percent. Over the same period, the critical short-term rate set by the Federal Reserve, the federal funds rate, has fallen to nearly zero from about 16 percent, and the rate on 30-year mortgages has dropped below 3 percent from over 18 percent.

What accounts for this decline, and what does it imply for personal and public decision-making? Some answers are clear, but many more are elusive.

One reason for the interest rate decline is a drop in inflation expectations. As the economist Irving Fisher noted almost a century ago, when bond investors expect high inflation, they anticipate that repayment will be made in significantly less valuable dollars, and they demand a higher interest rate to compensate. When expected inflation falls, as it has over the past 40 years, interest rates typically do as well.

But according to the University of Michigan’s survey of consumers, expected inflation fell 4.3 percentage points from September 1981 to September 2020, explaining only about a third of the decline in interest rates. The remaining question is why inflation-adjusted interest rates — what economists call real interest rates — have declined so substantially.

The Fed aims to set interest rates at levels that will produce full employment and stable prices. This level is sometimes called the natural rate of interest. The natural rate is determined not by the central bank but by deeper market forces that govern people’s supply of savings and businesses’ demand for capital. When the Fed sets low rates, it is acting more like a messenger, telling us that the economy needs them to maintain equilibrium.

My impression is that interest rates are generally low at present, irrespective of whether they are offered by banks that have signed up to the voluntary code for handling claims for reimbursement. Are there other factors involved such as the fact that banks have a legal responsibility under Section 75 of the Consumer Credit Act for purchases of goods and services? This is now better publicised than in the past. Banks also lose money when customers default on debts. It would be interesting to take these and other factors into consideration rather than assuming that poor interest rates are the result of compensation of victims of fraud.

I’m not keen on compensating people who have been careless and I do hope that the banks do look at each case objectively. In the past couple of years, banks have put in a great deal of effort to protect their customers, which is very encouraging. I hope that this will help us all and wonder why this was not in place earlier.

I wonder what the views of other Which? members are regarding the issue of compensation.

“If your bank is signed up to the code, it should reimburse you the money, as long as you can show you’ve paid attention to warnings it provided before making the transfer, had a reasonable basis for believing that the person you were paying was genuine, or are considered vulnerable.”

While I have sympathy with those who take every precaution I do have a problem with the premise that if the customer is relatively blameless, the bank must be blamed and forced to compensate. Both can be equally blameless; it is, of course, the fraudster who is to blame. So using the banks to automatically compensate for a crime is neither right, nor healthy; it is just a sticking plaster that rewards the irresponsible as well as other victims.

We should be looking at ways of minimising the losses people can make, whether through their own lack of competence or not. This includes tailored bank accounts. It does not include taking money from me and paying it to many when it is not appropriate.

By all means hold banks to account when they have been negligent. But we must also hold victims to account when they, too, have been negligent.

We could say that the banks are being held to ransom by the fraudsters, thus effectively committing two crimes in each case.

Much more effort needs to be put into finding the means to identify, trap and stop the fraudsters and then deprive them of the proceeds of their crimes as well as making them repay the community for their offences through appropriate penal sentences.

I know I am at odds with the Which? view that most defrauded bank customers should be refunded by their banks. Why? Well, I do not see why we should regard banks as the automatic guarantor whenever we make a mistaken financial transaction unless, that is, the bank has been negligent or knows a transaction is being made with a fraudulent person.

It starts with the language. Which? continually use the term “banks blame customers”, an emotive word designed to place sympathy, whereas I regard banks as looking at responsibility, irresponsibility or carelessness.

Why should someone who has not taken due care, whether they do so knowingly or are not aware of what happens in the real world, simply expect to be repaid – except by recovering funds from the perpetrator? A great danger of an entitlement to a refund is to encourage some people to be more reckless than they otherwise might, knowing they are unlikely to lose.

Take an investment opportunity. It might look too good to be true, or it might pay off well. So go for it and if it fails, just get your bank to give back your money. A pensioner is quoted as investing £160 000 in Grandefex that turned out to be an investment scam. More “reviews” (for what they are worth, but they should have raised concerns) were bad than good. What competence did the investor have to decide a place to invest such a large amount of money – seemingly none. And yet Which? want it all repaid. Did the bank know it was a scam? Did the investor ask his bank for advice before parting with the money? Where is the bank responsible?

Another example they give is a mother receiving a WhatsApp message from her “daughter” asking for a £400 bill to be paid with the rather implausible excuse that she cannot use her phone because she was changing provider and her number would not work for the transaction. Why did the mother not respond by WhatsApp first as most of us might before sending money? Why was the bank responsible for someone falling for a fraudulent WhatsApp message?

I simply believe this Which? approach is wrong, is unfair on all the banks’ customers who will have to provide refunds, and does nothing to promote customer responsibility or awareness.

This topic is repeated endlessly, with commenters from all sides, including many worthwhile and constructive suggestions (in my view) as to how people could be better protected from making unsound financial decisions. Yet not a word of these from Which?; they are simply ignored.

I want to see the security of online transactions improved so people are better protected – from themselves as well as from fraudsters. I want to see banks held to account when they should have known a customer was acting improperly or exposed to fraud, and when they have been negligent in performing a transaction.

But I also want to see constructive proposals at how better security can be achieved, not just the usual lazy “something must be done” approach that, inevitably, shifts the focus on to an easy target – a financial institution.

Come on Which?. Take a fair and balanced approach but, more important, investigate with others who may have better knowledge of what is possible, and report to us on how to improve the situation. Dishing out refunds as the default is no sustainable way forward.


malcolm r says: Today 10:53

I know I am at odds with the Which? view that most defrauded bank customers should be refunded by their banks.

I don’t believe Which? has actually said “most defrauded bank customers should be refunded by their banks”. I think what they’ve been saying is that there’s little or no consistency between how banks determine who is culpable and should be refunded.

From reading the headers to the various topics about this it does seem that all Which? is asking for is a level playing field. And currently it is certainly illogical: some banks are refusing refunds on 90%+ of scams, whilst others are in the 40% area.

I agree with John about increasing efforts to stop scammers, but I’ve also long believed we can’t trust the banks to all do the right thing. They need to be faced with legislation to force them to work together – competitors or not.

My difference seems to be around the attribution of responsibility. I have said regularly that where a bank has responsibility, wholly or partly, there should be full or partial repayment. But it seems, in my view, from many of the cases presented by Which? that the complainant has acted unwisely, incompetently or irresponsibly, yet Which? insist they should be repaid. Perhaps that is just a difference in my view of personal accountability; I would accept that.

“Low fraud reimbursement rates

Despite the worthy intentions of the code, losses to APP fraud remain high (£479m in 2020) while reimbursement rates are shockingly low. Banks found victims at least partly responsible for their losses in 77% of cases assessed in the first 14 months of the code. Two banks found the customer fully liable in more than nine in 10 decisions.”

I would ask why “shockingly low” is used, as if these victims could not possibly be, in part, responsible for their part in the loss.

Read more: https://www.which.co.uk/news/2021/09/which-calls-for-an-end-to-banks-blaming-fraud-victims/ – Which?

What I really want to see is a soundly based discussion of what we can all do – banks, customers, the relevant systems administrators – to reduce fraud. As I said above, many suggestions have been made in previous Convos that are simply ignored by Which?, as are investigations into genuine realistic remedies. Which? will no doubt be popular with some for their “helpful” stance but that does not solve the underlying problem. I would hope Which? would do better than just continually repeat the same mantra by getting stuck in to some real work, with all those others who can contribute.

I think there is a case for an independent adjudication process to determine, systematically and consistently, the relative liabilities of the bank and the customer. This has been suggested from time to time but Which? has never, so far as I am aware, given the idea any support or sought to achieve it. Which? can speak to the Regulator; we — as individuals — cannot.

I agree about a proper investigation into each case of a fraudulent transaction to determine each party’s responsibility. The likely problems are threefold – the time it will take to thoroughly investigate, who should fund an investigation (should the loser?), and at what level a full investigation should be instigated – there are many small ones that would likely clog up the system.

For small transgressions in some matters, when a customer makes a complaint for example, the banks normally yield as it seems easier to provide compensation than fund the cost of the time it would take to come to a reasoned decision. I suspect this will be one of the disadvantages of a mandatory CRM – unwarranted but easy repayments at the expense of other customers.

However, for significant amounts a proper investigation should be mandatory otherwise I consider unwise behaviour will continue.