/ Money

Scam protection: FCA proposals will boost complaining power

The FCA has announced proposals to give victims of bank transfer scams more scope to make a complaint, and increase the powers of the Financial Ombudsman Service.

We’ve been campaigning for better protection since launching our super-complaint in September 2016. Under current regulations, you have no right to complain to the bank that received your funds if you think it hasn’t taken sufficient action, but this will soon change.

The proposed changes will also allow victims to escalate complaints to the Financial Ombudsman Service, so this is undoubtedly a step in the right direction.

Sophisticated fraudsters

Victims of this type of money transfer scam have told us that it can be a real struggle to get their complaints heard and to find out what has happened to their missing cash.

This is extremely distressing for people who have often lost life-changing sums to these increasingly sophisticated fraudsters.

We welcome the FCA’s announcement that gives victims new rights to ensure that the recipient banks and building societies are fully engaged in the complaints process and gives them the right to take their case to the Financial Ombudsman if they feel they have been treated unfairly.

Improving protection

In response to our 2016 super-complaint, the PSR set out an action plan to encourage great co-operation between banks, introduce anti-fraud measures and give victims more power to recover their funds. It also announced a contingent reimbursement scheme.

A ‘confirmation of payee’ tool is also due to be rolled out later this year, which will require banks to check the name provided on the transfer against its account records. If it doesn’t match, the customer will be alerted.

These developments and today’s proposals are welcome steps forward as we continue to call for the government, regulators and businesses to do as much as possible to safeguard us all from scams.

We don’t want to see banks getting let off the hook and scammers getting away with fraud. Agree? You can sign our campaign here.


This is very encouraging but I wonder if it will enable those who have lost money for no real fault of their own to recover their money. Any thoughts on this, Richard?

Obviously it is our responsibility to look after our money but why have banks been allowed to operate without ‘confirmation of payee’ or an alternative system in place?

Why have banks and other organisations handling money been allowed to put links in emails when it is known that fraudsters can use these for phishing? Any responsible organisation should not do this, but simply ask customers to log into their account.

RIchard Woodman says:
28 June 2018

The problem I think partly lies with the way the banks choose to interpret the data protection laws which means they don’t have to release information about the people who set up the fraudulent accounts. Maybe start with that and then the banks should have at least one less excuse.

Jacqueline M. Williams says:
28 June 2018

I use a bank in order to protect my money. Surely banks are obliged to keep up to date with modern technology so that we, the customers, who create the bank, are protected from fraudsters. Best wishes, Jacqueline M. Williams

The difficulty arises when you instruct your bank to move your money to someone else. You are responsible for issuing that instruction and your bank is obliged to do as you ask them. If the bank knows the transaction is fraudulent then they carry responsibility, but even fraudsters accounts will probably be used for normal transactions.

Lizzie says:
29 June 2018

As a victim of exactly this type of fraud I have found it staggering that a criminal’s data protection takes precisdence over my right to find out what happened and seek justice.

I addition I think banks need to allow people to set limits on bank transfers and there should be a responsibility on the bank to recognise when an amount greatly out of proportion with the customers normal pattern of banking is transferred and they’d should need to seek further authorisation before the money is transferred.

Obviously it is our responsibility to look after our money but when banks don’t have sufficient safety measures in place to do the same it then becomes their fault and they should, by default have to refund losses

No one should be able to bank transfer money to anyone who has opened a new account in the last 3/6 months till banks no that there using the account legitimately, not them opening it and large amounts of bank tranfair going on in it, i have been scascammed it was only for £40 for a garden bench, i reported it to santander and they said we will try and recover it back!! Then said they could not trace it ffs they must have known were it went to as it was taken out my account grrrrr

Peter says:
29 June 2018

I have come across the problem from the opposite end. On three recent occasions I have received payments into my account with no identifying data about the sender. The name was blank and there was no account or sort code. Each time I have pursued this with my bank – not least because I suspected these might be tax-declarable income. Each time I was told that they were unable to identify the sender. I find this astonishing: I suspect that if the sum were in the millions they might be more interested. But for the average customer they just don’t appear to want to resolve it. But it leaves me feeling slightly guilty that I may be receiving cash that is not mine.

If I transfer money to a new account my bank recognises this and asks highlights their pice on acting under duress and sends a one time pass code

KarlH says:
29 June 2018

Np guilt here. If the bank still claim that the windfall of unexpected cash is yours, enjoy it. You have taken appropriate steps to investigate the credit

This comment was removed at the request of the user

David Yates says:
29 June 2018

Totally agree with your suggestion that banks should NOT use links in any communication. It is misleading and encourages people to think a scam email with link is the norm.

Thanks Richard. Obviously it is necessary for us all to exercise care in financial matters but we can reasonably expect the companies to adopt best practice. At one time we could reasonably expect banks to check signatures on cheques and now we can reasonably expect confirmation of payee or an alternative system to be in place from the start.

It would be encouraging to hear about how some of those who have posted on Which? Convo have managed to recover money lost through no fault of their own.

If Which? can raise more awareness of inappropriate email links used in correspondence and help put an end to this practice that would be a great step forward.

The Financial Ombudsman is financed by financial institutions including banks and the only time I dealt with them was a waste of time, so I wouldn’t expect too much recompense through them. They also work extremely slowly.

Just claiming compensation is not good enough as fraudsters get away with the proceeds and the rest of us end up paying.

What we need is an active bank fraud investigation service that you don’t have to jump through hoops to access. It would be in the interest of the banks to fund and openly participate in such a scheme as they and their customers will be the winners in the end.

AMEX have recently introduced a good scheme. When making an online purchase, they send a one-off code, valid for 10 minutes to my email address and mobile phone. Once I enter the code, my purchase is complete. At last a system without a silly password I have to reset every time I use it because I can’t remember it.

Something similar could be introduced by the banks before transferring large amounts of money. If all contact details have been recently changed, then the account should be flagged as possible fraudulent activity and it is up to the bank to confirm the changes are valid before transferring unusual large amounts of money.

But little will change unless the receiving bank or the last bank to handle the funds in the UK is held liable for accepting and repaying fraudulent funds.

This comment was removed at the request of the user

I’m pleased to see the FCA widening the path to trying to get redress and welcome the forthcoming introduction of Confirmation of Payee. Reading through the reports on this it seems clear this is not the simple additional step that some seem to assume.

If a bank is negligent in the transfer of money that results in a customer’s loss, they should make that good – plus any consequential costs. If a customer is negligent in transferring money then they must bear that responsibility.

The introduction of Payee is only going to protect those who have made an honest mistake when making a transfer. I would imagine those types of funds are mostly recoverable. You hear of people finding money in their accounts by mistake that is then taken back, so it does happen.

It will not protect victims of scams as a scammer will use whatever Payee name an account is set up in.

But the campaign is all about victims of scams, not honest mistakes.

Going by many of the posts that victims report here, the Financial Ombudsman would find most of them negligent so they would receive nothing.

Time after time you read “as soon as I put the phone down I realised….”.

If banks were to give these people a couple of hours before confirming unusual or large transactions by phone and email, there would be a lot less victims.

I would be very happy if there was a delay before large transactions were actioned. I find it encouraging when my credit card company contacts me to check large transactions on an infrequently used credit card.

I’m not clear what delaying a transaction would achieve, but there may be a good reason? If you instigate a transaction are you likely to have second thoughts and do some more research? I wonder what would prompt this? However, you can delay your own bank transfer transactions.

I consider one piece of good advice currently is to transfer £1 to the intended recipient, check with them it has arrived, then transfer the balance from their stored account information. Maybe there should be an official option to do this.

Scammers will operate in all different ways – courier sent to collect cash that you draw from your bank because “someone in the bank is stealing and the police want you to help check fingerprints”. Or someone who grossly overcharges for unnecessarily undertaking building work.

Maybe there should be a social fund to help those who suffer great hardship from scams that they have fallen for, but I do not see it as the responsibility of bank customers to hand back money to the victims of crime – because it is our money that will be used, of course, not some magic pot.

The banks and other organisations taking payment could have made it a requirement for test payments, at least for larger sums. I’ve done this for years but cannot recall being instructed to do this.

I suspect many businesses might find this time consuming if used for every transaction of significant size. I think, however, it would be a good suggestion for banks to include this advice on their payments page so the payer is reminded of the value of doing this when making a payment to someone new for the first time. Once the payee’s details, stored in your account, have been verified then there should be no need to keep repeating the process.

Hopefully the need for this precaution will disappear when Confirmation of Payee is introduced – although I wonder what scammers will then find to handle that?

How exactly is Confirmation of Payee going to stop scammers?

They are hardly likely to use their real names on receiving accounts. Victims will be paying and confirming whatever dodgy name has been set up and given to them.

There are many types of scam, but for victims who are pressurised into quick bank transfers, delaying a transaction gives them to consider what they have done, so time to stop the payment.

At least having the option to delay payment should save some people from fraud. If it’s my money I would like to be in control and not just fit in with what is most convenient for the banks.

A person or company you are paying will have a name registered to the account matching the correct sort code and account number. I presume if the name you gave does not match then the bank will query your transfer. One proposal I saw was that when you set up a payment using the numbers the bank would send you the name of the account they corresponded to; only if you confirmed that this was correct would they process the transfer. An alternative was for the payer to enter what they believe is the legal name and the banks tells them if this is not so.

I doubt scammers will open a new account to simulate every business name they decide to use.

Responsibility does rest with the payer to ensure they use the banking system appropriately, and if they are not confident they should pay by other means. This presupposes the banks are taking reasonable protective precautions.

Scammers open multiple accounts, they have to as each account might only have a single use for scamming and removing funds.

February 2018: A gang who set up over 100 fake bank accounts with their own equipment to create false documents:

June 2018: Money Mail uncover another gang who opened 82 bank accounts using fake IDS and utility bills:

And there will be many more that have already been used and closed.

July 2015: Figures from Experian showed that 89 out of every 10,000 requests for a current account were made by imposters:

Scammers will give victims the false name on the account. They will not immediately know they are paying into one of those scammer accounts. If they then Confirm Payee which will match………. money gone!

I’m not clear what you can achieve by delaying a payment. What will happen if you delay payment for 1 day, say? Will someone do more background checks to ensure the payment is appropriate? That should be done before they pay.

However, I’m sure you have good reasons.

My bank allows me to set the time at which I make a payment – instantly, or delayed by a specified amount.

They might set up bank accounts in false names, but if the name of the account, and sort code / account number do not match that of, say, your solicitor then the scam should fail. I presume that in future, when you wish to make a payment to someone you will require not only the account reference numbers but also the exact name in which the account is held.

What people must learn is not to respond to emails or other communications regarding payments unless they are sure of their origin. An email or phone call to the real organisation concerned is all it takes. Unfortunately some things have to be the responsibility of the payer to verify.

For many victims, the penny drops that they have been scammed a short time later, when they have had time to think about the large amount of money they have just been sweet-talked into parting with. Whether they Confirm Payee or not, within minutes the money will be gone.

We are talking about bank transfer scams here and that is why a delay is needed, so there is time to stop funds being transferred.

As I said, my bank allows me to nominate the time it takes to make a payment, so it can be delayed by the payer. I have not explored how easy it is to cancel such a payment, admittedly, but this should give the payer the breathing space they might need. We would not want every payment delayed because the vast majority will be to legitimate recipients, and wanted to be moved quickly under the faster payments scheme. How would the bank decide which payments should be withheld and just how long would people need before they were released? My guess is many people will not have those second thoughts until perhaps they talk to others, much later.

I think the setting up of bank accounts needs to be vetted more thoroughly and banks need to warn people of the dangers of transferring money to new recipients without proper thought. How much further could the banks go to protect people from themselves? Maybe vulnerable people should have restrictions placed upon what they can do with their online accounts.

Onyi A says:
28 June 2018

The banks are complicit in these scams. When the incidence is reported to them, they are reluctant to join in the investigations that will help catch the culprits, in spite of the evidence being available i.e. the criminals depositing money in their accounts. This is encouraging news, but the question still remains whether this policy will see the light of day

Helen Watkins says:
28 June 2018

I think I’ve just been scammed …luckily not by too much £51 ….it was a complete web site set up which obvious has now disappeaed….it has certainly made me far more wary infuture

Lee Lee says:
28 June 2018

Report it to Action Fraud asap. They may be able to trace it?

Banks should be quicker to identify unusual activity on an account. There could be a system whereby unusual activity freezes the account until verification is sought from the holder. I am sure mist people would accept a few hours slower processing to be safer from scammers.

I should be interested to know how “unusual activity” is to be detected. My current account with the Nationwide runs along fairly predictably for month after month but then I might need to make a payment transfer to cover a credit card bill after making a substantial purchase. I select a date for the transfer a few days before the payment deadline so the last thing I want is for that to be held up while they try to contact me. Perhaps they would recognise that my transfer is going to another bank that I’ve previously transferred money to and let it through. But why should the commitment of the payment not be under my sole control? I don’t want bank staff or computers looking at my transaction profile and seeing whether anything unusual might be occurring. It’s none of their business to start with and it’s going to add costs to the operation of personal bank accounts for very little justification.

As has been said many times, people have to take responsibility for their own payment instructions, use the correct payee name, account number and sort code, and ignore any unverified requests for diversion of their payment. If they are not comfortable with that responsibility then they should not use on-line banking to make substantial funds transfers.

Gerald says:
28 June 2018

Until you make the banks utterly and completely responsible for the safe transfer of other peoples money they will continue to do nothing to change their systems to prevent fraud, and will do nothing to prevent fraudsters setting up accounts.

About bloody time, but then the banks are scammers themselves, think of PPI

Peter Roberts says:
28 June 2018

I also think the banks should be forced to declare each and every case of fraud that is carried out, and the exact amounts involved. We all know that they deliberately withhold the full extent of fraud because it is truly awful.

I was a scam victim approx. 10 years ago. The bank I dealt with at the time actually transferred the money for me in branch. Once the scam became apparent the bank in question did absolutely nothing to help me & I’m still paying the money back to this date. Not sure if I should mention the bank in question.

This comment was removed at the request of the user

It is not clear from your post whether you instructed your bank to carry out a transfer for you in branch. Banks respond to account holders’ instructions, and account holders need to be sure of what they are doing. If the bank did not know it was a scam I do not see how they can be expected to take responsibility. But then, I may have misunderstood your situation as your post lacks detail.

Banks should automatically verify all large or unusual transactions with the account holder. My bank was quick enough to stop a legitimate payment on my credit card when I went to collect a pre-arranged hire car from Heathrow some years ago which caused me some embarrassment. Naturally I was using a hire car in a strange location, where else would I use it? I did manage to get it sorted out, but it took some time. If only they were as proficient in every case.

So true! I’ve had to call to unblock a card so many times in order to then go through the transaction process again – it’s even happened when I was abroad and had no other access to money. However the bank I’ve been with for 20 years or so failed to notice blatantly fraudulent transactions on my account – and the fraud dept said they couldn’t stop the ‘pending’ transactions so I was defrauded £4000 and they did absolutely zero about it and I’d argue they might have been able to stop the ‘pending’ transactions otherwise what is that step in the process for – why does it exist?

Colin says:
29 June 2018

This sort of additional protection could be offered as an option to all bank account holders – I’d certainly opt in if I could, and I think it should be the default position for elderly or vulnerable customers.
The banks hold a great deal of data on our spending habits, so can easily identify unusual activity such as larger-than-usual payments or multiple payments over a short time. Very few customers would object to being asked to confirm if an exceptional transaction is genuine.
Vigilance on the part of my bank spotted and prevented fraudulent activity on my credit card (an expensive purchase in a foreign country that I’ve never visited), although the amount of that attempted fraud was a small fraction of the sums that are often lost to bank fraudsters. The difference is, of course, that the credit card provider is liable to pay for credit card fraud, while usually the customer is held liable for bank fraud.

Malcolm says:
28 June 2018

All bank transfers, as well as “card holder not present” credit and debit card transactions should be subject to two factor authentication.

suspicious payments should be delayed until verified. It would actually save banks money, not to mention their customers. Computers now are clever enough to ‘spot’ a dodgy sale. If for example, I was in say Liverpool but live 100 miles away, and made a purchase or ATM use, then my mobile is in my pocket, ask for verification ??? I don’t mind, its my money, their security.

Banks have been far to remiss in their dealings with scammers. Tightening up their responsibilties goes so far but simply having banks repay more victims, means the scammers still get away with it. The internet providers should make it impossible to create these scams. Every transaction should be traceable.

Not sure without reading everything if this has been covered but shouldn’t the banks do far more ‘due diligence’ when an account is set up to ensure they have sufficient documentation/identification? I run a small business and if a supplier advises of a change of banks I always ring up to confirm this is correct before paying. Same with a new supplier – I always ring to check the bank info – and I take the phone number off the official website!
I also agree with the small deposit payment – I have done this a number of times when making a large payment to anyone.

Andy Jackson says:
28 June 2018

Receiving banks seem, to my mind, to be facilizing fraud by protecting the identity of the person receiving the scammed money. This is often to disguise the fact that they the Bank haven’t done due diligence on the identity of the scammer or facilitator.

In short the Banks are guilty of fraud under the law of joint enterprise, but just deny liabity

@rpiggin, Richard, it would be most useful if Which? gave links to the relevant “official” documents on Push Payments and Confirmation of Payee so readers could perhaps see exactly what is being proposed and why. I couldn’t see these in the intro, but may have missed them. presumably these emanate from the Payment Systems Regulator and the Financial Conduct Authority. Perhaps useful stuff is published by the BBA?

It would also be helpful if, having reintroduced this topic, Which? experts contributed answers to some of the questions and criticisms raised. It would help the Convo develop in a constructive and instructive way.

Thanks Richard. It would be useful to attach a list of relevant links to Convos so those interested can look at the details.

There is a good discussion, in depth, in my view on a contingent reimbursment model in this document
that also updates the original Nov 16 document.

I think Which? should help people undertstand not only the problem but also that the simple solutions put forward are not necessarily that simple to execute. Take out a little of the frustration. A good example is the welcome introduction of Confirmation of Payee – not an overnight job, is it?

This comment was removed at the request of the user

A simple text to your mobile phone to confirm it is you making the transaction 🧐

Surely the FCA needs to be more proactive in tracking down scammers and/or quicker in reacting when notified of possible scammers. With issues in the past, such as pension miss-selling, endowment and sub-prime mortgages etc., they always seem to be reactive.

I received several emails one day in June 2017 confirming money transfers I’d made via Western Union except I hadn’t made any. I called both my bank, Halifax, and Western Union immediately to tell them that I hadn’t made the transactions – someone else had. I did have a Western Union account and had made the mistake of saving my bank card details on my account – of course this is supposed to be secure. I looked at my bank account online and the transactions were ‘pending’ and hadn’t appeared in the list of completed transactions at this point but when I spoke to Halifax, and even the fraud team, they said there was nothing they could do. Likewise Western Union acknowledged zero responsibility for the fact that someone from overseas had managed to hack my WU account and make transfers adding up to £4000. The rapid succession of the transfers and the fact that they tried to spam the last transaction several times but were stopped because the max transaction amount had been reached should have triggered some kind of alert that the behaviour was probably fraudulent but they clearly have no such system in place or do not monitor it sufficiently. And Halifax’s policy is that if you save your bank card details somewhere you’re basically giving that person/company free reigh to do whatever they want with the details and assume no responsibility there. The lesson to learn here is never save your card details anywhere and yet we’re led to believe that this is a safe and secure thing to do and most e-commerce sites encourage this. I got none of the money back – and none of them care a jot or take any responsibility for our money and identity that they’re supposed to be securing for us. It’s disgusting – big business has all the power as ever – and the man and woman on the street are exploited and powerless. I contacted the financial ombudsman but they couldn’t help because the online business is registered in Austria and not the UK so I contacted them online but never heard anything and in the end gave up because I felt so powerless and most of the people I spoke to were less than helpful and I’d lost money that I’d made plans for so the whole thing was a bit depressing – and I decided to let it go rather than obsess over it – and I feel that these are the two options in such cases either you obsess over it and fight (lots effort and potential stress and anxiety) or you just accept it’s gone and get on with your life and think that if the police ever pick up your case – it’ll be a bonus rather than par for the course. Sad but true. We are utterly powerless. The process with fraud is to report via Action Fraud, which I did, and they pass it on to the National Fraud Investigation Bureau but unless they have sufficient leads they don’t even pass it on to the police and Western Union told me that they would investigate the case as soon as they heard from the police but of course they know that’s very unlikely to happen and that they’re probably going to get away with this. I’d love to know what the statistics are for fraud via Western Union. In fact I’m wondering if I could do an FOI on that – is that data I could request from Western Union? Would they be obliged to supply it?