/ Money

Scams super-complaint: will banks now protect us from scams?

Bank transfer scams

Back in September, we made a super-complaint to the Payment Systems Regulator (PSR), calling on it to do more to protect people from being tricked into transferring money to a fraudster. Today, the regulator responded – but will its plan be enough?

In short, it has agreed with us that scams involving bank transfers are a serious problem, and one that’s growing.

Evidence from our online scams reporting tool gave additional insight into how big an issue it is likely to be. Hundreds of people told us stories of how they, or someone they knew, have collectively lost over £5.5m due to bank transfer scams.

The regulator has told banks that they need to do more to protect their customers. It has said that banks need to improve the way they respond to bank transfer scams, and do more to identify fraudulent payments. But is it enough?

Scams super-complaint

We don’t disagree with some of what’s being proposed by the regulator – improvements to banks systems and security are very much needed.

However, people might be surprised to know that not all banks currently do some of the things the PSR is now asking of them. And yet, in not so many words, the regulator has said that it’s now over to the banks to see if they can improve things and they’ll check in later next year.

But having admitted that bank transfer scams are such a concern, this doesn’t seem good enough.

For us, the problem comes down to whether the banks are incentivised enough to stop bank transfer scams. The regulator has said that it’s not yet convinced it needs to make banks more liable. So, for now, consumers targeted by sophisticated scammers will continue to bear all the loss, unlike if they’d been tricked into making a payment by credit card.

There’s little evidence to suggest that banks will suddenly and swiftly up their game to meet what’s needed – although, we hope they do and we’ll support them to do so.

But, their inaction to date, and the fact that they’ve needed Which? and then the regulator to intervene to tell them what more they need to do, points to the need for a much stronger approach.

The PSR hasn’t ruled out looking at changing rules to make sure that liability sits in the right place. Obviously, this needs to be looked at carefully, and we’ll continue to push them to address this in the New Year.

Next steps

Without putting more liability onto banks, which would give them clear incentive to quickly put in place better systems to prevent people losing money to bank transfer scams, we’re not convinced we’ll see enough progress.

And in the meantime, people will continue to lose life-changing amounts of money to scams which they could not reasonably be expected to protect themselves from.

What do you make of the PSR’s response? Do you think it goes far enough? Do you trust the banks to do all they can to protect their customers from scams, when the losses don’t hit their own bottom line?

4caster says:
19 December 2016

With online “faster payments” and all BACS payments, the banks should check that the name of the payee matches the sort code and account number.
With cheques, the originator’s bank should check that that signature matches their specimen signature, and that cheque which require more than one signature have the required number of signatures.
For in-branch withdrawals, banks should require identification. Gloria Honeyford of a 5-figure sum when Santander failed to identify someone who walked in and requested an account change.

Barbara Stone says:
20 December 2016

Yes, that’s what you might call one of your typical global disasters. “Gloria Honeyford” (aka Joe Bloggs) walks in from an oil company and demands a new status; the suits can only make sense of it by jumping to a foregone conclusion – given their stake in it, how it would now best serve their own interests.

I have lost trust in the banks and the regulator. They should be better than the basic set of regulations, performing above the necessary, going above and beyond. Instead they are ruthless, law breaking, fixed on profit and unregulated.

credit cards and banks have the technology. many years back they phoned us to ask if we had tried to draw £200 pounds out of the banks and several occasions. as it was yes. I got the pin number wrong.
So why is a similar system not in place. It seem to be a case of the bank manger tells the boss he can save money by sacking lots of people. these those people where cared for and monitered customers spending patterns. if its their money they get worried if its ours tough. take more care. No No they have to now shoulder responcibility. re employ addittional stafe .to moniter safe guards.

Barry Forrest says:
10 January 2017

All organisations handling our money are moving more and more services online. Fine – but to protect our assets we are being asked to use more and more complex security. I already have 3 of these calculator like devices to generate sign on codes before I can carry out a transaction – they don’t exactly fit in my wallet! Many of the elderly, and I’m going that way, simply cannot understand how to avoid scams, etc. They need something simple to remove the necessity to remember multiple PINs, Passwords, userIDs, etc. Perhaps an electronic equivalent of a “house key” needs to be developed. If the technology was to be shared across and common with all the financial institutions it should be possible to make things safer and less complex for the user and less expensive for the financial institutions as it would be a “shared” development, maintenance cost and security cost.

John Willman says:
22 January 2017

Banks that receive scammed money and can’t retrieve it have failed in the regulatory requirement to ‘Know Your Customer’ and should be liable to make good the loss. I’m surprised that Which? hasn’t pointed this out.

The other comments are good and worthwhile but the criminals have the option of succeeding in their crimes or if they fail they can try again. In general the criminals do not go to gaol for attempting to commit a crime. I say the police have to catch them. Maybe encourage members of the public to come forward with the evidence to catch the criminals red handed.

The payment Systems Regulator has today published the next step in its look at this problem. https://www.psr.org.uk/psr-publications/news-announcements/PSR-sets-out-to-identify-pso-role-to-tackle-scams

The PSR documents leading up to the Terms of Reference are not the most digestible of tracts but the terms of reference themselves are quite well written and seem comprehensive if a little laboured in parts as they seek to cover all the bases. It’s a good first step and although neutral in tone I do detect a willingness to put the banking industry in a position where it will take new actions in order to prevent Authorised Push Payment [APP] scams – that is where an intended payment is diverted fraudulently to a malicious party – and to see what the policy should be on recovery of the missing money. The PSR will be looking at systems in other countries to identify relevant practices to defeat scams and also at other business sectors [telecoms is quoted] where fraud is identified to see what counter-measures could be introduced into the banking system. The terms of reference are due to be approved after a consultation process by the end of March 2017 with a report timetabled for the second half of the year. While the PSR credits Which? for the necessity to undertake the inquiry in pursuance of its super-complaint it doesn’t explicitly accept that it would not have done anything but for Which?’s intervention; such is the doctrine of regulatory bodies.

There seems no intent to make automatic refunds to defrauded people, unless the bank has been negligent, but work seems likely to be directed at getting more success in recovering such payments from the miscreants and their accounts.