/ Money

How one woman made a £26,000 mistake

The word 'oops!'

I recently read the story of a person who lost tens of thousands of pounds, all down to a small, unfortunate mistake. It got me to thinking – are the safeguards in place for internet banking really stringent enough?

In a nutshell, the story was about a person who’d set up a monthly transfer of £1,000 from their current account into a joint savings account. However, the person had typed one digit of the account number they were transferring to incorrectly, causing the money to be sent to a complete stranger’s account.

A very expensive mistake

After two years the error was finally discovered. By then, more than £26,000 had been paid to the lucky recipient, who now maintains that all the money has been spent and cannot be repaid.

Neither bank will pay the money back to the account holder, as they maintain that the mistake was the customer’s. They also claim there’s a risk of fraud if repayments are made to people who accidentally credit the wrong accounts.

The account holder entered her surname along with the sort code and account number when setting up the direct debit. But when banks transfer money, only the sort code and account number are referenced. If the banks had compared the names on the accounts, they may have noticed the mistake.

Where does responsibility lie?

I found myself in a situation recently where I had to use telephone banking as my online service was down. I was fine remembering my customer number and partial PIN, but struggled to remember the telephone-password I’d set up ages ago. So I was bounced out, highlighting great security, but a reminder for me to find some way to help me keep on top of multiple passwords.

With the banks, there’s a bit of a grey area when people lose out as a result of an honest mistake and instances such as this clearly have to be reviewed on a case-by-case basis.

So, should we take more responsibility for the details we provide when managing our finances, or it is down to the banks to devise foolproof systems that will prevent the type of situations outlined above?


Why did the person who set up the £1000 per month transfer not check that the money was being received by the intended recipient after the first monthly payment?


1 month – unfortunate – 2 years – foolish – Not much sympathy here I’m afraid…


I read this on Saturday and was a little surprised. The Guardian suggested that the end of paper statements doesn’t help – as an aside that’s a bit rich from a paper which is fast trying to get out of print – I wouldn’t have read the piece at all of it was online only.

Anyway I was a little surprised because they managed to carry on for a couple of years without missing a £1000 a month.We’re not the most organised of household budgeters, and our join income is considerably more then theirs, but alarm bells would ring pretty fast (as in curt note from the bank re: overdraft) if there was £1000 a month less in the system than we expected.


This just reinforces the need to keep a regular eye on your finances. I have used Microsoft Money software (sadly, I think, no longer available) to keep track of my finances, and to reconcile them against statements – whether paper or online. I take regular paper bank statements wherever I can.

Is there another decent money software package around?


Moneydashboard online?


I just use a spreadsheet. My NatWest account allows export of data in csv format, which will import into spreadsheets etc.

Aubrey says:
15 February 2013

Quicken 2000 (and presumably later versions) works with Windows 8 and with Vista but Quicken, like Microsoft Money, is not now available in the UK. I found a Quicken 2000 disc on ebay for less than £10 and am using that.


It can happen the other way around as well. I noted a Direct Debit had been attempted on three occasions, from an account of mine that was semi-dormant. There being insufficient funds in the account to cover the direct debit, the bank levied charges and interest amounting to over £50.00. The error occurred because some one incorrectly put my account number on a direct debit mandate rather than their own. When I noticed the error the bank were very quick to sort things out and restore my account to it’s former position. I was very concerned that this had happened and made a formal complaint to the bank. I duly received a letter explaining that it was not the fault of the bank and as far as they were concerned they had fufilled all of their obligations and the matter was closed. Further investigation, by myself, confirmed that fact that the bank were fully absolved from further obligation or scrutiny.
So it seems that banks are not obliged to check or confirm details when direct debits are set up on their client’s accounts. The banks only obligation is to correct the errors once discovered. This seems a far from perfect situation. I use this particular bank account for travel money only as it offers an excellent rate of exchange on ATM withdrawals whilst in the Eurozone. I preload it with a few hundred pounds before departure and make cash withdrawals as needed. If I had been abroad at the time of this error I could well have been caught short of cash and placed in a very awkward situation. It is my view that the Direct Debit function requires further safeguards to prevent such occurrences.


It seems your experience is echoed in the following news item on http://www.bbc.co.uk/news/business-24085200
Fortunately, I always try to check my statements.
It is outrageous that anyone correctly quoting another person”s account code and sort code should be able to set up a direct debit from their account.
Coomon sense dictates that it is the fault of the bank – it appears to be negligence.
Is it possible for banks to be charged with being an accessory to theft?
A WHICH campaign to stop this misuse of the direct debit system could prove to be very effective.


What concerns me about this is that BACS refuse to divulge the person’s name who set up the (mistaken or fraudulent) direct debit on the grounds of data protection. It seems to me that if theft is suspected that information should be given to someone. If banks must always reimburse someone for misappropriation of their funds, then maybe the bank should be given the offender’s details so they can pursue them legally. What is the legal position, Which?
My daughter had a similar experience with PayPal – around £600 of purchases were made on here account using her debit card details. The goods bought were delivered to an individual’s address, so presumably they could be identified. Nationwide immediately reimbursed her and blocked the PayPal account, and (eventually) PayPal reimbursed the account. Was anyone prosecuted – no idea. Many of these fauds are too small to warrant the effort – easier to pay up. A sad indictment on our attitude to crime.


Lets be entirely honest about the BACS system. Originally all mandates were sent to the Branch which held the account and on the initial DD it would have a marker on it and the branch staff would then check that they held the DD mandate. If they did not hold the mandate or the signature was not of their customer than the payment would be blocked.

So security was good. The Banks in their cartel body the British Bankers Association decided it was acceptable [and hugely cheaper] simply to take the line that wrongly passed DD could be reclaimed form the originator. The stores/utilities also saved money on processing DDs.

All would seem fine however it does rather ignore the knock-on effects when the system is open to deliberate abuse. As pointed out you may be holiday when rogue DD’s appear and suddenly find yourself stranded.

So what could the abuse be. It may be simply filling in deliberately someones bank details to obtain an instant discount, malicious action, or more worryingly organisations where contract staff or permanent staff put your bank details on say a utility bill for a friend. Honest; errors happen.

We have two unauthorised DD both from a utility company paid from our account for significant amounts. In neither case was the utility company prepared to say how on two separate occasions they managed to get it wrong. If , as I suspect, staff are able to infiltrate details into the system then the Company are hardly likely to admit to it. Overall they are collecting money from somewhere so on balance rather than throw suspicion on the DD system they stay mum.

Whilst shipping bits of paper about is expensive with digital scanning one might think checking on- line signatures to first debits on a new DD would be wise for banks and the originators. However if their costings say “problems” are cheaper than changing the system nothing will happen.

Whilst it may appear to be a wonderful thing to have instant access to your Accounts on-line you should bear in mind that the Banks are busy trying to shift the onus to customers on checking transactions, and benefit even more from the cheapness of electronic transactions. Perhaps more importantly there is no way to ensure complete safety of your on-line transactions.


I check my balances closely at least once a week – they are effectively itemised on my First Direct accounts – Once, six years ago there was a debit of £3.50 that I couldn’t account for – checked with FD and had it refunded – but three days later a £300 debit was incurred from the same company – We changed the credit card and I received a refund as I had informed RD. It pays to check often – and it is so easy with my internet accounts.


Seems to me that a legal action should be taken against the “lucky” or more bluntly dishonest customer. After all spending £24,000 so far whats a few thousand more for a civil action. I would be surprised if with the likelihood of a bankruptcy the miscreant did not have some friends to rally around and perhaps pay a percentage of the £24,000.

BTW assuming the Banks will not have divulged the lucky recipients details one only has the word of the miscreants bank that the money is unlikely to be recovered. Who knows the Bank may have been recovering debt and have a vested interest in the matter. There is also the matter of whether the Bank should have been on enquiry if the transaction is out of norm for the account. This is a Money Laundering requirement.

Whilst the women has been foolish the action of the recipients bank needs scrutiny. Incidentally the payment from field in a Standing Order should be shown – it is meant to be and certainly shows on my statements. Can the Bank explain why this information is now not transmitted? After all for a club with many members it is vital to have this information if payment is by S/O.


Normally, I believe, money inadvertently credited to the wrong account is legally recoverable so it seems strange that it cannot be in this case, unless the recipient has no assets. I would have thought then they could be prosecuted for theft – it’s a bit like finding money dropped in the street. It is not the bank’s responsibility, it is the customers, and they should take any legal action and pay for it.
Which? I would have thought you could provide the legal situation regarding this sort of event as part of this converstaion.

George says:
15 February 2013

Do bank account numbers not contain a check digit or digits so that simple typos can be spotted automatically? If not, why not? It is elementary data design.


Yes there is a check digit. It is a function of sort code branch number and the allocated range and is not foolproof.


It’s difficult to believe that we don’t have a foolproof system in the 21st century. After all, we managed to land on the moon in 1969.

Until we have sorted out the problem, perhaps we need to confirm transfer of larger sums of money according in whatever way is necessary to avoid this sort of mistake.


A follow-up letter in the Guardian today points out the modulus 11 system of generating numbers which makes it near enough impossible to make a mistake by transposing or mistyping digits. A note to that says that RBS uses mod 11 but that’s there’s no common system amongst UK banks.

I find this astonishing. You can’t make a mistake with 16 digit credit card numbers which use mod 10 – that’s why most e-commerce sites reject incorrect 16 digit credit card numbers without even submitting them to the provider – the underlying javascript in the web page heads them off at the pass.

It wouldn’t be all that difficult for the banks to get sort out a common standard; no doubt the bother of changing everyone’s account numbers and issuing new cards and cheque books is all to much for them.


This was of course a legitimate transaction as far as the system was concerned. Transferring money with a sort code and account number is quite normal. Perhaps, in future, if account holders had customer numbers as well as names and that number was also input the system would be more foolproof. Or perhaps entering your account number twice could weed out mistakes.


Mistakes in numbers can easily be repeated, so that would only help with some errors. Using names with numbers would be a great help.

Martin says:
16 February 2013

I find this story unbelievable! When a standing order has been overpaid into my account, by a bank, in error, they have quickly issued a letter demanding repayment. If the person making the transfer completed the form, including the name, then the bank was at fault. Does the bank clearly state that a name is not required?

For banks to hide behind data protection so that the recipient is not identified is silly. Demand the information. If not given the bank is complicit in theft.

What happens when the cash machine pays out £100 instead of the £10 requested?

These are excuses. Theft should be reported to the police.

Need I go on?


It would seem that a name is not required – simply a sort code and account number. If so, the customer has made a mistake, not the bank, and should be responsible for pursuing the return of the money (hopefully with the bank’s assistance). It is compounded by not checking the money has been transferred to where they intended. I have to say that when I transfer money between accounts, I check it has gone through a.s.a.p. and with a new account transfer a nominal amount just to check all is well.

Vijay S says:
16 February 2013

I am always concerned about typing the wrong account number or sort code. Often I will transfer a small amount (£10) and check this has reached my new destination account before transferring a large sum. As it is quite easy to make a mistake in typing the account number or sort code, I strongly feel that the banks should also provide a facility to check the name or a surname associated with the account. The transfer should not take place if the name or the surname do not match.


Which? could ask the banks why they do not include this check. Facts would be very useful.

Gerard Phelan says:
16 February 2013

If the bank provided a facility that provided the name associated with an account, then some unworthy people would use it to provide themselves with the information needed to more easily steal from accounts, since they would have more information.


Gerald – this information is already provided on your cheque. It is not a specific security issue.


Apparently modulus 10 is not perfect protection.

When accounts were Branch based the 6 digit Branch number was the first check and then a 7 or 8 digit account number would be the next check. Accounts that did not exist could not be allocated credits and would turn up on the following day on an exception report and need to be found and a proper account number applied or the payment returned to the originating Bank.

It was important that that the name of the recipient and of the sender were included to check for errors. Let us be honest Banks in general are not interested in anything other than processing transactions as cheaply as possible and avoiding involvement in non-routine payments.

As an ex-banker I would very much question assertions such as the originator details are not shown, the recipient cannot repay, – the Banks over recent years have proved more and more inept and ready to lie, Witness the card regular payments that apparently could not be stopped when customers requested even two years after the law has been passed.


I cannot believe that this was left to drop by the bank’s customer.
Both her bank and the recipient bank ( identifiable by the sort code)
are behaving abominably . complaints to both banks and to the
regulator are required so that the thief who stole her money can be identified
and prosecuted.
Mind you “laissez faire” seems to rule her financial outlook.


The mistake was the customer’s, not the banks, and as the “lucky” recipient withdrew the money from ATMs the bank is unable to recover the money from their bank account (which apparently they would otherwise do). The customer therefore needs to pursue this by taking action against the recipient; they can obtain the name of the recipient by means of a court order, that permits the bank to release details. Whether she can recover any money would depend on their assets presumably, although a criminal action may also be a possibility.
Surely Which you have a view on this from a legal perspective, not an emotional one. Will you share it with us?

G.Wilson says:
18 February 2013

This happened to me when having money transferred into my account from one Bank to a building society by a tenant. I had given two digets wrong in the account number. The bank would not help and we were going round in circles until I delivered a letter to the Manager at the building society who phoned me immediately. She said although the account numbers given was for a live account the name on the account was different to mine and she arranged to have the money credited to my account by the end of the days trading.
As you can imagine after several months of worry I was very grateful.

Juliet Blackburn says:
15 May 2013

Proper fair trading rules need to be developed both for the internet and the banks. No-one has time to read all the terms and conditions of online companies, you just tick the box. This means that the terms and conditions can be unfair and hand the bank or internet trader all the advantages over the consumer. Ryanair’s website comes to mind here. It would be better to have a national legal fair set of terms and conditions which people could learn about in school if necessary. Any firm wishing to trade in UK must therefore obey these conditions which can be legally enforced.


My wife bought a Nook e-reader. You had to agree the terms and conditions before you could use the device beyond the opening screen. The terms ran to 432 pages. Interestingly they did not make you tick you had read each page or anything so I suppose everyone – bar myself – does not scroll down page by page …. and then back page by page to press the Agreement button which is not where one might logically think it should appear at the end of the Agreement.

Nick M says: