/ Money

PayUK must ensure that blameless scam victims are protected

The CEO of UK Finance and I have written to Pay.UK to urge it to back a vital scams reimbursement funding proposal. Here’s our letter to its chair, Ms Melanie Johnson.

Update 28/11/2019

PayUK has now rejected the proposal that we set out last month in the letter below.

However, the industry trade body has now announced a three month extension to the current scheme funded by the major banks. The scheme will be extended to March 2020.

This agreement is merely a stopgap that highlights the industry’s failure to secure vital long-term reimbursement for innocent victims of devastating transfer fraud.

It’s clear that a voluntary, industry-led approach to protecting scam victims is not enough.

The next government must work with the regulator to make the code and reimbursement mandatory – to finally ensure millions of people are no longer at risk of losing life-changing sums of money.

Original letter (08/10/2019)

Dear Ms Johnson,

This joint letter from Which?, the largest consumer organisation in the UK, and UK Finance, on behalf of HSBC, Santander, Barclays, Lloyds, Metro, Nationwide and RBS follows the Pay.UK Call for Information and is in support of the Faster Payment Scheme (FPS) Change Request.

Authorised Push Payment (APP) fraud is a crime which can have a devastating impact on its victims, which is why protecting consumers is a priority for us all.

The launch of the voluntary Contingent Reimbursement Model Code in May set a new standard of consumer protection from this type of fraud, with a commitment from signatory firms to reimburse victims provided the customer has met the standards expected of them under the Code.

The Code was produced by the APP Scams Steering Group, which was composed of representatives from consumer groups, the finance industry, government bodies and regulators.

‘No blame’ fund

The proposal set out in the Change Request for an FPS CRM fee will provide a long-term, sustainable funding system for the reimbursement of victims of APP scams under the voluntary Code in situations where both the customer and payment service provider (PSP) have done everything expected of them, known as a ‘no blame’ situation.

Funds gained from the FPS fee will be held centrally in a ‘no blame’ fund.

If the Pay.UK board fails to pass the Change Request, many victims of APP scams could once again risk losing their life savings to this devastating crime.

Following consultation on seven funding options, with responses received from 34 stakeholders, including many Pay.UK participants, the Steering Group agreed that the FPS model is the best method to ensure that reimbursement for blameless victims continues beyond the end of this year.

As well as providing reimbursement in a ‘no blame’ situation for customers of PSPs which are signatories to the Code, the proposed model represents the only long-term funding option that also guarantees customers will be covered if their PSP is not a signatory.

If a customer is a victim of an APP fraud and their PSP is not signed up to the Code, they will be able to take their case to the Financial Ombudsman Service which will have the power to refer the PSP to the ‘no blame’ fund to reimburse the customer.

Reducing APP scams

The proposed fee would provide a financial incentive for the firms involved in push payments to individually and collectively reduce APP scams, above and beyond the minimum requirements in the Code.

The protection that the fee offers consumers could also benefit payment providers and Pay.UK by strengthening trust among consumers in the Faster Payments Service.

The Faster Payments Service was designed for speed and convenience. Unfortunately, sensible pro-customer and pro-growth measures are being exploited by criminals.

Latest data from UK Finance shows that in the first six months on 2019, 95per cent of all APP fraud involved a customer making a Faster Payment. Therefore, it is important for Pay.UK to consider the part it can play in the fight against this growing fraud, by recognising that it has the power to take decisive action to protect end users.

The FPS Change Request, submitted to Pay.UK in June, provides a mechanism to achieve this consumer protection.

As well as being the decision of the APP Scams Steering Group, the Change Request also demonstrably fits with Pay.UK’s strategic objectives. Specifically, these include being “end user focussed” and “acting as a catalyst for change in the payments industry; addressing threats; and supporting industry-wide initiatives.

Protecting consumers

The fight against rising APP fraud has become an issue for society to tackle. Pay.UK is supporting these efforts with its work to introduce the Confirmation of Payee service.

Careful consideration of the case for the CRM FPS Fee is now needed, as Pay.UK assesses the responses to its Call for Information.

This well-thought through and widely supported option is proportionate to payment providers of different sizes, consistent with the APP Scams Steering Group proposals, and widely supported by consumer bodies and much of the financial industry.

We urge the Pay.UK board to accept this proposal, and put the protection of consumers at the heart of its decision.

Yours sincerely,

Anabel Hoult, CEO of Which?

Stephen Jones, CEO of UK Finance.


I was scammed out of six grand . A solicitor sent me his bank details and someone intercepted the email and changed the account details and sort code.
The solicitor insists it was not his email that had been hacked . The Tsb and fca dont want to know .
It’s unfair as I followed the solicitors instructions .
Hacked off is to say the least!!!

Christopher, sorry to hear you were scammed. I trust you reported this to the police and to Action Fraud.

As I assume you must have received a fraudulent email at a time when you owed money to your solicitors, it does sound likely that someone was hacked somewhere along the route of that email. That said, finding out how and where would not be simple and would require specialist skills.

On these pages, we’ve heard other stories of hacked emails being used to defraud folk out of their money. From all of this, it seems that any emails requesting large one-off payments should be seen as suspect and that recipients should always consider additional verification of their payees details before any money is sent.

One of the first rules you learn in cybersecurity is never divulging details of bank accounts, debit or, credit cards. Unless you know the email is completely secure and using PGP keys, and no one as copies of the keys.

I would never send anyone an email with any personal identification details contained within it. Spoofing email addresses is nothing new, it catches many people off guard. But the widest cybercrime is still done via spam and links that capture information from you.

Our government should provide FREE classes in cybersecurity, and show just how vulnerable the average person really is! Better still create a programme for viewing on Tv, so people can understand what goes on behind in the cyberworld.

A recommendation for any future bank transfers. Always send a small amount through to someone to setup the correct details i.e 1p or £1. That way you can directly contact the individual or organisation and verify it has gone through correctly, if it hasn’t you haven’t left yourself seriously out of pocket.

That is a good tip and widely communicated, Tom, but it is not so easy to do with payments to companies where confirmation of the initial payment is not readily available.

Luckily, most major creditors like banks, building societies, credit cards, utilities, stores and such like do not change their bank account details without written notice through the post [not via e-mail] so there is less risk in making Faster Payment Service transfers to them.

Where companies have changed their bank details they usually run both the old and new accounts in parallel for s period and have transfer arrangements in place if both accounts are with the same bank. The golden rule is never to act on an e-mail to change the destination of a payment; always check with the payee directly.

29 November 2019

As a professional in finance, I advise all clients to make a tentative payment first of a small odd amount, say £5.21, and follow this up with a telephone call to the recipient to confirm funds received before you pay the balance.

This comment was removed at the request of the user

Duncan, I think you are right not to trust Linux. After all, Linux is the most popular OS for corporate data servers. So whenever we hear that yet another corporation has been hacked, like as not that means a Linux server has been hacked.

Many thanks to all, for this important information, support and opportunity.
Great work, again.

I can tell you that there are discussions ongoing about this in the banks and there isn’t an endless pot of money… it’s likely that customers will be charged a fee for a high value online transaction from next year. So I do not support what this magazine is doing because now the problem falls on everyone, and everyone will have to pay. I don’t think your magazine has thought this through properly.

Peter Moseley says:
20 October 2019

I had a visit out of the blue one day a number of years ago by a bailiff asking for£150 that I did not owe. I did not pay. when I applied for a mortgage some time after I was refused. My solicitor advised me to pay or I could not get a mortgage. So I reluctantly paid.(I was told it would cost me 10k to clear my name) I had been taken to court without my knowledge had a CCJ made against me. English Justice!

This comment was removed at the request of the user

Frankly this attitude of not reimbursing people caught by these scammers is showing these criminals the green light. It is really high time that the international community and the financial world got their heads around this issue, when I speak of the International community, I am talking about the United Nations to encourage more co-operation and positive action to track these vile international criminals who pray on these people beyond their on shores. It is not beyond the possibility and has been proved that scammers have used the funds stolen to support international terror groups, especially those from the Middle East. Also if arrested, more robust penalties and I am not suggesting the death penalty by any means but incommunicado with those they are involved as implied, this means no access by computers or telephone except to contact their relatives. I for one, am not sure that this government has been thinking straight by suggesting that prisoners in this country should have access to conventional phones in their cells. This will merely encourage criminals to set up bogus businesses to scam innocent victims from their cells to finance other major crimes.

Fredi says:
25 October 2019

Not reimbursing victims is showing these criminals green light? On the contrary, if people are reimbursed it reinforces the feeling of performing a victimless crime. People just think about covering their own losses while blaming everyone else for falling a victim of scams whereas it’s exactly them and them only who are to blame.

This comment was removed at the request of the user

I agree with Fredl here.

duncan, I do not think Fredl is absolving the perpetrators, but saying the victims are not free from responsibility for their actions nor necessarily blameless. I may be wrong! 🙁

There is a danger that by taking away customers’ responsibility some, maybe many, will not take the care they should and give thought to what they do if they know they will be reimbursed anyway. There is also the danger that those who are slightly clever will perpetrate scams in collusion with a customer. We must somehow strike a balance. We must also remember it is our – the customers’ – money that will fund any reimbursements.

Not sure why America figures in this. They seem adept at wriggling out of responsibility for crimes.

Nationwide have this on their site. https://www.nationwide.co.uk/fraudaware. It was shown on an email from them which, I presume, all online banking customers receive.

The internet web servers who provide these services which allow these criminals to hack folks’ emails and computers should take full responsibility for ALL the costs incurred and monies lost!! AND THE RECEIVING BANKS WHO HAVE ALLOWED THESE CRIMINALS TO SET UP THESE FRAUDULENT RECIPIENT BANK ACCOUNTS!!! Yes they should BOTH take FULL responsibility for allowing these criminals to use their services and provisions!! Both Servers and Recipient Banks if they HAVE TO PAY BACK MONIES STOLEN would be much more vigilant and careful of whom they allow to use their internt and/or Banking service provisions!!

This comment was removed at the request of the user

I’ve followed correct procedures after financial advisor employee of bank assurance investment funds safe in second month account completely empty of all investment funds £21,950 to online bingo site based in Malta and account opened with just visa debit card details. Which the fca clearly state if funds customers own savings and victim of identity fraud just card details needed then bank must refund lost funds immediately.Branch manager reporting fraudulent transactions on account and identity fraud to security personnel and complaints asking how security personnel were fully aware of transactions occurring and chose to approve each transaction instead of contacting customer once to check he was one making slightly unusual transaction on his account 75 transactions to online bingo and security personnel approving each transaction till Account completely empty in just three hours eighteen minutes and monitoring showing abuse and every transaction of £500 every ten minutes so branch manager gave me internal statements showing abuse and transactions that security personnel chose to approve . I waited two years five reports which cab legal personnel stated all incorrect as they clearly avoided any evidence statements facts on case which clearly changes the outcome of case and should be investigated.

Stephen Murphy says:
9 November 2019

Action fraud are a waste of tax payers money.I lost twenty five thousand pounds through my lack of knowledge on phone scammers.My own fault,but the banks did not help.No due diligence on their behalf.Action fraud accepted my report and said,Thank you!That was that!Report was made in 2015/16.

Brian Hardy says:
28 November 2019

If I open a bank account I have to jump through hoops to ensure that I am not a money launderer. How are the criminals managing to open the accounts that receive this money? The banks can’t be doing their job properly and should be fined heavily under the money laundering legislation. Maybe the banks need to set up a database of information used to open accounts, so that fradulent activity can be spotted early.

One way I’ve heard of is that the crooks pay students to open an account for them (using proper credentials) – and then the student gives them access to make withdrawals of funds that the criminals get put in there. Not too unlike using a VPN…

My mum was scammed out of £24000 earlier this year. She is 77 and ill and this has exacerbated her health hugely. I reported it to fraud Uk and the financial ombudsman. Gave all the accounts that money was sent to and was told we could get the uk ones back but nothing has happened. Her bank was brilliant at first but then blocked her from using her own account online. This was good at first but now my mother is left feeling stupid and ashamed. The bank won’t unblock her yet. With the majority of her life savings gone now I am so worried for her.
It’s like these support companies have forgotten about her and I’m not well either so haven’t been able to follow up on it for a while now

You are not alone. My daughter had to go to bank to pay for her items and shipping in the morning. But when I came home after work and looked at the papers I noticed something odd. We called The Fraud Line and told us to call back in the morning at 8am – what!!! So at 8am we called them and 9am at bank to report same thing. Cashier said money reserved but not paid yet so there should be no problem. Then she gets message from Lloyd’s Bank that they could not stop payment. If bank cannot act on fraud what chances do customers have. It looks like UK banks are working with fraudsters. 8 months now since she contact Financial Ombudsman but no response. Useless lot.

I really don’t understand how these scams can’t be stopped, there must be a paper trail or an electronic trail, whereby anybody who transfers money on line can be caught if the will is there to do it.

This comment was removed at the request of the user

More needs to be done to stop these b*******s, they are scum. I like to watch the clever sods reverse thee scam on youtube, so funny, but this needs sorting, after all we do not run the net do we, but them that do, well muppets.

This comment was removed at the request of the user

I was scammed 2014 with a man pretending to be from my bank. I was told I had to go to my bank. I had just broken my foot, was in pain. They could not have known that and were very convincing with an app to change phone. Banks should reimburse us. It was not our fault. Perhaps if banks had to reimburse us they would make more effort to protect their customers

AAAli says:
5 December 2019

What is the point of Fraud Line when they cannot stop Fraud. Also if money hasn’t left your account when you report Fraud why the bank cannot freeze your account until matter is solve. Let the Fraudster bring proof you owe them that money like invoices etc. This happened recently to someone I know with Lloyd’s Bank and they went ahead and paid the Fraudster later in the day after she reported to Fraud Line and went to Bank and cashier told her money is reserved but not paid so there should be no problem. Imagine her shock when she got a letter from Lloyd’s saying they couldn’t stop payment then blame the Customer after following all Fraud procedures. And Financial Ombudsmans have not responded in almost 8 months.

A couple of years ago I adapted a Christmas song for Which? (at their request) to be performed at Paddington Station as a response to the ongoing issue being experienced by commuters on Southern and South West rail.

Owing to time delays it was unable to be performed live – which would have been ideal – but the reason I’m posting this in here is because Joe Lycett recently did what Which? might have done, but for the victims of scamming.

In this video we see how Joe’s methods eventually secured an £8k refund to a lady defrauded of £11k by extremely resourceful scammers.

Let me know when you want to try again, Which?. It certainly works.

I do not like to see people defrauded. However, there has been plenty of publicity about similar scams – not responding to requests to move money to a safe account, not assuming calls are genuine or the numbers are legitimate, and not doing anything in response to incoming calls or emails. Get in touch with your bank through the phone number you have.

Claire’s sister immediately spotted this scam.

Fraudsters are successful because they are convincing – just as they are in all forms of activity. I do not see that banks, or anyone else, should recompense for a lack of awareness or responsibility, or someone simply falling for a confidence trick. Not, that is, unless they have had some part to play, through negligence for example. Because it is you and I who provide the money for these refunds.

The danger of automatically refunding money like this is twofold. One, it reduces the need for personal responsibility (don’t worry, if you don’t take care we’ll make sure you are not out of pocket). Two, it increases the possibility of people colluding to defraud a bank by setting up their own scam.

Clearly. it is an emotive topic. Once money has been lost it can cause great hardship. So maybe we need to put controls in the way some people are allowed to use their accounts. Limiting the amounts that can be transferred to much less than normal, with some additional security measure (like the bank asking why you are doing it). Delaying transfers to give the bank the opportunity to check. Rather than resorting to indiscriminate compensation I’d suggest we need to examine ways to help avoid fraud or, at least, limit its damage.

I suspect what was very interesting about that case is how Joe was able to fool so many people – people one might imagine would be well versed in scamming – that he was the boss.

”It was hoped that the introduction of a voluntary industry code in May 2019 would ensure that all blameless victims get their money back, finally reversing the trend of people being left out of pocket.
But Which? has heard from a number of people who say they have been denied reimbursement unfairly – with a worrying trend emerging of banks relying on fraud warnings to justify not refunding customers. These decisions from banks fly in the face of the voluntary code most banks have signed up to, which pledges to reimburse all blameless victims.

I think this approach is worrying. First, the victims are not “blameless” in many cases, just “victims”. They have responded to requests to transfer money to particular accounts; the banks do not instigate that but follow their client’s instruction. The “victims” may be ill-informed or irresponsible or, simply duped, but have some responsibility in the transaction.

The banks do not “rely” in fraud warnings. If this were the case as fraudsters devise new frauds, before any warning can be given, they would presumably be expected to pay out every time until a total public warning were broadcast. Banks also rely on common sense, responsibility to do due checks, before simply making a payment, and most particularly with very large sums of money.

Do people leave their house with windows open and doors unlocked, leave their keys in their car, let others use their card by giving them the PIN? All things we are “warned against” but should we rely on, or pretend, not having noted the warnings when claiming for a loss?

We (bank customers) all pay for reimbursements and, when a bank has shown responsibility and negligence, should expect redress. We should also expect our fellow customers to do the same. The danger of compensating in a one-sided way is it may open up even more opportunities for fraud, where the customer simply colludes with a third party to appear to have been scammed.

We should also expect banks to continually improve their security, although it can never be perfect; “confirmation of payee” should make a substantial contribution.

I suggest that the banks have been negligent by not having Confirmation of Payee in place when it became possible to do online transfers. Likewise, they should have used the name of the payee for cheque payments. Please don’t just blame customers for negligence.

As I understand it, introducing “confirmation of payee” is not the simple change some think. It would be useful if Which? sought expert input to inform us on such matters.

I do not use the word “blame”. I suggest customers also have responsibilities.

I also reacted in response to what I see as a one-sided press release. I would prefer to see properly argued and balanced information coming from Which? but appreciate that such an approach would not stir up a media response. So, like politicians, best to present an unbalanced argument to get the headlines. See also “cash landscape on the verge of collapse”.

I maintain that Confirmation of Payee or an equivalent system should have been place from the start.

In the absence of this system, all banks could have advised or required customers to make small test payments to new payees, but that has not happened, and it often this is not possible.

Compensation should depend on the blame that can be attributed to the customer and the company, which means assessment of individual cases. In the case of mis-sold it seems that the industry handed out money unnecessarily as a result of failure to check that claims were valid. I wonder how many customers knowingly made fraudulent claims. What about the legal services that pestered us all to make claims?

If customers are really blameless then why should they not be compensated?

If customers are really blameless then why should they not be compensated?“. Because there are many occasions when no one is to “blame”, except the perpetrator of the fraud. It is they who should be pursued and if they cannot be caught then I see no reason to pass the cost on to another “blameless” party. I do not want my hard-earned money to be used to provide compensation unless the other party has been let down by their bank’s total or partial negligence.

Confirmation of Payee has been prompted by the rise in fraud and was probably not a necessary check at the outset; in many years of online banking I don’t recall a serious problem, nor with cheques. I have a doctorate in hindsight but it is not helpful.

Making a test payment is widely practised and an example of using caution and common sense, particularly in case of a keying error (I cannot see a way of blaming the bank if I mistype but I can double check myself as a precaution). It has been mentioned many times here. Have Which? publicised it in a press release?

The increase in fraud has certainly resulted in the pressure to introduce Confirmation of Payee but the need to prevent misdirected payments existed in the days when we were using cheques rather than online payments.

It it is good practice to make a small test payment, why did banks not make this compulsory or even keep reminding their customers? I gave an example last year of it being impossible to open a cash ISA without depositing the full amount. I did not mention the company, but Alfa made a correct guess.

We seem to agree that retailers must behave professionally and honour their requirements under the Consumer Rights Act, Malcolm, but I want our banks to behave professionally too.

When I was teaching, if there was any doubt relating to assessment, the student (effectively the customer) was given the benefit of any doubt in cases of uncertainty (e.g. ambiguity of exam questions). Fortunately, that did not happen very often.

I’d like to make it quite clear that I don’t see any case for compensation for carelessness such as divulging a password. I’ve suggested that these should be renamed ‘secret password’ to emphasise that they must not be passed on.

I have asked Which? before to ask those with in-depth knowledge of this (and other issues) to contribute so we can all better appreciate what might not be simple issues to resolve. Part of the role of Convos is to debate and give our opinions but I’d like them also to educate.

Perhaps the best solution would be to have some input from the banks and their regulator, so that we can have first hand information.

In a couple of months, Confirmation of Payee will be in place unless there are further delays.

Precisely what I’ve suggested. But expert and informed comment from the main interested parties to get a balanced report.

One of my banks has written to me today telling me they about to introduce CoP and what I should do.

“If customers are really blameless then why should they not be compensated?“. Because there are many occasions when no one is to “blame”, except the perpetrator of the fraud. It is they who should be pursued and if they cannot be caught then I see no reason to pass the cost on to another “blameless” party.

I read that and started thinking about it. It’s true we live in a society where apportioning blame is currently in fashion. But Malcolm raises an interesting point when he says there are many occasions when no one is to “blame”, except the perpetrator of the fraud.

I wonder if that’s true? In basic terms if I’m walking down the street and someone appears and grabs my avocado-stuffed shopping bag, is anyone to blame? The person who nicked my hard-won avocados and is now doubtless stuffing his crime-etched face with them has committed a crime. But I’m willing to bet he didn’t simply walk out one day and decide to become a criminal.

I’m not familiar with the rules for becoming a fully fledged criminal, but one assumes there some sort of apprenticeship, perhaps seminars, a training course, internship with a skilled blagger, perhaps and then graduation day, where I may enter the world of crime a fully skilled and certified criminal.

Prior to this, however, I would be willing to place a small bet that our qualified ne’er do well has also learnt his craft at local schools, at the knee of his devoted, if criminally inclined, mother and possibly even in the nursery, where his first steps on the road to thiefdom might well have been nicking the other baby’s dummy or, as our Colonial cousins might say – pacifier.

On the other side of the coin (or perhaps not) the Police have the job of preventing crime and apprehending the felons. So if our skilled avocado snatcher is free, running around nicking everyone’s avocados then presumably the police are failing.

So it appears that blame can be shared around quite a bit. The miscreant’s parents, siblings, the nursery, school, school teachers, the local bobby, the current police, the judiciary, the church (it’s fashionable to blame the church,now), the Royal Family, TV, Radio, Comics, the interweb, Films – hmmm.

The problem isn’t that no one’s to blame; it’s that there are too many to blame. But could it be that curiously ethereal, superlunary edifice called Society? If that’s the case, then everyone who voted is to blame, since it’s we who elect those who make policy. In that case compensation should be paid from public funds.

That raises the other thorny question, around which everyone skates. Sending money to the wrong account when it’s a single misplaced digit in a series of 8 can be considered a forgivable error. Should they be given compensation?

Transferring money to a new account on the advice of a fraudster is slightly different, however. Should those victims be denied compensation? It’s very tempting to think none of us would ever be duped but those of us who post frequently are pretty savvy about these new fangled computer things, so we’re constantly on the look out for unusual calls and visits. Why, only last week I managed to pin an obviously criminal character to the ground with my blunderbuss, after giving them a good thrashing. Pretending they were nuns collecting for the blind. Ha! They’ll not try that again.

No, I suspect we now live in a world that is little different to how it’s always been, with one big exception: speed. Everything can happen faster, now (except my morning coffee, which takes an eternity) but the devious, piratical desperados that formerly took a while to see their nefarious plans through to evil fruition can now do it all in the blink of a few key presses.

So I suspect what it comes down to is how we feel we should treat those in society who are, by virtue of advancing years and deteriorating faculties, more vulnerable to the high-speed villainy of today.

One last thought: do we need ‘instant transfers’? Seem it wasn’t that long ago that it would take around three days for money to reach another account. We adapted to that quite easily. After all, we’d never known it any different. So perhaps it could be argued that the banks are almost always to blame most of all, because in their furious rush to compete with one another in speed and their apparent inability to check we’ve actually sent the money to the correct account, they’re letting their customers down. Badly.

Is scam protection an insurable risk, and if so, can one take out insurance to cover losses that the bank doesn’t reimburse? If it is, then the cost of same should be an indication of what the professionals see as the risks to an individual. And if it is a significantly expensive policy, the banks should do more!

I have just made a payment using the Faster Payments Service through on-line banking and noticed that the Nationwide Building Society has posted details of how their new Confirmation of Payee process is going to work.

In some cases it might be necessary to amend the account details of existing listed payees so that the names accord with the names on the account.

It will also be necessary to indicate whether the payee is a personal or a business account. For a personal account, the full first and last names of the account holder will be required [not abbreviations or nick names]. For a business account the full name of the business corresponding to the account concerned will be required.

The system will indicate whether there is a match, a close match, not a match, or if the name is unrecognised. There are various steps and additional checks depending on the information supplied.

Some procedures are still under development.