/ Money

PayUK must ensure that blameless scam victims are protected

The CEO of UK Finance and I have written to Pay.UK to urge it to back a vital scams reimbursement funding proposal. Here’s our letter to its chair, Ms Melanie Johnson.

Update 28/11/2019

PayUK has now rejected the proposal that we set out last month in the letter below.

However, the industry trade body has now announced a three month extension to the current scheme funded by the major banks. The scheme will be extended to March 2020.

This agreement is merely a stopgap that highlights the industry’s failure to secure vital long-term reimbursement for innocent victims of devastating transfer fraud.

It’s clear that a voluntary, industry-led approach to protecting scam victims is not enough.

The next government must work with the regulator to make the code and reimbursement mandatory – to finally ensure millions of people are no longer at risk of losing life-changing sums of money.

Original letter (08/10/2019)

Dear Ms Johnson,

This joint letter from Which?, the largest consumer organisation in the UK, and UK Finance, on behalf of HSBC, Santander, Barclays, Lloyds, Metro, Nationwide and RBS follows the Pay.UK Call for Information and is in support of the Faster Payment Scheme (FPS) Change Request.

Authorised Push Payment (APP) fraud is a crime which can have a devastating impact on its victims, which is why protecting consumers is a priority for us all.

The launch of the voluntary Contingent Reimbursement Model Code in May set a new standard of consumer protection from this type of fraud, with a commitment from signatory firms to reimburse victims provided the customer has met the standards expected of them under the Code.

The Code was produced by the APP Scams Steering Group, which was composed of representatives from consumer groups, the finance industry, government bodies and regulators.

‘No blame’ fund

The proposal set out in the Change Request for an FPS CRM fee will provide a long-term, sustainable funding system for the reimbursement of victims of APP scams under the voluntary Code in situations where both the customer and payment service provider (PSP) have done everything expected of them, known as a ‘no blame’ situation.

Funds gained from the FPS fee will be held centrally in a ‘no blame’ fund.

If the Pay.UK board fails to pass the Change Request, many victims of APP scams could once again risk losing their life savings to this devastating crime.

Following consultation on seven funding options, with responses received from 34 stakeholders, including many Pay.UK participants, the Steering Group agreed that the FPS model is the best method to ensure that reimbursement for blameless victims continues beyond the end of this year.

As well as providing reimbursement in a ‘no blame’ situation for customers of PSPs which are signatories to the Code, the proposed model represents the only long-term funding option that also guarantees customers will be covered if their PSP is not a signatory.

If a customer is a victim of an APP fraud and their PSP is not signed up to the Code, they will be able to take their case to the Financial Ombudsman Service which will have the power to refer the PSP to the ‘no blame’ fund to reimburse the customer.

Reducing APP scams

The proposed fee would provide a financial incentive for the firms involved in push payments to individually and collectively reduce APP scams, above and beyond the minimum requirements in the Code.

The protection that the fee offers consumers could also benefit payment providers and Pay.UK by strengthening trust among consumers in the Faster Payments Service.

The Faster Payments Service was designed for speed and convenience. Unfortunately, sensible pro-customer and pro-growth measures are being exploited by criminals.

Latest data from UK Finance shows that in the first six months on 2019, 95per cent of all APP fraud involved a customer making a Faster Payment. Therefore, it is important for Pay.UK to consider the part it can play in the fight against this growing fraud, by recognising that it has the power to take decisive action to protect end users.

The FPS Change Request, submitted to Pay.UK in June, provides a mechanism to achieve this consumer protection.

As well as being the decision of the APP Scams Steering Group, the Change Request also demonstrably fits with Pay.UK’s strategic objectives. Specifically, these include being “end user focussed” and “acting as a catalyst for change in the payments industry; addressing threats; and supporting industry-wide initiatives.

Protecting consumers

The fight against rising APP fraud has become an issue for society to tackle. Pay.UK is supporting these efforts with its work to introduce the Confirmation of Payee service.

Careful consideration of the case for the CRM FPS Fee is now needed, as Pay.UK assesses the responses to its Call for Information.

This well-thought through and widely supported option is proportionate to payment providers of different sizes, consistent with the APP Scams Steering Group proposals, and widely supported by consumer bodies and much of the financial industry.

We urge the Pay.UK board to accept this proposal, and put the protection of consumers at the heart of its decision.

Yours sincerely,

Anabel Hoult, CEO of Which?

Stephen Jones, CEO of UK Finance.

Comments
Christopher spacey says:
15 October 2019

I was scammed out of six grand . A solicitor sent me his bank details and someone intercepted the email and changed the account details and sort code.
The solicitor insists it was not his email that had been hacked . The Tsb and fca dont want to know .
It’s unfair as I followed the solicitors instructions .
Hacked off is to say the least!!!

DerekP says:
15 October 2019

Christopher, sorry to hear you were scammed. I trust you reported this to the police and to Action Fraud.

As I assume you must have received a fraudulent email at a time when you owed money to your solicitors, it does sound likely that someone was hacked somewhere along the route of that email. That said, finding out how and where would not be simple and would require specialist skills.

On these pages, we’ve heard other stories of hacked emails being used to defraud folk out of their money. From all of this, it seems that any emails requesting large one-off payments should be seen as suspect and that recipients should always consider additional verification of their payees details before any money is sent.

SteveH says:
18 October 2019

One of the first rules you learn in cybersecurity is never divulging details of bank accounts, debit or, credit cards. Unless you know the email is completely secure and using PGP keys, and no one as copies of the keys.

I would never send anyone an email with any personal identification details contained within it. Spoofing email addresses is nothing new, it catches many people off guard. But the widest cybercrime is still done via spam and links that capture information from you.

Our government should provide FREE classes in cybersecurity, and show just how vulnerable the average person really is! Better still create a programme for viewing on Tv, so people can understand what goes on behind in the cyberworld.

A recommendation for any future bank transfers. Always send a small amount through to someone to setup the correct details i.e 1p or £1. That way you can directly contact the individual or organisation and verify it has gone through correctly, if it hasn’t you haven’t left yourself seriously out of pocket.

That is a good tip and widely communicated, Tom, but it is not so easy to do with payments to companies where confirmation of the initial payment is not readily available.

Luckily, most major creditors like banks, building societies, credit cards, utilities, stores and such like do not change their bank account details without written notice through the post [not via e-mail] so there is less risk in making Faster Payment Service transfers to them.

Where companies have changed their bank details they usually run both the old and new accounts in parallel for s period and have transfer arrangements in place if both accounts are with the same bank. The golden rule is never to act on an e-mail to change the destination of a payment; always check with the payee directly.

SAM MERCHANT says:
29 November 2019

As a professional in finance, I advise all clients to make a tentative payment first of a small odd amount, say £5.21, and follow this up with a telephone call to the recipient to confirm funds received before you pay the balance.

Its possible a key logger has been installed on your computer ,no longer do you need to get access to the computer it can be done remotely , that’s just ONE way out of a whole range of methods like spoofed websites and others, I am looking at a hackers website where they give all the info on hacking emails but don’t ask me to post it.
I have no trouble getting hacking info so even young kids could do it who are well up on computer programming .
My worry for you Christopher is that you might have a malware programme implanted on your computer I don’t even trust Linux and have blocked several programmes that use remote calling this required blocking daemons as port blocking did not stop avahi /bonjour /Samba/ RTP/etc , I lose running a printer for a start and several good programmes including remote access which also means they can contact you but you cant win both ways.
I put them into never ending repeat so I do not lose too many programmes they just hit a brick wall.

Duncan, I think you are right not to trust Linux. After all, Linux is the most popular OS for corporate data servers. So whenever we hear that yet another corporation has been hacked, like as not that means a Linux server has been hacked.

Carmel Costello says:
15 October 2019

Many thanks to all, for this important information, support and opportunity.
Great work, again.

I can tell you that there are discussions ongoing about this in the banks and there isn’t an endless pot of money… it’s likely that customers will be charged a fee for a high value online transaction from next year. So I do not support what this magazine is doing because now the problem falls on everyone, and everyone will have to pay. I don’t think your magazine has thought this through properly.

Peter Moseley says:
20 October 2019

I had a visit out of the blue one day a number of years ago by a bailiff asking for£150 that I did not owe. I did not pay. when I applied for a mortgage some time after I was refused. My solicitor advised me to pay or I could not get a mortgage. So I reluctantly paid.(I was told it would cost me 10k to clear my name) I had been taken to court without my knowledge had a CCJ made against me. English Justice!

Peter in the future read this link of the Debt Advisory Service UK-scroll down to–if you don’t think the CCJ is right and read-
https://www.debtadvisorycentre.co.uk/blog/how-to-dispute-a-county-court-judgment-ccj-0-4013-0

Fiona E.Johnston says:
22 October 2019

Frankly this attitude of not reimbursing people caught by these scammers is showing these criminals the green light. It is really high time that the international community and the financial world got their heads around this issue, when I speak of the International community, I am talking about the United Nations to encourage more co-operation and positive action to track these vile international criminals who pray on these people beyond their on shores. It is not beyond the possibility and has been proved that scammers have used the funds stolen to support international terror groups, especially those from the Middle East. Also if arrested, more robust penalties and I am not suggesting the death penalty by any means but incommunicado with those they are involved as implied, this means no access by computers or telephone except to contact their relatives. I for one, am not sure that this government has been thinking straight by suggesting that prisoners in this country should have access to conventional phones in their cells. This will merely encourage criminals to set up bogus businesses to scam innocent victims from their cells to finance other major crimes.

Fredi says:
25 October 2019

Not reimbursing victims is showing these criminals green light? On the contrary, if people are reimbursed it reinforces the feeling of performing a victimless crime. People just think about covering their own losses while blaming everyone else for falling a victim of scams whereas it’s exactly them and them only who are to blame.

Interesting Fredi but not a position I readily accept .
Retribution for a crime committed is the corner stone of US Law and this country lowering the meaning of the word “criminal action ” would need a lawyer to prove insanity or self defence, if you are stopped by the police for a traffic offence and say – “I did not know officer” will engender the well known reply – “ignorance of the law is no excuse ” ,in other words a “laissez faire ” approach is not acceptable unless a judge has pity on the criminal .
Most of the public I have met on my long years on this earth want retribution regardless of how a third party feels and even social niceties are not on the mind of the victim or their relatives .
No I am with the Americans on this –do the crime –do the time some in this country will forgive a lot but they are of a humanitarian instinct on issues of this type or a devout Christian or some eastern religious faith .
This is a distinctly capitalist society syndrome helped by globalisation of long distance commercial sales techniques which are very dubious to say the least and you cannot “make excuses” for modern business practices if they have a resulting dark side.

I agree with Fredl here.

duncan, I do not think Fredl is absolving the perpetrators, but saying the victims are not free from responsibility for their actions nor necessarily blameless. I may be wrong! 🙁

There is a danger that by taking away customers’ responsibility some, maybe many, will not take the care they should and give thought to what they do if they know they will be reimbursed anyway. There is also the danger that those who are slightly clever will perpetrate scams in collusion with a customer. We must somehow strike a balance. We must also remember it is our – the customers’ – money that will fund any reimbursements.

Not sure why America figures in this. They seem adept at wriggling out of responsibility for crimes.

Nationwide have this on their site. https://www.nationwide.co.uk/fraudaware. It was shown on an email from them which, I presume, all online banking customers receive.

Responsibility says:
25 October 2019

The internet web servers who provide these services which allow these criminals to hack folks’ emails and computers should take full responsibility for ALL the costs incurred and monies lost!! AND THE RECEIVING BANKS WHO HAVE ALLOWED THESE CRIMINALS TO SET UP THESE FRAUDULENT RECIPIENT BANK ACCOUNTS!!! Yes they should BOTH take FULL responsibility for allowing these criminals to use their services and provisions!! Both Servers and Recipient Banks if they HAVE TO PAY BACK MONIES STOLEN would be much more vigilant and careful of whom they allow to use their internt and/or Banking service provisions!!

In America the web companies providing block virtual telephone numbers to criminals who scam the public are forced to provide US Federal Authorities with their customers details.
This in turn allows US covert operations to take place to gather evidence against then they arrest the criminals who are tried , convicted ,jailed for a long time ( US Law comes down heavily on this type of thing ) heavily fined (very heavily ) and compensation awarded to the recipients of the scam .

Problem is this costs a lot of money and a wide range of human resources which this country says it cant afford to do unless its something major in the amount of cash and somebody prominent in the public eye is involved.

I’ve followed correct procedures after financial advisor employee of bank assurance investment funds safe in second month account completely empty of all investment funds £21,950 to online bingo site based in Malta and account opened with just visa debit card details. Which the fca clearly state if funds customers own savings and victim of identity fraud just card details needed then bank must refund lost funds immediately.Branch manager reporting fraudulent transactions on account and identity fraud to security personnel and complaints asking how security personnel were fully aware of transactions occurring and chose to approve each transaction instead of contacting customer once to check he was one making slightly unusual transaction on his account 75 transactions to online bingo and security personnel approving each transaction till Account completely empty in just three hours eighteen minutes and monitoring showing abuse and every transaction of £500 every ten minutes so branch manager gave me internal statements showing abuse and transactions that security personnel chose to approve . I waited two years five reports which cab legal personnel stated all incorrect as they clearly avoided any evidence statements facts on case which clearly changes the outcome of case and should be investigated.

Stephen Murphy says:
9 November 2019

Action fraud are a waste of tax payers money.I lost twenty five thousand pounds through my lack of knowledge on phone scammers.My own fault,but the banks did not help.No due diligence on their behalf.Action fraud accepted my report and said,Thank you!That was that!Report was made in 2015/16.

Brian Hardy says:
28 November 2019

If I open a bank account I have to jump through hoops to ensure that I am not a money launderer. How are the criminals managing to open the accounts that receive this money? The banks can’t be doing their job properly and should be fined heavily under the money laundering legislation. Maybe the banks need to set up a database of information used to open accounts, so that fradulent activity can be spotted early.

One way I’ve heard of is that the crooks pay students to open an account for them (using proper credentials) – and then the student gives them access to make withdrawals of funds that the criminals get put in there. Not too unlike using a VPN…

Sam Bond says:
28 November 2019

My mum was scammed out of £24000 earlier this year. She is 77 and ill and this has exacerbated her health hugely. I reported it to fraud Uk and the financial ombudsman. Gave all the accounts that money was sent to and was told we could get the uk ones back but nothing has happened. Her bank was brilliant at first but then blocked her from using her own account online. This was good at first but now my mother is left feeling stupid and ashamed. The bank won’t unblock her yet. With the majority of her life savings gone now I am so worried for her.
It’s like these support companies have forgotten about her and I’m not well either so haven’t been able to follow up on it for a while now

You are not alone. My daughter had to go to bank to pay for her items and shipping in the morning. But when I came home after work and looked at the papers I noticed something odd. We called The Fraud Line and told us to call back in the morning at 8am – what!!! So at 8am we called them and 9am at bank to report same thing. Cashier said money reserved but not paid yet so there should be no problem. Then she gets message from Lloyd’s Bank that they could not stop payment. If bank cannot act on fraud what chances do customers have. It looks like UK banks are working with fraudsters. 8 months now since she contact Financial Ombudsman but no response. Useless lot.

Adrian Young says:
28 November 2019

I really don’t understand how these scams can’t be stopped, there must be a paper trail or an electronic trail, whereby anybody who transfers money on line can be caught if the will is there to do it.

Adrian -here is the Guardian,s point of view –

https://www.theguardian.com/money/2018/jul/07/heres-how-scammers-get-away-with-it
Caller ID is unsafe , your banks fraud dept. can be spoofed , UK authorities are too slow at tracing back the scammers due to red tape-cost and lack of “manpower “.
Once the money leaves the bank it is transferred into several overseas bank accounts which are closed in quick succession.
The latest method only needs –
1-your cell phone number (easily obtained )
2- A bank account with a proper money transfer organisation/system
3-you assuming that its really the bank on the phone
4-doesnt need your ATM card
This is happening as we speak in the USA , I don’t want to post full details of bank scams as it might help scammers but its not hard to set up digitally .
On the other hand the US government security authorities will after a certain number of scams of the same type take place –
1- force the companies supplying the spoofed/virtual numbers to give out their customers details –then covert spying on them gathering evidence – then 2 am in the morning- door smashed in FBI etc nab the crooks – jailed – long sentences -very heavy fines – and payback to those who lost money – businesses closed down etc .
No flies on Americans -no– sorry we cant help UK style .
Nobody going through the US prison system ever wants to return- rotten food – attacks physical and sexual unless you have a lot of money or are somebody with influence.

shaun says:
29 November 2019

More needs to be done to stop these b*******s, they are scum. I like to watch the clever sods reverse thee scam on youtube, so funny, but this needs sorting, after all we do not run the net do we, but them that do, well muppets.

Shaun its the banks that haven’t caught up to the latest scamming practices or if they have they don’t put enough resources into fixing it, its always an “after fix ” you cant blame the actual operation of the Web its just a modern facility that provides a way of life for most people now .
Scammers/hackers are always ahead of the latest online protection that’s why big companies and even governments try to recruit them.
World governments promoted the “Cashless Society ” long before they were ready for all its pitfalls.

Anne Hill says:
30 November 2019

I was scammed 2014 with a man pretending to be from my bank. I was told I had to go to my bank. I had just broken my foot, was in pain. They could not have known that and were very convincing with an app to change phone. Banks should reimburse us. It was not our fault. Perhaps if banks had to reimburse us they would make more effort to protect their customers

AAAli says:
5 December 2019

What is the point of Fraud Line when they cannot stop Fraud. Also if money hasn’t left your account when you report Fraud why the bank cannot freeze your account until matter is solve. Let the Fraudster bring proof you owe them that money like invoices etc. This happened recently to someone I know with Lloyd’s Bank and they went ahead and paid the Fraudster later in the day after she reported to Fraud Line and went to Bank and cashier told her money is reserved but not paid so there should be no problem. Imagine her shock when she got a letter from Lloyd’s saying they couldn’t stop payment then blame the Customer after following all Fraud procedures. And Financial Ombudsmans have not responded in almost 8 months.

A couple of years ago I adapted a Christmas song for Which? (at their request) to be performed at Paddington Station as a response to the ongoing issue being experienced by commuters on Southern and South West rail.

Owing to time delays it was unable to be performed live – which would have been ideal – but the reason I’m posting this in here is because Joe Lycett recently did what Which? might have done, but for the victims of scamming.

In this video we see how Joe’s methods eventually secured an £8k refund to a lady defrauded of £11k by extremely resourceful scammers.

Let me know when you want to try again, Which?. It certainly works.

I do not like to see people defrauded. However, there has been plenty of publicity about similar scams – not responding to requests to move money to a safe account, not assuming calls are genuine or the numbers are legitimate, and not doing anything in response to incoming calls or emails. Get in touch with your bank through the phone number you have.

Claire’s sister immediately spotted this scam.

Fraudsters are successful because they are convincing – just as they are in all forms of activity. I do not see that banks, or anyone else, should recompense for a lack of awareness or responsibility, or someone simply falling for a confidence trick. Not, that is, unless they have had some part to play, through negligence for example. Because it is you and I who provide the money for these refunds.

The danger of automatically refunding money like this is twofold. One, it reduces the need for personal responsibility (don’t worry, if you don’t take care we’ll make sure you are not out of pocket). Two, it increases the possibility of people colluding to defraud a bank by setting up their own scam.

Clearly. it is an emotive topic. Once money has been lost it can cause great hardship. So maybe we need to put controls in the way some people are allowed to use their accounts. Limiting the amounts that can be transferred to much less than normal, with some additional security measure (like the bank asking why you are doing it). Delaying transfers to give the bank the opportunity to check. Rather than resorting to indiscriminate compensation I’d suggest we need to examine ways to help avoid fraud or, at least, limit its damage.

I suspect what was very interesting about that case is how Joe was able to fool so many people – people one might imagine would be well versed in scamming – that he was the boss.