/ Money

PayUK must ensure that blameless scam victims are protected

The CEO of UK Finance and I have written to Pay.UK to urge it to back a vital scams reimbursement funding proposal. Here’s our letter to its chair, Ms Melanie Johnson.

Update 28/11/2019

PayUK has now rejected the proposal that we set out last month in the letter below.

However, the industry trade body has now announced a three month extension to the current scheme funded by the major banks. The scheme will be extended to March 2020.

This agreement is merely a stopgap that highlights the industry’s failure to secure vital long-term reimbursement for innocent victims of devastating transfer fraud.

It’s clear that a voluntary, industry-led approach to protecting scam victims is not enough.

The next government must work with the regulator to make the code and reimbursement mandatory – to finally ensure millions of people are no longer at risk of losing life-changing sums of money.

Original letter (08/10/2019)

Dear Ms Johnson,

This joint letter from Which?, the largest consumer organisation in the UK, and UK Finance, on behalf of HSBC, Santander, Barclays, Lloyds, Metro, Nationwide and RBS follows the Pay.UK Call for Information and is in support of the Faster Payment Scheme (FPS) Change Request.

Authorised Push Payment (APP) fraud is a crime which can have a devastating impact on its victims, which is why protecting consumers is a priority for us all.

The launch of the voluntary Contingent Reimbursement Model Code in May set a new standard of consumer protection from this type of fraud, with a commitment from signatory firms to reimburse victims provided the customer has met the standards expected of them under the Code.

The Code was produced by the APP Scams Steering Group, which was composed of representatives from consumer groups, the finance industry, government bodies and regulators.

‘No blame’ fund

The proposal set out in the Change Request for an FPS CRM fee will provide a long-term, sustainable funding system for the reimbursement of victims of APP scams under the voluntary Code in situations where both the customer and payment service provider (PSP) have done everything expected of them, known as a ‘no blame’ situation.

Funds gained from the FPS fee will be held centrally in a ‘no blame’ fund.

If the Pay.UK board fails to pass the Change Request, many victims of APP scams could once again risk losing their life savings to this devastating crime.

Following consultation on seven funding options, with responses received from 34 stakeholders, including many Pay.UK participants, the Steering Group agreed that the FPS model is the best method to ensure that reimbursement for blameless victims continues beyond the end of this year.

As well as providing reimbursement in a ‘no blame’ situation for customers of PSPs which are signatories to the Code, the proposed model represents the only long-term funding option that also guarantees customers will be covered if their PSP is not a signatory.

If a customer is a victim of an APP fraud and their PSP is not signed up to the Code, they will be able to take their case to the Financial Ombudsman Service which will have the power to refer the PSP to the ‘no blame’ fund to reimburse the customer.

Reducing APP scams

The proposed fee would provide a financial incentive for the firms involved in push payments to individually and collectively reduce APP scams, above and beyond the minimum requirements in the Code.

The protection that the fee offers consumers could also benefit payment providers and Pay.UK by strengthening trust among consumers in the Faster Payments Service.

The Faster Payments Service was designed for speed and convenience. Unfortunately, sensible pro-customer and pro-growth measures are being exploited by criminals.

Latest data from UK Finance shows that in the first six months on 2019, 95per cent of all APP fraud involved a customer making a Faster Payment. Therefore, it is important for Pay.UK to consider the part it can play in the fight against this growing fraud, by recognising that it has the power to take decisive action to protect end users.

The FPS Change Request, submitted to Pay.UK in June, provides a mechanism to achieve this consumer protection.

As well as being the decision of the APP Scams Steering Group, the Change Request also demonstrably fits with Pay.UK’s strategic objectives. Specifically, these include being “end user focussed” and “acting as a catalyst for change in the payments industry; addressing threats; and supporting industry-wide initiatives.

Protecting consumers

The fight against rising APP fraud has become an issue for society to tackle. Pay.UK is supporting these efforts with its work to introduce the Confirmation of Payee service.

Careful consideration of the case for the CRM FPS Fee is now needed, as Pay.UK assesses the responses to its Call for Information.

This well-thought through and widely supported option is proportionate to payment providers of different sizes, consistent with the APP Scams Steering Group proposals, and widely supported by consumer bodies and much of the financial industry.

We urge the Pay.UK board to accept this proposal, and put the protection of consumers at the heart of its decision.

Yours sincerely,

Anabel Hoult, CEO of Which?

Stephen Jones, CEO of UK Finance.

Comments

I am fully behind Which ? action in this regard and the responsibility lies with the digital globalization of commercial transactions to stop the public from finding the real locations of online /email business offers .
This is fully approved by the UK/USA governments and is the future de facto means of selling and buying .
The problem is the Web is not safe , is full of hackers/scammers etc who are so well up on hacking that as soon as a new public protection app is introduced in a week its hacked .
Read up on “Fileless ” Malware for a start , it therefore is the responsibility of those in charge of us to do the right thing if they wont stop it and that means compensation approved at government level otherwise their globalization dreams will be severely dented due to lack of public confidence .

Daily am I sent malware alerts from many companies /tech websites on the latest malware and scams from the USA and Europe , its never ending , dont underestimate the hackers and don’t overestimate those who produce programmes to protect us —NONE of them can guarantee 100 % protection !

I would also be fully behind the proposal providing that it is made clear that the banks must fund it and not simply add it on to the customers charges.

The Intro makes clear that the general compensation fund and the reserve fund for scams involving Ombudsman cases will have to be provided through a levy on transactions proportionate to the scale of the business. The cost must therefore become an unavoidable operating expense for which I can see no compensatory savings and will ultimately fall to be met from customers through higher charges or lower interest rates; it would be good if it could be funded through increased efficiency or from profits but that would probably mean closing more branches and cash machines. We must be careful what we wish for.

ADAM BUGAJEWSKI says:
8 October 2019

help us to abolish leasehold!!!

Keith Canham says:
8 October 2019

Why

I take it you agree with those in the north of the UK Adam-
the Abolition of Feudal Tenure (Scotland ) Act 2000 and the Tenements (Scotland ) Act 2004 which effectively brought leasehold to an end in Scotland .
Also the Long Leases (Scotland ) Act 2012 automatically converted remaining long leases to OUTRIGHT ownership .

the same happened in Poland this year, why not the rest of the UK follows it?

There is a dedicated Conversation on specific problems with leasehold tenure. See –
https://conversation.which.co.uk/money/leasehold-housing-scandal-doubling-ground-rent/

Adam has not identified his particular objection; there are numerous issues but for many people it provides a good mechanism for providing a roof over their heads and I would say that a majority of modern rental properties today are leasehold. What we need to get rid of is bad freeholders and management companies.

Graham Pearson says:
8 October 2019

Scams like these are putting a heavy burden on innocent people and it isn’t nice for that to happen. It’s about time the idiots who commit such offences are arrested, remanded in custody, fined heavily, ordered to pay legal costs to their victims and locked away.

Much better to put money into stopping fraudsters and making them pay rather than leave them free to keep scamming and make us pay.

C Cumming says:
8 October 2019

I am fully behind this, having been the victim of two scam websites, and being told by my bank that as I paid it, there was nothing they could do about reimbursing me from the failure of the sites to deliver the goods.

I am glad that UK Finance and Which? have joined up to press so strongly for the change in consumer protection through the CRM code applying to the FPS [Faster Payment Service] money transfer process being delivered permanently. The reasons given are all sound and should brook no hesitation.

Every else one I know is wary of using the process and will not do so, but they are worried that it could progressively become unavoidable as firms insist on it as a way of receiving payment for work done or add a surcharge for those who wish to pay by alternative means. This is more serious than the threat to cash itself.

I have been a user of the FPS since it was introduced but I know someone who came within a whisker of losing a large sum of money but for the intervention of their bank and this has made me more cautious and reluctant to use the service for anything other than large organisations like banks, local authorities and HMRC who would not write to request a change of payment destination.

My friend was having some work done to his house and employed a builder who had done work for him previously. They knew each other well and there was mutual trust. A short time into the latest work my friend received an e-mail requesting a payment on account to a new bank account number explaining that a cash-flow problem had temporarily disabled access to his regular account. This was in response to an e-mail about some fittings to be installed and promising payment as and when required. The e-mail my friend received referred to other comments about timescales and materials. But it was not from the builder. It looked like it – the e-mail had the same origination address, it was set out in the same way as the builder’s correspondence, it used a similar style and language, and to all intents and purposes it looked genuine . . . so he executed the transfer as an authorised push payment using the FPS. The next day my friend received a telephone call from his bank [Nationwide] who had intercepted the payment and held it back for verification on the grounds that the customer had never made a payment to the same account before, the amount involved was a big round number, and that it appeared to be suspicious. My friend was annoyed at what he considered unjustified interference and possibly upsetting the friendly relationship with his builder and he got rather angry with them. The building society asked him to check with the builder before they would release the money. He could not believe he had been duped but spoke to his builder immediately who denied he had sent an e-mail asking for a payment, but agreeing that the e-mail would easily pass for one of his own. He then confirmed back to Nationwide that an attempt at fraud had taken place. The money at risk was returned to his account; he was so grateful to the building society and sorry for objecting to their intervention. He was in shock and disbelief for some time afterwards. Apparently, the scammers had hacked into the builder’s e-mail account and were able to mimic the correspondence style and make references that my friend thought only he and his builder would know about. This was triggered by the key word “payment” in the correspondence. Software is used to pick up this word when it appears in a chain of e-mails to and from the builder and then the scammers pounce. The builder seemed unconcerned and said the same thing had happened with another client, not appreciating that his own e-mail account had been the likely source. So long as the fraudsters don’t do it too often they can probably get away with it and the builder would be unaware. Good job the bank was on the alert and put that call through to their customer.

This just shows, as Duncan says, that the internet is awash with hackers and scams and that nothing should be trusted unless you know it is true by personal verification. They even lurk on personal e-mail addresses waiting for the trigger word to appear, and they will disguise their contact so it looks 100% genuine. I don’t know what happened next but I am hoping Nationwide informed the nominated receiving bank and that they froze the account. With luck they did more than that and identified the account holder and reported it for criminal investigation.

Given that this fraud is so easy to perpetrate and so easy to fall victim to it is vital that the voluntary model code is made permanent so that all bank customers can have protection, albeit within the limitations of the code [i.e the ‘no blame’ situation]. Why blow up a bank vault when you can sit at home and drain the customers dry?

Puss says:
8 October 2019

Your friend should have checked with the builder before sending the money.
If you reimburse people who send money to a criminal account what’s to stop criminals from sending money to one of their friend criminals and then claiming the’ve been conned and getting the bank to reimburse them?

Yes, Puss, he realises that now, but he trusted the e-mail and wanted to help him out. It happened over a weekend so the builder was not around. I have seen the e-mail – you would never believe it was a scam. Who expects a scam? I hope people are a bit wiser now.

Your second point is concerning and has been raised before in this context. I assume that if a refund is claimed there would be exhaustive investigations into the customers on both sides of the transaction to make sure that they have both met “the standards expected of them under the Code”. That would not be infallible but once their card had been marked I doubt whether they could try it again and get lucky.

Although there are many honest builders, having met some very dodgy ones, I wouldn’t put it past some of them to pass on emails for fraudulent use.

It does seem to be those in the building trade that this type of fraud originates the most.

I had that suspicion myself, Alfa, but didn’t tell my friend. I would have told the builder to change his e-mail address and log-in passwords, etc, – especially after he admitted it had happened before – but denial is a strange emotion.

On the other hand, I am amazed at how many people think they are immune from deception. My friend is no fool and has all his wits about him but he was lulled by the crafty e-mail into sympathy with his builder’s predicament and fell for the scam. He was saved by the much-derided banks. I can’t be sure I would not have done the same thing in the same circumstances despite everything I have read in Which?

Kamran Khan says:
8 October 2019

This should be normal practice.
It’s a disgrace banks have taken so long to put this practice into place.
Just think of the poor souls who suffered, after being scammed, not knowing if they would be reimbursed or left to rot with the scammers fraudulent debt around their necks. No doubt some did rot.
The banks would not have lost a single penny as their Indemnity Insurance covers for things like scams.
The Government should have stepped in sooner to protect our public, just as the Government stepped in rapidly to protect the Banks during the financial crisis a decade ago and gave them tens of billions of pounds of the public taxpayers money to keep them afloat despite the Banks being grossly negligent and mis-selling everything to the public. The irony of it all is disgraceful.

Paul Phillips says:
8 October 2019

I urge all banks to look after their customers and reimburse those who have fallen foul of these people who have no care and no hearts regarding their rip offs. Please banks, if you are making a profit support those who have suffered financially.

Robert says:
8 October 2019

I am worried that the refund process becomes yet another avenue for scams. And the customer base is paying – not the banks.

If you punish the offender properly a lot of these offence would stop (and I don’t mean a slap on the wrist)

S Suthern says:
8 October 2019

The older people need to be protected from the people who doing the scams

Mike W says:
8 October 2019

There should be a mechanism by which the victims bank can claw back the money from the scammers bank and it is then up to that bank to get their money back from the scammers. That way banks may be a bit more careful when allowing criminals to open accounts.

Rosalind says:
8 October 2019

On the subject of banks & telephone fraud, as long as banks are allowed to telephone their customers with personal (NOT business) accounts, there will always be scams. If it were unlawful for banks to telephone personal account customers, & this fact was widely known, there would not be the number of scams there are today. There is absolutely no reason for a bank to telephone a personal account customer: if a bank has anything to say to her/him, it can write a letter – which was the way it was done years ago. WHICH should be proposing & campaigning for this.

Puss says:
8 October 2019

There are times when a bank needs to call a customer.I had my bank call me one day to check if a card purchase was really made by me.It was a lot quicker than writing.

Agreed. I was called by my bank to check whether I had booked a hotel room in New York and put £30 on a phone top-up with my card. Neither were my transactions, and the card was blocked. I welcomed the call.

Anthony Edmund Deaves says:
8 October 2019

Many years ago I was done out of five hundred pounds on Ebay for a laptop,
I am disable person and five hundred is a lot money back in the early 2000’s .
I got sweet All from HSBC as they said was my own fault.
Then year a I was nearly done out all my main account via someone scimming my card at petrol station this time the bank did refund me.
The banks have a responsibility to thier customers.

erica says:
8 October 2019

I am fully behind this but slightly wary that banks might use it as an excuse to add charges to all bank transfers.

W.Rogers. says:
8 October 2019

What about the £Millions, if not £Billions, supposedly left in the unpaid PPI funds that was contributed to by most of the major banks? What has happened to them? These funds must still be in existence even though now closed. They could become a joint fund to fight scammers and compensate victims.

I think you will find that these were not actually funds but ‘financial provisions’, money identified and set aside to meet claims but not actually spent. There is no pot of gold at the end of this rainbow, I’m afraid, and many of the banks have exceeded their original provisions and now have to lay out even more of your money and mine.

The real scandal is that the banks operated the PPI selling racket so casually and carelessly that they could not defend themselves against unwarranted claims for compensation and have had to pay out billions for no good reason. At least that money has gone back into the economy but only at a huge cost to bank customers generally.

Henry Edwards says:
8 October 2019

I walked into a bank after a holiday abroad I hade in my hand a JapY that cost me £50 50,000y all around the walls was notices asking you to watch out for scams and to protect your money the bank gave me £34 if that is not a scam what is.

Got to give you a thumbs up on that Henry – Post of the Day !

Philip Robson says:
8 October 2019

I am fully behind the idea that banks should be held to account for customers who are defrauded through no fault of their own. Banks are forever trying to distance themselves from their customers by closing branches and forcing users to use computer banking.
The banks must be blamed
if their systems are fallable
and not robust enough.

Should have used Paypal, they would have probably given the same exchange rate and then taken 3% handling fee!

Fat chance of Paypal doing anything in the customer’s interest, their own is their only concern I suspect.

Colm Maguire says:
8 October 2019

I don’t agree that all customers should be refunded for their foolishness. The money will not come out of thin air and either comes from customers paying hidden fees or pensions funds getting les dividends. There is not free lunch or victimless source of money.

Michael Oldman says:
8 October 2019

Banks save money if a transfer is used rather than say a cheque. So they should fund any repayment scheme out of their savings.

One problem on a transfer is that the name of the payee does not come up before the transfer is processed. I am not convinced that banks do enough checking when a new account is set up, that it is not similar in name to another account.

Also account numbers are not check digited so that an error in entering would not go through.

Perhaps some form of 2 factor authentication of accounts could be devised, whereby on receiving the invoice, you contact a known supplier number to get a code to put with the transfer. This would need to be done every time you set up a new payee, but only once, if it is a regular payee.

The Faster Payment Service – where 95% of this fraud comes from – already requires two-factor authentication: (1) Bank Sort Code (2) Account Number. What we have been waiting for is three-factor authentication by cross referencing the payee’s name as shown on the account. This has been planned for a long time but is being held up because of technical difficulties with bank system compatibilities. There is also the problem that the name on a trader’s bank account is not necessarily the same as the name on the van or even the invoice, but there is an easy answer to that: if it is not correct the transfer is blocked; people would soon sort it out. Two tries only, though!