/ Money

Update: what more can be done to minimise the harm caused by bank transfer scams?

Bank transfer scams

Following our super-complaint last year, the Payment Systems Regulator (PSR) has set out its approach to tackle the problem of bank transfer scams. But will these plans go far enough?

As we pointed out last year, unlike with the protections in place for other payment methods, such as credit or debit cards, those who fall victim to a scam when transferring money from their bank account will find that they aren’t protected.

The PSR has already agreed with us that banks could to do more to protect their customers.

And in its response to our super-complaint last year, it suggested that banks need to improve the way they respond to bank transfer scams, and do more to identify fraudulent payments.

It also proposed a package of work for the industry to take forward.

This included developing common standards to collect data, an approach to responding to instances of reported scams, and proposals for better sharing of information.

Terms of Reference

Under the PSR’s proposed plans announced today, the regulator will examine how other countries approach preventing and responding to this type of scam.

It will also compare how the payments industry tackles other types of scams and fraud, such as those involving payments made by credit or debit card.

In particular, it’s looking at what more the bodies who manage the payment systems (like Faster Payments) can do to protect consumers.

It’s also considering whether banks themselves could be required to do more, if they want to use these payment systems for their customers.

We’re pleased to see the PSR’s commitment to tackling the significant consumer harm caused by bank transfer fraud.

We strongly believe banks need to do more to protect their customers.

Currently there’s little incentive on them to put in place better safeguards, and banks have failed to adequately respond to the problem to date, despite seeing their own customers losing life changing sums of money.

Next steps

We need the PSR to take action, propose new measures and look at banks’ liability when it comes to sophisticated payment scams.

Which? will be responding to the PSR’s proposed approach by the deadline of 21 March.

But, in the meantime, there is nothing stopping the banks from taking a lead and setting out how they are going to ensure that consumers aren’t left out of pocket.


Banks are due to report back to the PSR later this summer, and we expect to see clear and meaningful progress.

If they fail to deliver, then the regulator must step in and require the industry to put in place better measures and checks to prevent customers from losing money to bank transfer scams.

Update: 4 April 2017

Following its consultation, the Payment Systems Regulator (PSR) has published the final Terms of Reference for its program of work to tackle bank transfer scams.

The PSR listened to feedback from Which?, as well as others, and accepted many of our points, including ensuring that:

  • the focus is on seeing better outcomes for consumers;
  • any proposals consider the way that scammers quickly adapt their methods and are future proofed; and
  • there is a clear timetable that starts to deliver real change for consumers quickly.

We will be watching closely to ensure that the PSR sticks to its timetable and makes swift progress.

There is still a massive gap in the protection for victims of transfer scams and there is more that banks can be doing themselves.

It’s now six months since we first raised the alarm, and we’ve not seen many changes from banks in terms of how they’re preventing customers from losing money.

We’re keen to hear from you – have you noticed your bank doing anything differently to protect people from scams? What do you think of the PSR’s approach? Would you like banks to be doing more?

Comments
Profile photo of DavidButler
Member

Firstly my two banks have recently taken to sending me emails. I do not trust internet communications at all having experienced scam attempts – almost daily a while ago. This is not for vulnerable members of society and they should be protected from these innovations by those of us that have a voice. Secondly we have very poor internet connectivity in this rural area and it often drops out – so cannot rely on getting messages. Thirdly our local branch has closed and this will mean a 20 minute drive to the next cash-point by car, we have only 3 buses a day and rely on friendly drivers. The people that make these decisions seem to be city experienced and rural inexperienced.

Profile photo of Ian
Member

A cautionary note: it’s a really good idea to bookmark the URL for your bank and to avoid typing it in or ever following one in an email. There are a lot of criminals who make a living out of duping folk into visiting fake sites that look uncannily like the real thing. Here’s an example of some of the most worrying:

Profile photo of wavechange
Member

I don’t understand why anyone was allowed to register these domains, where the URL is so similar to that of the well known company. I hope they have all been taken down.

Profile photo of Ian
Member

Domain registration is largely automated, and I suspect humans are barely involved. And the answer to your question is, I suspect, no. The original article is here:

https://www.theregister.co.uk/2017/05/03/bank_cyber_squat/

Member
Francis Beardsell says:
31 May 2017

What certainly doesn’t help, is the huge number and variations of Top Level Domains that are available something like 1,500+. IF there was a standard whereby only registered financial institutions could only get a specific domaine (e.g. .bank – similar to .edu), then the risk of fraudulent web addresses would be removed.

Member
Eddy Weatherill says:
16 May 2017

So far, banks have sat on their hands whenever possible following BBA agenda’s because they have been able to do so – regulators have allowed banks to change at their pace whilst allowing scammers to deprive many older people of their savings and their ability to remain independent. Banks have always been quick to make changes which suited them – but not very quick when it’s for the customer’s benefit. PPI and the sale of an unsuitable but very profitable bank product is just one illustration – which took too many years for compensation payouts although regulators could have prevented PPI sales much earlier. It makes a mockery of the FCA Principles -particularly the most important Principle – that of treating customers fairly. – Eddy Weatherill Chief Executive IBAS

Profile photo of DavidCHLeeds
Member

Bank transfer scams: the receiving bank must re-imburse the victim, since the bank has allowed a fraudulent account to be opened. In addition, a statutory fine equal to the swindled sum would concentrate the minds of the shareholders and the banks’ managements.

Profile photo of DrDMSharp
Member

Just as one can recover money when purchases are made with a credit card, so banks should cover the customer risk from credit transfer and other such scams.
The banks have saved money by closing branches and pushing people to paperless transactions, and interfacing with customers online.
It is not in their interest to compensate customers from consequent frauds. But until they are made responsible, and stop putting all the emphasis for caution upon their customers, they will blithely carry on as they are.

Profile photo of Beryl
Member

Banks underestimate the sophistication and skill of the scammers.

In my case the telephone conversation began with the emphasis very much focused on switching to online banking, in order to detract from the real underlying objective by attempting to engage with me in a cordial and trusting interaction, which then gradually progressed onwards to the advantages of switching to a different account with more lucrative returns. Once achieved, she then quite suddenly with some conviction asked “shall I do it now? The whole time I really thought I was talking to the person she said she was. It was my intuition and prior knowledge of telephone banking scams that I was able to respond with a resounding “NO” to her request.

I am convinced this was an inside job as the person on the other end of the line was well versed in banking sales procedures and who obviously had access to my accounts. Banks will always put their own reputation before that of their customers due to the ongoing competition that exists within the financial marketplace.

Profile photo of malcolm r
Member

Banks underestimate the sophistication and skill of the scammers.” I don’t think so, Beryl. But as in any crime, the criminals look at existing security and can devise a cunning way around it. Keeping one step ahead.

Profile photo of DavidCage
Member

You do not have to be one step ahead of a system that assumes that a restriction necessary when a mainframe had 16K of wire core memory and a disk drive 120 K bytes so just using the account number to save on bit count and a check on the account name is an expensive luxury. They have now had well over 25 years to admit that this is no longer a reasonable short cut and only the way they have scammed the customers into believing it is their fault for the losses for being so careless makes them so cavalier as to continue this extremely high risk strategy on account transfer security.

Profile photo of DavidCage
Member

Just about all the scams I have looked at were only possible and not painfully obvious to the person scammed because the name appeared perfectly plausible but the account number was that of the scammer’s account.
Make the banks liable for any scam if the name and account number did not match as this proves a negligence that is beyond carelessness and into the totally criminally irresponsible.
Also I cannot understand how it is not possible for the banks to recover the money from any account if the account passes the legal requirement for acceptability under the anti terrorists and criminal money laundering laws. Surely the account holder has to be known or they could not state it was not a terrorist or criminal one.

Profile photo of Beryl
Member

I agree with your sentiments David, banks do not always refund lost money without first establishing whether the customer had been negligent by agreeing to transfer money into what you are led to believe is your own account, which is the reason why I still maintain they underestimate the sophistication and skill of the scammer.

Member
MR MICHAEL OGDEN says:
28 September 2017

I bank with HSBC. They have a limit of £10,000 per day for any payment. This has been inconvenient at times but I can see why it is there.

Profile photo of Alex Whittle
Member

Just a reminder, if you are worried about scams, or concerned for vulnerable relatives please feel free to have a look at our new guide all abut you can protect elderly relatives from being scammed.

http://www.which.co.uk/consumer-rights/advice/protect-elderly-relative-from-scams

Profile photo of Olivia
Member

To me the solution for bank customers who are victims is very simple and does not rest with tgeir banks but with the oerpetrators’ banks. When you report, in detail, to your bank, the process by which you have parted with your money, the rule should be, that the information be passed on to the perpetrator’s bank and for the perpetrator’s bank to deduct the fraudulent sum of money from the perpetrator’s account and return it to the victim’s bank.

Where the perpetrator has tranferred the money to another bank or credit card account, the process should be the same, for the stolen money to be returned to the financial institution from which it was transferred. Where the perpatrator has withdrawn or spent some or all of the fraudulently acquired money, the rule should be that the financial institution from which the money was withdrawn or spent, should file a report with the police for fraud or theft.

When the matter is taken to court as a crime, attched to that charge should be an order to repay the money to the victim within a specified time, after which the court would seize assets equivalent to the money owing. If the perpetrator has played smart and got rid of or hidden his/her assets, then the rule should be for him/her to get a long jail sentence. The jail sentence should not be reflective of the amount of money stolen but all sentences should be reflective of the act of deception, itself. That is, there should be a mandatory fixed jail term and a very long one that reflects victims’ emotional, financial, psychological and mental suffering. As far as I am concerned and I am sure every victim feels the same way, every perpetrator should be given a life sentence to prevent anyone else ever becoming a victim of the perpetrator again and to reflect how serious the authorities see this crime, which has become so common that councils are defrauded, the Treasury is defrauded.