
Update: what more can be done to minimise the harm caused by bank transfer scams?

Bank transfer scams

Following our super-complaint last year, the Payment Systems Regulator (PSR) has set out its approach to tackle the problem of bank transfer scams. But will these plans go far enough?

As we pointed out last year, those who fall victim to a scam when transferring money from their bank account will find that they aren’t protected, unlike those using other payment methods such as credit or debit cards.

The PSR has already agreed with us that banks could do more to protect their customers.

And in its response to our super-complaint last year, it suggested that banks need to improve the way they respond to bank transfer scams, and do more to identify fraudulent payments.

It also proposed a package of work for the industry to take forward.

This included developing common standards to collect data, an approach to responding to instances of reported scams, and proposals for better sharing of information.

Terms of Reference

Under the PSR’s proposed plans announced today, the regulator will examine how other countries approach preventing and responding to this type of scam.

It will also compare how the payments industry tackles other types of scams and fraud, such as those involving payments made by credit or debit card.

In particular, it’s looking at what more the bodies who manage the payment systems (like Faster Payments) can do to protect consumers.

It’s also considering whether banks themselves could be required to do more, if they want to use these payment systems for their customers.

We’re pleased to see the PSR’s commitment to tackling the significant consumer harm caused by bank transfer fraud.

We strongly believe banks need to do more to protect their customers.

Currently there’s little incentive for them to put in place better safeguards, and banks have failed to adequately respond to the problem to date, despite seeing their own customers losing life-changing sums of money.

Next steps

We need the PSR to take action, propose new measures and look at banks’ liability when it comes to sophisticated payment scams.

Which? will be responding to the PSR’s proposed approach by the deadline of 21 March.

But, in the meantime, there is nothing stopping the banks from taking a lead and setting out how they are going to ensure that consumers aren’t left out of pocket.

Banks are due to report back to the PSR later this summer, and we expect to see clear and meaningful progress.

If they fail to deliver, then the regulator must step in and require the industry to put in place better measures and checks to prevent customers from losing money to bank transfer scams.

Update: 4 April 2017

Following its consultation, the Payment Systems Regulator (PSR) has published the final Terms of Reference for its program of work to tackle bank transfer scams.

The PSR listened to feedback from Which?, as well as others, and accepted many of our points, including ensuring that:

  • the focus is on seeing better outcomes for consumers;
  • any proposals consider the way that scammers quickly adapt their methods and are future proofed; and
  • there is a clear timetable that starts to deliver real change for consumers quickly.

We will be watching closely to ensure that the PSR sticks to its timetable and makes swift progress.

There is still a massive gap in the protection for victims of transfer scams and there is more that banks can be doing themselves.

It’s now six months since we first raised the alarm, and we’ve not seen many changes from banks in terms of how they’re preventing customers from losing money.

We’re keen to hear from you – have you noticed your bank doing anything differently to protect people from scams? What do you think of the PSR’s approach? Would you like banks to be doing more?


Firstly my two banks have recently taken to sending me emails. I do not trust internet communications at all having experienced scam attempts – almost daily a while ago. This is not for vulnerable members of society and they should be protected from these innovations by those of us that have a voice. Secondly we have very poor internet connectivity in this rural area and it often drops out – so cannot rely on getting messages. Thirdly our local branch has closed and this will mean a 20 minute drive to the next cash-point by car, we have only 3 buses a day and rely on friendly drivers. The people that make these decisions seem to be city experienced and rural inexperienced.


A cautionary note: it’s a really good idea to bookmark the URL for your bank and to avoid typing it in or ever following one in an email. There are a lot of criminals who make a living out of duping folk into visiting fake sites that look uncannily like the real thing. Here’s an example of some of the most worrying:


I don’t understand why anyone was allowed to register these domains, where the URL is so similar to that of the well known company. I hope they have all been taken down.


Domain registration is largely automated, and I suspect humans are barely involved. And the answer to your question is, I suspect, no. The original article is here:


Francis Beardsell says:
31 May 2017

What certainly doesn’t help is the huge number and variations of Top Level Domains that are available, something like 1,500+. If there was a standard whereby only registered financial institutions could get a specific domain (e.g. .bank – similar to .edu), then the risk of fraudulent web addresses would be removed.

Eddy Weatherill says:
16 May 2017

So far, banks have sat on their hands whenever possible following BBA agendas because they have been able to do so – regulators have allowed banks to change at their pace whilst allowing scammers to deprive many older people of their savings and their ability to remain independent. Banks have always been quick to make changes which suited them – but not very quick when it’s for the customer’s benefit. PPI and the sale of an unsuitable but very profitable bank product is just one illustration – which took too many years for compensation payouts although regulators could have prevented PPI sales much earlier. It makes a mockery of the FCA Principles – particularly the most important Principle – that of treating customers fairly. – Eddy Weatherill Chief Executive IBAS


Bank transfer scams: the receiving bank must reimburse the victim, since the bank has allowed a fraudulent account to be opened. In addition, a statutory fine equal to the swindled sum would concentrate the minds of the shareholders and the banks’ managements.


Just as one can recover money when purchases are made with a credit card, so banks should cover the customer risk from credit transfer and other such scams.
The banks have saved money by closing branches and pushing people to paperless transactions, and interfacing with customers online.
It is not in their interest to compensate customers from consequent frauds. But until they are made responsible, and stop putting all the emphasis for caution upon their customers, they will blithely carry on as they are.


Banks underestimate the sophistication and skill of the scammers.

In my case the telephone conversation began with the emphasis very much focused on switching to online banking, in order to detract from the real underlying objective by attempting to engage with me in a cordial and trusting interaction, which then gradually progressed onwards to the advantages of switching to a different account with more lucrative returns. Once achieved, she then quite suddenly with some conviction asked “shall I do it now?” The whole time I really thought I was talking to the person she said she was. It was my intuition and prior knowledge of telephone banking scams that I was able to respond with a resounding “NO” to her request.

I am convinced this was an inside job as the person on the other end of the line was well versed in banking sales procedures and who obviously had access to my accounts. Banks will always put their own reputation before that of their customers due to the ongoing competition that exists within the financial marketplace.


“Banks underestimate the sophistication and skill of the scammers.” I don’t think so, Beryl. But as in any crime, the criminals look at existing security and can devise a cunning way around it. Keeping one step ahead.


You do not have to be one step ahead of a system that assumes that a restriction necessary when a mainframe had 16K of wire core memory and a disk drive 120 K bytes so just using the account number to save on bit count and a check on the account name is an expensive luxury. They have now had well over 25 years to admit that this is no longer a reasonable short cut and only the way they have scammed the customers into believing it is their fault for the losses for being so careless makes them so cavalier as to continue this extremely high risk strategy on account transfer security.


Just about all the scams I have looked at were only possible and not painfully obvious to the person scammed because the name appeared perfectly plausible but the account number was that of the scammer’s account.
Make the banks liable for any scam if the name and account number did not match as this proves a negligence that is beyond carelessness and into the totally criminally irresponsible.
Also I cannot understand how it is not possible for the banks to recover the money from any account if the account passes the legal requirement for acceptability under the anti terrorists and criminal money laundering laws. Surely the account holder has to be known or they could not state it was not a terrorist or criminal one.