/ Money

Update: what more can be done to minimise the harm caused by bank transfer scams?

Bank transfer scams

Following our super-complaint last year, the Payment Systems Regulator (PSR) has set out its approach to tackle the problem of bank transfer scams. But will these plans go far enough?

As we pointed out last year, unlike with the protections in place for other payment methods, such as credit or debit cards, those who fall victim to a scam when transferring money from their bank account will find that they aren’t protected.

The PSR has already agreed with us that banks could to do more to protect their customers.

And in its response to our super-complaint last year, it suggested that banks need to improve the way they respond to bank transfer scams, and do more to identify fraudulent payments.

It also proposed a package of work for the industry to take forward.

This included developing common standards to collect data, an approach to responding to instances of reported scams, and proposals for better sharing of information.

Terms of Reference

Under the PSR’s proposed plans announced today, the regulator will examine how other countries approach preventing and responding to this type of scam.

It will also compare how the payments industry tackles other types of scams and fraud, such as those involving payments made by credit or debit card.

In particular, it’s looking at what more the bodies who manage the payment systems (like Faster Payments) can do to protect consumers.

It’s also considering whether banks themselves could be required to do more, if they want to use these payment systems for their customers.

We’re pleased to see the PSR’s commitment to tackling the significant consumer harm caused by bank transfer fraud.

We strongly believe banks need to do more to protect their customers.

Currently there’s little incentive on them to put in place better safeguards, and banks have failed to adequately respond to the problem to date, despite seeing their own customers losing life changing sums of money.

Next steps

We need the PSR to take action, propose new measures and look at banks’ liability when it comes to sophisticated payment scams.

Which? will be responding to the PSR’s proposed approach by the deadline of 21 March.

But, in the meantime, there is nothing stopping the banks from taking a lead and setting out how they are going to ensure that consumers aren’t left out of pocket.

Banks are due to report back to the PSR later this summer, and we expect to see clear and meaningful progress.

If they fail to deliver, then the regulator must step in and require the industry to put in place better measures and checks to prevent customers from losing money to bank transfer scams.

Update: 4 April 2017

Following its consultation, the Payment Systems Regulator (PSR) has published the final Terms of Reference for its program of work to tackle bank transfer scams.

The PSR listened to feedback from Which?, as well as others, and accepted many of our points, including ensuring that:

  • the focus is on seeing better outcomes for consumers;
  • any proposals consider the way that scammers quickly adapt their methods and are future proofed; and
  • there is a clear timetable that starts to deliver real change for consumers quickly.

We will be watching closely to ensure that the PSR sticks to its timetable and makes swift progress.

There is still a massive gap in the protection for victims of transfer scams and there is more that banks can be doing themselves.

It’s now six months since we first raised the alarm, and we’ve not seen many changes from banks in terms of how they’re preventing customers from losing money.

We’re keen to hear from you – have you noticed your bank doing anything differently to protect people from scams? What do you think of the PSR’s approach? Would you like banks to be doing more?

Catherine Deery says:
6 April 2017

My Santander bank in Penrith made sure that I was sending money for a eBay purchase to a bona fide trader, I am seventy off and appreciated the help and advice.

Graham Fairhall says:
6 April 2017

Perhaps for a transfer over a certain amount ( which could be agreed with the customer in advance ) then a quick check by e-mail, mobile phone might be a sensible idea. My credit card company operate a similar policy with spending patterns outside a normal range and on overseas use unless I notify them otherwise.
If I am responsible for money going astray ( by typing in error a wrong sort code/acc number ) then that is my problem, and I would not expect the bank to re-imburse me.

If I have to send any large amount anywhere. I send a small number of pence first and then check with the expected recipient to see if it has arrived in their bank account. I even did this for a payment to my brother who had given me his bank details, just to ensure that I had typed in the correct information. I saved the information in my account so I could easily transfer the balance.

David Thomas says:
7 April 2017

Great idea! I will adopt that policy

Carol Wilson says:
23 April 2017

I like your thinking! Great idea

D.O'Connell says:
6 April 2017

NATIONWIDE has altered and increased the log in procedure for our current account,

I would like UK banks to notify people when the account number of the ‘receiving’ account does not match the name of the account holder. In this way the person transferring money would know that they were a victim of a scam. In Germany and France this is done so why can’t it be done in the UK?

David Williams says:
6 April 2017

I use two Banks.
1. HSBC for all main transactions ,to receive my Pension payments and for me to carry out living transactions.
2. Santander, to pay my domestic SO’s (Gas-Electricity. Council Tax etc).. also to give me interest on my capital invested.
Referring only to the HSBC I noticed that in the last 6 months to one year; particular surveillance has been focussed on VISA and Master Card Payments. In particular I have received five or six mobile messages requesting that I contact a security office ( given Number ) to respond to questions about certain accounts that have appeared to be dubious. My Personal ID procedure has been upgraded and on two occasions a card has been blocked then replacements issued.
The conversation with the office has always be on a friendly / advisory basis.
I am pleased by the way these changes with others have been introduced.

There is only one way to ensure our communications with the bank are secure and that is face to face, at the bank. Unfortunately technology is taking us away from this, and the more links we put in the communication chain, the more insecure our data becomes. One way we could improve matters ( for online customers ), is to ensure that the banks only send us ONE message, and that is ” there is important infomation in the notes in your secure account. ” We would then have to access our account and read the message list. No other communication by telephone, email, text, letter or pigeon should be considered to be legitimate.

Ros Florence says:
6 April 2017

My bank ask if I know who I am sending money to before I send it

This comment was removed at the request of the user

Elaine says:
6 April 2017

My bank said that data protection prevents them from saying if an account name and number don’t match. So if I want to pay John Smith and mistype the account number and it goes to Mr Jones that’s all my fault. I don’t see why they cant just flag up ‘The name and account number don’t match, please check both items carefully?’

If a bank has opened an account for fraudsters to move money into, they should be liable for all the people robbed by them. It is so hard to open an account it suggests that help from bank employees who have the authority to authorise opening could be a problem in some instances?

If you mis-type the account number, then of course it is your fault – surely you cannot blame someone else. The banks do not match name and account; the name is simply for your information as to who you paid the money to. Until a method of linking account name to the transaction is developed – and this seems less easy then people assume – we are stuck with a two-level payment reference. The PSR are working on this. I transfer £1 until I have confirmation the transaction went to the right person.

Geoff says:
8 April 2017

If banks ask for name AND number then it is not unreasonable for the bank customer to assume that the detail is cross-checked.

Banks must stop closing branches, if people have any worry about an email, a phone call or any other contact, they should visit their branch or phone their branch to discuss, before doing anything else.

Banks close branches when insufficient people use them. If people used them more…..a chicken and egg situation. I’d like to see “combined branches” where one place had representatives from different banks to cut costs.

David Thomas says:
7 April 2017

I disagree, Banks close branches to save money.

Gloria Collings says:
6 April 2017

I also made a recent Bank Transfer with Santander – Evesham – and they asked several questions, checking that I knew the person the money was being sent to.

It is equally clear that the use of internet is as big a part of the problem as the financial institutions. The internet companies also need to do their job properly and need to be policing these scammers.

I recently needed to transfer £2695 to a garage for a second hand car purchase. When I attempted to send the money a message on screen told me I need to phone a number to my bank. I was in a hurry so was a bit miffed being asked a load of personal security details remember family name pet cat town of birth etc which went on for at least 15 minutes. I was also asked if I knew what a scam was and if I could recall any. Thankfully I passed the test on request sending the money I had to authorise the funds after a call from the bank asked me to say or tap in the on screen number.. I was pleased the bank was being watchful but I think there ought to be a simpler way. My bank was Halifax.

Geoff says:
8 April 2017

For large purchases such as a car then use your debit card at the time you collect the car from the dealer – that way they don’t get the money until you have the keys in your hand.

I can recommend my bank Svenska Handelsbanken. It is a Swedish bank with a significant high street presence in the UK http://handelsbanken.co.uk.
It is everything that the English high street banks are not. It is ethical, it is personal [everyone has a personal account manager: not just millionairs] and it is extremely safe. Their internet security procedures are a bit tedious at first, but when you learn them, they are water tight, in fact unbreakable. Try them, and you will wonder why you ever bothered with English high street banks. Still, they don’t have a way of protecting the customer from a wrong bank transfer [done in error, or due to scam] – so I’d welcome legislation that would protect customers.

Keith Whitty says:
7 April 2017

Barclay’s are stopping my payments until I return a text to release the funds on unusual or new payments. I was also offered compensation when they refused to refund a payment 3mins after I made it, realising I was being scammed. Their staff were ridiculous when I first reported the issue and it took a 6months the to be compensated when it could have taken 5mins.

June Nelson says:
7 April 2017

My, TSB, bank behaved in exemplary fashion; blocking my card after two unusual foreign transactions. They telephoned me and when I assured them that the transactions were as intended my card was unblocked immediately

There are a number of positive steps banks could take to stop, or lower the ease with which the banks have facilitated the fleecing of the credulous, aged and vulnerable . This will require joint action by more companies than just the banks. The banks are just the tip of the spear.
– Allow customers to block at the branch any transfers from their accounts outside of DD’s and standing orders, and place limits on these amounts of so that if they are breached the customer must come into the branch and authorise the payment.
– Carry out better checks on DD’s and standing orders.
– Train the bank staff instead of sticking poorly trained staff in branches and call centres.
– Man the bank fraud departments at week ends,24 banking started decades ago. Yet the fraud prevention departments shut up shop for the week-end. The Friday afternoon scam is a well know FACT. The scammers recognise and exploit the fact that the fraud prevention staff stop work on Friday and only resume on Monday. Whereas the scammers and thieves work week-ends.
– Mandate high staffing levels in the fraud departments, by law. We have regulations on adequate balance sheet capital, why not on adequate fraud prevention staffing?
– Ensure that payments from accounts MUST have
i. the sort code
ii. Account number
Iii. Name .. this last additional check would help.
=If the customer is making a payment over £3,000 they MUST visit the branch before the transfer to authorise the payment.
-For payments over £3,000 the banks must phone the customer and explain the risks of being scammed.
Insist that the telephone companies change their systems so that when a person puts down a telephone the line is cut, and the scammer cannot keep the line open.
-Fine the banks millions for failing to protect their customers.
-Link executive bonuses to levels of customer financial losses. “What gets measured gets managed!”

These are some changes but as they are branch centred I doubt that the regulator, parliament, MP’s or the banks will be keen on implementing them.

Marilyn Sheffield says:
7 April 2017

When we lived in Dubai the bank sent an automatic text when a payment had been made, so we could easily contact them if it wasn’t us. It worked as someone used my credit card details to buy car parts in Italy. The bank eventually refunded the money.

My bank always rings me to check any new transaction before it authorises payment. This is a good thing as I always know where my money is going. If there is any strange activity in my account I would always be rest assured the fraud team would I form me Immediately.

sue allenby says:
7 April 2017

Any unusual activity should be followed up by email or text to the customer. A reply from the customer should be mandatory. If the customer is over 60, the contact should include a phone call if there is not response from virtual contact.

Why over 60? there are plenty of people under 60 that are’nt glued permanently to their smartphones and a great deal of people over 60 who use smartphones and are internet savvy. There are plenty of people who are intelligent to know better who get caught out by scammers, common sense seems to be a rare commodity these days in people of ALL ages.