
Update: what more can be done to minimise the harm caused by bank transfer scams?

Bank transfer scams

Following our super-complaint last year, the Payment Systems Regulator (PSR) has set out its approach to tackle the problem of bank transfer scams. But will these plans go far enough?

As we pointed out last year, unlike with the protections in place for other payment methods, such as credit or debit cards, those who fall victim to a scam when transferring money from their bank account will find that they aren’t protected.

The PSR has already agreed with us that banks could do more to protect their customers.

And in its response to our super-complaint last year, it suggested that banks need to improve the way they respond to bank transfer scams, and do more to identify fraudulent payments.

It also proposed a package of work for the industry to take forward.

This included developing common standards to collect data, an approach to responding to instances of reported scams, and proposals for better sharing of information.

Terms of Reference

Under the PSR’s proposed plans announced today, the regulator will examine how other countries approach preventing and responding to this type of scam.

It will also compare how the payments industry tackles other types of scams and fraud, such as those involving payments made by credit or debit card.

In particular, it’s looking at what more the bodies who manage the payment systems (like Faster Payments) can do to protect consumers.

It’s also considering whether banks themselves could be required to do more, if they want to use these payment systems for their customers.

We’re pleased to see the PSR’s commitment to tackling the significant consumer harm caused by bank transfer fraud.

We strongly believe banks need to do more to protect their customers.

Currently there’s little incentive for them to put in place better safeguards, and banks have failed to adequately respond to the problem to date, despite seeing their own customers losing life-changing sums of money.

Next steps

We need the PSR to take action, propose new measures and look at banks’ liability when it comes to sophisticated payment scams.

Which? will be responding to the PSR’s proposed approach by the deadline of 21 March.

But, in the meantime, there is nothing stopping the banks from taking a lead and setting out how they are going to ensure that consumers aren’t left out of pocket.

Banks are due to report back to the PSR later this summer, and we expect to see clear and meaningful progress.

If they fail to deliver, then the regulator must step in and require the industry to put in place better measures and checks to prevent customers from losing money to bank transfer scams.

Update: 4 April 2017

Following its consultation, the Payment Systems Regulator (PSR) has published the final Terms of Reference for its program of work to tackle bank transfer scams.

The PSR listened to feedback from Which?, as well as others, and accepted many of our points, including ensuring that:

  • the focus is on seeing better outcomes for consumers;
  • any proposals consider the way that scammers quickly adapt their methods and are future-proofed; and
  • there is a clear timetable that starts to deliver real change for consumers quickly.

We will be watching closely to ensure that the PSR sticks to its timetable and makes swift progress.

There is still a massive gap in the protection for victims of transfer scams and there is more that banks can be doing themselves.

It’s now six months since we first raised the alarm, and we’ve not seen many changes from banks in terms of how they’re preventing customers from losing money.

We’re keen to hear from you – have you noticed your bank doing anything differently to protect people from scams? What do you think of the PSR’s approach? Would you like banks to be doing more?


Yrs later and still in the dark and life is unbearable. I have come to realise “one mustn’t complain” … best just put up and shut up. …

Not sure this counts, however my bank Halifax seconds after I had made a purchase at a cost of £26 plus online I had a text from the Halifax asking me to confirm I carried out the transaction, never happened afore, pretty damn good I thought.

I am with Santander. I have internet banking and use it – wouldn’t be without it. However when I want to transfer a large sum of several thousand i.e. self assessed tax bill, gift money to decrease estate I go to the branch to do this. Every time I have had to produce photographed ID (passport) and the staff member has read to me a statement to make me think if it might be fraud. I always tell the staff member the reason for the transfer.

Last time I did this I had quite a long conversation with the staff member who intimated that often they suspect that the transfer may be suspect but there is not much they can do about it. To my mind there should be 2 gateways:

  • Does the name on the account to which the money is transferred match what the person transferring thinks it should be?
  • There should be a cooling off period so that a fraudulent transfer could be pulled back.

In the days of cheques the cheque would take at least 3 days to ‘clear’ and could be ‘stopped’ within that period. Also (and I worked in a bank during the early 70’s) we checked each cheque coming into branch to make sure that the payee matched the account – pretty sure on that. But cheques were paid in via a credit payin slip over the counter. If payee did not match account then cheque was rejected and sent back to the bank of the payee!

So maybe the old ways have a lesson to be learnt…..

David O'Brien says:
7 April 2017

The initiative to final check must be with the banks. A lot of scams are old but often fresh to their victims and there are easily accessed databases of e-mail addresses, phone numbers (usually proxies) etc that are habitually used for scamming. I would think 80% or more could be detected by bank staff with a little knowledge and experience. If it has whiskers, a pointed nose, a worm like tail and squeaks it is a rat but often experience enables one “to smell the rat”.

In view of the number of naughties carried out by any number of banks in any number of their transactions (I give you RSB Coutts as but one pretty horrific example) and yet almost zero prosecutions in the UK, unlike other countries, they will only see it as being in their own interests to behave and put client interests FIRST will be when the law puts responsibility on senior staff AND directors, no matter which minion caused the situation. That is why senior staff and directors get paid SO MUCH MORE. I certainly had to accept that reality (in the real world) as the CEO of various national and inter’al NFP orgs. Why not banks?

Jaclyn Beckwith says:
7 April 2017

We all get emails from our banks, how are we all to know whether to open them or not?
Many of us open them to a scam or hackers.
I think we all need to know to keep us safe.
Thankyou Jaclyn

Liam Lynch says:
7 April 2017

Open more branches instead of closing them, which would allow people to deal directly with their bank and reduce reliance on machines or online transactions which are in turn more susceptible to scams.

When a bank customer makes a transaction of more than £100 to Mr A or B or C the payment should be held automatically in a secure account for a period of say three days before the funds are released to the requested payee. This will give the customer a cooling off period, very helpful when being pressurised to move funds to other accounts by scammers.

The whole point of the Faster Payment Service is to do what it says on the label. If a three-day waiting period is introduced that would defeat the purpose of the service. As with doing most things in life, care is needed but it is not a difficult transaction and millions of them go through every day without a problem. As has repeatedly been advised, for the first payment to a new payee it would be a good idea to put through a test transfer of a nominal amount [£1] and await confirmation from the payee that it has arrived in the correct account. That proves that the sort code and account number used will put the payment in the right place. After that, the balance can safely be transferred and all further payments to that account will be good.

Other payment services are available from banks for those wanting higher levels of security and are prepared to accept a small time delay [and a bank charge], and cheques can still be used, so slowing down the Faster Payment Service is not an acceptable solution.

It would be interesting to know how many of the millions of daily transfers are currently being affected by fraudulent diversion. I can understand how people can be deceived by a scam e-mail asking them to pay money into a different account to that originally notified but that has been very well-publicised now and I would expect alarm bells to ring, especially for big sums; people have been strongly advised after receiving such a request to obtain confirmation from the intended destination of the funds before carrying out the transaction.

Yes, my bank is more thorough in taking an interest in reasons why or if large transactions are being proposed; invariably, a senior operator is also involved in checking the transfer or withdrawal.

Scams are important, but even more so is actually having a branch you can visit. In Sheffield my bank HSBC now only has 3 branches in the whole of Sheffield. I started to use branches in nearby Derbyshire. My nearest branches were Dronfield and Bakewell. These have now closed also. If I want to use a branch I either have to travel into Sheffield city centre or Chesterfield in Derbyshire. Both would take up to three quarters of an hour on public transport each way. Banks appear to have forgotten that they are supposed to be offering a service to customers. Complaints come back with the usual “use your local post office” (also closed) or use online banking. This is another area for a Which Campaign. You are now penalised if you do not wish to use online banking.

The Midland Bank must be shuddering in its grave, Alysoun, but I suppose it would have eventually become a victim of the same competition and loss of customers.

One of the biggest scams is allowing payments to online gambling companies from joint personal and business accounts. This is fraud and banks ignore the devastation it causes. I have yet to find a person who sets up a joint account for gambling purposes; it is implicit that a joint account is for managing household finances or business finances, not for engaging in ‘high risk’ activities not in keeping with the purpose of a joint account. With joint personal accounts this is financial domestic abuse and is being aided by banks. With business accounts this is fraud (Police statement), helped by a bank.

With respect, I don’t think it is the bank’s business to question an instruction given by an authorised holder of a joint account be it a personal or trade account. All parties to a joint account are jointly and severally liable for all transactions passing through it.

Nick says:
10 April 2017

If the Banks were made liable for any losses incurred due to criminal activity, I think that would be an easy change to implement in the Banking Code. It would cause an instant tightening of the regulations, in my opinion.

It might also lead to an increase in criminal activity, of course.

Lloyds have started to send warning SMS for transfers above £90 or so it seems. Asking me to verify if I did authorise the transfer. Which I didn’t do in two cases, and the bank discovered there were more.

Steve Muir says:
12 April 2017

I would like to see the banks made jointly liable for any fraud via bank transfer. If they were liable for 50% that would be a strong incentive for them to find ways to protect both their customer and themselves.

I cannot see how banks can possibly protect anyone from the frauds that are perpetrated by criminals sending out false e-mails changing the payee details. The banks already carry warnings about this on their on-line payment transfer forms. Some of the cases involve hundreds of thousands of pounds [the balance of a property purchase sum] transferred to the wrong account in consequence of a criminal act using information obtained from the property conveyancer’s office. In such a case, compensation must come from the conveyancer because either their system was not secure or inside information was used, for both of which they are responsible and should have professional liability insurance. I do not see why account-holders’ funds should be used to cover such losses.

A second-line tactic is to use two accounts: a main one and a ‘hopper’. If I need to make an uncertain payment I make sure I have a little more than required in the ‘hopper’ and pay via that. If that account is compromised I can only lose a couple of quid from it – which shows I need to close it and open another one for the same purpose.

Alison Garmonsway says:
17 April 2017

Banks should stop promoting cashless society and contactless payment. Banks should reimburse customers who lose money to fraud otherwise there is no incentive for the banks to increase security or for banks to ensure fraud is fully investigated and criminals prosecuted.

My Bank, First Direct, have introduced voice recognition which is used in conjunction with private details that they have in their files.

I think that the current Lloyds policy of charging interest on the interest a month after you cleared the bill is possibly breaking the law.

As I understand it, if you clear the entire bill on one month, no further billing will apply.

Paying the outstanding amount due does not clear all the accumulating interest on the debt up to that date so I believe that it is a legitimate charge. If lenders forgo that it is a concession.

Martin says:
24 April 2017

Bank fraud? Online? Offline? The Trojan horse scam is promoted by Lloyds’ practices.

My wife received an email containing this:
“3 taps and you’re up and running
Please click here if you are having problems viewing this email.
We want you to recognise a fraudulent email if you receive one, so Lloyds Bank will always greet you personally, using your title, last name and the last four digits of your account number: xxxx”

But anyone can know your title, last name and the last four digits of your account number! We use them all over the place, and on cheques!!! Here, Lloyds chose to include a link! A link!!! If this was a phishing email, the link could be to a complete webpage that looks just like Lloyds, smells just like Lloyds and may infect your computer and steal your security information as you use it.

Lloyds? Shame upon you.

I bank with Santander. I have a £250 agreed overdraft facility which I am charged £1 per day if I use it. On occasions the resultant charge has caused an excess for which I am charged an additional £2 per day. I have been charged £90 for each of the last 2 months in addition to normal interest charges. I thought there was legislation against this kind of THEFT.

Stamphorse, unfortunately this practice seems to be perfectly legal. Other Convo topics on overdraft charges go into more details…