/ Money

Update: stopping bank transfer scams – what would meaningful action look like?

Our research has found that people are still losing life-changing sums of money to fraudsters exploiting bank transfer payments. So, how much longer should we wait for effective action from industry?

Update: 28/02/19

Several major banks have signed up to a new code that will ensure refunds for thousands of victims of bank transfer scams.

In a huge win for our campaign, seven major banks have signed the code that ensures refunds for victims of bank transfer scams, and greater protection for all their customers. The banks who have signed up are:

■ Barclays

■ Lloyds Banking Group

■  HSBC

■ Metro Bank

■ Royal Bank of Scotland

■ Santander

■ Nationwide

These banks will begin a new reimbursement scheme for customers who have lost money through bank transfer scams on 28 May this year.

The new code requires banks, building societies and other payment services providers to put more measures in place to protect customers from bank transfer fraud – and, crucially, enables victims of this type of scam to get their losses refunded by their bank if they have done nothing wrong. But the code is only voluntary.

There’s still more work to be done. In the last two years alone £400m has been lost to bank transfer scams – and we want customers of all banks to be protected.

We’ll be turning up the pressure on the banks who haven’t signed up to the code in the coming months to demand they get on board and protect their customers.

Stop scams

Two years ago, as part of our super-complaint to the Payment Systems Regulator, we collected evidence from nearly 600 victims of fraud who told us they’d collectively lost over £5.5m to bank transfer scams.

Five months on from the PSR’s response saying that they’d found evidence that banks could be doing more, we’ve been checking to see if anything has changed.

We’ve found that people are still exposed when it comes to bank transfer scams, with many losing significant sums of money.

Despite fraudsters continuing to exploit bank transfer scams, we’ve not seen enough evidence that banks are making progress to protect their customers.

Roger and his wife lost £2,000 to a scammer posing as their gardener:

And cases like Roger’s are far from unique. In fact, our latest research reveals that one in 10 people in the UK had made a bank transfer, or knew someone that had made a payment, that later turned out to be to a fraudster. And of those people who had lost money to bank transfer scams, more than half had been victims in the last six months.


Huge sums of money are being lost to these fraudsters, and we found that nearly four in 10 didn’t get any money back at all.

So, today we’ve written to banks calling for them to clearly outline what action they are taking to safeguard consumers from bank transfer scams.

Bank scams

When it comes to banking the general expectation is that banks will look after you as their customer and your money too. But with so many continuing to lose such large sums of money to fraudsters exploiting the system, it’s clear more needs to be done.

The industry, regulator and next government need to urgently take action to tackle financial fraud. We want the next government to set out an ambitious plan to ensure that financial institutions do more to protect consumers from bank transfer scams.

We need your help to do this – please share your scams experiences with us and help keep the pressure on to deliver this change.

Tell us your scams story

Confirmation of Payee plans announced

Update, 11 December: The Payments Strategy Forum has outlined plans for a new payments system architecture in the UK.

One area that the Forum has been examining is ‘Confirmation of Payee’. Currently, when you make a payment to someone the bank will check that the account number and sort code you provide matches the ones on the account you wish to pay.

Throughout our scams campaign, we’ve heard of lots of stories where victims of scams have lost huge sums of money where they have believed they are making genuine payments for things like conveyancing fees or building work, but instead they are using bogus bank details sent to them by scammers.

The Forum has outlined that customers wishing to make a bank transfer will have to now enter the exact name on the account, as well as the other details. This would mean that when you transfer funds to another account the system would also need to confirm the name of the account you are paying matches the name you’ve provided.

If the transfer is to a person, the confirmation system will check to verify if the details are a match or not. If the transfer is a business, the confirmation system will return with the name, address and registration number of the company so that the consumer can check it.

The hope is that this confirmation system will encourage customers to verify details before transferring any money and also help to tackle one aspect of bank transfer scams.

The system will be available from December 2018, although it will be voluntary as to whether your bank offers it to you when you make a payment

We’ve been calling for confirmation of payee for some time now, so while we welcome its introduction, we believe it’s important that banks quickly act to introduce this measure to help protect their customers from scams.

Our Money expert, Gareth Shaw, said:

‘Hundreds of millions of pounds are being lost to these increasingly complex scams, so introducing confirmation of payee is a vital step towards boosting consumer protection.

‘With consumers still at risk of losing-life changing sums of money, banks must now urgently adopt these proposals.’

Update: 18/10/2018

A new ‘confirmation of payee’ service is on its way in 2019 to combat bank transfer scams.

Customers are to be warned if the name of someone they’re trying to pay does not match the account details. With losses to this type of fraud increasing drastically, it’s clear that this measure can’t come soon enough.

While we await its introduction, it’s crucial that an agreement is reached on the funding mechanism to reimburse all victims of bank transfer fraud who have been left out of pocket through no fault of their own.

Update: 25/09/2018

According to UK finance, the trade body that represents the banking industry, fraud victims have lost more than £145m this year to scams that leave them with no legal way of getting their money back. Just 20% of losses have been recovered.

In the first six months of the year, there were around 34,000 cases of ‘authorised push payment fraud’ (bank transfer scams). Losses averaged around £4,260.

Details of a reimbursement scheme are due to be published this week. Gareth, Shaw, Head of Which? Money Online said:

“It’s now two years since our super-complaint highlighted the lack of protection for victims of bank transfer scams, but these shocking figures show just how widespread the problem still is.

Banks’ efforts to date have been woefully insufficient and they have not done enough to protect their customers, who continue to lose life-changing sums of money to ever-more sophisticated crooks.

The Payment Systems Regulator has rightly committed to introducing a reimbursement scheme for victims. It’s about time that banks step up and properly compensate customers who have lost money through no fault of their own.”

Update: 28/02/2018

Win! The regulator has confirmed plans and timeframe for scams reimbursement scheme. Following its consultation on a reimbursement scheme for victims of bank transfer scams, the Payments Systems Regulator (PSR) has today confirmed that it will press ahead with plans to better protect scams victims.

It has also announced the formation of a steering group to design the code that will underpin the reimbursement scheme, setting out the members as well as the key principles and objectives of the group for the next six months. Forming this steering group alongside Which? are Age UK, Toynbee Hall, and representatives from the banking and tech industries.

The group will deliver an interim set of rules by the end of September. These will then be consulted on with a final set agreed by the end of the year.

However, from September, the Financial Ombudsman Service (FOS) will be able to use the draft code when determining new consumer complaints about authorised push payment scams.

We welcome today’s announcement as a step in the right direction. We hope that this will help to ensure the reimbursement scheme properly compensates victims who have been left out of pocket through no fault of their own.

However, the industry must also use other measures to better protect consumers at the point of transfer to stop such scams happening in the first place. These measures could include confirmation of payee, which would add an additional check before a bank transfer is made.

Do you want your bank to sign up to Confirmation of Payee to help protect you from bank transfer scams? What should the banks to do to protect their customers from losing money to bank transfers? Do you think the next government should tackle scams and financial fraud?

Comments

The safeguards should be in place not to allow large amount s to leave accounts of its customers get a grip banks

When making an online payment the payee’s account name not just the sort code and account number should be shown. It is very easy to enter a digit incorrectly but if you are able to see the payee is correct that would avoid errors and potentially fraudulent accounts.

This is being looked at but is not the simple solution it might seem. The PSR are investigating and details are on their website (if I remember correctly – this has been reported in an earlier Convo on this topic).

In the meantime, our banks could be protecting us from the most common errors by using International Bank Account Numbers. We have been told by someone working in banking that they are used in many countries. They contain a couple of check digits that allow the most common errors to be picked up.

It is worth looking at the PSR site because IBAN numbers are also not the simple solution, I understand.

There might be a better system in development but IBAN has been in use for years and does deal with the most common problems including simple transposition of digits. Check digits have been used extensively in computing for decades.

If payments are misdirected because of simple errors that could have been picked up using IBAN, the banks should recompense the customer.

If car manufacturers failed to install an important safety feature because they were designing a better one, we would not be impressed.

“The IBAN is comprised of:
The complete identifier, original bank code and account number, plus the additional characters. IBAN implementation has facilitated improvements in the quality of information exchanged between parties involved in European cross-border payments helping reduce errors and delays.

“The IBAN is calculated in such a way that it provides a guard against the accidental transposition of its characters/numbers and it can be checked or validated using our IBAN checker. However its validation does not guarantee that the bank code or account number is correct, nor does it guarantee that the account actually exists, or is live. “

It would be useful if an expert could comment on whether any of these quick fixes would be effective.

My bank has provided me with an IBAN and a BIC, but I have no idea if they are used in the UK. Yes we need some expert input, preferably in a relevant Conversation rather than one on scams.

As far as I know IBANs are for overseas bank transfers. All accounts have them, don’t they? As they were raised here in connection with supposedly helping avoid scams I’d like to hear from someone who can help us understand their value, or not, in this regard.

From what I have read elsewhere, IBANs are not yet universal, and I doubt that they are used in cheque transactions where only the account number and sort code are shown.

The scammers are breaking the law – it is NOT the bank’s fault. Do people expect Ford to recompense them if their car is stolen?

That’s true, Dr. Maxted. Though the banks sell a service, not a physical product. My bank’s credit card arm, though, is quick to block my high-value transactions if their ‘intelligent software’ reports that it is unusual and confirmation is needed. Why not the bank?

The answer, I suspect, is that as a credit card provider, the bank is likely to have to pay the money back if the transaction was fraudulent – this has happened to me twice. However, for bank transfers, there is no obligation, so there is no potential loss to the bank. With all the arguments above allowed for, loss of profit seems to be the motivator.

And legislation to make banks adopt their credit card system for transfers would solve the problem.

COLIN HANLEY says:
16 May 2017

Only an idiot would bank online.

I am one of the very many idiots who bank online without any problem. It is extremely convenient but you need to exercise caution and use common sense.

Wot malcolm said 🙂

The Banks seem to do as they please, how many times in the past , I hear the words Self Regulate, they are a rule onto themselves, they need to be held to be to task for there non actions.

As banks function via the “public” I feel that they should push for either apt banking or governmental checking measures on relevant financial organisation which are local/UK “based” . Surely this could be done rather simply and cheaply by using encrypted data relating to ALL national financial transactions – OK this may “slow” things down a bit (even as long as a microsecond), but surely governments exist to HELP & PROTECT the citizens —– etc. etc. etc. .

Everybody is being pushed into using the internet, and some of us older ones are having an awful lot of hassle, which we do not want at our age.

Sue says:
16 May 2017

Banks should be forced to include the name of the account holder along side the account number and name and number should tally before any transfer can be made, this would make it more difficult for scammers to phone people and get them to move money from one account to another since the name on the account would have to match the customer, if the name did not match the transfer would be prevented. It would also reduce man in the middle scams as the scam account would have to have an identical name to that of the original payee.
The banks are just lazy and greedy they do not want to update their computers to include extra cross referencing data (costs too much) which would greatly reduce fraud, profit and Board remuneration always takes precedence over protecting bank customers. In short they do not care unless and until it hits them financially in the pocket. We need the Government to insist they change their systems to combat fraud if they want to retain their banking licenses.

I wholeheartedly agree with all previous comments.

I think that it would help if banks gave you a password which they would quote in all telephone calls to you, so that you know it’s them and not a scammer.

Santander seem to think that putting a customer’s Log-in ID number in full on their statements is NOT a security risk. Their argument is that there is a three stage security system and that is only the first level.
I don’t know if other banks do the same.
This appears to me to be highly insecure as bank statements are a fundamental form of ID requested by various organisations such as DWP, Councils, etc.

Action ‘pour encourager les autres’, but perhaps not as strong as with Admiral Byng in 1757.
But as clear and positive!

No one should lose money by typing in just one digit incorrectly. The banks hide behind “confidentiality” to say they can’t recover the money. Surely the account number and name should agree for a transaction is completed.

Wilf says:
16 May 2017

Banks know were the money goes so they should be forced to shut scammers down.
A simple way is put a 3 day delay on transfers and make checks if amount over £1,000 surely this would give people time to check.

Bruce Buswell says:
16 May 2017

I believe that any newly-opened account in the UK should be treated with caution by the banks, perhaps by instituting a delay of several days between any large sum being paid in and withdrawn. That’s in the UK. If they have to do the same for all accounts, to cover identity theft, well it makes us all safer.

And where money is to be transferred out of the UK, then similar delay, escrow perhaps, should apply.

I think some more information on what happens when people are scammed would be helpful. All this information does is to worry me, but I have no idea how scams work. My account is online but it is a read only – I can’t transfer money online, I have to phone the bank in order to do so, and that cannot be changed online either. But asking customers what to do – Which, if we were all experts in this, we wouldn’t need the banks to up their game, would we? All very egalitarian and vox-poppy, but I would prefer Which to find some proper experts, come up with some sensible solutions, and then harness people like us to campaign for those solutions to be implemented. All you are going to get from this kind of forum is a ragbag of suggestions, some of which will be good and some of which will just display our ignorance.

Barclays Bank lost me thousands by releasing funds which I had transferred to one of their “customers”, even when I phoned the bank to ask them not to do so as soon as I found out it was a scam. They would not entertain me as I was not one of their clients and the scammer withdrew the money. Thank you Barclays for allowing any Tom, Dick & Harry to open an account without any checks.

Its a two way thing Customers must also be much more alert and very careful how they use and interact with their accounts.
Tales of people giving pins over the phone etc are not the fault of Banks it is people being careless or even stupid.

Banks and Building society’s need to have very robust safety systems too. There must be a way to track funds and the destination should be blocked if not to an authorised account.

Cedric Mungall says:
16 May 2017

When a Bank Transfer is being made, the name of the owner of the account the money is being transferred to should appear on the transaction.
This would be a step in raising any suspicion at the time of transfer if the name is unknown to the person making the transfer.

If fraudsters are clever enough to persuade banks that they should open an account it’s hardly surprising they fool ordinary members of the public. The onus should be entirely on the banks to ensure that fraudsters cannot open accounts. When they fail in this, they should always be responsible for refunding money stolen from their customers.