/ Money

Update: stopping bank transfer scams – what would meaningful action look like?

Our research has found that people are still losing life-changing sums of money to fraudsters exploiting bank transfer payments. So, how much longer should we wait for effective action from industry?

Update: 28/02/19

Several major banks have signed up to a new code that will ensure refunds for thousands of victims of bank transfer scams.

In a huge win for our campaign, seven major banks have signed the code that ensures refunds for victims of bank transfer scams, and greater protection for all their customers. The banks who have signed up are:

■ Barclays

■ Lloyds Banking Group


■ Metro Bank

■ Royal Bank of Scotland

■ Santander

■ Nationwide

These banks will begin a new reimbursement scheme for customers who have lost money through bank transfer scams on 28 May this year.

The new code requires banks, building societies and other payment services providers to put more measures in place to protect customers from bank transfer fraud – and, crucially, enables victims of this type of scam to get their losses refunded by their bank if they have done nothing wrong. But the code is only voluntary.

There’s still more work to be done. In the last two years alone £400m has been lost to bank transfer scams – and we want customers of all banks to be protected.

We’ll be turning up the pressure on the banks who haven’t signed up to the code in the coming months to demand they get on board and protect their customers.

Stop scams

Two years ago, as part of our super-complaint to the Payment Systems Regulator, we collected evidence from nearly 600 victims of fraud who told us they’d collectively lost over £5.5m to bank transfer scams.

Five months on from the PSR’s response saying that they’d found evidence that banks could be doing more, we’ve been checking to see if anything has changed.

We’ve found that people are still exposed when it comes to bank transfer scams, with many losing significant sums of money.

Despite fraudsters continuing to exploit bank transfer scams, we’ve not seen enough evidence that banks are making progress to protect their customers.

Roger and his wife lost £2,000 to a scammer posing as their gardener:

And cases like Roger’s are far from unique. In fact, our latest research reveals that one in 10 people in the UK had made a bank transfer, or knew someone that had made a payment, that later turned out to be to a fraudster. And of those people who had lost money to bank transfer scams, more than half had been victims in the last six months.

Huge sums of money are being lost to these fraudsters, and we found that nearly four in 10 didn’t get any money back at all.

So, today we’ve written to banks calling for them to clearly outline what action they are taking to safeguard consumers from bank transfer scams.

Bank scams

When it comes to banking the general expectation is that banks will look after you as their customer and your money too. But with so many continuing to lose such large sums of money to fraudsters exploiting the system, it’s clear more needs to be done.

The industry, regulator and next government need to urgently take action to tackle financial fraud. We want the next government to set out an ambitious plan to ensure that financial institutions do more to protect consumers from bank transfer scams.

We need your help to do this – please share your scams experiences with us and help keep the pressure on to deliver this change.

Tell us your scams story

Confirmation of Payee plans announced

Update, 11 December: The Payments Strategy Forum has outlined plans for a new payments system architecture in the UK.

One area that the Forum has been examining is ‘Confirmation of Payee’. Currently, when you make a payment to someone the bank will check that the account number and sort code you provide matches the ones on the account you wish to pay.

Throughout our scams campaign, we’ve heard of lots of stories where victims of scams have lost huge sums of money where they have believed they are making genuine payments for things like conveyancing fees or building work, but instead they are using bogus bank details sent to them by scammers.

The Forum has outlined that customers wishing to make a bank transfer will have to now enter the exact name on the account, as well as the other details. This would mean that when you transfer funds to another account the system would also need to confirm the name of the account you are paying matches the name you’ve provided.

If the transfer is to a person, the confirmation system will check to verify if the details are a match or not. If the transfer is a business, the confirmation system will return with the name, address and registration number of the company so that the consumer can check it.

The hope is that this confirmation system will encourage customers to verify details before transferring any money and also help to tackle one aspect of bank transfer scams.

The system will be available from December 2018, although it will be voluntary as to whether your bank offers it to you when you make a payment

We’ve been calling for confirmation of payee for some time now, so while we welcome its introduction, we believe it’s important that banks quickly act to introduce this measure to help protect their customers from scams.

Our Money expert, Gareth Shaw, said:

‘Hundreds of millions of pounds are being lost to these increasingly complex scams, so introducing confirmation of payee is a vital step towards boosting consumer protection.

‘With consumers still at risk of losing-life changing sums of money, banks must now urgently adopt these proposals.’

Update: 18/10/2018

A new ‘confirmation of payee’ service is on its way in 2019 to combat bank transfer scams.

Customers are to be warned if the name of someone they’re trying to pay does not match the account details. With losses to this type of fraud increasing drastically, it’s clear that this measure can’t come soon enough.

While we await its introduction, it’s crucial that an agreement is reached on the funding mechanism to reimburse all victims of bank transfer fraud who have been left out of pocket through no fault of their own.

Update: 25/09/2018

According to UK finance, the trade body that represents the banking industry, fraud victims have lost more than £145m this year to scams that leave them with no legal way of getting their money back. Just 20% of losses have been recovered.

In the first six months of the year, there were around 34,000 cases of ‘authorised push payment fraud’ (bank transfer scams). Losses averaged around £4,260.

Details of a reimbursement scheme are due to be published this week. Gareth, Shaw, Head of Which? Money Online said:

“It’s now two years since our super-complaint highlighted the lack of protection for victims of bank transfer scams, but these shocking figures show just how widespread the problem still is.

Banks’ efforts to date have been woefully insufficient and they have not done enough to protect their customers, who continue to lose life-changing sums of money to ever-more sophisticated crooks.

The Payment Systems Regulator has rightly committed to introducing a reimbursement scheme for victims. It’s about time that banks step up and properly compensate customers who have lost money through no fault of their own.”

Update: 28/02/2018

Win! The regulator has confirmed plans and timeframe for scams reimbursement scheme. Following its consultation on a reimbursement scheme for victims of bank transfer scams, the Payments Systems Regulator (PSR) has today confirmed that it will press ahead with plans to better protect scams victims.

It has also announced the formation of a steering group to design the code that will underpin the reimbursement scheme, setting out the members as well as the key principles and objectives of the group for the next six months. Forming this steering group alongside Which? are Age UK, Toynbee Hall, and representatives from the banking and tech industries.

The group will deliver an interim set of rules by the end of September. These will then be consulted on with a final set agreed by the end of the year.

However, from September, the Financial Ombudsman Service (FOS) will be able to use the draft code when determining new consumer complaints about authorised push payment scams.

We welcome today’s announcement as a step in the right direction. We hope that this will help to ensure the reimbursement scheme properly compensates victims who have been left out of pocket through no fault of their own.

However, the industry must also use other measures to better protect consumers at the point of transfer to stop such scams happening in the first place. These measures could include confirmation of payee, which would add an additional check before a bank transfer is made.

Do you want your bank to sign up to Confirmation of Payee to help protect you from bank transfer scams? What should the banks to do to protect their customers from losing money to bank transfers? Do you think the next government should tackle scams and financial fraud?

DavidG says:
18 December 2017

It should not be beyond the wit of man (or even the banks) to implement this reasonable measure.

This is long overdue. The sooner it is up and running the better.

Impossible for them to act quickly all things that should be done immediately at once if not sooner take a long long time This will HAVE to be discussed over and over for a long time so that all objections are talked about for evermore Has anything of an urgent nature ever been done as quickly as it should have been done? Can anyone remember please ??

Graham says:
18 December 2017

The average person does not have the skills to examine websites or email headers to uncover potential fraud and Banks need to take greater care to create more safeguards for their customer and to protect them. Payee confirmation would be a sensible and painless addition to the systems.

Geoff Gibbs says:
18 December 2017

I agree with the common sense comments mad by others. Sometimes in today’s mad world we miss the simple solutions.

Patricia in Scotland says:
18 December 2017

I know my firm of solicitors were worried after a house sale to transfer money to my siblings and to me and wanted confirmation that transfers had been managed OK. So if professional bodies are worried when they are dealing with client’s money it is more than time something was done to make things safer and less able to hack into accounts or have scams to look similar to real accounts when electronically transferring significant sums of money. No one wants to go back to the tedious and slow system that we had before when it took so many days for banks to clear cheques!

It’s about time the bank’s got their a**e’s in gear.

Poor poor poor ‘Pop’ media type opinion seeking

I this an unbiased Which enquiry or a popularist media fix?

P M Tharratt says:
19 December 2017

All banks should agree to this proposal as soon as possible, not wait for another year. All banks should also install the money route identification for large amounts so that a transfer can be frozen before it reaches a potential fraudster’s account.

You say above “will have to now enter the exact name on the account” – the system should display the payee account name for confirmation – I would not want to have to enter EXACTLY the details. The account name could be a very slightly different spelling or punctuation, initials etc. – there are so many possible permutations.

Good customer service is good business this plan will protect customers.

Anthony says:
19 December 2017

It occurs to me that these scammers/thieves open a bank account and when the transfer is made the account is then closed and no trace of them can be found. Surely the bank has a duty of care to insist on authentic identification before a bank account can be opened so any fraudulent behaviour can be later traced.

Richard Jones says:
19 December 2017

The problem is real and in some cases the consequences are disastrous. The solution is technically simple.

“Confirmation” should require the acceptance of both payer and payee for significant sums of money with an appropriate delay in payment built in. This could be rather akin to distance selling safeguards.

19 December 2017

Banks have been adopting the easy way out in the past by burying their heads in the sand. Action now!

Surely everyone including banks have the right to expect any transfer of money is paid to whom it is meant to go too!

That’s the kernel of the argument, Kenneth. The banks have been insisting on paying the money to the account details given in the instructions they receive from the payer. In the future they will have to check whether that is what their customer intended. Getting all that data loaded across all the banks [including those not participating in the scheme], and creating and testing the new system, is why it will take a year to implement. It is complicated by it being necessary to present the verification information at the time the funds transfer is being ordered so that the transfer can be made within two hours.

If the customer puts in a sort code and account number, their bank can only expect that is who they meant to send the money to. That responsibility begins with the customer. The new system will greatly reduce the likelihood of an error being made by the customer. I presume that scams will be greatly thwarted as well when an account name is part of the process.

We could start speculating now how scammers will move on – what they will do to circumvent the system. They are probably cleverer than those setting up the system.

There is no doubt it will be a major step forward in improving on-line banking security and thwarting scams. There is a risk, though, that accounts with very similar names – that the customer might not recognise as incorrect – could be set up. A lot now comes down to how the banks authorise the opening and naming of new accounts. I cannot believe that the name on my accounts is unique to me – it relies entirely for discrimination on the account number since the sort code could have several accounts in the same name. The customer must examine all three parts of the new verification process and not just jump to the account name in case an error has occurred within the data reconciliation software.

But if someone tries to intercept a solicitors or builders request for payment, say, they would need to set up very similar account names, probably only useful on the one occasion. That would seem unworkable? And the chances of putting in an account number that has one incorrect digit, and getting an expected name, or similar, seems pretty remote? But the careless will still prevail – we cannot always totally protect people from themselves, or from falling for a scam.

Scams are undoubtedly a challenge because of the ability of the fraudsters to use new approaches to defraud the public. I would like to see independent evidence that dealing with misdirected payments is as difficult as the banks and regulator has claimed.

I well remember when computerise billing was introduced for utility billing and a small proportion of customers received huge bills due to some mistakes. At the time it was claimed that it was not possible to avoid. That was utter tosh since even a simple spreadsheet can be used to flag up anomalously large numbers.

The majority of payments could be processed immediately and those where the payee does not match could be flagged up for investigation.

The PSR report looks in detail at the preferred solutions to a number of issues, not just confirmation of payee. It includes, for example, looking at “pull payments” and whether the payer is to be informed that a direct debit is due, and to confirm to pay rather than have it automatically paid. That might help people hovering near overdraft although I don’t know what the consequence might be of not paying – say a motor insurance.

As far as payee matching is concerned, it seem to me that submitting a payee name by the payer at the outset, and getting an immediate yes or no before they confirm, is of no real inconvenience. It might have the added benefit that you might, for example, be making a payment to entirely the wrong person in error – clicked on the wrong one in your stored list, used the wrong statement say, and this might then act as a useful prompt before you commit
(business account names are returned for check to the payer, as I understand the proposal.)

You only need one fraudulent transfer to get the balance of the purchase price on a house, Malcolm!

Considering how much money the banks make it would be a fraction of their profits to develop a fix. Why are big institutions so reluctant to make changes to help their customers. Wouldn’t it be nice if the banks were proactive. After all we have suffered 10 years of relative stagnation as we – the consumer – have paid off the huge debts that the banks incurred through the sub-prime lending scam. Their fault. Not ours.
Go on banks, get customer focused and ahead of the curve and not behind.

It is About time the banks accepts responsability

Steve L says:
19 December 2017

This is simply a good customer service/protection measure for the banks to address now. It would benefit them and their customers to get on with it quickly.

This should be happening without the need for signing petitions etc. Anything that stops people stealing what isn’t there’s i the first place has to be good doesn’t it?

The only questions I have is why will it take so long and why is it not compulsory

It is probably not compulsory because that would require an Act of Parliament, or at least some Statutory Instruments, which would add to the time required. The hope is that competition and customer pressure will compel conformity.

As I have said above, the implementation period is due to the complexity of the changes to the existing system in adding another layer of verification without destroying the primary feature of the Faster Payment Service.