/ Money

Update: stopping bank transfer scams – what would meaningful action look like?

Our research has found that people are still losing life-changing sums of money to fraudsters exploiting bank transfer payments. So, how much longer should we wait for effective action from industry?

Update: 28/02/19

Several major banks have signed up to a new code that will ensure refunds for thousands of victims of bank transfer scams.

In a huge win for our campaign, seven major banks have signed the code that ensures refunds for victims of bank transfer scams, and greater protection for all their customers. The banks who have signed up are:

■ Barclays

■ Lloyds Banking Group

■  HSBC

■ Metro Bank

■ Royal Bank of Scotland

■ Santander

■ Nationwide

These banks will begin a new reimbursement scheme for customers who have lost money through bank transfer scams on 28 May this year.

The new code requires banks, building societies and other payment services providers to put more measures in place to protect customers from bank transfer fraud – and, crucially, enables victims of this type of scam to get their losses refunded by their bank if they have done nothing wrong. But the code is only voluntary.

There’s still more work to be done. In the last two years alone £400m has been lost to bank transfer scams – and we want customers of all banks to be protected.

We’ll be turning up the pressure on the banks who haven’t signed up to the code in the coming months to demand they get on board and protect their customers.

Stop scams

Two years ago, as part of our super-complaint to the Payment Systems Regulator, we collected evidence from nearly 600 victims of fraud who told us they’d collectively lost over £5.5m to bank transfer scams.

Five months on from the PSR’s response saying that they’d found evidence that banks could be doing more, we’ve been checking to see if anything has changed.

We’ve found that people are still exposed when it comes to bank transfer scams, with many losing significant sums of money.

Despite fraudsters continuing to exploit bank transfer scams, we’ve not seen enough evidence that banks are making progress to protect their customers.

Roger and his wife lost £2,000 to a scammer posing as their gardener:

And cases like Roger’s are far from unique. In fact, our latest research reveals that one in 10 people in the UK had made a bank transfer, or knew someone that had made a payment, that later turned out to be to a fraudster. And of those people who had lost money to bank transfer scams, more than half had been victims in the last six months.


Huge sums of money are being lost to these fraudsters, and we found that nearly four in 10 didn’t get any money back at all.

So, today we’ve written to banks calling for them to clearly outline what action they are taking to safeguard consumers from bank transfer scams.

Bank scams

When it comes to banking the general expectation is that banks will look after you as their customer and your money too. But with so many continuing to lose such large sums of money to fraudsters exploiting the system, it’s clear more needs to be done.

The industry, regulator and next government need to urgently take action to tackle financial fraud. We want the next government to set out an ambitious plan to ensure that financial institutions do more to protect consumers from bank transfer scams.

We need your help to do this – please share your scams experiences with us and help keep the pressure on to deliver this change.

Tell us your scams story

Confirmation of Payee plans announced

Update, 11 December: The Payments Strategy Forum has outlined plans for a new payments system architecture in the UK.

One area that the Forum has been examining is ‘Confirmation of Payee’. Currently, when you make a payment to someone the bank will check that the account number and sort code you provide matches the ones on the account you wish to pay.

Throughout our scams campaign, we’ve heard of lots of stories where victims of scams have lost huge sums of money where they have believed they are making genuine payments for things like conveyancing fees or building work, but instead they are using bogus bank details sent to them by scammers.

The Forum has outlined that customers wishing to make a bank transfer will have to now enter the exact name on the account, as well as the other details. This would mean that when you transfer funds to another account the system would also need to confirm the name of the account you are paying matches the name you’ve provided.

If the transfer is to a person, the confirmation system will check to verify if the details are a match or not. If the transfer is a business, the confirmation system will return with the name, address and registration number of the company so that the consumer can check it.

The hope is that this confirmation system will encourage customers to verify details before transferring any money and also help to tackle one aspect of bank transfer scams.

The system will be available from December 2018, although it will be voluntary as to whether your bank offers it to you when you make a payment

We’ve been calling for confirmation of payee for some time now, so while we welcome its introduction, we believe it’s important that banks quickly act to introduce this measure to help protect their customers from scams.

Our Money expert, Gareth Shaw, said:

‘Hundreds of millions of pounds are being lost to these increasingly complex scams, so introducing confirmation of payee is a vital step towards boosting consumer protection.

‘With consumers still at risk of losing-life changing sums of money, banks must now urgently adopt these proposals.’

Update: 18/10/2018

A new ‘confirmation of payee’ service is on its way in 2019 to combat bank transfer scams.

Customers are to be warned if the name of someone they’re trying to pay does not match the account details. With losses to this type of fraud increasing drastically, it’s clear that this measure can’t come soon enough.

While we await its introduction, it’s crucial that an agreement is reached on the funding mechanism to reimburse all victims of bank transfer fraud who have been left out of pocket through no fault of their own.

Update: 25/09/2018

According to UK finance, the trade body that represents the banking industry, fraud victims have lost more than £145m this year to scams that leave them with no legal way of getting their money back. Just 20% of losses have been recovered.

In the first six months of the year, there were around 34,000 cases of ‘authorised push payment fraud’ (bank transfer scams). Losses averaged around £4,260.

Details of a reimbursement scheme are due to be published this week. Gareth, Shaw, Head of Which? Money Online said:

“It’s now two years since our super-complaint highlighted the lack of protection for victims of bank transfer scams, but these shocking figures show just how widespread the problem still is.

Banks’ efforts to date have been woefully insufficient and they have not done enough to protect their customers, who continue to lose life-changing sums of money to ever-more sophisticated crooks.

The Payment Systems Regulator has rightly committed to introducing a reimbursement scheme for victims. It’s about time that banks step up and properly compensate customers who have lost money through no fault of their own.”

Update: 28/02/2018

Win! The regulator has confirmed plans and timeframe for scams reimbursement scheme. Following its consultation on a reimbursement scheme for victims of bank transfer scams, the Payments Systems Regulator (PSR) has today confirmed that it will press ahead with plans to better protect scams victims.

It has also announced the formation of a steering group to design the code that will underpin the reimbursement scheme, setting out the members as well as the key principles and objectives of the group for the next six months. Forming this steering group alongside Which? are Age UK, Toynbee Hall, and representatives from the banking and tech industries.

The group will deliver an interim set of rules by the end of September. These will then be consulted on with a final set agreed by the end of the year.

However, from September, the Financial Ombudsman Service (FOS) will be able to use the draft code when determining new consumer complaints about authorised push payment scams.

We welcome today’s announcement as a step in the right direction. We hope that this will help to ensure the reimbursement scheme properly compensates victims who have been left out of pocket through no fault of their own.

However, the industry must also use other measures to better protect consumers at the point of transfer to stop such scams happening in the first place. These measures could include confirmation of payee, which would add an additional check before a bank transfer is made.

Do you want your bank to sign up to Confirmation of Payee to help protect you from bank transfer scams? What should the banks to do to protect their customers from losing money to bank transfers? Do you think the next government should tackle scams and financial fraud?

Comments

Years ago, back in the 60’s when I was a bank clerk, before computerisation, Account Payee, Account number and Sort Code were all checked for exact match and if it didn’t match EXACTLY the credit or debit would be ‘bounced’.
I NEVER do a BACS transfer without putting the EXACT payee account name on the transfer. At least by doing this you have ‘some’ redress with you bank if it goes to the wrong account. I know most people don’t bother these days as it’s not strictly necessary but without the payee’s name on the transfer you don’t stand any chance of compensation.

Unfortunately, this isn’t true. Even if you put exact name but the account and sort code you put in belongs to another person banks make the transfer and won’t accept liability. With BACS or online transfers the only thing that has to match are bank account and sort code details. Effectively you are paying a bank account, not a person – hence “which” campaign for payee confirmation.
It’s safer for now to issue cheques, at least you know the actual person you want to pay can cash it. The whole banking industry needs a serious overhaul. It really isn’t fit for purpose anymore.

Confirmation of Payee appears not as simple as it might seem. However ways of doing this have been consulted on extensively and the New Payment System Operator is charged with its delivery:

The NPSO is working to define the rules and standards for a Confirmation of Payee (CoP) service. During June and July 2018 we held a series of roundtables, consumer focus groups and structured interviews with end users of payment services, consumer representative bodies, charities and corporates, trade bodies, government departments, payment services providers, and more. This engagement has helped to test and validate that the CoP proposition will deliver the end user outcomes envisaged in the Payments Strategy Forum’s Blueprint.

Payment Service Providers (PSPs) will be in control of implementing the feature into their customers’ payment journeys to enhance a payer’s control, trust and confidence, and we have been working throughout 2018 with PSPs from across the industry to craft the proposition and support the technical development of the CoP solution.

We are on track with this activity, which will facilitate the creation of a Confirmation of Payee capability for the market – these outputs will be used to inform the CoP proposition and guidelines, which will be published during early October 2018.

Hopefully we will soon see what should have been achieved years ago.

This might also help prevent people paying out to scam HMRC claims. If banks not only check with the payee but also check the receivers details the poor vulnerable people like the lady who recently had a frightening telephone call shortly after her husband died telling her that a court action was being taken to seize her home for non payment of tax might be saved losing a lot of money

Picking up on the earlier mention of a cashless society, has anyone given thought to the countless charities that rely on income from coffee mornings, sales of work, bring and buys, raffles, etc. etc. How are people supposed to pay for items at these events? Also, what about smaller clubs badminton, choirs, craft groups etc. I heard from someone trying to open a bank account for one of these recently. The Post Office manager told her she couldn’t open one there and she’d already tried at least one bank without success. Is this the start of banks refusing to work with cash. I recently tried to pay in a sum of cash amounting to approx £150 mostly in £2.00 coins. I was told to come back when I’d put it in the relevant bags and although the’d seen the cash and should have been able to tell roughly how many were needed, I was not to take in more than ten bags. Definitely a move to stop handling cash. I worked in a bank for many years and counting cash was deemed to be Customer Service. There isn’t a lot of that in local banks nowadays.

The banks cannot stop cash because it is made and issued by the government, but they could, theoretically, cease to handle it,although that might put them in breach of their banking licence authorised by the Bank of England. I think I shall start getting cash from the counter in future and present the cashiers with cheques for odd amounts like £34.27.

Ruth says:
27 January 2018

I am concerned that by forcing the customer to confirm the payee is ‘correct’, the liability if they have been scammed falls on the customer. The banks must know who these scammers are, and if they don’t, they SHOULD be able to find out. I have been very upset to read in a comment here that the ‘official’ fraud body does nothing, even when they are helped by a victim. What is that body FOR, if it doesn’t help catch these vermin? The cuts to the Police service are shameful in my view – you can see how ‘saving’ money in taxes COSTS everybody so much in other ways!

Confirmation of payee system is only the first step but at least it will stop any misdirected payments. All payers making payments in good faith should at least be re-assured they are paying the person or company they think they are. There are already regulations in place like MLR2017 (fraud and money laundering prevention) but banks ignore them. Going to the core of the problem is the answer, banks should not facilitate fraud.

I have heard stories of people being duped by email and text to send money into fake accounts for real purchases including house sales. While I want there to be a balance between barriers to opening a new bank account and protecting consumers I feel banks could do more to mitigate risks. They have the ability to flag risky transactions for credit card purchases if someone is suddenly sending £10,000 online to a new account or a new account is receiving large sums of money this should be flagged. On a personal note I always send a test payment of 1p when sending money to new accounts. I then check directly with the receiver such as my credit card company that it has arrived before sending any more money. If this is for a large purchase such as a house I would confirm in person that they received it.

Hi everyone, some good news for our scams campaign supporters today – following its consultation on a reimbursement scheme for victims of bank transfer scams, the Payments Systems Regulator (PSR) has confirmed that it will press ahead with plans to better protect scams victims.

It has also announced the formation of a steering group to design the code that will underpin the reimbursement scheme, setting out the members as well as the key principles and objectives of the group for the next six months. Forming this steering group alongside Which? are Age UK, Toynbee Hall, and representatives from the banking and tech industries.

The group will deliver an interim set of rules by the end of September. These will then be consulted on with a final set agreed by the end of the year.

However, from September, the Financial Ombudsman Service (FOS) will be able to use the draft code when determining new consumer complaints about authorised push payment scams.

Today’s Which press release is headed
Which? responds to regulator’s plans to protect victims of payment scams
28 February 2018
Which? responds to the Payment Systems Regulator’s announcement on its reimbursement model for victims of authorised push payment (APP) scams……..“The introduction of a steering group, that includes Which?, should help to ensure this much-needed reimbursement scheme properly compensates victims who have been left out of pocket through no fault of their own………………..”

Its is good news that Which? are directly involved with the process and hope they will take account of the many and varied comments that have been posted by commenters in Convos.

The Payment Systems Regulator’s report of Nov 17 (https://www.psr.org.uk/sites/default/files/media/PDF/PSR-App-Scams-report-and-consultation.pdf) discussed various models in section 6. I’d be interested to know what Which? proposes and hope it will keep its Members up to date with both its contributions and progress in what should be a transparent process.

This comment was removed at the request of the user

oliverp says:
2 April 2018

Most of this thread concerns the exact details of the receiving bank account. Any self-respecting fraudster would supply the full name of the bank account. Why do the regulators allow banks to open accounts, receive and pay out large sums, without a recallable trail. The weak point in the system lies more in the onward drawing out being lost without trace.

I agree.

The Payment Systems Regulator consulted on this in Nov 17 and published the outcomes in February 18. An interim code of practice was planned for this month. Which? can tell us whether this is on time as they are, apparently, part of the steering group helping its development.

https://www.psr.org.uk/sites/default/files/media/PDF/Outcome_of_CRM_Consultation_Feb_2018.pdf1.

”1.3 (PSR) received responses from 21 organisations (which included the major UK retail banks, Which? and UK Finance), one Parliamentarian and ten private individuals. Consumer groups and many of the industry players were supportive or conditionally supportive of the introduction of a CRM (Contingent Reimbursement Model)* for victims of APP scams. We received a range of views from different stakeholders on the key elements of the model and how it should function.

1.4 Taking account of responses, we consider that an industry code, developed collaboratively by industry and consumer group representatives, that sets out the CRM’s rules is the most effective way to promote the interests of users of payment system services and reduce the consumer harm that APP scams can cause…….

We have set out an ambitious timeline for the steering group. We want it to produce an interim code by September 2018 that the Financial Ombudsman Service can start taking into account as a relevant consideration when determining consumer complaints about APP scams. The steering group – following a final round of consultation – should have the final code in place in early 2019

*The CRM will involve deciding the “requisite level of care” that someone has to take when deciding a complaint.

Which? comments on new name check safeguard for bank transfers
18 October 2018

“It’s right that banks and building societies have finally been forced to introduce this much-needed check at the point of transfer. However, customers will wonder why banks have dragged their heels and not implemented this system years ago, as it could have prevented a significant amount of fraud.
Perhaps it was not that simple to introduce; that was the impression given from the reports I read. Does every other country have such as system? If not, we might ask why not if it is so easy to implement. And it is taking quite a time to introduce which also suggests it is not a quick fix. Which? could ask the Payment Systems Regulator to inform us about this, instead of leaving it hanging in the air.

I could ask why Which? did not suggest a way to do this years ago and work with the banks to introduce it. Criticising what happened in the past seems not a constructive way to make things work better in the future.

“With losses to bank transfer fraud increasing drastically it’s clear this measure can’t come in soon enough. While we await its introduction, it’s crucial that an agreement is reached on the funding mechanism to reimburse all victims of bank transfer fraud who have been left out of pocket through no fault of their own.” This suggestion was repeated on TV this morning – reimburse the customer when they are not to blame. Well, with a push payment it is the scammer who begins this process by contacting the customer with false information. It then requires the customer to do something before the payment can be made. The customer instigates the transfer by instructing their bank to move money from their account to the scammer’s account. They are responsible (I wouldn’t use the term “to blame” but they are the initial “at fault” party). Unless the bank knows the scammer is such, that the account is only set up to deal with fraudulent transactions, I fail to see how someone other than the customer can be held responsible for their own voluntary action.

The problem is that if every fraudulent transaction, however done, is refunded it is not the banks who pay but all of their customers. They will see increased charges and lower interest rates perhaps, something continually complained about. Do you and I want to give our money to refund someone else who has made a fraudulent transfer? A bit like us giving our money to everyone who has been robbed.

Perhaps insurance is needed, but they will be searching when investigating a claim to ascertain the merit and the share of responsibility; something the proposed system effectively recommends before a refund is authorised.

One certain consequence of such refunds is (some) people will be less careful, knowing their money is not at risk as someone else will pay them back. A likely escalation in fraud.

Another consequence will be using the refund system fraudulently – conspire with someone else to transfer your money to an account that is out of reach and then claim a refund.

https://press.which.co.uk/whichstatements/which-comments-on-new-name-check-safeguard-for-bank-transfers/

Recently, when dealing with bequests, I was taken through a set of statements during my bank interview. My agreement was sought on the facts that, I knew the person/s I was transferring money to; that no one had asked me to make these transfers by calling me and that the bank details I had supplied were correct. These were shown to me and I checked them again. This was a bit “belt and braces” since we had been discussing these transactions for some time before this, but it was reassuring to know that this check was in place. However, the onus was on me to verify the data and not on the bank to check I had correctly noted it before going to the branch. Transfers on line might have also taken me through these statements, but again relied on me being accurate and, of course, negating their responsibility if I was not. Large or unusual transfers should always be questioned. There should be a delay in making these. Most crooks seem to take advantage of the speed with which they can extract their stolen money to get it before it can be detected and stopped. I wonder how hard it would be for banks to actually check transfer details and inform customers of any discrepancies in the transaction? Perhaps, too, banks should note the age of customers and typical behaviour of bank accounts and use this to trigger alerts when something unusual is flagged up. That would be customer service even when some might think it insulting.

You realise that by sending cheques to the recipients crossed to their Bank and Account [that is you write Lloyds say , and the account number and name on the cheque] then the fraudulent conversion aided by a Bank puts them squarely responsible for the lost funds.

But Banks are busy trying to shed the case law that makes them responsible and Which? appears to be part of the problem by not advising readers of the alternatives.

Perhaps Which? should spend less on their senior Executives and more on researchers and analysis.

This seems, according to the FT, to be the procedure being implemented next summer:
. When making an online transfer in future, there will be three possible outcomes.
– If the correct account name is entered, a confirmation appears and the customer can proceed with the payment.
– If a similar name to the account holder is entered, the actual name of the account holder will be provided for the customer to check. The customer can then update the banking details and try again or contact the intended payee to confirm their details.
– If the wrong name for the account holder is entered, the customer will be told that the details do not match and will be advised to contact the intended recipient.”

The Intro to this Conversation has become incredibly incoherent. There are dates without years quoted, there are things promised in given timescales that have not materialised, there are outcomes described as a “Win!” that have not been fulfilled, and there is repetition and confusion throughout. It is an absolute riot of cut-&-paste conglomeration.

Could Which? please clean this topic up and composite the content properly and chronologically [from the top instead of from the bottom as now] so that readers can understand it. References to dates or seasons should always give the year. I don’t think this is too much to ask on such a serious and important subject.

The article is heavy on what the banks should do – and rightly so because, as some commenters have said, their procedures have allowed false accounts to be set up by criminals – but there is no mention of what action is being taken to detect, arrest and prosecute the perpetrators of these crimes. For all the thousands of APP fraud events I suspect there are only a handful of criminal outfits active across this particular form of crime. What is being done to identify and disrupt them? How many have been caught and prosecuted? What is the response of the National Police Chiefs Council and the Serious Fraud Office? Are they treating these crimes seriously enough or is it in the ‘too difficult’ tray? Are the banks cooperating with them and assisting in the investigation of the crimes? [Possibly not because they are not out of pocket].

I feel there needs to be much more publicity about the risks of changed instructions for making authorised push payments; where is the pressure on government to publicise this type of crime and give consumers guidance? I would like to see newspaper and TV adverts used to highlight the problem and – perhaps – advise people not to use the on-line banking facilities for such payments; that would bring it home to the banks that they are not making enough progress since on-line banking is all part of their plan to reduce the amount of customer interface and manual processing of payments so they can close more branches.

It is good to see Which? highlighting this problem on YouTube but on its own that does not connect with enough potential victims as it is passive media rather than active. I haven’t noticed any large posters in my banks about the risks involved, or prominent flyers accompanying their monthly statements, or as an accompaniment to the fatuous slogans in their TV commercials [“we’re on your side”, “we’re always here to help”, “by your side” etc, etc]. The occasional mention in one of the consumer-oriented TV programmes is not getting through to people.

The new measure proposed – the confirmation of payee service – is good, albeit overdue, and should make this crime less prevalent but I doubt it will put an end to it. Banks must also attend to their procedures for accepting new customers, opening accounts, and monitoring irregular account activity [for example, personal accounts that do not have the usual outgoings like utility payments, mortgage repayments, council tax bills or incomings like salaries or pensions but consist only of large credits from personal payers and immediate withdrawals or transfers and virtually no continuing credit balance]. They also need to do proper checks on applications for business accounts and query those that use the same or similar name as an existing company and take up references from other banks and suppliers.

There is also the money-laundering side of this that is not being thoroughly investigated: where is the money going next? who is handling it and what is it being used for? This is hot money so I bet it is not being placed in savings accounts or used to buy premium bonds. I cannot believe it isn’t being used to fund other criminal activity including, of course, the drugs trade.

Calling these crimes a “scam”, or just a fraud, seems inadequate. To the victim who has had a large sum plundered this is daylight robbery or grand theft and can have life-changing consequences with possible mental illness or breakdown.

Banks must also attend to their procedures“. Indeed. I hope the improvements to the systems proposed will help significantly.

Customers must also take responsibility for their actions, helped by their banks educating them in proper procedures and precautions, and the way problems can arise. I think that their should be two levels of online banking accounts; one for those conversant with the way they operate and possible pitfalls, and one with more restricted facilities for people less able or less confident. The latter might restrict the amount that could be transferred, and/or put a time delay on the transfer so that second thoughts could be had. Howeve,r if you do make a mistake I’m not sure how many people would bother to go back and check, but it might help with possible fraudulent transactions.

Hi John. Take your points on the layout after several updates to this one. I’ll have a look at tidying it up.

Thanks, George.

It’s so easy to mis-type a bank number or to mis-hear one. It’s also easy to mis-enter an amount on a cheque or write an amount correctly but leave space for someone else to add extra on to what you wrote.

The advice repeated often is to transfer just £1 to a new account and check it has been received before transferring the balance. I always ensure the space on cheques is filled with lines to ensure no changes can be made. We have to do such things carefully as they are our responsibility. We cannot make someone else responsible for our own mistakes.

And to mis-type words. I keep putting “their” for there; autofingers.

The banks should have been required to make use of the payee’s name in the first place. If the name given for the payee does not match the recorded name then the payment can be held for further investigation but if it does match then there is little chance of a misdirected payment.

The modern age of the Internet a scammers paradise. If in doubt in anyway no matter how small dont transfer. Request for money always check all Name exact, Email address exact, THEN contact the company and confirm the request via a known used email or phone number,,,that is genuine, use a different phone if you have been contacted by phone.., and speak to the person in the email. Check Sort code, account number, name of recepient inc exact spelling. Once 100% sure all is totally correct then transfer and pray very hard.

This comment was removed at the request of the user

There is no excuse for the sending and receiving banks to dither and delay once they are notified of a possible fraud. Red tape between departments should be no hindrance to their investigations and the protection of their customers. Banking is an international network that does not need government approval in order to act on criminal activity. I don’t think we need excuses to let the banks off the hook.

Hang them fraudsters by the neck until death, as the minimum sentence!

This comment was removed at the request of the user

This comment was removed at the request of the user

The bank receiving the transfer has erred, by allowing a scammer to set up an account for fraud purposes.
Therefore, the receiving bank should be liable for the losses of the victims.