
Why the PSR must take action to protect APP scam victims

We’re calling on the Payment Systems Regulator (PSR) to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams.

8/07/2021: the PSR must not let victims down

Today, Rich Piggin (@rpiggin), Head of External Affairs and Campaigns at Which?, is appearing in front of the Treasury Select Committee to give evidence about the devastating impact of bank transfer scams and what action the regulator needs to take to make life better for victims. 

The chances are that in the past year you either have, or know somebody that has, received a text, call or email that turned out to be a scam attempt. While we should all be vigilant online, nobody intends to be the victim of a crime. Scam victims frequently talk of feeling scared and untrusting of others after the event, and often feel re-victimised when their bank blames them for not realising quickly enough that something wasn’t right.

These victims all too often struggle to get their money back, despite most major banks being signed up to a code that should ensure customers are reimbursed when they are not at fault. Banks are failing to properly and consistently implement the Code that they helped to write. Don’t just take our word for it – the Financial Ombudsman and the Lending Standards Board (which oversees the Code and is funded by the banks) have both criticised banks repeatedly over the years for their failures. The result is a lottery of protection for victims.

The situation is unsustainable. Encouragingly, the Payment Systems Regulator (PSR) is proposing mandatory protections be introduced. One solution they have put forward is to let the banks modify and rewrite the existing code, effectively handing them the opportunity to water down the consumer protections they disagree with and ignoring the evidence from the last two years. We firmly oppose this. Instead, the regulator should take forward its other proposal and introduce a requirement on all firms to reimburse customers who have acted appropriately.

Self-regulation has failed. We must do better. Letting banks act as judge and jury when it comes to scams has not worked. We must put in place a new system centred on helping the victims of this terrible and growing crime.

Banks and the regulator have had two years to try and make self-regulation work. All the evidence shows that this approach has failed. £700k a day is being lost to this crime, but less than half of it is reimbursed. Victims – particularly vulnerable ones – are being routinely failed by banks whose actions are undermining the Code they helped to write.

It is vital that the PSR does not hand the banks the power to modify or rewrite the existing code. Instead, it must take writing the new rules into its own hands and make it mandatory for all firms to reimburse victims when they are not at fault.

Rich will be giving evidence from 10:30am today (Thursday, 8 July). A longer version of this update appeared as an Op Ed in Times Redbox (paywalled content).


Do you agree that the regulator must not give banks the power to write their own rules on scam reimbursement?

15/06/2021: Update

28/04/2021: PSR must take action

When you fall victim to a crime, you expect to be believed. If someone breaks into your house, you don’t expect the police officer to point out where you should have installed CCTV. If you get mugged, you don’t expect to be asked for proof of how you put up a fight. And if you fall victim to a sophisticated and intricate scam, you don’t expect your bank to add to your feelings of guilt and distress by pinning the blame on you.

Yet that is exactly what is happening at the moment to victims of authorised push payment (APP) scams, otherwise known as bank transfer scams, in which people are tricked into unwittingly transferring money to a scammer.

Which? News: Banks routinely blame victims of fraud

We receive information from hundreds and thousands of victims every year. The case studies we see highlight the impact on victims of this horrific crime – and how this is often exacerbated by banks who appear not to care about what has happened to one of their own customers who may have just lost a life-changing sum of money.

Blaming the victims

Recent evidence published by the Lending Standards Board (LSB) and the Financial Ombudsman (FOS) demonstrates just how poorly some banks are treating victims and the lengths they will go to in order to pin the blame on individuals rather than accept any wrongdoing on their part.

The LSB oversees a voluntary code that industry helped to write and which sets out protections for APP scam victims. The Code states that victims should be reimbursed other than in a few specific circumstances – and even then banks are expected to consider the scam in the round and how individuals may have been affected by the context of what happened and how.

Data showing just how well banks are adhering to the letter and spirit of the Code was recently provided to the LSB by signatories to the Code (which include all the major banks plus Co-op, Metro, and Starling) and published earlier this year.

It paints a damning picture of how banks are interpreting and implementing the Code in wildly inconsistent ways and how victims are being mistreated across the board:

🔹 Victims were held fully or partially to blame 60% of the time, and therefore often denied any reimbursement

🔹 Blame was shared between the customer and either the bank sending or receiving the money, or between the two banks themselves, in a further 17% of cases

🔹 Two banks pinned the blame on victims in nine out of every ten instances

🔹 For investment scams – which often involve the highest amounts of losses – victims were blamed 67% of the time

🔹 Romance scams, which can involve extreme emotional and psychological manipulation, had a blame rate of 61%

Final adjudication

When a victim is dissatisfied with the outcome of a decision made by their bank they can escalate it to the Financial Ombudsman for a final adjudication. In some cases, these decisions are published.

We had a look at some recent decisions, which were all upheld in favour of the victim (as are the vast majority of APP cases), and found evidence of banks placing extreme and unjustifiable expectations on what a customer should have done to avoid being scammed. 

These included HSBC telling a victim who lost £2,000 to an HMRC scam that it was “inconceivable” that he didn’t spot the red flags because he worked in a professional industry, and Nationwide refusing reimbursement of £1,146 because the victim “didn’t listen” to warnings given – despite receiving a call from a spoofed number which made her believe she was speaking to her building society.

In a separate case, Halifax only returned half of a £60,000 loss to an investment scam victim who had “failed to make sufficient checks” before investing – before backtracking after Which? intervened to point out they had never asked the victim what checks they had actually made.

All of these and more provide further evidence for what we have been saying for years: the banks are consistently misinterpreting the Code they helped to write in order to put the blame on the victim, and the Payment Systems Regulator (PSR) is doing little to ensure they adhere to the rules.

Our calls on the PSR

We are calling on the PSR to use its upcoming consultation to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams. It must do this as quickly as possible to prevent banks making this a race to the bottom, and many more victims being denied rightful reimbursement.

That same consultation will also recommend a way to make APP scam protections mandatory. We strongly believe that industry has been given sufficient time and opportunity to provide the solutions so under no circumstances must the banks be allowed to write another new code to replace the existing voluntary one as the PSR has suggested. 

We will be continuing to make this case over the coming months so that the PSR stands firm and takes action to protect victims.

What would you say to the PSR if it suggested allowing the banks to write another new code?

Rod says:
9 July 2021

Banks are facilitating fraud. There should be agreement among banks to reverse ANY fraudulent transfer worldwide!

Just common sense to me. For too long now the Banks have slowly eroded any form of trust with customers and treated them appallingly when it comes to any form of recompense for not protecting them from fraud.
They want your business but are not prepared to accept responsibility for any wrongdoing or fraudulent act against a customer’s account.
A heavy fine should be imposed each time a Bank is found guilty of evading their responsibility of protecting customers.

Darren Rowe says:
9 July 2021

When a money transfer or payment is made to a non verified account the bank should be investigating the transaction before any money is released. There should be a delay in the payment and the clearance of large amounts of money if not to a well trusted account

Arthur says:
9 July 2021

My thoughts

What I don’t understand, if I open a new bank account I have to provide identification passport, driving licence and so on, if you are defrauded and have unwittingly sent money or money taken from your bank why can’t the banks find where your money is.
When a money transfer or payment is made to any account the bank should not send until verified by the customer also keep an update on recognised fraudulent accounts and do not send, so if I have scammed someone out of money and this is reported to the bank then this should be passed on to law enforcement to investigate and if found to be correct that persons assets should be taken.
With the latest technology and with everyone with a mobile phone a simple text from the bank to authorize payment would be very simple.
The banks can do more, the regulator must act to protect the vulnerable.

the banks are just taking taking & TAKING

Jack Duncan says:
9 July 2021

I propose that the UK Government adopts the EU MIFID2 Law as UK Law and add to this the law that Banks must accept the responsibility for the security of their Clients’ money entirely.

I agree that the Government must make it mandatory that Banks must be made to accept full responsibility for the security and safety of their clients’ money. When a client chooses to put their financial assets in a particular bank that bank should sign an agreement with the new customer ensuring that their financial assets are secure and that the bank now takes full responsibility to this effect.

Their money is secure. What the client then decides to do with their money is a completely separate issue. Should the bank question you whenever you make a transaction so they will approve what you are doing?

Carolyn, your (I presume) email address is visible when I click on “recent activity” and see your comment extract. Best not to use personal information as it could be misused.
@gmartin. Can it be removed?

All fixed – thanks for the flag @malcolm-r


Allowing the Banks to write the rules is rather like putting the fox in charge of the chicken coop, Banks have over the years proved to be one of the least trustworthy institutions, the scandal over unnecessary insurance, which still has not been finally settled, a case in point.
Yesterday Lloyds Bank were handed a very large fine for contravening regulations. If the Banks continue to flout regulations not only the Bank but its board of directors should face financial punishment and said directors barred from holding any directorship for a minimum of 5 years.

Banks should do more to warn customers and ask for confirmation when unusual payments are being made. The banks would also benefit.

I would agree with that.

Gwilym says:
9 July 2021

I receive several scam phone calls a week. Often the same automated voice with the same message.

It is essential that life is made difficult for these automated scam sweeper calls. I am sure there is software that would pick up and block or trace such calls in the first instance. There must be transparency as to where calls are generated from and also proactive fraud police work on these calls. Why do I get so many? Or is everyone getting this number? How did the scammers get my personal phone number in the first place?

Hi Gwilym,

Scammers can probably ring your number just by working through a sequence of typical UK phone numbers. When you pick up any of these calls, their robot diallers may record that a number has been answered and note that for further calls.

At the moment the best way to block these calls is to do it yourself, with the aid of something like a BT Call Guardian phone. Some phone companies, like BT, do also offer subscription to services for doing this.

Most of these calls seem to originate from overseas via the internet. Grey hat hackers like Jim Browning (check out his YouTube channel) regularly track the origin of these calls and sometimes local police may act on the information that he supplies to them.

Ken says:
9 July 2021

While there is a need for a degree of protection there is also a requirement to be responsible for your actions. Often you see women in a supermarket, handbag open and purse in full view. If stolen no one would expect the victim to be able to report the theft to the bank and to be reimbursed for the money lost. Similarly we are expected to safeguard PINs. Remember banks do not have money. Banks are custodians of our money. Therefore, reimbursements impact directly on our money – be it on interest rates, or dividends paid to shareholders such as individuals and pension funds. Making the cost of being scammed the sole responsibility of the banks may well make the individual less alert as s/he knows that there will be no fiscal penalty to her/him.

Gwilym says:
9 July 2021

When money is fraudulently transferred out of someone’s account presumably it is being transferred to another bank. This bank is hosting criminal activity and should be required to take responsibility for the loss and return the money, close the fraudster’s account and pass all the information they have on the holders of the account to fraud police. If I allow my home to be used for criminal activity of any kind I think I would have to answer for this. Banks that allow fraudsters to hold accounts knowingly or otherwise should be expected to take responsibility and sanctions should be taken against them.

The internet is the source of so many problems which did not exist previously I think it would be worth considering licensing or at least registering all users. Perhaps any unregulated user could be immediately flagged up as such.

Although some posters are defending the banks to the hilt, my experience with Nationwide’s details not being recognised by the major banks seems to have slipped from sight.


As you will see from the link, when the banks can’t even seem to get their confirmation of Payee set up to recognise each other, what chance they will manage anything for the ordinary folk?

I see no posters “defending banks up to the hilt” but I do see a few attempting to inject some balance and constructive suggestions into these Convos, rather than just joining a relentless attack. But maybe I have missed them.


Jennifer Jones says:
9 July 2021

Scams are clever and there should be some safeguard at a bank to ensure that the ‘victim’ can be alerted before transferring large sums from his/her account to an unknown destination.

Hi Jennifer, I already get texts and emails from my bank whenever I authorise cash transfers. I think anyone not already doing this should update their banking arrangements to include such alerts.

So if anyone else somehow managed to request transactions on my behalf, I would most likely still receive those messages and get some warning that something odd was happening.

Of course, when I am the one requesting the transaction, the destination won’t be unknown to me, because I will have requested it. It may of course, be unknown to my bank though.

But rather than relying on my bank to do everything for me, I think my first lines of defence should be to start out by never sending money to firms or individuals that are new and unfamiliar to me, especially those organisations or individuals that first made contact with me, as opposed to the other way round. For goods and services over £100, I also prefer to pay by credit card, so the credit card company will share some liability for checking out the fidelity of the vendor.

Reg Mason says:
9 July 2021

I agree entirely with Darren Rowe that the banks must be held responsible for ensuring customers’ money is safe with them and delaying paying large payments to allow the customer to agree would be the very least they should be doing.



Sally says:
9 July 2021

What is the point of a regulator if those they are supposed to be regulating can write their own code. Banks have consistently sidestepped their responsibilities. Their websites ask if the user wants their password to be remembered – really!!! They use complicated login procedures which the older user inevitably has to write down somewhere. Banks can reverse transactions, they chose not to. Any accounts which are clearly being used for purposes of fraud should be immediately locked pending a police investigation. The banks know the account details as they are the ones transferring the funds to these accounts from those that are being scammed.

Doug Knox ACIB, ACCA. says:
9 July 2021

When using a paper cheque, we are protected by law, because a forgery is null and void.
When using the bank’s computer systems, which are open to fraud and hacking, malware, spyware, and appear intrinsically unreliable, they become able to blame the customer.
This is part of the greed of placing the banks’ interest ahead of the customer, making customer service secondary, and treating former valued customers as mere punters to be taken advantage of.
It’s not the computer’s fault, but the loss of skilled bankers, who understood risk, against the long term value of each customer.

Em says:
9 July 2021

I think you are misinformed about cheque forgery being somehow different. The act of forgery has little to do with the medium used to commit the fraud. It is the intent that matters.

This is from the Crown Prosecution Service Prosecution Guidance – Fraud – Relevant Offences and Legislation. I’ll leave the full excerpt here, as it clarifies other related aspects of payment fraud, including the “theft” of personal data.

“Offences under the Fraud Act 2006 are applicable to a wide range of cyber-frauds by focussing on the underlying dishonesty and deception. The nature of the offending will dictate the appropriate charges, and prosecutors may also consider offences under the Theft Act 1968, Theft Act 1978, CMA, Forgery and Counterfeiting Act 1981, and Proceeds of Crime Act 2002 (‘POCA’).

Note that if an offender accesses data, reads it and then uses the information for his/her own purposes, then this is not an offence contrary to the Theft Act. Confidential information per se does not come within the definition of property in section 4 of the Theft Act 1968 and cannot be stolen (Oxford v Moss 68 Cr App R183 DC). It is likely however that this would constitute an offence under section 1(1) CMA. Also, if it was done with the intent to commit or facilitate the commission of further offences, it would constitute an offence contrary to section 2(1) CMA.

Where there are a number of suspects allegedly involved in an online fraud, a statutory conspiracy under section 1 of the Criminal Law Act 1977, or common law conspiracy to defraud may be appropriate. Prosecutors should consider the Attorney General’s Guidelines on the Use of the common law offence of Conspiracy to Defraud before making a charging decision. Where several people have the same access to a computer, one way to seek to prove the involvement of suspects will be to follow the payment trail as payments will often be required to be sent to a designated account, and may be attributed to an individual.

The acts of setting up a false social networking accounts or aliases could also amount to criminal offences under the Fraud Act 2006 if there was a financial gain, as under section 8 possession or making or supplying articles for use in frauds includes any program or data held in electronic form. For further guidance see the legal guidance on the Fraud Act 2006.”

Em says:
9 July 2021

CMA is a reference to the Computer Misuse Act 1990.

This creates a range of offences relating to the abuse of computer systems in general, such as data theft, hacking, destruction, interfering with operations, etc.

Terry H. says:
9 July 2021

Do same as me, transfer money by cheque book only, do not use internet banking, trust no one other than yourself, if they are giving you something, they want something back in return, be extremely careful what you click on, if you think you see something you would like, don’t click, look for it yourself, ignore the tempting discount offer, & remember, if it sounds too good to be true then that’s what it is.

Rex Norris says:
9 July 2021

The banks cannot just abdicate their responsibility for allowing criminals to open the bank accounts to which they transfer their illegally gotten gains. If the money goes into such an account then they must assume responsibility for refunding the victims.

Dave says:
9 July 2021

It seems to me all the banks are interested in is having your money and not looking after you as they should, protecting you and your money from fraudsters.