/ Scams

Why the PSR must take action to protect APP scam victims

We’re calling on the Payment Systems Regulator (PSR) to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams.

8/07/2021: the PSR must not let victims down

Today, Rich Piggin (@rpiggin), Head of External Affairs and Campaigns at Which?, is appearing in front of the Treasury Select Committee to give evidence about the devastating impact of bank transfer scams and what action the regulator needs to take to make life better for victims. 

The chances are that in the past year you either have, or know somebody that has, received a text, call or email that turn out to be a scam attempt. While we should all be vigilant online, nobody intends to be the victim of a crime. Scam victims frequently talk of feeling scared and untrusting of others after the event, and often feel re-victimised when their bank blames them for not realising quickly enough that something wasn’t right.

These victims all too often struggle to get their money back, despite most major banks being signed up to a code that should ensure customers are reimbursed when they are not at fault. Banks are failing to implement the Code that they helped to write properly and consistently. Don’t just take our word for it – the Financial Ombudsman and the Lending Standards Board (which oversees the Code and is funded by the banks) have both criticised banks repeatedly over the years for their failures. The result is a lottery of protection for victims.

The situation is unsustainable. Encouragingly, the Payment Systems Regulator (PSR) is proposing mandatory protections be introduced. One solution they have put forward is to let the banks modify and rewrite the existing code, effectively handing them the opportunity to water down the consumer protections they disagree with and ignoring the evidence from the last two years. We firmly oppose this. Instead, the regulator should take forward its other proposal and introduce a requirement on all firms to reimburse customers who have acted appropriately.

Self-regulation has failed. We must do better. Letting banks act as judge and jury when it comes to scams has not worked. We must put in place a new system centred on helping the victims of this terrible and growing crime.

Banks and the regulator have had two years to try and make self-regulation work. All the evidence shows that this approach has failed. £700k a day is being lost to this crime, but less than half of it is reimbursed. Victims – particularly vulnerable ones – are being routinely failed by banks whose actions are undermining the Code they helped to write.

It is vital that the PSR does not hand the banks the power to modify or rewrite the existing code. Instead, it must take writing the new rules into its own hands and make it mandatory for all firms to reimburse victims when they are not at fault.

Rich will be giving evidence from 10:30am today (Thursday, 8 July).  A longer version of this update appeared as an Op Ed in Times Redbox (paywalled content)


Do you agree that the regulator must not give banks the power to write their own rules on scam reimbursement?
Loading ... Loading ...

15/06/2021: Update

28/04/2021: PSR must take action

When you fall victim to a crime, you expect to be believed. If someone breaks into your house, you don’t expect the police officer to point out where you should have installed CCTV. If you get mugged, you don’t expect to be asked for proof of how you put up a fight. And if you fall victim to a sophisticated and intricate scam, you don’t expect your bank to add to your feelings of guilt and distress by pinning the blame on you.

Yet that is exactly what is happening at the moment, with victims of authorised push payment scams (otherwise known as bank transfer scams) when they are tricked into unwittingly transferring money to a scammer. 

Which? News: Banks routinely blame victims of fraud

We receive information from hundreds and thousands of victims every year. The case studies we see highlight the impact on victims of this horrific crime – and how this is often exacerbated by banks who appear not to care about what has happened to one of their own customers who may have just lost a life-changing sum of money.

Blaming the victims

Recent evidence published by the Lending Standards Board (LSB) and the Financial Ombudsman (FOS) demonstrate just how poorly some banks are treating victims and the lengths they will go to to try and pin the blame on individuals rather than accept any wrongdoing on their part.

The LSB oversees a voluntary code that industry helped to write and which sets out protections for APP scam victims. The Code states that victims should be reimbursed other than in a few specific circumstances – and even then banks are expected to consider the scam in the round and how individuals may have been affected by the context of what happened and how.

Data showing just how well banks are adhering to the letter and spirit of the Code was recently provided to the LSB by signatories to the Code (which includes all the major banks plus Co-op, Metro, and Starling) and published earlier this year. 

It paints a damning picture of how banks are interpreting and implementing the Code in wildly inconsistent ways and how victims are being mistreated across the board:

🔹 Victims were held fully or partially to blame 60% of the time, and therefore often denied any reimbursement

🔹 Blame was shared between the customer and either the bank sending or receiving the money, or between the two banks themselves, in a further 17% of cases

🔹 Two banks pinned the blame on victims in nine out of every ten instances

🔹 For investment scams – which often involve the highest amounts of losses – victims were blamed 67% of the time

🔹 Romance scams, which can involve extreme emotional and psychological manipulation, had a blame rate of 61%

Final adjudication

When a victim is dissatisfied  with the outcome of a decision made by their bank they can escalate it to the Financial Ombudsman for a final adjudication. In some cases, these decisions are published.

We had a look at some recent decisions, which were all upheld in favour of the victim (as are the vast majority of APP cases), and found evidence of banks placing extreme and unjustifiable expectations on what a customer should have done to avoid being scammed. 

These included HSBC telling a victim who lost £2,000 to a HMRC scam that it was “inconceivable” that he didn’t spot the red flags because he worked in a professional industry, and Nationwide refusing reimbursement of £1,146 because the victim “didn’t listen” to warnings given – despite receiving a call from a spoofed number which made her believe she was speaking to her building society.

In a separate case, Halifax only returned half of a £60,000 loss to an investment scam victim who had “failed to make sufficient checks” before investing – before backtracking after Which? intervened to point out they had never asked the victim what checks they had actually made.

All of these and more provide further evidence for what we have been saying for years: the banks are consistently misinterpreting the Code they helped to write in order to put the blame on the victim, and the Payment Systems Regulator (PSR) is doing little to ensure they adhere to the rules.

Our calls on the PSR

We are calling on the PSR to use its upcoming consultation to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams. It must do this as quickly as possible to prevent banks making this a race to the bottom, and many more victims being denied rightful reimbursement

That same consultation will also recommend a way to make APP scam protections mandatory. We strongly believe that industry has been given sufficient time and opportunity to provide the solutions so under no circumstances must the banks be allowed to write another new code to replace the existing voluntary one as the PSR has suggested. 

We will be continuing to make this case over the coming months so that the PSR stands firm and takes action to protect victims.

What would you say to the PSR if it suggested allowing the banks to write another new code?

Paul says:
13 July 2021

Having had to go through the rigorous process for vetting any signatories for any new bank account for both personal and business banking, I don’t understand why the banks can’t trace where the money goes and get it back. Surely any banks that receive any fraud payments can be identified, and if they can’t say who the end client is then they should be blackilisted. Or is it that the main banks aren’t so good at identifying their own customers as they should be and are all at fault themselves.
I’m sure that if senior managment bonuses were linked to a target of zero cash going into bogus/fraudsters accounts they’d soon manage to sort the problem.

Providing there is no colusion between the two parties then the Banks should reimburse the scammed person

We need cabinet minister appointees , like the appointee to sort out the vaccination programme , to regulate bank scams and the financial conduct ombudsman , energy companies and their puppet regulator Ofgem ………………………………………………………………………… moreover ,
car dealerships , rape cases , stalking cases , obesity etc .
The existing regulation is woefully inadequate , because politicians of the three main parties have ” no guts ” …………. !! Keeping the status quo , protects their jobs !!

It explains why 1 in 3 people do not vote in elections ……….. and live in a parallel universe !!

Of course , if we had a democratically elected head of state like a president , the political parties would be accountable to them ……….. and ultimately accountable to us all !!

Trevor black says:
18 July 2021

The PSR needs removing from his job because he’s not fit for the purpose.
His mind obviously does not work properly……………

Em says:
18 July 2021

Can you be more specific please? The PSR is not a person and there are several male members on the Board that we could remove, if only we knew whom you have in mind.

If Banks are allowed to carry on discriminating between who they reimburse, without implementing the necessary preventative measures available to them in the absence of legislative enforcement, fraudulent transactions will continue unabated. UK Banking Codes of Practice are archaic and outmoded and have little relevance to modern day advanced technological banking development and progression.

The difficulty is proving that the banks are not operating correctly in accordance with the relevant codes and the terms and conditions of customer accounts.

I believe the banks have a wide degree of discretion so there is bound to be considerable inconsistency both between one bank and another and between one customer and another. There is possibly the excuse that no two sets of circumstances are identical. The process is not helped by having to remain completely confidential so we never know why any purloined funds cannot be retrieved or whether there was any negligence on the part of the paying or the receiving bank that allowed the funds to end up in criminal hands.

My own view is that liability should normally fall on the receiving bank, but the process is initiated by the paying bank [the victim customer’s bank] and the paying bank cannot influence, or even check, the findings of the receiving bank and seek recompense from them.

The banking industry has a massive reputational and confidence incentive to put this situation right so I don’t see what is preventing the banks from reaching a more sensible resolution. It is highly likely, of course, that much of the misappropriated money is in foreign jurisdictions where there is no cooperation with UK investigations or compliance with UK banking codes.

It would be so helpful if a representative of the bank regulatory authorities would assist Which? with explanations and consideration of these points because at the moment we can only speculate. I am not sure whether we really know the scale of the problem, the number of cases and amounts of money involved, and the frequency of diverted payment frauds.

There is little that customers can do to recover their money from receiving banks, so they must rely on their own bank recovering the money. It is the receiving banks that have provided criminals with accounts and possibly card services.

Rather than the current voluntary code of practice we need clear rules about how cases should be dealt with in a way that is fair to customers and their banks.

Getting “both sides of the story” is a plea sometimes (often?) made but it rarely happens, so we see the “popular” view.
I want to see customers helped generally to run their financial affairs more carefully and safely. I also want to see any reimbursement for losses go to customers who merit it – where they have carried out a transaction quite reasonably but have been failed, to some degree or another, by negligence on the part of their bank.

See – https://www.bbc.co.uk/news/business-58061993

This is an article on Which?’s pressure for reimbursement in bank fraud cases and shows how badly two people were treated by their banks when trying to report the scams and save their money from being plundered.

That is a worrying report and it would be interesting to see full details. Why can a PIN – just four digits – be the key information needed to access many thousands of pounds? Perhaps higher security is needed to tackle fraud.

One of the customers spent seven hours on the phone to HSBC. This deserves investigation because any customer who is trying to report suspected fraud needs prompt action. I looked up the HSBC website and was presented with the message:

“Get in touch
The quickest way to reach us is with our 24/7 chat service in the app or online banking. Our call centres are currently very busy, so you may have to wait.”

Perhaps there should an easy to find number exclusively for reporting suspected fraud.

The press release is here and continues what has already been said https://press.which.co.uk/whichpressreleases/fraud-victims-left-in-the-lurch-and-exposed-to-scammers-by-their-banks-which-research-reveals/

It is quite wrong that people should be kept waiting to report serious fraud, but just how widespread are these sorts of cases? The report states that 80% of”victims” were satisfied with the way they were dealt with; this suggests, given some people who are dealt with correctly but don’t accept it, that most cases are well handled.

However, the scope here is to monitor and improve the way (some) banks are set up to handle such problems. That is quite different from imposing by regulation a contingent reimbursement model on all banks. The two issues should not be conflated; we need to ensure that reimbursement is dealt with fairly, paying due regard to the way each participant contributed to any loss.

Wavechange — That is another example of how large customer-facing organisations are increasingly driving their so-say esteemed client base to using alternative and indirect means of communication such as chat lines and on-line message forms. Even when accessible, they are not suitable for the sort of immediate report of a fraud attempt.

I think the “our call centres are very busy” gambit should be outlawed, especially for banks and similar organisations. They should equip and deploy enough resources to handle the traffic they have created by closing so many outlets. I can understand the O&M rationale of channelling customer calls through chat lines etc because that enables the casework to be spread out over long shifts rather than occurring in peaks, but that does not recognise the essential priority of certain types of contact.

I feel we should be able to talk to our bank when we decide rather than when it is convenient to the bank; we now live in the digital age and the banking procedures that were appropriate in the days of postal correspondence are no longer good enough. I have noticed that scammers don’t make an appointment to interview us; they do it when it might cause the most difficulty for us in thwarting their schemes.

You also don’t know when this took place. If it was around the time of the first lockdown, call centres struggled to cope and it took a few months to sort out people working from home instead of a call centre. All call centres were short-staffed for a while until they got their new systems & security up and running.

Where do you draw the line? Have a read of this article:

James (not his real name) transferred money to a crypto account in his own name from First Direct. First Direct queried one of his transfers but James still went ahead. He the lost £20,000 thinking he was investing money from his crypto account.

Why would First Direct be responsible for refunding his money?

As more and more scams will take place with crypto currencies and likely to be much larger amounts of money, are our High Street banks expected to reimburse those victims too?

Communication with some organisations has become a real problem. I spent one and a quarter hours on a chat line trying to resolve a mobile phone issue. Simple queries with Amazon resulted in 40 minutes “chats”, wasting both my time and that of the company chatterer. I wanted to put my information and requirements in an email – thought out in advance – but no option existed with the phone company “we don’t have an email team”!

I presume chat lines, like telephone contact, can ration calls to the number of staff available with many callers simply abandoning their efforts to make contact. In attempting to set up government benefits for a relative I routinely get “all our agents are busy at the moment, please hold until one becomes available”; usually 30to 45 minutes pass before you can speak to someone, so put the phone on speaker and get on with something else.

It is time proper communications were established that do not waste time and patience, particularly with public services. Would be a useful Which? campaign perhaps.

Alfa — Although I agree we need to make some allowances for the possibility of customer service lines being overstretched while staff are dislocated in consequence of the coronavirus emergency, some things are of top priority and systems exist to filter and prioritise those for urgent action.

Banks employ thousands of people and their branch networks are interconnected both by telephone and the internet so resources can be redeployed quickly. I do not accept the excuse that people who wish to report a fraud attempt should be kept waiting. Planning for such contingencies should be an ongoing process.

I should think 80% of the country’s personal banking is concentrated in the hands of just a few massive corporations. They have a duty to organise for emergencies and to fight crime with all the means at their disposal. Securing our money is their No.1 duty and while I can understand the liability difficulties around dealing with Authorised Push Payments when a criminal diversion of funds has occurred, the basic function of receiving and processing reports of criminal action should still take precedence. They can’t stop crime if they won’t look out for it; you have to trap money while it’s still hot.

John wrote: “I think the “our call centres are very busy” gambit should be outlawed, especially for banks and similar organisations.”

I agree that this must change. I would expect to speak to someone promptly if I suspected fraud or a card had been stolen, because time could be critical. Perhaps the answer is to make an emergency number available and cut off callers that misuse it for other purposes.

Yet again I would like to point out that by introducing a delay in transferring larger sums of money could help avoid fraud. That would not be needed when transferring money to existing payees.

I did say around the time of the first lockdown. I doubt any companies had seriously planned for the whole country to be in total lockdown.

Employees couldn’t just switch to using their own computing equipment at home on unsecured internet for sensitive banking. Bank equipment and software would likely have had to be installed securely in operators homes. Operators with slow broadband might have needed faster broadband or additional equipment installed before they could work properly from home. Installations likely required 3rd party personnel who may have had their own difficulties to deal with.

I am not defending the banks, but just pointing out some of the difficulties faced by not only the banks and call centre workers, but all businesses at the start of the pandemic.

Yes, I appreciate the points you are making, Alfa; the early days of the lockdown were particularly problematic, and as you wrote earlier, we don’t know when these cases exhibited by Which? actually occurred. They could have been chosen for their sensation value without explaining the mitigating factors. We rarely get the full picture, and as Malcolm said previously, we don’t get the banks’ side of the stories.

Not everyone was expected to work from home, as some work was of an essential security nature, although I can understand that a call-centre might be perceived as a super-spreading environment and it was responsible to allow staff to work from home if possible.

L.Neil says:
10 August 2021

Banks and other large company s are getting too big and powerful, that does not look good for the rest of us.

Rather than pander – for obvious reasons – to the financial establishment’s own get rich, stay rich agenda, regulators and parliament ought to consider the people who actually do the work, generate the cash, ensuring our country continues to be a rich one. People at the ‘top’ could be thought of as parasites because they receive an inordinate amount of money, breeze from position to position and rarely are accountable. The political chumocracy consists of the privileged who were schooled privately (and expensively), have little idea of what ordinary peoples’ lives are like and likely do not care. The proles should stop complaining, ‘man-up’ and keep working.
Yes, it is acknowledged that money from the filthy rich finances projects that provide jobs for ordinary workers who need to earn a crust; it should also be acknowledged those projects are done by ordinary workers who have the skills. They do not enjoy rich pickings nor are they beneficial members of a chumocracy.