/ Scams

Why the PSR must take action to protect APP scam victims

We’re calling on the Payment Systems Regulator (PSR) to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams.

8/07/2021: the PSR must not let victims down

Today, Rich Piggin (@rpiggin), Head of External Affairs and Campaigns at Which?, is appearing in front of the Treasury Select Committee to give evidence about the devastating impact of bank transfer scams and what action the regulator needs to take to make life better for victims. 

The chances are that in the past year you either have, or know somebody that has, received a text, call or email that turn out to be a scam attempt. While we should all be vigilant online, nobody intends to be the victim of a crime. Scam victims frequently talk of feeling scared and untrusting of others after the event, and often feel re-victimised when their bank blames them for not realising quickly enough that something wasn’t right.

These victims all too often struggle to get their money back, despite most major banks being signed up to a code that should ensure customers are reimbursed when they are not at fault. Banks are failing to implement the Code that they helped to write properly and consistently. Don’t just take our word for it – the Financial Ombudsman and the Lending Standards Board (which oversees the Code and is funded by the banks) have both criticised banks repeatedly over the years for their failures. The result is a lottery of protection for victims.

The situation is unsustainable. Encouragingly, the Payment Systems Regulator (PSR) is proposing mandatory protections be introduced. One solution they have put forward is to let the banks modify and rewrite the existing code, effectively handing them the opportunity to water down the consumer protections they disagree with and ignoring the evidence from the last two years. We firmly oppose this. Instead, the regulator should take forward its other proposal and introduce a requirement on all firms to reimburse customers who have acted appropriately.

Self-regulation has failed. We must do better. Letting banks act as judge and jury when it comes to scams has not worked. We must put in place a new system centred on helping the victims of this terrible and growing crime.

Banks and the regulator have had two years to try and make self-regulation work. All the evidence shows that this approach has failed. £700k a day is being lost to this crime, but less than half of it is reimbursed. Victims – particularly vulnerable ones – are being routinely failed by banks whose actions are undermining the Code they helped to write.

It is vital that the PSR does not hand the banks the power to modify or rewrite the existing code. Instead, it must take writing the new rules into its own hands and make it mandatory for all firms to reimburse victims when they are not at fault.

Rich will be giving evidence from 10:30am today (Thursday, 8 July).  A longer version of this update appeared as an Op Ed in Times Redbox (paywalled content)


Do you agree that the regulator must not give banks the power to write their own rules on scam reimbursement?
Loading ... Loading ...

15/06/2021: Update

28/04/2021: PSR must take action

When you fall victim to a crime, you expect to be believed. If someone breaks into your house, you don’t expect the police officer to point out where you should have installed CCTV. If you get mugged, you don’t expect to be asked for proof of how you put up a fight. And if you fall victim to a sophisticated and intricate scam, you don’t expect your bank to add to your feelings of guilt and distress by pinning the blame on you.

Yet that is exactly what is happening at the moment, with victims of authorised push payment scams (otherwise known as bank transfer scams) when they are tricked into unwittingly transferring money to a scammer. 

Which? News: Banks routinely blame victims of fraud

We receive information from hundreds and thousands of victims every year. The case studies we see highlight the impact on victims of this horrific crime – and how this is often exacerbated by banks who appear not to care about what has happened to one of their own customers who may have just lost a life-changing sum of money.

Blaming the victims

Recent evidence published by the Lending Standards Board (LSB) and the Financial Ombudsman (FOS) demonstrate just how poorly some banks are treating victims and the lengths they will go to to try and pin the blame on individuals rather than accept any wrongdoing on their part.

The LSB oversees a voluntary code that industry helped to write and which sets out protections for APP scam victims. The Code states that victims should be reimbursed other than in a few specific circumstances – and even then banks are expected to consider the scam in the round and how individuals may have been affected by the context of what happened and how.

Data showing just how well banks are adhering to the letter and spirit of the Code was recently provided to the LSB by signatories to the Code (which includes all the major banks plus Co-op, Metro, and Starling) and published earlier this year. 

It paints a damning picture of how banks are interpreting and implementing the Code in wildly inconsistent ways and how victims are being mistreated across the board:

🔹 Victims were held fully or partially to blame 60% of the time, and therefore often denied any reimbursement

🔹 Blame was shared between the customer and either the bank sending or receiving the money, or between the two banks themselves, in a further 17% of cases

🔹 Two banks pinned the blame on victims in nine out of every ten instances

🔹 For investment scams – which often involve the highest amounts of losses – victims were blamed 67% of the time

🔹 Romance scams, which can involve extreme emotional and psychological manipulation, had a blame rate of 61%

Final adjudication

When a victim is dissatisfied  with the outcome of a decision made by their bank they can escalate it to the Financial Ombudsman for a final adjudication. In some cases, these decisions are published.

We had a look at some recent decisions, which were all upheld in favour of the victim (as are the vast majority of APP cases), and found evidence of banks placing extreme and unjustifiable expectations on what a customer should have done to avoid being scammed. 

These included HSBC telling a victim who lost £2,000 to a HMRC scam that it was “inconceivable” that he didn’t spot the red flags because he worked in a professional industry, and Nationwide refusing reimbursement of £1,146 because the victim “didn’t listen” to warnings given – despite receiving a call from a spoofed number which made her believe she was speaking to her building society.

In a separate case, Halifax only returned half of a £60,000 loss to an investment scam victim who had “failed to make sufficient checks” before investing – before backtracking after Which? intervened to point out they had never asked the victim what checks they had actually made.

All of these and more provide further evidence for what we have been saying for years: the banks are consistently misinterpreting the Code they helped to write in order to put the blame on the victim, and the Payment Systems Regulator (PSR) is doing little to ensure they adhere to the rules.

Our calls on the PSR

We are calling on the PSR to use its upcoming consultation to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams. It must do this as quickly as possible to prevent banks making this a race to the bottom, and many more victims being denied rightful reimbursement

That same consultation will also recommend a way to make APP scam protections mandatory. We strongly believe that industry has been given sufficient time and opportunity to provide the solutions so under no circumstances must the banks be allowed to write another new code to replace the existing voluntary one as the PSR has suggested. 

We will be continuing to make this case over the coming months so that the PSR stands firm and takes action to protect victims.

What would you say to the PSR if it suggested allowing the banks to write another new code?

Arthur Ng says:
8 July 2021

The scammers are quite quick about getting at your money so WHY AREN’T THE REGULATORY AUTHORITIES better at getting these SCAMMERS to PAY UP and PAY BACK to the VICTIMS?

Malcolm Webster says:
8 July 2021

As with most of the financial regulators they are useless, do not protect the ordinary people and basically a waste of money. My opinion of them is as much use as half a scissor!

The banks need to be one step ahead of the criminals, not five steps behind all the time. Their clunky and disjointed software systems are often to blame, yet they know where money has gone, but it is never pursued. It took years for banks to associate a name with a payment as well as an account number and sort code, handy, but criminals are way past that measure. Banks – think like a crook, act like a gentleman!

If we do not deal with this now, we will become a country which will harbour international money laundering crime groups. The UK will lose the respect of all its neighbours. The world’s money markets will no longer associate with this country and we will become ostracised and isolated. This is not a future which any of us should want.

Seb Carroll says:
8 July 2021

It’s not usually the banks who are on the receiving end of poor treatment by their customers. It’s usually the other way round. Banks can’t help but consider what is in their own best interests first, often at the expense of their customers. Let’s make sure they act responsibly.

Banks should do more to help people look after their money. Also since lockdown they should help people save more to help themselves.

Having worked for 48 years of my life, I do not see why the banks do not have systems in place to flag up these scams! Are they just worried about their share holders and the premiums they pay them, or are they genuinely worried about their customers? It appears to be the first option! All they are worried about is having your hard earn money one way or the other!

Why is it that the bank can ring you but there is no verification such as a password they must give. We recently seemed to have been scammed and were genuinely rang by our bank. I refused to discuss the matter as they could not prove they were genuine and my understanding was that banks would never phone you. We went to the bank the following day but they were not interested in us giving them a password for them to use next time.

While there is an onus on us all to take care all too often businesses fail to live up to reasonable standards of care, frequently on (often unacknowledged) grounds of convenience and cost. The advice given by banks not to give out personal information eg to unsolicited callers is seriously undermind by the banks’ own practice as described by Del Turner. I receive calls from my bank in which they begin by asking me for information to check MY identity at which point I refuse to speak further and say I will ring customer service. Without providing proof of my ID I usually will not be told the reason for the call which then hinders the follow-up through Customer Services but that is a price one pays for security. The banks justify this behaviour by saying they will never ask for sensitive data but this is seriously inadequate reasoning. Once one accepts these calls it is all too easy to be drawn into giving out information that is helpful to fraudsters inadvertantly under pressure or because, to the layperson it may seem harmless. The blindingly obvious way for banks to behave is to tell the customer to ring Customer Services and make sure that CS can easily discover who to direct one to.

Many well-intentioned efforts to protect people and/or provide convenience rapidly end up doing the opposite. Recall the adoption of non-geographical numbers which became a money spinner for many firms. I drew the attention of both Which and Ofcom to this very early on but Ofcom said it was not their problem and Which failed to take it up as an issue for several years. Data protection is another case . It is now used to protect companies and has in someways worsened one’s ID security through endless organisations insisting on pointless checks thereby making information such as one’s birthday a frequently used but largely useless form of ID check (giving only the appearance of security which could be worse than nothing). I now refuse to give out my birthday to organisations who ask for it unless it is clearly necessary but in reality this is probably closing the door after the horse has bolted. Banks are rushing to persuade us of the advantages of biosecurity – supposedly on grounds of ease and greater security. And this despite the evidence that these hightech methods invariably are found to be subvertible sometime by very low tech means. One cannot ever change one’s biological characteristics so once these are harvested by criminals there is no way of recovering. Hence no voice-recognition for me. Another weakness is that bank statements can fail to give adequate information. Thus one Building Society claimed it could not tell me who the payee of a Direct Debit was though clearly the details must have been somewhere on their computer system. It turned out that they had shortened the ID of the payee on the statements and on what their staff could read on screen making identification only possible by diligent detective work by me. Once upon a time when cheques were widely used I was under the naive assumption that banks checked the names of payees on receipt of a cheque but then found that my mother had inadvertently banked cheques that were for me at a bank at which I had no account. Enquiring with the bankmanager of that branch I was told that it was not normal practice to check the payee’s name against the relevant account. That would have been too much effort. Oh how naive can one be !!!! There are miriads of such cost-cutting practices which banks and others pursue at the expense of the customer and making the task of customers to protect themselves very difficult.

Why is it that the bank can ring you but there is no verification such as a password they must give. We recently seemed to have been scammed and were genuinely rang by our bank. I refused to discuss the matter as they could not prove they were genuine and my understanding was that banks would never phone you. We went to the bank the following day but they were not interested in us giving them a password for them to use next time.

Rosie Hawtrey says:
8 July 2021

Funny isn’t it. I’ve been scammed out of £7500 by criminals. The police agree with me, action fraud agree with me, yet its *my fault* according to financial ombudsman and HSBC and they can do what they like, including flat out lie on recorded phonecalls but that’s OK.
These organisations are the worst kind of scum, because they can ignore the law and morality at will – customers who are cancer sufferers and seriously ill individuals can be abused, ignored and verbally assaulted by these people. And that’s OK,. Too Big To Give A F***.

This society is an embarrassment.

M sample-piggot says:
8 July 2021

A voluntary code set by the banks is completely unacceptable in a time of rampant fraud & in the long term will result in a complete lack of trust in the banking system
Independent regulation is the only viable way forward

James Fletcher says:
8 July 2021

The banks have literally forced us to use on line banking by closing so many branches in fact the majority of branches therefore they have the total responsibility to reimburse customers for any losses incurred by fraud due to the internet. No if, no buts.

Em says:
8 July 2021

I like your logic. I have a postal account with a Building Society that closed their local branch about 30 years ago. Then if I’m defrauded by mail, they must take total responsibility. Why hasn’t this happened yet?

Janet Mary Marshall says:
8 July 2021

Is this big money talking. Controlling and blaming the person who has been scammed, thereby increasing their anguish, when they are at there most vulnerable. Then making it more difficult to claim the money back. It is a shame to all banks involved and they need to look at there morals and ethics.
Also work to make scamming impossible, work with the police and Action Fraud, and bring these scammers to justice.

I’ve been the victim of several debit card and on-line scams perpetrated by seemingly legitimate companies and although my bank (Nationwide) know who these companies are and suspect them of fraudulent activities, they have been allowed to persist due to inadequate Service Level Agreements (SLA) between the banks and the credit card provider, leaving me many thousands of pounds out of pocket, despite my complaints to the Financial Ombudsman (another powerless entity).

One would think in such a digitally advanced world, with KYC, AML and Anti-Bribery laws in place, this is less likely to happen but such fraud is actually on the increase. It’s almost as if the banks get a financial kick-back for allowing such scams to perpetuate!

When legislation is changed, there is a consultation period- the banks can make their point then, but not write their own policy!

All Regulators seem to be Paper Tigers. Very rarely, if ever, have l read of a prompt resolution arrived at via any Regulator. I’m open to correction. It’s time for the whole system of Regulation to be overalled weighted away from Banks & Utilities etc, which they seem to be advocates for rather than their Customers.

Mic Porter says:
8 July 2021

Becasue of the personal risk of losing money that is not recoverable from banks I do not use online or telephone banking but pay cash, use cheques and credit cards. Until the law and behaviour of banks change am I wrong to take this view?

Peter Armstrong says:
8 July 2021

It has to be a fundamental principle that no person or organisation – no matter how apparently august that organisation appears – should be allowed to make its own rules and regulations of safeguarding other peoples money or assets.

Peter C says:
8 July 2021

Its not just individuals that are being scammed out of large amounts of money, the banks are being scammed out of millions of pounds every year, when a bank has been scammed why is they don’t pursue the culprits. It appears that they just choose to write off the losses rather than going after the scammers, but that just encourages more of the same.
Ultimately the customer has to pay for these losses

It seems incredibly easy for money to be taken from people in numerous and varied ways yet banks are able to wriggle out of compensating their unfortunate customers on the flimsiest grounds. How can this be fair? We have had our bank card cloned but it was picked up quickly as the card was used to buy a train ticket in a place neither of us had or could have been, but it might have been so different.
Isn’t is about time the banks, police and security services caught up with the sheer audacity of these bare-faced criminals who seem quite able to operate with impunity, netting billions of hard earned cash with almost no risk to themselves. Indeed why would anyone bother working hard, saving for a pension when you can sit back skimming off the cream of people’s earning with almost no effort and certainly no punishment. This is a crime that people think won’t happen to them so choose not to think about but sadly they could easily fall victim without even realising before it is too late. Strong action is needed and now, banks must be made to take action as they won’t do it till they are forced into it.

Keith Winn says:
8 July 2021

I agree with most of the comments.
Bank should take care of their customers. Not blame them for been scammed.