/ Scams

Why the PSR must take action to protect APP scam victims

We’re calling on the Payment Systems Regulator (PSR) to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams.

8/07/2021: the PSR must not let victims down

Today, Rich Piggin (@rpiggin), Head of External Affairs and Campaigns at Which?, is appearing in front of the Treasury Select Committee to give evidence about the devastating impact of bank transfer scams and what action the regulator needs to take to make life better for victims. 

The chances are that in the past year you either have, or know somebody that has, received a text, call or email that turn out to be a scam attempt. While we should all be vigilant online, nobody intends to be the victim of a crime. Scam victims frequently talk of feeling scared and untrusting of others after the event, and often feel re-victimised when their bank blames them for not realising quickly enough that something wasn’t right.

These victims all too often struggle to get their money back, despite most major banks being signed up to a code that should ensure customers are reimbursed when they are not at fault. Banks are failing to implement the Code that they helped to write properly and consistently. Don’t just take our word for it – the Financial Ombudsman and the Lending Standards Board (which oversees the Code and is funded by the banks) have both criticised banks repeatedly over the years for their failures. The result is a lottery of protection for victims.

The situation is unsustainable. Encouragingly, the Payment Systems Regulator (PSR) is proposing mandatory protections be introduced. One solution they have put forward is to let the banks modify and rewrite the existing code, effectively handing them the opportunity to water down the consumer protections they disagree with and ignoring the evidence from the last two years. We firmly oppose this. Instead, the regulator should take forward its other proposal and introduce a requirement on all firms to reimburse customers who have acted appropriately.

Self-regulation has failed. We must do better. Letting banks act as judge and jury when it comes to scams has not worked. We must put in place a new system centred on helping the victims of this terrible and growing crime.

Banks and the regulator have had two years to try and make self-regulation work. All the evidence shows that this approach has failed. £700k a day is being lost to this crime, but less than half of it is reimbursed. Victims – particularly vulnerable ones – are being routinely failed by banks whose actions are undermining the Code they helped to write.

It is vital that the PSR does not hand the banks the power to modify or rewrite the existing code. Instead, it must take writing the new rules into its own hands and make it mandatory for all firms to reimburse victims when they are not at fault.

Rich will be giving evidence from 10:30am today (Thursday, 8 July).  A longer version of this update appeared as an Op Ed in Times Redbox (paywalled content)


Do you agree that the regulator must not give banks the power to write their own rules on scam reimbursement?
Loading ... Loading ...

15/06/2021: Update

28/04/2021: PSR must take action

When you fall victim to a crime, you expect to be believed. If someone breaks into your house, you don’t expect the police officer to point out where you should have installed CCTV. If you get mugged, you don’t expect to be asked for proof of how you put up a fight. And if you fall victim to a sophisticated and intricate scam, you don’t expect your bank to add to your feelings of guilt and distress by pinning the blame on you.

Yet that is exactly what is happening at the moment, with victims of authorised push payment scams (otherwise known as bank transfer scams) when they are tricked into unwittingly transferring money to a scammer. 

Which? News: Banks routinely blame victims of fraud

We receive information from hundreds and thousands of victims every year. The case studies we see highlight the impact on victims of this horrific crime – and how this is often exacerbated by banks who appear not to care about what has happened to one of their own customers who may have just lost a life-changing sum of money.

Blaming the victims

Recent evidence published by the Lending Standards Board (LSB) and the Financial Ombudsman (FOS) demonstrate just how poorly some banks are treating victims and the lengths they will go to to try and pin the blame on individuals rather than accept any wrongdoing on their part.

The LSB oversees a voluntary code that industry helped to write and which sets out protections for APP scam victims. The Code states that victims should be reimbursed other than in a few specific circumstances – and even then banks are expected to consider the scam in the round and how individuals may have been affected by the context of what happened and how.

Data showing just how well banks are adhering to the letter and spirit of the Code was recently provided to the LSB by signatories to the Code (which includes all the major banks plus Co-op, Metro, and Starling) and published earlier this year. 

It paints a damning picture of how banks are interpreting and implementing the Code in wildly inconsistent ways and how victims are being mistreated across the board:

🔹 Victims were held fully or partially to blame 60% of the time, and therefore often denied any reimbursement

🔹 Blame was shared between the customer and either the bank sending or receiving the money, or between the two banks themselves, in a further 17% of cases

🔹 Two banks pinned the blame on victims in nine out of every ten instances

🔹 For investment scams – which often involve the highest amounts of losses – victims were blamed 67% of the time

🔹 Romance scams, which can involve extreme emotional and psychological manipulation, had a blame rate of 61%

Final adjudication

When a victim is dissatisfied  with the outcome of a decision made by their bank they can escalate it to the Financial Ombudsman for a final adjudication. In some cases, these decisions are published.

We had a look at some recent decisions, which were all upheld in favour of the victim (as are the vast majority of APP cases), and found evidence of banks placing extreme and unjustifiable expectations on what a customer should have done to avoid being scammed. 

These included HSBC telling a victim who lost £2,000 to a HMRC scam that it was “inconceivable” that he didn’t spot the red flags because he worked in a professional industry, and Nationwide refusing reimbursement of £1,146 because the victim “didn’t listen” to warnings given – despite receiving a call from a spoofed number which made her believe she was speaking to her building society.

In a separate case, Halifax only returned half of a £60,000 loss to an investment scam victim who had “failed to make sufficient checks” before investing – before backtracking after Which? intervened to point out they had never asked the victim what checks they had actually made.

All of these and more provide further evidence for what we have been saying for years: the banks are consistently misinterpreting the Code they helped to write in order to put the blame on the victim, and the Payment Systems Regulator (PSR) is doing little to ensure they adhere to the rules.

Our calls on the PSR

We are calling on the PSR to use its upcoming consultation to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams. It must do this as quickly as possible to prevent banks making this a race to the bottom, and many more victims being denied rightful reimbursement

That same consultation will also recommend a way to make APP scam protections mandatory. We strongly believe that industry has been given sufficient time and opportunity to provide the solutions so under no circumstances must the banks be allowed to write another new code to replace the existing voluntary one as the PSR has suggested. 

We will be continuing to make this case over the coming months so that the PSR stands firm and takes action to protect victims.

What would you say to the PSR if it suggested allowing the banks to write another new code?

Iain lo5 says:
8 July 2021

Regulators via government have to be proactive and tough, coming down hard on Ceo’s, non executive directors and senior management. Fining a bank means nothing to the bottom line. Apologies run to a few words meaning job done, move on !!

Michael Newman says:
8 July 2021

We all had to bail the banks out when their greed caused them to fail – the Government had no hesitation in implementing this. Now, when it’s the turn of the banks to help us if we innocently fall victim to fraud, why is the Government hesitating to mandate this?

David Smith says:
8 July 2021

I agree. And the banks are still lending money willy-nilly. It is still all about greed. The more money they lend, the bigger bonuses they pay.
I was a consumer credit and debt adviser. I saw how loans people, who had got into financial difficulties, were persuaded to take bigger loans, to cover their debt, that they could not afford.
It is all about bonuses. Banks should not be able to pay bonuses when, as we see, people, especially like me, older and unsure, are conned into giving details of accounts, with no protection from the bank.
The regulator should do the job of protecting the public. Not the banks. They should have their own intelligence to see a fraud is happening.

Suzie Morley says:
8 July 2021

The Regulator is supposed to be the voice and champion of the individual. As long as the Regulators have no money or teeth, they are beholden to big businesses, who just want to get bigger. Isn’t it time Regulators looked after victims?

“[The government] needs to extend the scope of that bill to include online paid-for adverts that fraudsters are using. …the opportunity is now.”

In case you missed it, @rpiggin speaking at the Committee on how the Online Safety Bill should be expanded to help victims scam victims.

Watch it again here: https://parliamentlive.tv/event/index/46116450-0596-42fd-bc58-83cfe6370c11?in=11:26:20&out=11:27:27

What do you think? https://conversation.which.co.uk/scams/online-safety-bill-open-letter-anabel-hoult/

Even if some victims of scamming have been foolish (and I’ve come pretty close to being fooled), getting the banks to reimburse victims is a way of ensuring that banks take this problem seriously. After all, the banks are pushing us into online banking partly as a way of keeping down their branch costs. I urge those who have received phishing emails to forward them to report@phishing.gov.uk

The banking sector seems to assume that all their customers have unlimited time to learn about the sophistication of scams and the far reaching abuse of the internet that all major providers is guilty of allowing. As personal banking is not particularly profitable, it is still incumbent on the service providers (the banks) to charge slightly more and to protect their customers. Banks are sophisticated and must be regulated appropriately, and in the interest of their customers. This is far deeper than it appears….

8 July 2021

As more bank branches close, more people who are not efficient at using on-line banking will be more liable to scams. Also, Banks will be saving money by not paying rent on town centre premises – maybe they could divert that money to having more stringent checks (not cheques!) on scams. Even the canny among us could get caught out as scammers become more and more adept.

I wouldn’t give a criminal the right to choose his/her own sentence, we need regulation in our lives. Banks must not be able to write their own rules.

TonyT says:
8 July 2021

As well as the banks having to help, the platforms that allow scammers to use them as cover should be held responsible. This would then make it harder for scammers to find victims.

Really important as thousands are being cheated , often the most vulnerable, and the banks’ only concern is their profits.

Kate Gilbert says:
8 July 2021

I find it incredible, in this day and age, the the bank happily allow scammers to take money out of your account. So many alarm bells should be ringing and they should know exactly where the money is going and they should be able to get it back.
I would hold them totally responsible if I was scammed if they not contact me to ask if I had made such a payment.
My bank has contacted me on a number of occasions to ask if I had made certain payments as it was out of character so they were on the ball.
On the one occasion that my credit card allowed a money transfer of £500 on the 1st day of the new statement should have flagged up as I have never done such a thing before and so they refunded me the £500.

Elfrieda Haley says:
8 July 2021

It’s insane to expect to allow the banks financial institutions to write there own policy and govern themselves. They are not trustworthy as history has proved again and again.

I have POA for a 90 year old who is trusting and generous. I have a good working relationship with her bank manager who intercepts any cheque or phone call to the bank. He has been able to stop all attempts to take her money, (There have been many). He takes care of his customers!

Banks have shown in the past (2008) that they cannot be trusted to self regulate. Bring back regulation ,!

A J says:
8 July 2021

History tells us that banks will only do what is right when they are forced to do so, either by regulation, public pressure, or legal action.
Otherwise – What do you call a cross between a shark and a leach ? – Answer: A high street bank !
That is what they become when not effectively regulated, as history shows.
But I also think that the police need to be far more active on this front, catching the damned scammers and locking them up for a long time !

Bob Lucas says:
8 July 2021

While it is essential that bank customers take great care not to fall victim to these criminals, it is often the elderly and confused that are targeted. Surely there should be a lot more done to identify and prosecute these despicable characters with severe punishments that match the crimes.

It isn’t the banks that pay the “victims”, it is their customers – you and I. Lower interest rates on deposits, higher charges for loans and mortgages, overdrafts and, at some point, bank charges for them to operate your account. It is just worth bearing in mind that it is your money that refunds people who may have been less than responsible in their financial dealings. Are you happy with that?

I would like to see banks made to offer accounts with different levels of facilities, maybe earned by customers, maybe imposed on the more vulnerable, that limit their ability to do certain things. For example, a limit on the amount they can transfer to a new payee without a check being made, delaying payments in case they have second thoughts, requiring a second family authorisation on certain transfers, and such like.

If the bank is negligent then they should be held to account, just as should the customer.

How can there be regulation if banks are allowed to follow there own rules. This a step to far, they aren’t taking any responsibility for any of the scams. They don’t repay victims now, that will only get worse if they regulate them selves. It’s a ridiculous suggestion. The customer or victim should be able to get recompense , that is already dire now. If this happens it’s only going to get worse.

Now the subject at hand: Rich is now speaking on whether the CRM code has been effective. Catch it from the start:


Robert Morrison says:
8 July 2021

If the banks bare greater responsibility it will encourage them with a financial incentive to combat cyber crime by investing in the appropriate technology.

I am especially concerned with organizations emailing me, telling me that I have enlisted via ” REVERSE SOLICITATION CONFIRMATION”.

This is a major infringement of liberty that is difficult to stop. It can end up making complaints to banks and generally creating more work and confusion.