/ Scams

Why the PSR must take action to protect APP scam victims

We’re calling on the Payment Systems Regulator (PSR) to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams.

8/07/2021: the PSR must not let victims down

Today, Rich Piggin (@rpiggin), Head of External Affairs and Campaigns at Which?, is appearing in front of the Treasury Select Committee to give evidence about the devastating impact of bank transfer scams and what action the regulator needs to take to make life better for victims. 

The chances are that in the past year you either have, or know somebody that has, received a text, call or email that turn out to be a scam attempt. While we should all be vigilant online, nobody intends to be the victim of a crime. Scam victims frequently talk of feeling scared and untrusting of others after the event, and often feel re-victimised when their bank blames them for not realising quickly enough that something wasn’t right.

These victims all too often struggle to get their money back, despite most major banks being signed up to a code that should ensure customers are reimbursed when they are not at fault. Banks are failing to implement the Code that they helped to write properly and consistently. Don’t just take our word for it – the Financial Ombudsman and the Lending Standards Board (which oversees the Code and is funded by the banks) have both criticised banks repeatedly over the years for their failures. The result is a lottery of protection for victims.

The situation is unsustainable. Encouragingly, the Payment Systems Regulator (PSR) is proposing mandatory protections be introduced. One solution they have put forward is to let the banks modify and rewrite the existing code, effectively handing them the opportunity to water down the consumer protections they disagree with and ignoring the evidence from the last two years. We firmly oppose this. Instead, the regulator should take forward its other proposal and introduce a requirement on all firms to reimburse customers who have acted appropriately.

Self-regulation has failed. We must do better. Letting banks act as judge and jury when it comes to scams has not worked. We must put in place a new system centred on helping the victims of this terrible and growing crime.

Banks and the regulator have had two years to try and make self-regulation work. All the evidence shows that this approach has failed. £700k a day is being lost to this crime, but less than half of it is reimbursed. Victims – particularly vulnerable ones – are being routinely failed by banks whose actions are undermining the Code they helped to write.

It is vital that the PSR does not hand the banks the power to modify or rewrite the existing code. Instead, it must take writing the new rules into its own hands and make it mandatory for all firms to reimburse victims when they are not at fault.

Rich will be giving evidence from 10:30am today (Thursday, 8 July).  A longer version of this update appeared as an Op Ed in Times Redbox (paywalled content)


Do you agree that the regulator must not give banks the power to write their own rules on scam reimbursement?
Loading ... Loading ...

15/06/2021: Update

28/04/2021: PSR must take action

When you fall victim to a crime, you expect to be believed. If someone breaks into your house, you don’t expect the police officer to point out where you should have installed CCTV. If you get mugged, you don’t expect to be asked for proof of how you put up a fight. And if you fall victim to a sophisticated and intricate scam, you don’t expect your bank to add to your feelings of guilt and distress by pinning the blame on you.

Yet that is exactly what is happening at the moment, with victims of authorised push payment scams (otherwise known as bank transfer scams) when they are tricked into unwittingly transferring money to a scammer. 

Which? News: Banks routinely blame victims of fraud

We receive information from hundreds and thousands of victims every year. The case studies we see highlight the impact on victims of this horrific crime – and how this is often exacerbated by banks who appear not to care about what has happened to one of their own customers who may have just lost a life-changing sum of money.

Blaming the victims

Recent evidence published by the Lending Standards Board (LSB) and the Financial Ombudsman (FOS) demonstrate just how poorly some banks are treating victims and the lengths they will go to to try and pin the blame on individuals rather than accept any wrongdoing on their part.

The LSB oversees a voluntary code that industry helped to write and which sets out protections for APP scam victims. The Code states that victims should be reimbursed other than in a few specific circumstances – and even then banks are expected to consider the scam in the round and how individuals may have been affected by the context of what happened and how.

Data showing just how well banks are adhering to the letter and spirit of the Code was recently provided to the LSB by signatories to the Code (which includes all the major banks plus Co-op, Metro, and Starling) and published earlier this year. 

It paints a damning picture of how banks are interpreting and implementing the Code in wildly inconsistent ways and how victims are being mistreated across the board:

🔹 Victims were held fully or partially to blame 60% of the time, and therefore often denied any reimbursement

🔹 Blame was shared between the customer and either the bank sending or receiving the money, or between the two banks themselves, in a further 17% of cases

🔹 Two banks pinned the blame on victims in nine out of every ten instances

🔹 For investment scams – which often involve the highest amounts of losses – victims were blamed 67% of the time

🔹 Romance scams, which can involve extreme emotional and psychological manipulation, had a blame rate of 61%

Final adjudication

When a victim is dissatisfied  with the outcome of a decision made by their bank they can escalate it to the Financial Ombudsman for a final adjudication. In some cases, these decisions are published.

We had a look at some recent decisions, which were all upheld in favour of the victim (as are the vast majority of APP cases), and found evidence of banks placing extreme and unjustifiable expectations on what a customer should have done to avoid being scammed. 

These included HSBC telling a victim who lost £2,000 to a HMRC scam that it was “inconceivable” that he didn’t spot the red flags because he worked in a professional industry, and Nationwide refusing reimbursement of £1,146 because the victim “didn’t listen” to warnings given – despite receiving a call from a spoofed number which made her believe she was speaking to her building society.

In a separate case, Halifax only returned half of a £60,000 loss to an investment scam victim who had “failed to make sufficient checks” before investing – before backtracking after Which? intervened to point out they had never asked the victim what checks they had actually made.

All of these and more provide further evidence for what we have been saying for years: the banks are consistently misinterpreting the Code they helped to write in order to put the blame on the victim, and the Payment Systems Regulator (PSR) is doing little to ensure they adhere to the rules.

Our calls on the PSR

We are calling on the PSR to use its upcoming consultation to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams. It must do this as quickly as possible to prevent banks making this a race to the bottom, and many more victims being denied rightful reimbursement

That same consultation will also recommend a way to make APP scam protections mandatory. We strongly believe that industry has been given sufficient time and opportunity to provide the solutions so under no circumstances must the banks be allowed to write another new code to replace the existing voluntary one as the PSR has suggested. 

We will be continuing to make this case over the coming months so that the PSR stands firm and takes action to protect victims.

What would you say to the PSR if it suggested allowing the banks to write another new code?

Roger Pomlett says:
8 July 2021

I can understand the view of those taking part in this, as I believe it is a shared responsibility between user and provider to ensure that fraudster criminals do not profit from their activities.
My thoughts are: Self Regulation is never as effective as external, independent regulation that is brought into being by consultation with all stake holders, and is then backed by the necessary national legislation enacted into law. Every-one can then be confident that, as far as possible, what protections are in place. As a certain well known international investor once said; “Do not expect markets to have morality, markets will do, what markets do, it is the responsibility of the state to apply morality and regulation”
No matter who is deemed to have been negligent in a particular situation, the point for me is: If citizens who trust their money to the grater banking sector, loose that trust, then the state as a whole has a serious problem.
Therefor, I suggest that what ever the regulatory regime is brought into being, we need a national awareness raising initiative, which includes a national education programme aimed at all users, as to the rights and responsibilities of all concerned, and how we can all work together to defeat this costly problem.
So, that is why I support external regulation.

Extremely well versed and a sensible solution.

I totally agree with Roger Pomlett and many others commenting here. There are so many telephone, email and text scams out there at the moment. Blocking calls, texts and emails doesn’t work because it just pops up again from another number or address. Sadly, it is often the elderly and less educated (who are probably least likely to be able to afford any loss) that are most likely to fall victim. However, some scams are so sophisticated and apparently genuine that even the most astute person could find themselves fooled.

I used to believe (maybe wrongly) that banking was an honourable profession, but these days the shareholder is king and executive bonuses the be-all and end-all.

David Flinn says:
8 July 2021

I agree with the proposals you are making today. I would like to add something else that urgently needs attending to. That is the multitude of persistent scam telephone calls and mobile messages that arrive daily. These are a major part of the scammers tools but nothing seems to be able to stop them. Telephone preference and phone settings don’t work. It urgently needs to be tackled Nationally.

Gareth Llewelyn Lewis says:
8 July 2021

Yes, the government and City regulators must move on legislation to ensure retail banking makes (or are obliged to make) better efforts to protect and reimburse it’s customers following fraud and scams. Some of the smaller ethical banks appear to be doing well here but the bigger UK banks are disgracefully uncaring seemingly more concerned with short term margins and profit (witness the Covid gains too)

mindmapper says:
8 July 2021

Forget ‘rules’ that end up open to interpretation. This issue requires regulation, cast in law on the statute book.

steve wilcox says:
8 July 2021

There must be a common code backed by legislation
Allowing banks to do there own will cause confusion for customers
The code has to be written by the regulator ( or other independent body ) otherwise there is a conflict of interest and must be done quickly
However this must be balanced with the need for people to take responsibility for their own actions

My bank now goes through a detailed enquiry, to make sure I am paying the correct person or company.
Therefore, it follows that they realise full well that their protections in the past were not sufficient.
They must compensate customers for the weakness of their systems.
We bailed them out when the financial crash happened. Now it is their turn to bale out their defrauded customers.

I was rung by someone purportedly from the Metropolitan Police. She told me that I was being taken to court for tax fraud. She knew I was a pensioner, and asked me whether I had access to a solicitor to defend myself. At this point, I became suspicious, because she had an Asian accent. She did not ask for my bank details , at least. If she had, I would have terminated the call immediately!
I reported it to the police, who said “oh God, not another one”. This told me that my suspicions were justified! In my opinion, these people need to be punished for attempting to defraud people. I am vulnerable in that I am a stroke survivor and wheelchair user. My brain is damaged, and they attempted to exploit my financial vulnerability.
These criminals must be stopped, before they do real damage!

Nigel B says:
8 July 2021

For hundreds of years, when cash and valuables were held in safes and vaults, banks have taken careful measures to physically protect customers’ money and property; they would never have allowed an imposter to turn up in person to take what they didn’t own. Customers were known to bank staff and that relationship underpinned security measures. Today, privacy and anonymity prevail but banks have not stepped up to adequately secure their digital safes and vaults against theft and money laundering, yet they arrogantly decide it’s the bank’s bona fide customers who are at fault when scammers strike.

It’s painfully obvious that the banks cannot be allowed to write their own code of conduct in this matter, it has to be written by an unbiased and trustworthy organisation which has the interests of bank customers to the fore.

Whilst my only personal experience of a successful scam when my 92 year old mother-in-law had £18,000 taken from her account was resolved extremely considerately and satisfactorily with a full refund by Santander I am flabbergasted that the PSR would even consider allowing institutions that exist solely for profit to both write and police their own rules. This is dystopian!

P.L.Smith says:
8 July 2021

This is just one more example of the electorate being ‘sold down the river’ by the Government as they pursue their Party principles of protecting business at the expense of the health and wellbeing of the electorate.
I began months ago to draft a message to Which outlining what I see as the plethora of examples of the deconstruction of many legal and traditional characteristics of this society which made our daily life as good as it was, from citizens’ rights, consumer rights and protections to the current business practices of avoiding fair trading responsibilities. But my first draft is still awaiting completion because so many further issues arise almost every day that I can’t keep up!
Alongside that is the frustration that however much we campaign, this Government ploughs its furrow regardless; Ministers, led by the ‘Prime’ one blatantly lie and cheat the public, spend public money on their priorities rather than democratically agreed ones and the electorate is gradually and systematically hoodwinked into believing their mantras only to discover all too late that our best public services e.g. the NHS are being sold to private insurance companies.

John Fox says:
8 July 2021

Having in the past had a refund from a PPR debacle with HSBC, we received at the time a letter from them to inform us of the refund. On opening it, it was a photocopy of the refund we were about to receive. Being sceptical we took all the paperwork to our branch. The assistant checked it all out and confirmed it was genuine. We decided to open an account with another bank with only £20 pounds deposit in case as this process went further and a scam may still be the case we would only lose this amount. As it all turned out to be genuine and the monies were received but the initial correspondence being photocopied we think this is very careless of HSBC to communicate in this way. The moral as always be very aware of these banks, they are not astute as they appear.

Nicky Deacon says:
8 July 2021

I would like to see free assistance given automatically via a third-party, especially to some of the more vulnerable sectors of society who may be uncertain of how to begin the long process of compensation.

Although not directly connected to fraud, the banks have been careless with how they identify cash transfers for many years. Removing the double check of requiring a name as well as an account number was a ridiculous move. Get one number wrong or accidentally send and the money is instantly transferred to the wrong account. That is then classed by the banks as “your fault”, which it technically is but the bank’s already removed a double check method that worked well by making two independent verifications of correctness necessary. Numbers only are not people friendly or reliable- if they were people wouldn’t ring a wrong number or send an email to the wrong person.

In the past, even with name checking in place banks were adamant they could do no wrong. As a student, I suddenly had about £1000 extra appear in my bank account. When I went to the branch I was told I’d put a cheque in. When I told the bank I hadn’t they were adamant I had and I actually ended up forcing them to look in to it. It turned out there was another student with the same name. It was the other student’s cheque that had been placed into my account. Had I not been honest I could have either ignored it or spent it without realising it was wrong. They were also surprised once I’d sorted it that I closed the account and went with another bank. I told them it could have gone the other way and had my cheque gone elsewhere would they then have blamed me? I think we know the answer to that one, it wasn’t risk I wanted to take.

do not understand, after all the publicity, why people are still getting scammed !!
JUST SAY… NO…. what is so hard in that ???
if everybody realized they will NEVER have a claim on their bank, then they may make more of an effort with their own security.
JUST SAY.. NO.. easy peasy..

Tim Rogers says:
8 July 2021

Unfortunately, for the more easily flustered and confused, (which often comes with age or illness), saying no is not so easy. In this we must protect the vulnerable. There is no way Banks can be trusted to write a code on this without mandatory supervision. Suggest, lobby, recommend, justify, etc fine, but decide NO WAY!

Peter Sturgess says:
8 July 2021

You must have an independent regulator. Nobody marks their own homework!

John Corrigan says:
8 July 2021

I also agree with the proposal there are to many vulnerable people out there especially the elderly and disabled who have lost all there savings to these scams and these scams are very believable

Leonard McNeill says:
8 July 2021

Why blame the banks? It would appear that the Governments vested interest is foremost in this debate. The Government is more interested in the “big” picture – money laundering as it effects the economy and reputation of financial London. These enquiries don’t really delve into the “small” man/woman cases. It would be better to treat this as two different enquiries, Money laundering and similar serious crimes and the ordinary citizen being scammed. Treat these as two different topics and you will serve the ordinary citizen more simply and effectively. Otherwise it becomes totally convoluted.

Consider myself a cynic, but have come close to falling for scams. The banks are keen on online banking at least in part to keep down branch costs. It may be that some of the victims have been very foolish. Reimbursing everyone, without investigating what happened, will encourage fraud and cost bank customers as well as banks. However, getting the banks to reimburse victims is an excellent way to ensure banks take these problems seriously. This won’t be achieved by allowing banks to write their own code of practice! Furthermore, I urge everyone to report phishing, vishing and smishing to the appropriate authorities: e.g. phishing emails to report@phishing.gov.uk Some organisations have their own e-addresses to which you can forward phishing emails (e.g. BT, Santander).

The banks should never be given the power of self-regulation. Much more can be done by banks to safeguard customers. In particular, vulnerable customers should be cared for more efficiently. With the increase of more and more elaborate scams, there must be a way to determine whether a transaction is genuine.