/ Scams

Why the PSR must take action to protect APP scam victims

We’re calling on the Payment Systems Regulator (PSR) to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams.

8/07/2021: the PSR must not let victims down

Today, Rich Piggin (@rpiggin), Head of External Affairs and Campaigns at Which?, is appearing in front of the Treasury Select Committee to give evidence about the devastating impact of bank transfer scams and what action the regulator needs to take to make life better for victims. 

The chances are that in the past year you either have, or know somebody that has, received a text, call or email that turn out to be a scam attempt. While we should all be vigilant online, nobody intends to be the victim of a crime. Scam victims frequently talk of feeling scared and untrusting of others after the event, and often feel re-victimised when their bank blames them for not realising quickly enough that something wasn’t right.

These victims all too often struggle to get their money back, despite most major banks being signed up to a code that should ensure customers are reimbursed when they are not at fault. Banks are failing to implement the Code that they helped to write properly and consistently. Don’t just take our word for it – the Financial Ombudsman and the Lending Standards Board (which oversees the Code and is funded by the banks) have both criticised banks repeatedly over the years for their failures. The result is a lottery of protection for victims.

The situation is unsustainable. Encouragingly, the Payment Systems Regulator (PSR) is proposing mandatory protections be introduced. One solution they have put forward is to let the banks modify and rewrite the existing code, effectively handing them the opportunity to water down the consumer protections they disagree with and ignoring the evidence from the last two years. We firmly oppose this. Instead, the regulator should take forward its other proposal and introduce a requirement on all firms to reimburse customers who have acted appropriately.

Self-regulation has failed. We must do better. Letting banks act as judge and jury when it comes to scams has not worked. We must put in place a new system centred on helping the victims of this terrible and growing crime.

Banks and the regulator have had two years to try and make self-regulation work. All the evidence shows that this approach has failed. £700k a day is being lost to this crime, but less than half of it is reimbursed. Victims – particularly vulnerable ones – are being routinely failed by banks whose actions are undermining the Code they helped to write.

It is vital that the PSR does not hand the banks the power to modify or rewrite the existing code. Instead, it must take writing the new rules into its own hands and make it mandatory for all firms to reimburse victims when they are not at fault.

Rich will be giving evidence from 10:30am today (Thursday, 8 July).  A longer version of this update appeared as an Op Ed in Times Redbox (paywalled content)


Do you agree that the regulator must not give banks the power to write their own rules on scam reimbursement?
Loading ... Loading ...

15/06/2021: Update

28/04/2021: PSR must take action

When you fall victim to a crime, you expect to be believed. If someone breaks into your house, you don’t expect the police officer to point out where you should have installed CCTV. If you get mugged, you don’t expect to be asked for proof of how you put up a fight. And if you fall victim to a sophisticated and intricate scam, you don’t expect your bank to add to your feelings of guilt and distress by pinning the blame on you.

Yet that is exactly what is happening at the moment, with victims of authorised push payment scams (otherwise known as bank transfer scams) when they are tricked into unwittingly transferring money to a scammer. 

Which? News: Banks routinely blame victims of fraud

We receive information from hundreds and thousands of victims every year. The case studies we see highlight the impact on victims of this horrific crime – and how this is often exacerbated by banks who appear not to care about what has happened to one of their own customers who may have just lost a life-changing sum of money.

Blaming the victims

Recent evidence published by the Lending Standards Board (LSB) and the Financial Ombudsman (FOS) demonstrate just how poorly some banks are treating victims and the lengths they will go to to try and pin the blame on individuals rather than accept any wrongdoing on their part.

The LSB oversees a voluntary code that industry helped to write and which sets out protections for APP scam victims. The Code states that victims should be reimbursed other than in a few specific circumstances – and even then banks are expected to consider the scam in the round and how individuals may have been affected by the context of what happened and how.

Data showing just how well banks are adhering to the letter and spirit of the Code was recently provided to the LSB by signatories to the Code (which includes all the major banks plus Co-op, Metro, and Starling) and published earlier this year. 

It paints a damning picture of how banks are interpreting and implementing the Code in wildly inconsistent ways and how victims are being mistreated across the board:

🔹 Victims were held fully or partially to blame 60% of the time, and therefore often denied any reimbursement

🔹 Blame was shared between the customer and either the bank sending or receiving the money, or between the two banks themselves, in a further 17% of cases

🔹 Two banks pinned the blame on victims in nine out of every ten instances

🔹 For investment scams – which often involve the highest amounts of losses – victims were blamed 67% of the time

🔹 Romance scams, which can involve extreme emotional and psychological manipulation, had a blame rate of 61%

Final adjudication

When a victim is dissatisfied  with the outcome of a decision made by their bank they can escalate it to the Financial Ombudsman for a final adjudication. In some cases, these decisions are published.

We had a look at some recent decisions, which were all upheld in favour of the victim (as are the vast majority of APP cases), and found evidence of banks placing extreme and unjustifiable expectations on what a customer should have done to avoid being scammed. 

These included HSBC telling a victim who lost £2,000 to a HMRC scam that it was “inconceivable” that he didn’t spot the red flags because he worked in a professional industry, and Nationwide refusing reimbursement of £1,146 because the victim “didn’t listen” to warnings given – despite receiving a call from a spoofed number which made her believe she was speaking to her building society.

In a separate case, Halifax only returned half of a £60,000 loss to an investment scam victim who had “failed to make sufficient checks” before investing – before backtracking after Which? intervened to point out they had never asked the victim what checks they had actually made.

All of these and more provide further evidence for what we have been saying for years: the banks are consistently misinterpreting the Code they helped to write in order to put the blame on the victim, and the Payment Systems Regulator (PSR) is doing little to ensure they adhere to the rules.

Our calls on the PSR

We are calling on the PSR to use its upcoming consultation to introduce new transparency requirements on banks so that customers can see exactly how they treat and reimburse victims of APP scams. It must do this as quickly as possible to prevent banks making this a race to the bottom, and many more victims being denied rightful reimbursement

That same consultation will also recommend a way to make APP scam protections mandatory. We strongly believe that industry has been given sufficient time and opportunity to provide the solutions so under no circumstances must the banks be allowed to write another new code to replace the existing voluntary one as the PSR has suggested. 

We will be continuing to make this case over the coming months so that the PSR stands firm and takes action to protect victims.

What would you say to the PSR if it suggested allowing the banks to write another new code?


There is of course a duty of care where possible by the customer and there is an even greater responsibility of financial institutions and the state to better protect its citizens. Citizens do not have individually a great deal of power, or sufficient knowledge to know all aspects of the banking system bearing in mind that the small and basically unrepresented citizen individual is the end user on the end of a weak chain. It is also too easy for the state to duck its responsibilities and cosy up to the financial services, an incestuous arrangement that benefits the powerful.

In these COVID tims where more and more people are stuck at home at the mercy of telephone scammers, it is a moral duty on society (and the custodians of our money) to protect the most vulnerable. It must therefore be written in law and within the banking code that customers must be protected from fraudulent activity and it is up to those banks to introduce stringent safety measures to prevent access by unscrupulous scammers. A lack of them is no excuse to not reimburse account holders for losses directly caused.

Trevor Platt says:
8 July 2021

Scams are getting more and more sophisticated, eventually they will be so slick, you will visit what you believe is a genuine website and get scammed. Banks are the gatekeepers who are giving scammers access to bank accounts, if they did better background checks on who is opening accounts to receive money – they could reduce fraud. Similarly telcos could do more to block calls, but only if you pay them. This all needs motor regulation to prevent misery to their customers.

Simon Phillios says:
8 July 2021

My wife lost £24k thanks to a scam and money transfer. Thousand after thousand she handed over! And not once did the bank think something funny was going on???

We must be careful what we wish for. There may be unintended consequences.

When responsible account holders wanted an overdraft facility they asked their bank; they were charged, say 18.9%. Those who went into the red without approval were charged, say, 39.9%. Some considered this unfair on those who did not seek approval for the loan from their bank. And so everyone is now charged the higher rate. A good outcome? Not in my view.

If the CRM is felt to be acting against the banks unfairly, they might well look at their customer base and close the accounts of those who act irresponsibly. Why should they offer facilities to someone who is not capable of taking care with their affairs and will cost them – and their other customers – a lot of money?

Is that the outcome we would be happy with?

This is not to absolve the banks in any way. They need to do as much as they can to prevent scams, but then so do their customers. It needs to be a fair system, and seen to be.

Banks seem to be a rule unto themselves, I often heard the words self regulate in the past, RUBISH meaning word, means they can please themselves, they don’t seem to care about there Staff or the customer, only the pay packets of the directors and shareholders. there is not one Bank premises in our town of 30000 plus people, the people of this country have not asked for this, its been forced on them, they soon come running to the Public when things go wrong on a Bail out, then the government of the day gives it all back to them, its the old boys network.

Paul Nye says:
8 July 2021

If self-regulation has failed, an external regulator needs to step in. That’s what it’s for: clue’s in the name.

Why isn’t the bank who has offered banking facilities to scammers held to account for not checking sufficiently who they are? If these rogues were denied bank accounts in the first place none of these scams could happen. And if they get through the net and an account is opened for them, the receiving bank should be making recompense, not the sending bank or sending customer.

Susan Gould says:
8 July 2021

Remember the time that borrowers needing a mortgage were able to self certificate about their earnings? Look at how that turned out eventually……

The relationship between a bank and its customers is one of simple debtor/creditor and is governed by the law accordingly. If money is removed from an account without valid authority then that does not affect the actual amount of the debt, whatever the statement says, or the obligation on the bank to make good that loss.

The only exception to that might be when identity has been stolen and the bank executes a fraudulent transaction in good faith. One might expect however that most banks will have procedures in place to verify the source of that instruction.

Self-regulation is open to so many problems: firstly the banks will be looking at self-interest in this matter if they are allowed to self-regulate. So there is no way that the banks should be able to write their own codes; it is putting the fox in charge of the hen-house. Ridiculous in the extreme if they are allowed to do this. So many hard working people lose so much money to scams already they need the banks there to help protect their savings with a code of conduct written by an unbiased and ethical organisation.

Clive French says:
8 July 2021

I fell foul of an international fraud where money just disappeared .
Bank did nothing except make it very easy for the fraudsters to not only get away with it but did nothing to trace where the money went .
Someone actually physically withdrew money but no one was interested in persuading police into investigation like thousands of others so the criminals will just keep on doing it with no fear of being caught .

We have bank accounts in France and UK. Some years ago a french company “took” about €90 from all our accounts. We contacted the french authorities and got the monies back within one day and the bank lost nothing, Barclays procrastinated and refused, we took the matter to the ombudsman and they agreed with us and Barclays ended up paying, but now the joke, had barclays not procrastinated they would also have got the monies back, but because they never acted swiftly enough, they lost the chance and so had to pay the monies themselves. I wonder how many times similar things have happened.

If the bank see large sums of money are going to the same individuals they should have a right to question the person whose account is being emptied. Even more so if it is not a company that everyone knows.

Banks are pressurising elderly people to do on line banking. OAP’s in a lot of cases are unable to able to cope with this and mistakes cost money.

Much, much more can and must be done to trace and arrest the criminals behind scamming.

James Spence says:
8 July 2021

This issue should not be turned into an us or them blame game. There are some individuals who continue to ignore repeated calls about ensuring their online security and, after years of clever online scam disaster tales, fail to act with caution when in regard to purchasing on line. Likewise, I am sure there are many cases when, despite taking all the necessary precautions, some otherwise sensible individuals have succumbed to very clever scam or other. There must be an element of individual responsibility in any new regulations, which places blame correctly where it deserves to be.
Banks should most certainly NOT be permitted to rewrite the rules. That is the job of an independent, knowledgable and responsible body who must be given sufficient teeth to hold individuals, companies and banks to account.

James Spence

Ian HOPKIN says:
8 July 2021

Am I overlooking something here. If I am scammed and money is transferred into someone else’s account, then that account must have a sort code and an account number, in other words a name and an address. Clearly the receiving bank did not carry out proper checks on it’s customer before letting them bank with them and therefor are totally liable for reimbursing me. Furthermore if the receiving bank is a repeat offender then the governing watchdog should step in and financially punish that Bank

The banks, and any other commercial institution, cannot self regulate. On the other hand they are very good at exercising self protection.

Two major issues lie behind these frauds.

The easy way that fraudsters are able to obtain access to the communication systems, be it by phone or internet, without appropriate, verifiable, identity.

The easy way that fraudsters are able to obtain access to the banking system. For these frauds to operate the perpetrators need to have a bank account into which funds are transferred. Who is responsible for verifying the account opening information? The banks.

The beneficiary account holder should be traceable in the event of fraud but often appears to “disappear” with lots of other peoples money. If someone manages to open an account for the purposes of fraud, clears out the account and disappears there are two parties responsible for the theft – the fraudster and the bank. The fraudster is unlikely to refund the victim therefore the bank responsible for opening the recipient/beneficiary account should do so.

It should be exceptional that a customer is held responsible for the loss and only in cases of absolute negligence (or fraud) on their part, as opposed to systematic cases of organised fraud.

The government made a complete and utter hash with recycling, allowing all councils to make their own rules. If you travel into another area, the rules are different in each council area; and, if you put the refuse into the wrong recycling bin you could be prosecuted.
So, if each bank is allowed to make up its own rules, this will result in absolute chaos, and every bank will blame someone else. Lawyers will have a “field day”, the cost to both banks and customers will rise, and we will all end up being poorer. For God’s Sake, where has common sense gone?
Answers on a postcard to “the government”!! But, a warning, these may not be answered!!


Sadly in this increasing IT dominated world it is getting more and more challenging to speak to a person. Everything online is challenging to the elderly and vulnerable. The elderly grew up when phones were a luxury and many over 80’s find it difficult enough to shop, cook a meal. Some get confused and some have no close family at all or living near. This government/society seems to only care about money and big business. After being stung about 10 years ago by one of the earlier computer scams I am careful. I even attended a computer course as I struggled when windows 7 was changed. The tutor spent many sessions helping us recognise scam emails. But now corruption is increasing and becoming very tech savvy, and deceiving us. Phone calls are very clever and frightening and so the vulnerable and elderly can be deceived thinking they are speaking to the bank.
Sadly the government does not support the disabled and vulnerable, as shown by the refusal to keep the extra Covid measure of an extra £20 a week universal credit, which could cause more distress and ill-health. There needs to be a change in attitude to the poor, elderly and even people vunerable to scams. A good society cares for the weakest. There was a time in history when Christian business owners cared for their employees, even built good housing, eg, Cadbury’s Bourneville. Sadly now life and even education is about success in IT or higher education and earning potential for the future wealth of the country and big business. the very much needed practical ones doing essential but poorly paid jobs are looked down on. Self-employed and zero hours contracts result in money worries for employees, sometimes working for big business who use power, influence as money rules this country. Without reform there will be increasing pain and distress for the vulnerable who get caught up by scams or loan sharks.
Therefore there needs to be a change in attitude so that all people are valued. When they have been deceived and distressed by scams, or ripped off by expensive repairs poorly done, or cladding which is a fire hazard; instead of justice and help they find they have to fight big business, the government and even the NHS. The distress and ill-health this causes is damaging society as people can no longer trust there is justice in the UK. This causes fear and distrust.
The government, businesses and banks need to rethink and care for the people they serve. If we learn anything from Covid, that face to face relationships are essential for people, and IT should be a tool and we should be careful not to continue to increase isolation by becoming remote screen watchers. Parents need to start talking to your young children rather than chatting with your screen. Businesses need to talk to customers and stop sending so many emails. Better education about adult life, budgeting and life skills eg practical household jobs may help, as we live in such a challenging money focused culture. The serious problems of the internet causing corruption in our society has to be addressed, but it seems the scammers always seem to be one step ahead of the financial institutions. Keep safe, and give yourself space and do not act instantly when the scam phone call or email comes through. Perhaps warning ads need to be on TV and online.