
Contingent Reimbursement Model (CRM) Code: two years on

Today marks the two-year anniversary of the Contingent Reimbursement Model (CRM) Code. Here’s how it’s worked in practice, plus a round-up of FAQs.

04/06/2021: Update


The Contingent Reimbursement Model (CRM) Code sets out how banks should approach prevention of scam payments and reimbursement of victims. At the time, the Code was a landmark piece of work – a document written by consumer groups and industry to address some of the key concerns that we had raised in our super complaint in 2016.

It spelled out for the first time in one place how victims should be treated and when and why they should be reimbursed by their bank.

Some things have improved since the Code was introduced. Average reimbursement rates have risen from around 20% pre-Code to around 45% and banks have invested more heavily in warnings on their apps and online banking systems.

Some have introduced (either voluntarily or after being directed by the regulator) systems such as Confirmation of Payee to help people spot when they may be making a payment to the wrong account. We have welcomed such improvements and pushed banks who are lagging behind to start taking similar action.

Inconsistent implementation

In other areas, however, things have been less rosy. As we and others like the Financial Ombudsman Service have noted on multiple occasions, the voluntary nature of the Code and the lack of proper oversight by the regulator has resulted in a haphazard and inconsistent implementation by signatories.

Reimbursement rates, though higher than they were two years ago, are not as high as the regulator expects they should be and vary wildly between firms – with some reimbursing over 50% of victims, and others reimbursing fewer than 10%.

This data is still anonymous, too, meaning that customers have no idea how their bank approaches reimbursement of victims. Other data, such as the level of bank transfer scams by bank, is not published at all.

£700k lost every day to scammers

Today we have published research showing that, on average, an astonishing £700k was lost every day to scammers between the introduction of the Code and the end of 2020.

That’s the equivalent of around £491 – or the cost of a new iPhone XR – every minute. It is clear that both prevention of APP fraud, and reimbursement of those who’ve been deceived by sophisticated fraudsters, must improve.

We will continue to push for the voluntary Code to be replaced by a mandatory set of protections, and we are pushing the regulator to ensure it comes out strongly in favour of this in its upcoming consultation.

In the meantime, we have been busy pressuring the banks to be transparent about their reimbursement rates – and next week we will be publishing which banks have committed to publishing data and which have refused.

Scams campaign FAQs

As this is an anniversary piece for Which? Conversation, I thought I’d take the opportunity not only to update you on the campaign, but also to reply to some of the many comments and questions you have asked about scams over the years.

Q: Why should my money be used to reimburse people who have fallen victim to these scams?

Much like taxes, the money your bank earns in interest, overdraft fees, and other charges is used to fund a wide range of services.

Although the amount of money reimbursed in 2020 across all banks under the Code – £147m – is a sizeable amount, it represents a drop in the ocean compared to the money earned by banks each year. While the costs borne by banks may be passed onto consumers, we think that the burden of scams should be shouldered more broadly rather than falling entirely on victims.

Q: Shouldn’t people take responsibility for falling for these scams?

It can be difficult to appreciate how sophisticated and realistic these scams can be when you haven’t been a victim yourself. Some are carbon copies of legitimate investment websites; others intercept legitimate email or text exchanged with banks, solicitors, builders and others; others present themselves as legitimate marketplaces or online sellers when in reality they are selling nothing but a scam.

Many of us see scams every day, and it’s easy to dismiss people who fall victim to them as foolish or stupid. However, the ones we spot as scams are often the ones which are obviously a scam – they are littered with spelling mistakes or have an obviously fake email address, for example. But by and large these are not the ones that many victims actually fall for.

Other payment schemes have rules that protect consumers against fraudulent payments, including mechanisms for payments to be challenged and reversed. Faster Payments, the system that bank transfer scams take place on, does not have such protections. The CRM Code aims to help plug this gap, but it remains voluntary.

There are certain circumstances where people have been ‘grossly negligent’ and in these circumstances we have always said that they should not necessarily be reimbursed.

Q: Won’t reimbursing people who have been scammed inevitably make them more careless in their transactions, knowing that if they lose money the rest of us will ‘see them right’?

We haven’t seen any evidence of this. Nobody wants to be a victim of a scam, not only because of the potential financial losses, but also the emotional impact. The CRM Code does not guarantee reimbursement (and we have never argued for 100% reimbursement), and so there remain strong incentives for consumers to avoid financial loss.

Indeed, it is possible that the opposite is true: people who fall victim to a scam are likely to have a heightened awareness of when they may possibly be being scammed again in the future.

TSB has said that even where it reimburses more than 99% of victims, it has not seen issues with customer behaviour and in fact they believe it has helped lead to more open conversations with victims.

Q: Why should banks be held responsible for their customers’ actions? Haven’t they just carried out their instructions?

Banks have a responsibility to take action to prevent scam payments. After all, fraudsters use bank accounts and the payment systems that banks offer in order to commit bank transfer fraud. 

Banks hold a lot of knowledge – about the prevalence of certain scams, the way scammers operate, and how their customers make payments. We believe it is reasonable, therefore, that banks assume responsibility rather than all of the responsibility being placed on the individual.

If you have any further questions for me please do let me know in the comments. I’ll do my best to get back to as many as I can.


My debit and credit cards both have my first name displayed in full CAPS, followed by the initial only of my second name, again in CAPS, followed by my surname also in CAPS.

Nothing could be made more clear for card payments. If the payee’s name is written in exactly the same way on a cheque, or other means of payment, as that displayed on the payee’s cards issued by their bank, there would be no mistaking the payee’s identity, based on the assumption, of course, all banks agree to abide by the proposed revised CoP regulations.

I worry that the online platforms who claim to be FinTech companies and not banks will not agree to the CoP regulations. Just as most of them have not signed on to CRM (they use the “Uber” argument, “we are a technology company and not a taxi company, so taxi rules and regulations don’t apply to us”!). FCA needs to bring all online platforms under their strict rules and regulations, including KYC / due diligence for account opening, minimum Capital requirements, depositor protection etc. Has Which? looked into this?

I cannot recall reading anything but this is too important to ignore.

I have had credit card payments rejected because my name didn’t match exactly. It was probably a few years ago now, but since then I have always made sure I entered my name exactly the same as it is printed on the card.

Now I have the benefit of seeing how my name is printed on my credit or debit card, something that is denied to most payers. They have to rely on word of mouth, or a written communication that might not contain the precise details.


The impression I get from these is that Which? is constructively looking at ways scams could be reduced. I hope they are working with the banking industry to help standardise ways in which they can all minimise their customers’ exposure to scams. This is far better than just criticising from the sidelines. I imagine, as with CoP, implementing appropriate practices is not always as easy as may appear at first sight.

I would like to see no links provided in communications from banks, just a request to contact your bank through the normal route.

desmond andrews says:
5 February 2022

call customers before making payments to companies

“ensure that all scam victims who are not at fault are swiftly reimbursed when they are targeted by fraudsters.”
Just how do you decide they are not at fault?

Malcolm – I am hoping that you are not suggesting that any scam victims would be dishonest. They must be presumed to be as pure as the driven snow.

Malcolm, do you think the victims knowingly part with their money to the fraudsters? In all cases they are tricked into sending money to the fraudster, usually by the fraudster pretending to be a real business, sending invoices (faked) in the name of real business and redirecting the money to a bank account which unbeknown to the victim is not in the name of the real business but the fraudster’s bank account.

SingDon, a question for you:

I get calls from this person who has a client wanting my shares for a hostile takeover. She is offering £15 a share making them worth £150,000, considerably more than what they were worth the last time I looked.

She sounds very plausible, wants to send me the paperwork and I will need to pay a bond of £10,000.

If I pay the bond and it turns out to be a scam, should I get my £10,000 refunded to me?

My response to SingDon is that many victims are knowingly parting with their money — because they are not thinking what they are doing.

Yes, it is trickery, but there is nobody standing over the victim threatening them, or with a weapon or using blackmail. It’s just a telephone call which can be terminated instantly. What if you weren’t in or didn’t answer the phone? Nothing is so urgent that it cannot be dealt with formally. Banks can always make a potentially dangerous situation safe if the customer is not available; tech companies can repair landlines or restore connectivity without customer intervention and shutting down their internet.

People are progressively building up their immunity to scams through experience and due to exposure: the more calls you get the more you realise there are far too many to be genuine, so you distrust them all. Constantly looking for protection is not doing anything to build up people’s own defences through intuition and common sense.

So suspicious and adverse have people now become that scammers are getting desperate and are resorting to ever more ludicrous scenarios — like the National Insurance No. scam. Through sheer weight of numbers the criminals are ruining their own pitches, and they are running out of plausible narratives. The chances that your internet is going to be disconnected, your Amazon account will be unexpectedly debited for a Prime subscription, and that a parcel you hadn’t ordered was being held for delivery on payment of £2.99, all on the same day, must be one in a hundred million. So when the phone rings again and you are told that a £600 charge has been put on your Visa card, are you going to believe it?

alfa and John Ward
As I mentioned above, maybe we are talking about different types of scams. The one I am talking about goes as follows:
1) The victim wants to buy a genuine item from a genuine business
2) The fraudster sends him a fake invoice in the name of the genuine business – almost impossible for victim to tell from the invoice that it is not from the genuine business he wants to buy from
3) The fraudster has set up a bank account, usually at an online platform with lax due diligence/KYC. The account is either in the name of the genuine business or more likely in any other name the fraudster chooses for which he can easily provide fake id or address references – some platforms are happy with website and/or social media (FB and Instagram) presence as adequate proof of existence.
4) The fraudster asks the victim to remit the invoice amount to the fake bank account he has set up
5) In the remittance instructions to his bank the victim specifies a) account name of the genuine business he thinks he is buying from and b) the sort code and account number of the fake account the fraudster has set up
6) Even though the receiving account name victim has mentioned in his instructions does not match the actual name on the fake account, the sending bank does not flag this to the victim. This may be because the receiving bank does not participate in the COP scheme and/or CRM (I feel FCA needs to look into making COP compulsory for all banking institutions, including online payment platforms).
7) So the sending bank fails to either stop the payment as no COP is received or does not tell victim clearly that no COP is received. In that case the sending bank should ask victim to double confirm if he still wants to go ahead with the payment in spite of no COP having been received.
8) In this case, clearly it is not the victim’s fault but more likely the fault lies at the sending bank end for not doing proper COP and warning victim that names don’t match (I guarantee most victims would not go ahead with the payment if their bank clearly tells them this) or at the receiving bank end for either not participating in COP/CRM or worse still allowing the fraudster to open a bank account with inadequate KYC/due diligence.


I note your comment but cannot recall any cases that follow that pattern having been reported or discussed here. The usual APP or Payment Diversion scams involve the interception of the supplier’s e-mail account to substitute the payment details that have already been given on the invoice. The points you have made are nonetheless valid and there is usually maladministration in the receiving bank as well as a lack of security in the supplier’s system that allows their account administration to be easily penetrated. Nowadays this largely affects small businesses and sole traders. Following publicity, people are more wary now about taking notice of a ‘change of payment details’ message without checking with the genuine supplier.

I think the comments in this thread are intended to cover all scams where people are parted from their money on false pretences.

SingDon – Thanks for posting here. Much has been said about careless victims but it is time to pay more attention to how banks and businesses are allowed to operate and remove opportunities for fraud.

I think what has been said, in my case anyway, is to look at both sides of this problem – how customers can deal better with their online financial transactions, the part they play in losing money, how the banks can improve their systems to support safe customer transactions and their failures in a transaction that loses money.

I do not subscribe to the view that all victims are free from fault or responsibility in conducting a transaction that goes wrong, nor that they should be automatically compensated by the banks customers, nor that the banks are always responsible for what their clients choose to do with their own money.

SingDon, we can all make a contribution when next in contact with our bank, to inquire whether they have signed up to CoP. If not, why not? And threaten to switch to another bank if you receive a negative response.

I don’t believe that all victims should be automatically compensated and have repeatedly said that each case should be treated on its merits. Losing a fairly small amount of money by responding to a fake Facebook ad may be of educational video.

As SingDon has said, CoP should be universal rather than used by only the main banks. Until that happens I see these organisations partially responsible for losses. Elsewhere we have criticised the owners of online marketplaces where traders are able to sell products that do not comply with safety regulations.

The Payment Systems Regulator (PSR) is consulting on Phase 2 of CoP that would include smaller banking institutions and others. They issued a document in May. What would be useful is, as I have asked a number of times, for Which? to report on why this process may not be as simple as we might like. They could ask the PSR to provide a summary in laymen’s terms. That would be of benefit to all of us and to this Conversation.
@jon-stricklin-coutinho, Jon, will Which? do this?

My view is that Confirmation of Payee should have been in place when online banking was introduced. It beggars belief that a payment system that ignores the name of the payee was ever allowed.

The payee is identified by their account number and sort code. Adding, and confirming, the precise name of the payee would, I assume, require some commonality in banks’ software systems that allowed this information to be exchanged in a standardised way. As I assume banks have their own software – just an assumption – changing would no doubt have many ramifications. Until a problem became apparent, and I do not believe that was so when online banking was launched, there seemed no need for the additional check that has now become necessary. However, that is my uninformed speculation, so…..

Why do we not see what the PSR has to say about this? That is, if Which? ask them. I would like to be properly informed. My recollection, as I have said in response in the past, is that setting up such a “simple” thing was not at all that simple. But………

I wonder what happens in other countries?

When I see my bank or card statements, I quite often find payments to businesses that I have never heard of.

So far, these have all turned out to be legitimate payments that I have authorised, but the company names as regards their bank accounts can differ considerably from their apparent “shop front” trading names.

Hence, although CoP may help in some cases, it may not be as useful in others.

As regards steps 1 and 2 of SingDon’s scenario, we have seen a similar kind of thing reported for all the “fake Clarks Shoes” scams. But for cases where step 1 involves a genuine interaction with the genuine retailer, step 2 probably requires that either the retailer or the customer has been hacked. Under those circumstances, I’m not convinced I’d want my bank to shoulder 100% of the burden of such a scam, if the victim were also one of their customers.

At the head of this Article, Which? says “…we think that the burden of scams should be shouldered more broadly rather than falling entirely on victims.” As I’ve noted before, there are businesses (i.e. insurance companies) who work to share similar burdens amongst groups of like minded consenting individuals. Although it may well make sense for banks to provide this kind of insurance to all of their customers, I cannot believe that banks will not pass the associated costs onto their customers. I think just expecting banks to fund them out of profits is unrealistic.

Malcolm – When the largest banks were eventually instructed to introduce CoP, all of them managed to do so. Maybe it was not that difficult.

I don’t believe that the views of PSR would necessarily be independent.

One of the inadequacies of the Faster Payments Service method of transferring money to a payee’s account is that on its own the sort code is not a helpful indicator of the destination of the money.

I don’t have a list of sort codes showing which bank, building society or other payment service provider they relate to. If I received a message purporting to come from my electrician, for example, asking me to use a particular sort code and account number differing from those shown on the invoice I would probably not query it, but if the message requested me to remit my payment to the Toy Town Bank it is highly likely that I would query it and probably send him a cheque instead.

A fraudster who had managed to hack into my electrician’s e-mails to send a fake message would probably have been able to set up a receiving account in another bank in the same account name so the Confirmation of Payee would show a match and the money would be transferred and then lost.

My view is that for any new payee, and for any existing payee’s change of bank details, it is essential to make a nominal trial payment first and check it has been received by the correct payee before transferring the balance. So long as the banking systems remain potentially open to new customers setting up false accounts there are serious risks which CoP does not entirely mitigate.

I note that, because of the costs and potential liabilities of the new Confirmation of Payee code of practice [the contingent reimbursement model], the NatWest Bank has decided to withdraw from servicing accounts held by family trusts and will be closing them. This does not affect a huge number of customers [maybe no more than a thousand in NatWest’s case] but the decision will create serious difficulties for those trusts which do bank with them since they will have to find another home for their funds and other banks might be reluctant to take them on board. Two kinds of people for whom trust fund accounts are in common use are orphans and disabled people who cannot manage their own money. This was reported in The Daily Telegraph and other newspapers last week. There is concern that it could be the start of a general retreat from some banking services if the complications of the new code outweigh its value to the banks. It looks to me as though the balance of liability has tipped too far in the banks’ direction so they are bound to take other steps to limit their liabilities.

NatWest has introduced a lower default limit on the amount that can be paid in a single transaction, though customers can choose to increase or decrease this figure: https://www.theguardian.com/business/2021/may/13/natwest-lets-customers-own-limit-online-transfers-scams It’s just one of the many measures that banks have been introducing to help their customers protect their money. Although I have been highly critical over the Confirmation of Payee issue I am very encouraged by the progress being made in other areas.

I believe that there is scope to assess customers’ ability to operate their accounts safely before deciding what sort of facilities individual customers should be granted. If we want to drive a car or a bus we have to demonstrate some competence, yet many have been able to open current accounts and use online banking without any evidence that we are fit to do so. Perhaps the CRM Code has been a wake-up call for the banks.

I have repeatedly suggested that banks should be encouraged to offer account facilities that would better align with their clients’ assessed capabilities. Quite how this assessment would be made I do not know; many clients would, I expect, resist having their freedom to do as they please removed. So maybe it would be reactive rather than proactive. So when a client has been found to make an irresponsible transaction, limitations are imposed on how they, in future, operate their account.

We almost all need bank accounts and passing an exam to show we can use one wisely seems impractical. It is not generally about the method of operation – although taking care to type in numbers is necessary – but about how we respond to people wanting our money and being diligent in dealing with those situations. How do you predict that?

I have, as John advises, for a long time transferred a token amount to any new payee, checked it has been properly received, and I then know it is correct in my list. It ensures large amounts are not lost due to mistyping errors. It always seemed like common sense.

Online assessment is widely used and effective. It can also be used for formative assessment, for example to allow existing customers to check that their skills are still up to date. It also removes possible embarrassment if the customer is declined the facilities they would like.

COP is only going to work for genuine mistakes not scams.

A scammer is very unlikely to set up an account in their own name. They will likely use stolen identities or details of genuine people they might already have hacked into. They either tell the victim the actual name on the account or make up some reason why it doesn’t match.

If a victim is falling for a scam they will likely fall for whatever excuse is used if COP doesn’t match. After all scammers don’t need to be at the physical addresses they use, but just forward the money onto other accounts often abroad where they are virtually untraceable and untouchable.

As Derek said,
When I see my bank or card statements, I quite often find payments to businesses that I have never heard of.
So far, these have all turned out to be legitimate payments that I have authorised, but the company names as regards their bank accounts can differ considerably from their apparent “shop front” trading names.

Perhaps use of business names needs cleaning up first.

It is necessary to ensure you have the actual name on the account to use CoP effectively, whether business or private. The legitimate business should give you this information, just as they do the a/c number and sort code. When I received cheques there could be, say, 20 ways of the payee being filled in. CoP must be precise and, if only a partial match is returned, it makes the payer aware that they may need to do more. Being sloppy about making payments is not the way to look after your money; it may take time to do it properly but it can save a lot of heartache.

I cannot accept that when a bank customer has done no wrong there is an automatic assumption that a bank must be at fault. This is probably because the forces of law and order have completely failed to get a grip on the real culprit, the fraudster. I think we should address that with equal vigour, but the banks must play their part in that and investigate all crimes against them and their legitimate customers, whether by external parties or insiders, with a view to prosecution. They are frightened that could damage their reputation, of course.

Yes, the fraudster is the culprit. Here is a list of outstanding problems that could be addressed:

:: The role of the receiving bank in providing account services to fraudsters
:: The need for a delay in transferring money to a new payee to allow time for checking and blocking payments if necessary
:: The full implementation of Confirmation of Payee
:: The need to be able to close down fraudulent websites promptly (see my recent discussion with NFH)
:: The need to consider the abilities of individual customers when providing them with banking services

Customers can and should do their best to protect themselves from scams but the banks could do much more.

You can choose to delay payments already. A customer option. So if you are a bit unsure you could do this then think about it, although best not to do it in the first place unless you are sure. Just how many people would have second thoughts, if they have not even had first thoughts, would need to be looked into.
CoP is available now for 90% of transactions. Given the wide publicity given to transfer scams, where this facility is not available, payers can use the trial amount transfer precaution.

I don’t expect that many scammers will suggest delaying payment in case the customer is being scammed. The delay must be the default. It’s not needed for existing payees.

I often set a future payment date for an on-line transfer so as to ensure there are funds to cover the payment, but I have never gone back to see if it is possible to cancel or amend a payment after it has been set up. Is that possible? I don’t have a waiting payment open at the moment to test it.

I do not know if that is possible but if a payment is delayed by default and a scam is suspected there is time to contact the bank urgently, as you would if your debit card was lost or stolen.

I have not delayed payments since I set up direct debits to pay monthly credit card bills. It would be interesting to know if it is possible for customers to cancel their own pending payments, John.

The delay can be set by the payer. I presume that if they have concerns before the payment leaves their account they can instruct their bank to cancel it. They do not have to respond to instructions of course, and many would be very wary of being told they must do this straight away. However, we have clearly many people who do not think too carefully about what they are doing. I do not believe that the banks have any duty to compensate for their clients’ deficiencies unless they were negligent as well. Help them, yes, of course.

There are many situations in life where we make mistakes, and some cannot accept that and look for someone else to blame. We do have to accept we are fallible and, unless we can show how we were put in that position by someone else’s negligence I think we have to take it on the chin.

What has surprised me is how some people have parted with huge sums of money in questionable circumstances without making elementary checks. If they lack the capacity to handle their affairs then they need help rather than compensation otherwise they are likely to continue being defrauded. It is a horrible business, nothing new, and we will never stamp it out.

Maybe a “test paper” could be devised that account holders would need to complete, unaided, to try to assess how capable they are of operating their finances in a knowledgeable and competent way. I doubt that would be easy and I expect online sources would soon tell you how to complete it.

Maybe there should be insurance available to cover losses, but the insurer would no doubt be pretty careful to check that the client had done everything correctly. They would then try to recover their payout plus costs from the guilty party, ideally the scammer, then the scammer’s bank and then the payer’s bank if they had been negligent. I consider that would be far better than having a blanket “bank pays” that will reward many unjustifiably, using my money – and other account holders.

I used online tests for between ten and fifteen years in university teaching and assessment so I’m fairly confident about what can be achieved. If you provide a random selection of questions and a limited amount of time this will provide a useful challenge and could help to evaluate customers’ understanding of recent scams and the risks they face online. One of the benefits of online assessment is that it can be used by many people at no cost other than setting up tests.

I have tried to move the focus to what banks need to do to protect our money. Unless they act, more of our money could be used to compensate victims of fraud. 🙁

I think the Which? focus has always been on the banks, with no-fault victims. I would also like to see some focus on the account holders and what they need to do to protect their money, and what help might be given.

If I withdraw cash from my bank’s ATM, or over the counter, and spend that unwisely, would I expect to be reimbursed by the bank, if I have been defrauded for example? The bank does not know what I intend to do with the money. When I ask them to transfer money to someone else, and the bank has no knowledge that the person is committing fraud, they again have no knowledge of what I intend to do with the money. But somehow they are now in the firing line to give my money back. It seems a little odd. Maybe it is because we see banks as cash cows. In practice, the money they give away to victims is ours and we should be careful just how that money is used.

We see a plea that banks should declare routinely how much money they repay to “victims”. What we should be asking for is banks to declare how much money they have had to repay because of some fault in their process. Then I would know who I’d prefer to bank with. One that dishes out my cash willy nilly is not an institution I would want to patronise.

I agree with you malcolm.

Does Which? really have the right to make demands of the banks? Has Which? ever approached the banks to give their views?

All we get from Which? is the big bad banks with as usual, no consideration given to the consequences of the demands they are making. Banks do not have magic money trees and recompense will be paid for by customers.

I can’t find it now, but some years ago there was a convo entitled something like ‘Why is interest on savings so low?’ Well now, Which? will be an additional reason why interest rates are kept low. People saving for their first home and getting next to no interest on their savings can blame Which?

Sometimes I think Which? wants scams to keep going so it stays relevant. I have suggested starting emails with Do’s and Don’ts instead of beating about the bush with individual experiences. I have suggested a self-help convo to teach people how to check who they are dealing with, but all has been ignored.

Why wouldn’t Which? want to help people help themselves? I just don’t get it.

Here’s an interesting one to consider: it’s too easy to make an error of a single digit when making a bank transfer. That’s one reason COP was introduced.

But a close friend has encountered a far more serious issue.

He’s found that the banks continue to play the idiot with our money. How else can we describe the behaviour of some of the major players in the banking industry refusing or failing to include other banks in their COP checking?

Let’s say he’d tried to pay off his mortgage in full. He had a spare £23,000 in his savings accounts, so he contacted his mortgage supplier who is Nationwide. Armed with the sort code and account number of Nationwide’s mortgage account, he then tried to make a transfer through his own bank’s website.

His bank has a transfer system whereby it checks the name you enter of the company with the list it maintains but when he put in the codes for the Nationwide’s account the bank flagged it up as finding no matching name.

So I tried the same process and was unable to get my bank to find a name matching the account number. It did offer alternatives – the Nationwide Gold card and Nationwide visa card – but not the Nationwide’s mortgage account or Nationwide itself.

I spoke to a Nationwide representative and asked them why the High Street banks didn’t seem to recognise their name. He told me he had no idea, but it was a fact that the big four banks don’t acknowledge Nationwide’s existence in their COP systems.

Seems to me that’s an obstructive approach to take to customers. It’s almost as though the banks don’t want to cooperate. In that instance, who would be to blame if a large sum of money went to the wrong person?

This may be explained in the PSR and Pay.UK documents and, if so, is being addressed in the Phase 2 of CoP. This included PSPs with Secondary Reference Data (SRD) accounts, including some building societies – mortgage accounts and cards. This may be why the CoP was not returned. However, I am no expert.

Ian makes a good point as Nationwide are different from the big four banks. “As a building society, we’re owned by you, our members, and run for your benefit. (You’re a member if you bank, save or have a mortgage with us.)”


If some of Nationwide COPs are returned, then it sounds like not all of them have been set up by Nationwide yet. Mortgage and savings accounts change names very frequently, some of them will go back many years and may be in a dormant state. Some accounts are also exempt from COP:

Nationwide say:
When we won’t be able to match your name

– within the first 24 hours of opening a new account
– on payments to a Nationwide credit card account – but we’re working on it

You can still continue with the payment – but always double-check the account name and details are correct.

Ian, I am reading your post again and you said “His bank has a transfer system whereby it checks the name you enter of the company with the list it maintains”.

I would hope COP does a check with the receiving bank for every transfer, not check against a list they have that may be out of date.

Ian wrote: “It’s almost as though the banks don’t want to cooperate. In that instance, who would be to blame if a large sum of money went to the wrong person?”

I suppose that some would insist that the customers should shoulder the entire blame.

I really don’t understand why there is a need to consult on the further roll out of a system that should have been in place years ago.

Alfa: I was not referring to privately held mortgage accounts, but to the main, Nationwide account into which my pal was attempting to transfer a large sum to redeem his mortgage. It exists and has done for many, many years. The account No. is 44444445 (verified by the Nationwide chap to whom I spoke).

The main point I was making is that this account, this hugely significant account of a bank / building society, is not being recognised by most of the big high street banks for the purposes of COP.

I found this out by accident. I wonder just how many other COP issues are awaiting discovery?

The documents issued by the PSR and Pay.UK are useful here to help understand that the process is not as simple as it might appear.

Some would certainly ask that if a payer has negligently sent a large sum of money to the wrong person, why are they not responsible? If they accidentally added an extra 0 or 00 to the amount to be paid, who might be held responsible for that?

..and these are easy errors to make, at the best of times. But if it transpires that banks are actively refusing to list competitors, such as Nationwide, on the COP systems, I believe it adds a more sinister slant.

I think it’s mainly down to lack of transparency and self-imposed noncommittal prevarication, hiding behind an archaic obsolescent code of confidentiality that precludes them from any legal responsibility to protect the concerns of the clientele whose financial interests are entrusted to them.

Banks are fully aware that the PSR needs the cooperation of all banks for the implementation of CRM to work, and that it won’t work if only a few agree to do so. Therefore, it’s in their own interests to take the necessary steps to ensure continuity of the status quo.

Malcolm wrote: “The documents issued by the PSR and Pay.UK are useful here to help understand that the process is not as simple as it might appear.”

What would happen if it was difficult for manufacturers to produce products that complied with new international safety standards? The fact that all the banks that were told to implement COP were successful suggests that problems can be overcome.

Manufacturers do have to adapt to produce products that meet new regulations. The banks had to do the same. The instruction to join CoP followed on from the period during which banks made the necessary preparations.

https://www.pinsentmasons.com/out-law/news/confirmation-of-payee-delay is a third-party comment, from a couple of years ago. Pinsent Masons LLP is an international law firm which specialises in the energy, infrastructure, financial services, real estate and advanced manufacturing and technology sectors. ..

I know that manufacturers have to meet new regulations, Malcolm, which provides the necessary to achieve prompt action. It’s very disappointing that after a year there is still consultation about further roll-out of a system that has proven to be effective.

I have just been into First Direct and the only accounts to appear if I search for Nationwide are the same Nationwide Gold card and Nationwide visa card.

Manufacturers are usually involved – with others – in the development of new regulations, and I expect the banks have also been involved in the past in developing the means to achieve CoP. It will not have been imposed out of the blue. That is necessary to ensure proposals are workable and achievable. It takes time to ensure what results will do the job.
As I have asked repeatedly, as we are not experts it would be useful to shed light on this topic if someone unbiased and independent could provide a contribution. An organisation directly involved would be good.
Phase 2 is not just about a “further roll out”, but about being able to involve institutions that were not able to take part in phase 1.
https://www.nationwide.co.uk/support/payments-and-transfers/confirmation-of-payee#matchname. Has anyone asked Nationwide about the problems they raise? Maybe Which? could comment.

Er, yes; I’ve spoken to them about the situation and they’ve claimed to be in the dark as to why the banks don’t recognise them.

With 15 million personal customers [not all of whom necessarily bank with Nationwide], the building society must be at least as big in retail banking as any of the other major high street payment service providers [Barclays, Lloyds, NatWest Group, and HSBC], and they all have the same regulators, so why this anomaly persists eludes me.

I’ve been persistent, and spoken at some length today with a representative from Nationwide. I reiterated the question about COP recognition and he explained that the reason they’d been given was the account was elderly and the name too large to squeeze into the available space for COP.

However, determined to get to the bottom of this I pretended to be transferring several thousands from our own bank to Nationwide.

We encountered several red, flashing warnings that ‘this account is not supported’ but nonetheless pushed on until the very last bit before pressing the ‘do your worst’ button. Miraculously, this appeared in the very last screen in the payee name space:


What makes this even curiouser is the fact that I searched on the lists of available companies our own bank provided. No matter what criteria I selected, nothing similar to that name appeared.

This is something that needs investigation. This is exactly what we pay our subscriptions for. It’s critical, not least because we’ve discovered this example but we don’t know for sure how many other examples of this exist – or why.

I cannot find much about similar complaints online. Which? could ask Pay.UK, who set the rules and standards, to comment.

That makes more sense Ian, I just couldn’t believe banks would intentionally refuse to participate.

That reminds me that reference numbers can also be too long. A while back I couldn’t transfer money online to a building society because their reference number was too long. I had to phone the bank to make the transfer.

That’s basic programming, though. Itself, simply refusing to consider future possibilities. But it’s clear that it can be done, so the question is why it’s not.

It’s not just that, however. I’ve written about this before, but finding out exactly who demands you complete a ‘verified by visa’ form by providing a number sent to you by mobile ‘phone when you don’t have any mobile signal is a nightmare.

The banks insist this is not them, but the merchants. The merchants, however, say otherwise. Someone clearly isn’t telling the truth.

In truth I have some sympathy with those who resent a nanny-style approach to victims of scamming, but the banks are very, very far from blameless.

The original thrust from Which? about all this was simply to set the UK’s major banks and building societies a deadline of 28th May to commit to publishing their reimbursement rates regularly and in full. It wasn’t demanding every apparent victim be reimbursed, immediately and without question. It was to find out how the banks have been responding to the code and to explain the differing approaches being taken by the various institutions.

That’s Which?’s job, surely?

It is the credit card companies who request verification Ian, you might have missed my reply on 28th May.

Can you now use your internet to boost your mobile signal?

It seems irrelevant how much reimbursement the banks have paid out. What is more relevant is how many times they have been wholly or partially at fault. And that failure can lead to more than one bank paying out, and the customer receiving a reduced amount if they have been somewhat negligent.
The code recognises the shared part of responsibility in, for example, ALL2(2) where, if the bank(s) have failed to meet the standards for firms the allocation of reimbursement should be shared.

But the credit card companies say it’s the merchant, Alfa. So what’s the real truth, I wonder?

Regarding the passcode, the issue is not that simple. It’s making the inherent assumption we have mobile ‘phones. We’re lucky, in that we can both afford iPhones. But what about those who can’t?

Oh, and the codes don’t arrive via Wi-Fi, for some reason.

Not sure that helps a lot. One sentence leapt off the page:

Visa always offers comprehensive fraud protection to cardholders. With Verified by Visa, you get an extra layer of security to protect your identity and your shopping experience online.

How, exactly? There’s already sufficient protection when using a credit card. So for whom is this “comprehensive fraud protection” intended? The three, poster-sized ‘benefits’ are not benefits at all:

“Peace of mind in your online purchases”, “More successful checkouts” and the last – and possibly most bizarre – “Minimal additional friction”.

I suspect these are marketing ploys, perhaps even lies. I’d also like to ask Which?’s specialists to answer the questions I’ve posed.

1. Who, exactly, asks for extra verification?
2. Why do the main banks not list Nationwide in their COP systems?
3. If Nationwide isn’t listed, how many other institutions are affected?
4. What is stopping the banks publishing the relevant data on COP?

Friends who held very senior positions in some of the big four banks have revealed over time the relentless search for huge profits, often at the expense of service to their own customers.

For interesting reading it’s worth browsing the annual accounts from the big four.

In my view, the amount lost to scammers could be greatly reduced by introducing a delay in transferring substantial amounts of money to new payees, giving time for the bank’s customers to report that they suspect they have been scammed and give the bank time to investigate before it is too late.

The delay needs to be by default and if individuals want to forgo this protection, then they could lose the opportunity for their money to be recovered. There would be no need to delay payment to existing payees.

I agree with all that but would suggest cancelling the default delay should be possible on an individual optional basis per transaction rather than as a routine preference.

Yes, I can see where that would be useful. Of course the danger is that a scammer could push their victim to defeat the protection of a delayed payment.

Some transactions need to be made quickly, for a variety of reasons.
I favour accounts with tiered facilities that match better the perceived, or real, ability and capacity of the account holder to operate them responsibly. That can include a compulsory delay, but should include limitations on single transaction size and frequency, requirement for a second authorisation where appropriate, an automatic response from the bank to certain value transactions requiring confirmation from the account holder or an appointee before it is paid, for example.

One example of such a limitation was when NatWest reduced the default amount that a customer could pay online from £20k to £5k, though this can be changed: https://www.theguardian.com/business/2021/may/13/natwest-lets-customers-own-limit-online-transfers-scams

It is very encouraging what has been done in the past year or two to help protect customers.

The limit for a single transaction with my bank is £10k, but I can make multiple transactions to the same payee on the same day. With one building society you had to wait 24h before making a further transaction over the limit.

Most people operate their accounts quite satisfactorily. We need to identify those who are less able and structure accounts to limit their loss in case they act without sufficient thought.