Contingent Reimbursement Model (CRM) Code: two years on

I worry that the online platforms who claim to be FinTech companies and not banks will not agree to the CoP regulations. Just as most of them have not signed on to CRM ( they use the “ Uber” argument, “we are a technology company and not a taxi company, so taxi rules and regulations don’t apply to us “!). FCA needs to bring all online platforms under their strict rules and regulations, including KYC / due deligence for account opening, minimum Capital requirements, depositor protection etc. Has Which? looked into this ?

I cannot recall reading anything but this is too important to ignore.

I have had credit card payments rejected because my name didn’t match exactly. It was probably a few years ago now, but since then I have always made sure I entered my name exactly the same as it is printed on the card.

Now I have the benefit of seeing how my name is printed on my credit or debit card, something that is denied to most payers. They have to rely on word of mouth, or a written communication that might not contain the precise details.

Malcolm – I am hoping that you are not suggesting that any scam victims would be dishonest. They must be presumed to be as pure as the driven snow.

Malcolm, do you think the victims knowingly part with their money to the fraudsters? In all cases they are tricked into sending money to the fraudster, usually by the fraudster pretending to be a real business, sending invoices ( faked) in the name of real business and redirecting the money to a bank account which unbeknown to the victim is not in the name of the real business but the fraudster’s bank account.

SingDon, a question for you:

I get calls from this person who has a client wanting my shares for a hostile takeover. She is offering £15 a share making them worth £150,000, considerably more than what they were worth the last time I looked.

She sounds very plausible, wants to send me the paperwork and I will need to pay a bond of £10,000.

If I pay the bond and it turns out to be a scam, should I get my £10,000 refunded to me?

My response to SingDon is that many victims are knowingly parting with their money — because they are not thinking what they are doing.

Yes, it is trickery, but there is nobody standing over the victim threatening them, or with a weapon or using blackmail. It’s just a telephone call which can be terminated instantly. What if you weren’t in or didn’t answer the phone? Nothing is so urgent that it cannot be dealt with formally. Banks can always make a potentially dangerous situation safe if the customer is not available; tech companies can repair landlines or restore connectivity without customer intervention and shutting down their internet.

People are progressively building up their immunity to scams through experience and due to exposure: the more calls you get the more you realise there are far too many to be genuine, so you distrust them all. Constantly looking for protection is not doing anything to build up people’s own defences through intuition and common sense.

So suspicious and adverse have people now become that scammers are getting desperate and are resorting to ever more ludicrous scenarios — like the National Insurance No. scam. Through sheer weight of numbers the criminals are ruining their own pitches, and they are running out of plausible narratives. The chances that your internet is going to be disconnected, your Amazon account will be unexpectedly debited for a Prime subscription, and that a parcel you hadn’t ordered was being held for delivery on payment of £2.99, all on the same day, must be one in a hundred million. So when the phone rings again and you are told that a £600 charge has been put on your Visa card, are you going to believe it?

I note your comment but cannot recall any cases that follow that pattern having been reported or discussed here. The usual APP or Payment Diversion scams involve the interception of the supplier’s e-mail account to substitute the payment details that have already been given on the invoice. The points you have made are nonetheless valid and there is usually maladministration in the receiving bank as well as a lack of security in the supplier’s system that allows their account administration to be easily penetrated. Nowadays this largely affects small businesses and sole traders. Following publicity, people are more wary now about taking notice of a ‘change of payment details’ message without checking with the genuine supplier.

I think the comments in this thread are intended to cover all scams where people are parted from their money on false pretences.

SingDon – Thanks for posting here. Much has been said about careless victims but it is time to pay more attention to how banks and businesses are allowed to operate and remove opportunities for fraud.

I think what has been said, in my case anyway, is to look at both sides of this problem – how customers can deal better with their online financial transactions, the part they play in losing money, how the banks can improve their systems to support safe customer transactions and their failures in a transaction that loses money.

I do not subscribe to the view that all victims are free from fault or responsibility in conducting a transaction that goes wrong, nor that they should be automatically compensated by the banks customers, nor that the banks are always responsible for what their clients choose to do with their own money.

SingDon, we can all make a contribution when next in contact with our bank, to inquire whether they have signed up to CoP. If not, why not? And threaten to switch to another bank if the you receive a negative response.

I don’t believe that all victims should be automatically compensated and have repeatedly said that each case should be treated on its merits. Losing a fairly small amount of money by responding to a fake Facebook ad may be of educational video.

As SingDon has said, CoP should be universal rather than used by only the main banks. Until that happens I see these organisations partially responsible for losses. Elsewhere we have criticised the owners of online marketplaces where traders are able to sell products that do not comply with safety regulations.

The Payment Systems Regulator (PSR) is consulting Phase 2 of CoP that would include smaller banking institutions and others. The issued a document in May. What would be useful is, as I have asked a number of times, for Which? to report on why this process may not be as simple as we might like. They could ask the PSR to provide a summary in laymen’s terms. That would be of benefit to all of us and to this Conversation.
@jon-stricklin-coutinho, Jon, will Which? do this?

My view is that Confirmation of Payee should have been in place when online banking was introduced. It beggars belief that a payment system that ignores the name of the payee was ever allowed.

The payee is identified by their account number and sort code. Adding, and confirming, the precise name of the payee would, I assume, require some commonality in banks software systems that allowed this information to be exchanged in a standardised way. As I assume banks have their own software – just an assumption – changing would no doubt have many ramifications. Until a problem became apparent, and I do not believe that was so when online banking was launched, there seemed no need for the additional check that has now become necessary. However, that is my uninformed speculation, so…..

Why do we not see what the PSR has to say about this? That is, if Which? ask them. I would like to be properly informed. My recollection, as I have said in response in the past, is that setting up such a “simple” thing was not at all that simple. But………

I wonder what happens in other countries?

When I see my bank or card statements, I quite often find payments to businesses that I have never heard of.

So far, these have all turned out to be legitimate payments that I have authorised, but the company names as regards their bank accounts can differ considerably from their apparent “shop front” trading names.

Hence, although CoP may help in some cases, it may not be as useful in others.

As regards steps 1 and 2 of SingDon’s scenario, we have seen a similar kind of thing reported for all the “fake Clarks Shoes” scams. But for cases where step 1 involves a genuine interaction with the genuine retailer, step 2 probably requires that either the retailer or the customer has been hacked. Under those circumstances, I’m not convinced I’d want my bank to shoulder 100% of the burden of such a scam, if the victim were also one of their customers.

At the head of this Article, Which? says “…we think that the burden of scams should be shouldered more broadly rather than falling entirely on victims.” As I’ve noted before, there are businesses (i.e. insurance companies) who work to share similar burdens amongst groups of like minded consenting individuals. Although it may well make sense for banks to provide this kind of insurance to all of their customers, I cannot believe that banks will not pass the associated costs onto their customers. I think just expecting banks to fund them out of profits is unrealistic.

Malcolm – When the largest banks were eventually instructed to introduce CoP, all of them managed to do so. Maybe it was not that difficult.

I don’t believe that the views of PSR would necessarily be independent.

One of the inadequacies of the Faster Payments Service method of transferring money to a payee’s account is that on its own the sort code is not a helpful indicator of the destination of the money.

I don’t have a list of sort codes showing which bank, building society or other payment service provider they relate to. If I received a message purporting to come from my electrician, for example, asking me to use a particular sort code and account number differing from those shown on the invoice I would probably not query it, but if the message requested me to remit my payment to the Toy Town Bank it is highly likely that I would query it and probably send him a cheque instead.

A fraudster who had managed to hack into my electrician’s e-mails to send a fake message would probably have been able to set up a receiving account in another bank in the same account name so the Confirmation of Payee would show a match and the money would be transferred and then lost.

My view is that for any new payee, and for any existing payee’s change of bank details, it is essential to make a nominal trial payment first and check it has been received by the correct payee before transferring the balance. So long as the banking systems remain potentially open to new customers setting up false accounts there are serious risks which CoP does not entirely mitigate.

I note that, because of the costs and and potential liabilities of the new Confirmation of Payee code of practice [the contingent reimbursement model], the NatWest Bank has decided to withdraw from servicing accounts held by family trusts and will be closing them. This does not affect a huge number of customers [maybe no more than a thousand in NatWest’s case] but the decision will create serious difficulties for those trusts which do bank with them since they will have to find another home for their funds and other banks might be reluctant to take them on board. Two kinds of people for whom trust fund accounts are in common use are orphans and disabled people who cannot manage their own money. This was reported in The Daily Telegraph and other newspapers last week. There is concern that it could be the start of a general retreat from some banking services if the complications of the new code outweigh its value to the banks. It looks to me as though the balance of liability has tipped too far in the banks’ direction so they are bound to take other steps to limit their liabilities.

NatWest has introduced a lower default limit on the amount that can be paid in a single transaction, though customers can choose to increase or decrease this figure: https://www.theguardian.com/business/2021/may/13/natwest-lets-customers-own-limit-online-transfers-scams It’s just one of the many measures that banks have been introducing to help their customers protect their money. Although I have been highly critical over the Confirmation of Payee issue I am very encouraged by the progress being made in other areas.

I believe that there is scope to assess customers ability to operate their accounts safely before deciding what sort of facilities individual customers should be granted. If we want to drive a car or a bus we have to demonstrate some competence, yet many have been able to open current accounts and use online banking without any evidence that we are fit to do so. Perhaps the CRM Code is has been a wake-up call for the banks.

I have repeatedly suggested that banks should be encouraged to offer account facilities that would better align with their clients’ assessed capabilities. Quite how this assessment would be made I do not know; many clients would, I expect, resist having their freedom to do as they please removed. So maybe it would be reactive rather than proactive. So when a client has been found to make an irresponsible transaction, limitations are imposed on how they, in future, operate their account.

We almost all need bank accounts and passing an exam to show we can use one wisely seems impractical. It is not generally about the method of operation – although taking care to type in numbers is necessary – but about how we respond to people wanting our money and being diligent in dealing with those situations. How do you predict that?

I have, as John advises, for a long time transferred a token amount to any new payee, checked it has been properly received, and I then know it is correct in my list. It ensures large amounts are not lost due to mistyping errors. It always seemed like common sense.

Online assessment is widely used and effective. It can also be used for formative assessment, for example to allow existing customers to check that their skills are still up to date. It also removes possible embarrassment if the customer is declined the facilities they would like.

COP is only going to work for genuine mistakes not scams.

A scammer is very unlikely to set up an account in their own name. They will likely use stolen identities or details of genuine people they might already have hacked into. They either tell the victim the actual name on the account or make up some reason why it doesn’t match.

If a victim is falling for a scam they will likely fall for whatever excuse is used if COP doesn’t match. After all scammers don’t need to be at the physical addresses they use, but just forward the money onto other accounts often abroad where they are virtually untraceable and untouchable.

As Derek said,
When I see my bank or card statements, I quite often find payments to businesses that I have never heard of.
So far, these have all turned out to be legitimate payments that I have authorised, but the company names as regards their bank accounts can differ considerably from their apparent “shop front” trading names.

Exactly.
Perhaps use of business names needs cleaning up first.

It is necessary to ensure you have the actual name on the account to use CoP effectively, whether business or private. The legitimate business should give you this information, just as they do the a/s number and sort code. When I received cheques there could be, say, 20 ways of the payee being filled in. CoP must be precise and, if only a partial match is returned, it makes the payer aware that they may need to do more. Being sloppy about making payments is not the way to look after your money; it may take time to do it properly but it can save a lot of heartache.

Yes, the fraudster is the culprit. Here is a list of outstanding problems that could be addressed:

:: The role of the receiving bank in providing account services to fraudsters
:: The need for a delay in transferring money to a new payee to allow time for checking and blocking payments if necessary
:: The full implementation of Confirmation of Payee
:: The need to be able to close down fraudulent websites promptly (see my recent discussion with NFH)
:: The need to consider the abilities of individual customers when providing them with banking services

Customers can and should do their best to protect themselves from scams but the banks could do much more.

You can choose to delay payments already. A customer option. So if you are a bit unsure you could do this then think about it, although best not to do it in the first place unless you are sure. Just how many people would have second thoughts, if they have not even had first thoughts, would need to be looked into.
CoP is available now for 90% of transactions. Given the wide publicity given to transfer scams, where this facility is not available, payers can use the trial amount transfer precaution.

I don’t expect that many scammers will suggest delaying payment in case the customer is being scammed. The delay must be the default. It’s not needed for existing payees.

I often set a future payment date for an on-line transfer so as to ensure there are funds to cover the payment, but I have never gone back to see if it is possible to cancel or amend a payment after it has been set up. Is that possible? I don’t have a waiting payment open at the moment to test it.

I do not know if that is possible but if a payment is delayed by default and a scam is suspected there is time to contact the bank urgently, as you would if your debit card was lost or stolen.

I have not delayed payments since I set up direct debits to pay monthly credit card bills. It would be interesting to know if it is possible for customers to cancel their own pending payments, John.

The delay can be set by the payer. I presume that if they have concerns before the payment leaves their account they can instruct their bank to cancel it. They do not have to respond to instructions of course, and many would be very wary of being told they must do this straight away. However, we have clearly many people who do not think too carefully about what they are doing. I do not believe that the banks have any duty to compensate for their clients’ deficiencies unless they were negligent as well. Help them, yes, of course.

There are many situations in life where we make mistakes, and some cannot accept that and look for someone else to blame. We do have to accept we are fallible and, unless we can show how we were put in that position by someone else’s negligence I think we have to take it on the chin.

What has surprised me is how some people have parted with huge sums of money in questionable circumstances without making elementary checks. If they lack the capacity to handle their affairs then they need help rather than compensation otherwise they are likely to continue being defrauded. It is a horrible business, nothing new, and we will never stamp it out.

Maybe a “test paper” could be devised that account holders would need to complete, unaided, to try to assess how capable they are of operating their finances in a knowledgeable and competent way. I doubt that would be easy and I expect online sources would soon tell you how to complete it.

Maybe there should be insurance available to cover losses, but the insurer would no doubt be pretty careful to check that the client had done everything correctly. They would then try to recover their payout plus costs from the guilty party, ideally the scammer, then the scammers bank and then the payers bank if they had been negligent. I consider that would be far better than having a blanket “bank pays” that will reward many unjustifiably, using my money – and other account holders.

I used online tests for between ten and fifteen years in university teaching and assessment so I’m fairly confident about what can be achieved. If you provide a random selection of questions and a limited amount of time this will provide a useful challenge and could help to evaluate customers’ understanding of recent scams and the risks they face online. One of the benefits of online assessment is that it can be used by many people at no cost other than setting up tests.

I have tried to move the focus to what banks need to do to protect our money. Unless they act, more of our money could be used to compensate victims of fraud. 🙁

I think the Which? focus has always been on the banks, with no-fault victims. I would also like to see some focus on the account holders and what they need to do to protect their money, and what help might be given.

If I withdraw cash from my bank’s ATM, or over the counter, and spend that unwisely, would I expect to be reimbursed by the bank, if I have been defrauded for example? The bank does not know what I intend to do with the money. When I ask them to transfer money to someone else, and the bank has no knowledge that the person is committing fraud, they again have no knowledge of what I intend to do with the money. But somehow they are now in the firing line to give my money back. It seems a little odd. Maybe it is because we see banks as cash cows. In practice, the money they give away to victims is ours and we should be careful just how that money is used.

We see a plea that banks should declare routinely how much money they repay to “victims”. What we should be asking for is banks to declare how much money they have had to repay because of some fault in their process. Then I would know who I’d prefer to bank with. One that dishes out my cash willy nilly is not an institution I would want to patronise.

I agree with you malcolm.

Does Which? really have the right to make demands of the banks? Has Which? ever approached the banks to give their views?

All we get from Which? is the big bad banks with as usual, no consideration given to the consequences of the demands they are making. Banks do not have magic money trees and recompense will be paid for by customers.

I can’t find it now, but some years ago there was a convo entitled something like ‘Why is interest on savings so low?’ Well now, Which? will be an additional reason why interest rates are kept low. People saving for their first home and getting next to no interest on their savings can blame Which?

Sometimes I think Which? wants scams to keep going so it stays relevant. I have suggested starting emails with Do’s and Dont’s instead of beating about the bush with individual experiences. I have suggested a self-help convo to teach people how to check who they are dealing with, but all has been ignored.

Why wouldn’t Which? want to help people help themselves? I just don’t get it.

This may be explained in the PSR and Pay. UK Documents and, if so, is being addressed in the Phase 2 of CoP. This included PSPs with Secondary Reference Data (SRD) accounts, including some building societies – mortgage accounts and cards. This may be why the CoP was not returned. However, I am no expert.

Ian makes a good point as Nationwide are different from the big four banks. “As a building society, we’re owned by you, our members, and run for your benefit. (You’re a member if you bank, save or have a mortgage with us.)”

https://www.nationwide.co.uk/products/current-acco…rrent-accounts/what-makes-us-different

If some of Nationwide COPs are returned, then it sounds like not all of them have been set up by Nationwide yet. Mortgage and savings accounts change names very frequently, some of them will go back many years and may be in a dormant state. Some accounts are also exempt from COP:
https://www.ukfinance.org.uk/confirmation-of-payee

Nationwide say:
When we won’t be able to match your name

You can still continue with the payment – but always double-check the account name and details are correct.
https://www.nationwide.co.uk/support/payments-and-transfers/confirmation-of-payee#matchname

Ian, I am reading your post again and you said His bank has a transfer system whereby it checks the name you enter of the company with the list it maintains‘

I would hope COP does a check with the receiving bank for every transfer, not check against a list they have that may be out of date.

Ian wrote: “It’s almost as though the banks don’t want to cooperate. In that instance, who would be to blame if a large sum of money went to the wrong person?”

I suppose that some would insist that the customers should shoulder the entire blame.

I really don’t understand why there is a need to consult on the further roll out of a system that should have been in place years ago.

Alfa: I was not referring to privately held mortgage accounts, but to the main, Nationwide account into which my pal was attempting to transfer a large sum to redeem his mortgage. It exists and has done for many, many years. The account No. is 44444445 (verified by the Nationwide chap to whom I spoke).

The main point I was making is that this account, this hugely significant account of a bank / building society, is not being recognised by most of the big high street banks for the purposes of COP.

I found this out by accident. I wonder just how many other COP issues are awaiting discovery?

The documents issued by the PSR and Pay. UK are useful here to help understand that the process is not as simple as it might appear.

Some would certainly ask that if a payer has negligently sent a large sum of money to the wrong person, why are they not responsible? If they accidentally added an extra 0 or 00 to the amount to be paid, who might be held responsible for that?

..and these are easy errors to make, at the best of times. But if it transpires that banks are actively refusing to list competitors, such as Nationwide, on the COP systems, I believe it adds a more sinister slant.

I think it’s mainly down to lack of transparency and self-imposed noncommittal prevarication, hiding behind an archaic obsolescent code of confidentiality that precludes them from any legal responsibility to protect the
concerns of the clientele whose financial interests are
entrusted to them.

Banks are fully aware that the PSR needs the cooperation of all banks for the implementation of CRM to work, and that it won’t work if only a few agree to do so. Therefore, it’s in their own interests to take the necessary steps to ensure continuity of the status quo.

Malcolm wrote: “The documents issued by the PSR and Pay. UK are useful here to help understand that the process is not as simple as it might appear.”

What would happen if it was difficult for manufacturers to produce products that complied with new international safety standards? The fact that all the banks that were told to implement COP were successful suggests that problems can be overcome.

Manufacturers do have to adapt to produce products that meet new regulations. The banks had to do the same. The instruction to join CoP followed on from the period during which banks made the necessary preparations.

https://www.pinsentmasons.com/out-law/news/confirmation-of-payee-delay is a third part comment, from a couple of years ago. Pinsent Masons LLP is an international law firm which specialises in the energy, infrastructure, financial services, real estate and advanced manufacturing and technology sectors. ..

I know that manufacturers have to meet new regulations, Malcolm, which provides the necessary to achieve prompt action. It’s very disappointing that after a year there is still consultation about further roll-out of a system that has proven to be effective.

I have just been into First Direct and the only accounts to appear if I search for Nationwide are the same Nationwide Gold card and Nationwide visa card.

Manufacturers are usually involved – with others – in the development of new regulations, and I expect the banks have also been involved in the past in developing the means to achieve CoP. It will not have been imposed out of the blue. That is necessary to ensure proposals are workable and achievable. It takes time to ensure what results will do the job.
As I have asked repeatedly, as we are not experts it would be useful to shed light on this topic if someone unbiased and independent could provide a contribution. An organisation directly involved would be good.
Phase 2 is not just about a “further roll out”, but about being able to involve institutions that were not able to take part in phase 1.
https://www.nationwide.co.uk/support/payments-and-transfers/confirmation-of-payee#matchname. Has anyone asked Nationwide about the problems they raise? Maybe Which? could comment.

Er, yes; I’ve spoken to them about the situation and they’ve claimed to be in the dark as to why the banks don’t recognise them.

With 15 million personal customers [not all of whom necessarily bank with Nationwide], the building society must be at least as big in retail banking as any of the other major high street payment service providers [Barclays, Lloyds, NatWest Group, and HSBC], and they all have the same regulators, so why this anomaly persists eludes me.

I’ve been persistent, and spoken at some length today with a representative from Nationwide. I reiterated the question about COP recognition and he explained that the reason they’d been given was the account was elderly and the name too large to squeeze into the available space for COP.

However, determined to get to the bottom of this I pretended to be transferring several thousands from our own bank to Nationwide.

We encountered several red, flashing warnings that ‘this account is not supported’ but nonetheless pushed on until the vary last bit before pressing the ‘do your worst’ button. Miraculously, this appeared in the very last screen in the payee name space:

“NATIONWIDE BLDG SCTY”

What makes this even curiouser is the fact that I searched on the lists of available companies our own bank provided. No matter what criteria I selected, nothing similar to that name appeared.

This something that needs investigation. This is exactly what we pay our subscriptions for. It’s critical, not least because we’ve discovered this example but we don’t know for sure how many other examples of this exist – or why.

I cannot find much about similar complaints online. Which? could ask Pay.UK, who set the rules and standards, to comment.

That makes more sense Ian, I just couldn’t believe banks would intentionally refuse to participate.

That reminds me that reference numbers can also be too long. A while back I couldn’t transfer money online to a building society because their reference number was too long. I had to phone the bank to make the transfer.

That’s basic programming, though. Itself, simply refusing to consider future possibilities. But it’s clear that it can be done, so the question is why it’s not.

It is the credit card companies who request verification Ian, you might have missed my reply on 28th May.
https://conversation.which.co.uk/community/off-topic-lobby-3/#comment-1628167

Can you now use your internet to boost your mobile signal?

It seems irrelevant how much reimbursement the banks have paid out. What is more relevant is how many times they have been wholly or partially at fault. And that failure can lead to more than one bank paying out, and the customer receiving a reduced amount if they have been somewhat negligent.
The code recognises the shared part of responsibility in, for example, ALL2(2) where, if the bank(s) have failed to meet the standards for firms the allocation of reimbursement should be shared.

But the credit card companies say it’s the merchant, Alfa. So what’s the real truth, I wonder?

Regarding the passcode, the issue is not that simple. It’s making the inherent assumption we have mobile ‘phones. We’re lucky, in that we can both afford iPhones. But what about those who can’t?

Oh, and the codes don’t arrive via Wi-Fi, for some reason.

https://www.visa.co.uk/pay-with-visa/featured-technologies/verified-by-visa.html

https://www.visa.co.uk/content/dam/VCOM/global/run-your-business/documents/visa-3d-secure-2-infographic.pdf

Not sure that helps a lot. One sentence leapt off the page:

Visa always offers comprehensive fraud protection to cardholders. With Verified by Visa, you get an extra layer of security to protect your identify and your shopping experience online.

How, exactly? There’s already sufficient protection when using a credit card. So for whom is this “comprehensive fraud protection” intended? The three, poster-sized ‘benefits’ are mniot benefits at all:

“Peace of mind in your online purchases, More successful checkouts and the last – and possibly most bizarre – “Minimal additional friction”.

I suspect these are marketing ploys, perhaps even lies. I’d also like to ask Which?’s specialists to answer the questions I’ve posed.

1. Who, exactly, asks for extra verification?
2. Why do the main banks not list Nationwide in their COP systems?
3. If Nationwide isn’t listed, how many other institutions are affected?
4. What is stopping the banks publishing the relevant data on COP?

Friends who held very senior positions in some of the big four banks have revealed over time the relentless search for huge profits, often at the expense of service to their own customers.

For interesting reading it’s worth browsing the annual accounts from the big four.

I agree with all that but would suggest cancelling the default delay should be possible on an individual optional basis per transaction rather than as a routine preference.

Yes, I can see where that would be useful. Of course the danger is that a scammer could push their victim to defeat the protection of a delayed payment.

Some transactions need to be made quickly, for a variety of reasons.
I favour accounts with tiered facilities that match better the perceived, or real, ability and capacity of the account holder to operate them responsibly. That can include a compulsory delay, but should include limitations on single transaction size and frequency, requirement for a second authorisation where appropriate, an automatic response from the bank to certain value transactions requiring confirmation from the account holder or an appointee before it is paid, for example.

One example of such a limitation was when NatWest reduced the default amount that a customer could pay online from £20k to £5k, though this can be changed: https://www.theguardian.com/business/2021/may/13/natwest-lets-customers-own-limit-online-transfers-scams

It is very encouraging what has been done in the past year or two to help protect customers.