
Contingent Reimbursement Model (CRM) Code: two years on

Today marks the two year anniversary of the Contingent Reimbursement Model (CRM) Code. Here’s how it’s worked in practice, plus a round-up of FAQs.

04/06/2021: Update


The Contingent Reimbursement Model (CRM) Code sets out how banks should approach prevention of scam payments and reimbursement of victims. At the time, the Code was a landmark piece of work – a document written by consumer groups and industry to address some of the key concerns that we had raised in our super complaint in 2016.

It spelled out for the first time in one place how victims should be treated and when and why they should be reimbursed by their bank.

Some things have improved since the Code was introduced. Average reimbursement rates have risen from around 20% pre-Code to around 45% and banks have invested more heavily in warnings on their apps and online banking systems.

Some have introduced (either voluntarily or after being directed by the regulator) systems such as Confirmation of Payee to help people spot when they may be making a payment to the wrong account. We have welcomed such improvements and pushed banks who are lagging behind to start taking similar action.

Inconsistent implementation

In other areas, however, things have been less rosy. As we and others like the Financial Ombudsman Service have noted on multiple occasions, the voluntary nature of the Code and the lack of proper oversight by the regulator have resulted in a haphazard and inconsistent implementation by signatories.

Reimbursement rates, though higher than they were two years ago, are not as high as the regulator expects they should be and vary wildly between firms – with some reimbursing over 50% of victims, and others reimbursing fewer than 10%.

This data is still anonymous, too, meaning that customers have no idea how their bank approaches reimbursement of victims. Other data, such as the level of bank transfer scams by bank, is not published at all.

£700k lost every day to scammers

Today we have published research showing that, on average, an astonishing £700k was lost every day to scammers between the introduction of the Code and the end of 2020.

That’s the equivalent of around £491 – or the cost of a new iPhone XR – every minute. It is clear that both prevention of APP fraud, and reimbursement of those who’ve been deceived by sophisticated fraudsters, must improve.

We will continue to push for the voluntary Code to be replaced by a mandatory set of protections, and we are pushing the regulator to ensure it comes out strongly in favour of this in its upcoming consultation.

In the meantime, we have been busy pressuring the banks to be transparent about their reimbursement rates – and next week we will be publishing which banks have committed to publishing data and which have refused.

Scams campaign FAQs

As this is an anniversary piece for Which? Conversation, I thought I’d take the opportunity not only to update you on the campaign, but also to reply to some of the many comments and questions you have asked about scams over the years.

Q: Why should my money be used to reimburse people who have fallen victim to these scams?

Much like taxes, the money your bank earns in interest, overdraft fees, and other charges is used to fund a wide range of services.

Although the amount of money reimbursed in 2020 across all banks under the Code – £147m – is a sizeable amount, it represents a drop in the ocean compared to the money earned by banks each year. While the costs borne by banks may be passed onto consumers, we think that the burden of scams should be shouldered more broadly rather than falling entirely on victims.

Q: Shouldn’t people take responsibility for falling for these scams?

It can be difficult to appreciate how sophisticated and realistic these scams can be when you haven’t been a victim yourself. Some are carbon copies of legitimate investment websites; others intercept legitimate email or text exchanged with banks, solicitors, builders and others; others present themselves as legitimate marketplaces or online sellers when in reality they are selling nothing but a scam.

Many of us see scams every day, and it’s easy to dismiss people who fall victim to them as foolish or stupid. However, the ones we spot as scams are often the ones which are obviously a scam – they are littered with spelling mistakes or have an obviously fake email address, for example. But by and large these are not the ones that many victims actually fall for.

Other payment schemes have rules that protect consumers against fraudulent payments, including mechanisms for payments to be challenged and reversed. Faster payments, the system that bank transfer scams take place on, does not have such protections. The CRM Code aims to help plug this gap, but it remains voluntary.

There are certain circumstances where people have been ‘grossly negligent’ and in these circumstances we have always said that they should not necessarily be reimbursed.

Q: Won’t reimbursing people who have been scammed inevitably make them more careless in their transactions, knowing that if they lose money the rest of us will ‘see them right’?

We haven’t seen any evidence of this. Nobody wants to be a victim of a scam, not only because of the potential financial losses, but also the emotional impact. The CRM Code does not guarantee reimbursement (and we have never argued for 100% reimbursement), and so there remain strong incentives for consumers to avoid financial loss.

Indeed, it is possible that the opposite is true: people who fall victim to a scam are likely to have a heightened awareness of when they may possibly be being scammed again in the future.

TSB has said that even where it reimburses more than 99% of victims, it has not seen issues with customer behaviour and in fact they believe it has helped lead to more open conversations with victims.

Q: Why should banks be held responsible for their customer’s actions? Haven’t they just carried out their instructions?

Banks have a responsibility to take action to prevent scam payments. After all, fraudsters use bank accounts and the payment systems that banks offer in order to commit bank transfer fraud. 

Banks hold a lot of knowledge – about the prevalence of certain scams, the way scammers operate, and how their customers make payments. We believe it is reasonable, therefore, that banks assume responsibility rather than all of the responsibility being placed on the individual.

If you have any further questions for me please do let me know in the comments; I’ll do my best to get back to as many as I can.


Thanks for this Conversation, Chris.

I do hope Which? will push for universal implementation of Confirmation of Payee.

Much has been said about whether or not money should be refunded to scammers but perhaps the role of the receiving bank is the elephant in the room. It would be interesting to know what is being done by banks to prevent accounts and card services being given to scammers. If I was to rent a flat I would be required to place a deposit that could be lost if I don’t pay the rent or damage the property. Perhaps new businesses should pay a deposit that could be lost if they are subsequently found to be using the account for fraudulent purposes.

On 1st November 2009, The Banking Code was superseded by The Financial Services Authority Payment Services Regulations 2009 (FSA), amongst other things, making banks legally liable for transactions, unless they could prove that customers had authorised them.”

Codes of Practice are guidelines and rules that members of a profession are expected to adhere to. Codes of Practice do not usually carry the force of legislation.

The Banks are therefore bound by The FSA’s Payment Services Regulations 2009, and are unlikely to view The Pressure Consumer Groups’ CRM Code as legally binding without a lot more pressure applied to them, preferring instead to abide by their own legally binding ability to be able to prove customers had, in fact, authorised fraudulent transactions.

Unless the FSA reintroduce further legislation upon the banking profession to force them to reimburse their customers who have lost money to fraudsters, the banks will continue to regard their confidentiality code as sacrosanct, applicable to all their customers at an individual level.

Consumer Groups need to understand that any future changes need to come directly from the FSA, which have to be legally binding, and not waste time with The Financial Ombudsman, whose role is that of an advisory acting for, and funded by the large organisations that subsidise it.

Here is an FCA document that explains that customers must be refunded except under specific circumstances: https://www.fca.org.uk/consumers/unauthorised-payments-account

Perhaps there is a case for payment of a fee towards the costs of investigation of cases.

I’ve had no experience of using ombudsman services, Beryl, but I share your concern about impartiality.

That is not quite right wavechange. The first line says:
In most circumstances, your bank must refund you for an unauthorised payment.

Why a refund can be refused

If your bank refuses to refund an unauthorised payment, it should explain why.

It can only refuse a refund if:
– it can prove you authorised the transaction – however, your bank can’t simply say that the use of your password, card or PIN proves you authorised a payment
– it can prove you are at fault because you acted fraudulently or because you deliberately, or with ‘gross negligence’, failed to protect the details of your card, PIN or password in a way that allowed the transaction
– you told your bank about an unauthorised payment 13 months or more after the date it left your account – so make sure you contact the bank as soon as possible

My concern is being fair to all parties. The size of the loss is emotive, but not material in my view. If someone I don’t know tells me I’ll double your money, just transfer a lot first, or if I respond to a transfer request without taking some care to ensure it is legitimate then I’d question why we expect the bank – who we instruct – to repay us when we have been foolish or more negligent than is reasonable.

I would like banks to offer a range of accounts to help protect those who seem less able to handle their finances.

Thanks Alfa. I was following up Beryl’s first paragraph but I could have inserted the extra word.

Malcolm – If you are tricked by a fraudster into authorising a payment you can be eligible for a refund from your bank. From the FCA document:

“Authorised push payment (APP) fraud

APP fraud is when a fraudster tricks you into making a payment to an account controlled by them.

This is different from other kinds of fraud, for example, when a fraudster steals money from your account without you knowing. With APP fraud, you authorise the payment, albeit under false pretences.

If your bank or other payment service provider has signed up to the code of practice for APP scams, you can expect to get your money back if you weren’t to blame for the success of a scam.

Get in touch with your bank or payment services provider as soon as possible if you think you have been scammed.”

That bit of FCA document relates to when unauthorised withdrawals are made from your account. Many of the scams reported are, in fact, authorised by the account holder.

The question “if you weren’t to blame” is part of the problem. When you respond to a scam you initiate the success of the scam and simply instruct your bank to do what they are obliged to do, make the payment. If they would not be expected to know the money was going to a fraudster I am hard pushed to know why we expect them to take responsibility and use my money to give it back to the victim. So the responsibility begins with the victim and, I believe, it should then be necessary to show why they do not have, or share, responsibility.

If others think that all “fraud” should be paid for by the banks then please explain to me why I, as a responsible account holder, should be expected to fund it. There are also at least two dangers in this approach that should be recognised. It opens the door for an account holder to set up a fraudulent scam on themselves. It also relieves some of taking a responsible attitude towards their financial transactions if they know, when they act irresponsibly, they’ll be more than likely to get their money back. Which will lead to even more successful scams.

We should also be discouraging carelessness; suffering a loss may produce a more thoughtful approach in future as many who post here have realised.

I asked about this and here is what Lauren Merryweather told me: https://conversation.which.co.uk/scams/monzo-bank-fraud-victim-refund/#comment-1608977

I then found the FCA document and it seems that if you are TRICKED into making a payment you may be eligible for a refund. See the text that I quoted above. It would be very helpful if the FCA would provide us with some clarification about the circumstances when a customer would or would not be eligible for a refund, with the proviso that some cases will be complicated.

I have no axe to grind here but there have been suggestions that those who have been victim of fraud may have no chance of recovering their money. Like a retailer saying that a customer must contact the manufacturer because their guarantee has expired, this could be misrepresentation of the facts.

Banks could impose restrictive conditions on both new and existing account holders if they feel that customers are not behaving responsibly.

My concern is not about reimbursing customers when the fraud perpetrated upon them was clearly not with their “involvement”. It is with the Which? approach that seemingly proposes that the customers generally share no responsibility and that, by default, we expect the bank to reimburse even when the bank has played no part in the event and has not been negligent.

When someone responds to a “scam” they inevitably play a part in its success. Why should we exempt them from any responsibility? Of course they are “tricked”; that is the essence of fraud.

It should be incumbent upon the customer to explain what they did, the precautions they took and why they have no responsibility for the fraudulent transaction before they are wholly or partially reimbursed. An independent organisation should assess the merits of their claim, not the bank. But the rules should show fairness to all parties. If I have not shown reasonable responsibility then my claim should be suitably considered.

However, if we think everyone should be compensated then ask all the other responsible customers if they are happy to repay the victims out of their own pockets. Including repaying those who have been promised huge rewards by the scammer for doing nothing – other than transferring funds to them.

Perhaps the banks should do more to recover money from the receiving banks in the cases of fraud. If banks fail to try I would regard them as negligent.

I would support having claims judged independently and Beryl mentioned this in the context of ombudsman services.

We should know what the process is, and how effective, for banks to recover money sent to fraudsters. The banks could tell us the difficulties involved. I would suggest the banks would be entitled to a fee when recovering funds to cover the costs of helping a customer who has acted irresponsibly and without the negligent involvement of their bank.

Banks could consider operating different kinds of account – (1) a “no risk” account where any losses to criminals would be refunded, and (2) an “unprotected” account where the customer would bear all the risk. Account (1) would incur monthly fees [so a sort of insurance arrangement] and would involve deep vetting when opened and frequent monitoring and supervision thereafter. Other control features could be incorporated to raise or lower the risks, a bit like the excess on an insurance policy.

Malcolm, when all is said and done, it’s not really a question of who has been negligent.

Allowing the banks to act as judge and jury when large (or small) amounts of their customers’ money entrusted to them goes to a fraudster’s account is grossly unjust. It is incumbent upon the banks to provide proof of customer negligence, under the FSA 2009 Act.

Failure to provide sufficient evidence can, as we have witnessed in many cases here on Convo, leave customers confused, bewildered and unhappy and without an independent, unbiased opinion with legal powers to take any mitigating circumstances into account, is discriminatory and unjust.

As previously stated, people are humans not machines that can be programmed to commands from their operators, but people with free will, feelings and emotions that can overwhelm at times, especially when faced with evil minded fraudsters who have only one aim, which is to apply any method available to steal from honest, unsuspecting vulnerable people.

‘Negligence’ is not always an appropriate word to use in such circumstances. Perhaps ‘coerced’ would be a little more relevant and fitting.

Banks have the capacity and technological prowess to prevent this ongoing criminality, and reform is urgently needed. Legislation is the only means of forcing them to put their honest, law-abiding customers’ financial interests before that of the fraudsters.

Beryl, I have used “negligent” when referring to banks, not (I don’t think) victims. I think I have used “responsibility” in that context.

The problem with this topic is in the generalisation. All fraud and victims seem to be lumped together whereas, in practice, there is a wide variety of scams and a wide variety of responses to them. Some will, no doubt, be clever coercion, others will appeal to greed or unrealistic expectations, others will be on customers who have ignored advice, abandoned common sense, and so it will go on. They cannot all be treated in the same way.

As for “Banks have the capacity and technological prowess to prevent this ongoing criminality,” I would like to see evidence that this is the case because, at the moment, I do not think it is.

From ITPro

Police officers from the Dedicated Card and Payment Crime Unit (DCPCU) have arrested eight people in relation to a Royal Mail text phishing, or ‘smishing’, scam.

The eight arrested individuals are suspected of attempting to commit financial fraud and impersonating the Royal Mail by sending out fraudulent texts and emails which link to phishing websites.

The arrests come weeks after researchers from Check Point Software reported a 645% increase in Royal Mail-related phishing scams, with March being the biggest month for attacks on record.

Stephen Ritter, CTO at digital identity verification provider Mitek, called for organisations within the technology and finance sector to “step up to the challenge” in fighting scammers.

“All too often, industry experts are quick to blame consumers for “falling” for scams – but this blame game needs to stop,” he said. “To fight misinformation, Twitter and Facebook started flagging posts that weren’t backed up by fact, and the problem has improved significantly. Why can’t we do the same for fraudulent activities on our phones?”

It is not so much the “blame” for “falling for scams” that is an issue with me but whether someone else (including me and you) should always refund the money lost.

Malcolm, definition of negligence “failure to take proper care over something.” Responsibility “the state of being accountable for something.”

For the sake of argument, failing to take proper care over something is irresponsible and both allude to negligence.

Evidence will be forthcoming through intervention from the regulators who possess the necessary legislation to force the banks to act upon continuing and longstanding pressure from Consumer Groups interested enough to ensure protection is provided for all bank customers’ money.

Do you think, then, that no matter what part I play in losing money to a scam, I should be recompensed?

I have already made a valid point, i.e. I don’t think banks should act as judge and jury to decide whether or not they will compensate, given indirectly, they are acting upon the unethical, immoral and illegal transfer of money from the victim’s account to the perpetrators.

What you are expecting, Beryl, is that the banks will refund their customers, virtually automatically, if they have cooperated with a fraudster. I understand that there is deceit, pressure, coercion sometimes, harassment, and intimidation, but I don’t see how my bank could take automatic responsibility for criminal behaviour without a very intrusive investigation of the customer’s actions. Telephone and e-mail scams do not involve any physical violence even though the pressure can be very intense and the after-effects can be extremely harmful.

While there are some genuine cases where a transaction has been mishandled by a bank, in most of the cases reported here the customer has admitted that they fell for a scam. Obviously they want their money back and hope their bank will oblige, but I fail to see why that should be the case if there has been no fault, negligence, incompetence or delinquency by the bank.

While, as you say, the banks are entrusted with our money, that is only for the purpose of storing it safely; they are not trustees concerned with what should happen to the money and they are under a statutory duty to comply with the instructions of a customer to move it somewhere else if authorised through the secure procedures, on-line banking being one of them.

A bank is not in a position to know whether a customer’s order to transfer money to a different account is occasioned by any form of fraud. It would be different if the bank had leaked a customer’s account access details or had insecure systems that allowed hackers to tap into their database. It is a sorry fact of life that, in almost every case I have heard of, the customer took some part in the process that enabled the crime.

Many of the really serious frauds revolve around confidence trickery in one form or another; there is no safety net for those losses. If someone is persuaded to give money to a stranger in pursuit of a romantic adventure, or a gamble on the markets, there could be just as much deceit, emotional pressure, falsehoods, and coercive behaviour in some cases. I don’t understand why a theft executed through a banking transaction in which the bank played no part should be treated exceptionally.

I am profoundly sorry that people get caught by scam attempts and I wish that there was a proper way in which society collectively could protect those who are vulnerable and recompense them, but I think that would have to be by way of charitable endeavour rather than by an official process funded either by the state or through a levy on the financial services industry.

I am convinced that if it became the norm for banks to refund losses in most of the fraud cases where there had been a banking transaction then the criminal mind would quickly latch on to it and all sorts of collusion techniques would be employed. We don’t use lie detectors in this country to catch criminals but I suggest it would be the only way to establish beyond reasonable doubt that the story someone told their bank when seeking their refund was a pack of lies and that collusion with another criminal was at the root of it. Unfortunately, even persistent criminals are presumed to be innocent until they are properly proved to be guilty.

John. Please refer to my 20.30 comment. There have been numerous suggestions from many contributors to Convo over a long period of time that banks could do to prevent the transfer of money to fraudsters. The time has now come for the regulator to act, otherwise this topic could persist ad infinitum with repeated solutions that lead to nowhere.

Just because some commenters say that banks could prevent the transfer of money to fraudsters does not mean it is fact. If only it were so simple. Convos like this would benefit from knowledgeable input from those directly involved, something that Which? seems to avoid.

FOS Case:

This fraud victim paid over £323,000 in 43 payments to a scammer even though he suspected fraud early on.

Given that large payments were going in and out of his account prior to the scam, could the bank really be held liable for his actions? The ombudsman thought so.

Seems you only have to claim you are vulnerable and suffer distress and inconvenience and the battle is half-won. These days, conditions get downgraded and much like disabilities, those in real need suffer the consequences. Obesity was re-classed as a disability so now overweight people take up disabled parking spaces when it would do them a lot more good to get some exercise and walk a bit further, and people with real walking disabilities can’t get parking spaces.

This scam is a good example of automatic recompense opening the gates to victims actually being the scammers. Where and how do you draw the line?

I am sorry, Beryl, but this morning I cannot see which of your comments was timed 20:30 yesterday, but picking up on a point you made yesterday about the bank being both judge and jury, I am afraid I have to disagree with your interpretation.

So far as I am aware, the banks are not under any statutory or regulatory obligation to refund payments to customers who have been defrauded unless the bank itself was negligent and failed in its general duty of care to the customer. Thus, in all other circumstances, i.e. where there has been no negligence on the part of the bank, the decision to offer a refund is a matter of discretion and it is a judgement that the bank is entitled to make on its own. The default position is that no refund is justified if the bank (i) has not done anything wrong, or (ii) it has done something it should not have done, or (iii) it has not done something which it should have done.

If the bank’s decision is disputed then an appeal can be submitted to the Financial Ombudsman Service and the bank would have to provide evidence to demonstrate that (a) it had not been negligent, and (b) the customer had contributed directly or indirectly to the fraud. Faced with such a referral the bank might settle the case and no one is then any the wiser of the facts or circumstances or outcome [since I would anticipate that a compromise agreement containing non-disclosure terms would have to be signed by the customer].

I want to see prudent and responsible banking, and my overall impression is that that is what we have in the UK, and I want to see a fair process for both parties. I also want to see customers acting sensibly and taking heed of the continuous warnings that are given – and the banks can certainly do more to improve people’s understanding of the risks and the best ways of protecting themselves. But creating a climate in which a refund is virtually automatic if people have given access to their accounts will not help to stop these frauds taking place. There is a case for much better investigation and prosecution by the law enforcement agencies and I would support the banks providing some funding to get that up and running [I believe they already contribute towards ActionFraud with financial and operational support].

I am not going to discuss interpretations of the wording of the Payment Services Regulations 2009 because I have not researched their status and application nor am I fully conversant with the role and powers of the Financial Services Authority. Ultimately these questions would be for the courts to consider.

No need to apologise John. For confirmation of the points I have endeavoured to pass to you, apparently unsuccessfully, perhaps the following websites can convince you of the role the banks could play to protect their customers’ money, something they appear to be dragging their heels over.

theguardian.com – Why won’t our banks take a simple step to stop fraud?

fca.org.uk – Why confirmation of payee can’t come soon enough

I have expressed my concern about the delay in introducing Confirmation of Payee several times and have received criticism. Here is the most recent example: https://conversation.which.co.uk/scams/monzo-bank-fraud-victim-refund/#comment-1628177

We are all entitled to our own views and even more so to be treated respectfully.

Confirmation of Payee Phase 2 is about to be introduced that simplifies the process and will allow more banks to join, I understand. I have suggested that introducing CoP may not be the simple process that some think; I see no disadvantage to any bank taking part.

I have repeatedly asked that we seek an informed contribution to clarify just what CoP involves and why it has not been universally implemented. When we know then we are better able to discuss. I would criticise if banks have wilfully avoided taking part.

PayUK could maybe shed light on this. I have asked Which?, before, to look into this. Maybe they could ask them to contribute.

The links provided above are prior to CoP being introduced. This happened with 6 major banks last year and phase 2 this year will help other banks to introduce CoP.

alfa, I wonder why the receiving bank did not question a large influx of payments. The source of funds is often required to be declared by financial institutions to combat money laundering. I wonder if the recipient were pursued for the return of money and prosecuted for fraud.

This seems a classic instance where there is no shared responsibility. I presume the bank account will, in future, if left with this bank be subject to severe restrictions as the client is in no position to handle it adequately. Also an example of where there could easily be collusion to defraud a bank, although I am not suggesting this was the case here.

Thank you, Beryl.

I entirely agree with you on the steps the banks need to take to inform, educate and warn their customers. As Malcolm states, they have already introduced the first phase of Confirmation of Payee with all the major banks and the building societies that operate current accounts. The second phase will now follow.

I don’t know the technicalities of the implementation and why it has taken so long, but I assume it has something to do with priorities and capacity. It was vital that the banks with the highest numbers of retail customers [i.e. those found on most high streets] should implement CoP first. Getting their computer systems to harmonise the data handling and presentation must have been a major challenge – especially since some of them were still implementing previous mergers, branch closures, and other integration activities. Once that exercise has completed its course it should be easier and quicker to follow on with the institutions with a smaller retail turnover as the protocols and the interfaces will already have been standardised, tested and proved to work satisfactorily.

I also feel that the banks must go further in helping customers to manage their financial affairs and act more supportively by, as Malcolm has frequently advocated, offering tailored services and supervision to protect people who may be more at risk from fraudulent activity. I won’t recite them all again now but they have been well-rehearsed in the relevant Conversations – unfortunately with scant recognition from Which?.

To some extent there is a conflict between what the banks need to do and how their customers might react to them. I must admit that on some occasions I have bridled when a teller has commented on the accounts I hold and the funds I have in them; their intention is naturally benign and to be helpful in making our money work harder, nevertheless the thought passes through my mind – “none of your business”. It doesn’t help if this goes on in the open banking hall in front of a queue of earwiggers. So the banks need to hone their skills in having appropriate dialogues with their customers, which is linked to the points Patrick Taylor often makes [or was it Em?] about needing to KYC – Know Your Customers. With all the mechanisation of banking that has gone on in the last few decades, which has meant pulling management and operating personnel out of the branches, there is much less customer contact these days and we have become a set of digits rather than human beings. Banks need to re-establish that source of knowledge and understanding of their customers’ needs because when they do there will be more trust on both sides.

I would also like to know – but don’t expect it to be revealed – the extent to which the banks totally internalise their investigations and action in response to fraud attempts or share information with the law enforcement authorities in order to detect and prosecute the perpetrators. I have a suspicion that the banks buy their way out of such operational difficulties by making a confidential settlement and keeping it all under wraps. I am open to the possibility that there could be commercial sense in such an approach, but would still prefer that concept to be tested in the interests of greater openness which could in turn actually lead to a reduction in these crimes.

In my previous comment I referred to the Financial Services Authority. Its relevant regulatory powers and duties for retail banking were taken on by the Financial Conduct Authority in 2013 and the FSA was abolished. [Higher-level regulatory and supervisory functions across all financial service providers were transferred to the Prudential Conduct Authority which is now a subsidiary of the Bank of England.]

I would not like to be thought heartless in taking a fairly detached and rational view of the question of refunding customers who have been defrauded, because I am genuinely sympathetic to their cases, but I feel we should take care to look for the right solution rather than the easiest one [paraphrasing what Alfa wrote recently: the banks have got loads of money – they must be held liable]. As has so often been said in these discussions, it is not the banks’ money to spend profligately and we all have a civic duty to prevent crime and to reduce the opportunities for crime.

Thanks Chris. It was contributor NFH (who works in banking but not retail banking) who highlighted the issue of receiving banks in an earlier discussion. I hope that PSR will investigate whether a delay in payments to new payees could provide time for customers to report suspected fraud in time for this to be confirmed and payments stopped.

It would be interesting to know whether Which? members in general are opposed to or in favour of the Code.

Chris – thank you for your responses.

I haven’t really been discussing the APP frauds but those where people are telephoned and are pressured into allowing a fraudster to have their account access details or to take control of their device. As you will have seen from my comments, the Regulations do not require the banks to make refunds in those circumstances, but are you saying that the Code does?

The question revolves around the authentication of the payment instruction; it seems to me that when the bank’s computer gets an authorised payment transfer instruction [and it has no idea by whom or how it was generated] so long as it meets the bank’s process requirements it is regarded as authenticated so the computer executes the transfer.

I thought the banks might have had a hand in drafting these regulations; they work in their favour and can leave customers high and dry.

An unbalanced review of the situation that ignores many views posted in Convos. It seems to take the view that people who are scammed have no responsibility for actions and that, almost by default, the banks – which is you and I – must pay them back. I believe there needs to be a proper assessment of the responsibilities and negligence involved.

This approach is essentially a lazy one. What we need is constructive efforts made to minimise scams, or at least their effects, rather than just dish out compensation.

Bank accounts tailored better to the customers’ needs and abilities, better publicity of scams to all customers with a requirement that ignoring the advice will count against recompense, regular tv scam advice, a requirement that any compensation comes from the receiving bank unless the sender’s bank is negligent, delaying significant payments and asking the payer to confirm they accept responsibility if they proceed, positive measures rather than just giving in.

The continuing problem will be the arrival of new scams that, clearly, you cannot be warned about. Why should that responsibility be the banks’?

As for the reimbursement costs being like “taxes” and they “may” fall on all customers, of course they will, in reduced interest rates, higher personal loan charges, mortgage costs, overdraft charges. I do not see why everyone should suffer to fund some victims’ irresponsibility.

I would simply like to see a fair and balanced approach; fair to victims, fair to banks and fair to all their customers; balanced in proposing constructive measures to mitigate scams, place responsibility where it lies.

Once again, the key piece of information here for me is the figure of £700K daily loss from scams. Never mind about paying it back, that’s a separate issue and I welcome moves to help victims here. We can debate the difference between fecklessness, vulnerability, and simple deception, and form a judgement about who deserves our sympathy and recompense. I welcome such discussion. For the record I mildly disagree with Malcolm here. No one wants the trauma of seeing their life savings disappear and all their future life suddenly altered for ever. Not many would deliberately hand over their money to a scammer if they knew what they were doing. At the same time I appreciate the argument that we are paying for their loss, and why should we do that? If we want to start a campaign and publicity effort, then anything that gets into the public domain and sticks there, regarding safety with money is to be a good thing and worth doing.
The reason people are losing money is because there are scammers out there who are busy taking it. There is such a success rate to their activities that, for whatever reason, they know how to deceive swathes of the public and, for whatever reason, they are not getting caught. Until that changes, the threat will remain and we will continue to debate whether x was foolish or y didn’t proceed properly or z was conned and we will continue to debate the question of who should suffer and who should be reimbursed.
Our third argument is that of the tightening of banking procedures. I hope this continues despite the inconvenience it causes. Like the current virus, we have scammers and we have to adapt to cope with them until they are eradicated. There will be those who don’t get vaccinated against them. With the virus the NHS steps in to help, with the scammers it’s the banks that have to do this.

I understand your point about losing life changing sums, of course. I tried to address this, I hoped, by tailoring bank accounts with restrictions to avoid such excessive losses. However, I would be extremely careful before moving a significant amount. Maybe we need the banks to simply question a significant payment and seek confirmation before they release it.

Two of the concerns I have; complicity in scams to obtain “compensation”; telling victims they will almost certainly be compensated may well make them less responsible in their financial transactions.

I sympathise with people who are tricked out of money, of course. But I do want systems that are designed to protect them, at least from major loss, which may mean limiting what they can do online.
No one has yet told us why the receiving bank, that allows the scammers to operate, should not be the one to provide redress if they have been shown to have not been diligent in opening accounts. Maybe, given these banks are worldwide, it is just too difficult to implement for some, or many.

Now, all of that, I totally agree with Malcolm. Of course, your scenario of crooks aiding crooks is an interesting one that hadn’t occurred to me – double pickings from the same double scam. I somehow doubt much of that goes on, but I would like to see some research into the profiles of those who have lost money. Are there any common characteristics to these people? Is there a syndrome attached? Are there any scams that work better than others and resonate more with any of these victims? Are there any socio-economic similarities within the victim groups? What, if anything, is a common trigger within victim groups?
Since we seem unable to get at the scammers, we should be looking at their modus operandi. I wonder what attempts are being made to look for emerging scams before they can get hold. It seems easy enough to gather a great deal of personal details about us for commercial use, so the technology is there to hound the scammers. These crooks must also have predictable working methods and it must be possible to predict their prospective targets and watch for activity. Compensating victims is really an admission of defeat and a reaction to a committed crime. It is time to become proactive and put more effort into countering this threat. One obvious start is the identification of new bank accounts. These are a necessary tool in the scammers’ armoury, and should be easy to pick up and monitor. Who is doing what except wringing hands? Who is engaged in taking these scammers out? Why do they seem to be cleverer than we are? I’m sure they are not!

Well said, Vynor. I agree with you that a far more intelligence-led approach is needed where no technological protection is available.

With a significant number of the scams reported here I am sure there must be some inside information at work. It is beyond all likelihood that every employee in the financial sector, or the parcel carrier industry, or involved in distance selling operations, is as pure as the driven snow. I would love to be proved wrong so I would like to see an in-depth study from the HR records made of a batch of personnel in one or two selected organisations to see if there are any grounds for my suspicions.

Cracking the Enigma and Ultra codes in the Second World War relied on looking for patterns and noticing when a lapse of concentration or errors occurred to give clues to coding inconsistencies thus betraying the sequences. The best arithmetical brains in the top universities were deployed to crunch the numbers and we need a similar onslaught on the problem today.

Even with all available resources at their disposal – including a small army of staff carrying out very tedious menial tasks, the Ultra code breakers only managed to decrypt about 25% of intercepted transmissions. I’m not sure that we’d be happy with only stopping 25% of all scams.

As GCHQ are already involved (see: https://www.ncsc.gov.uk/) we probably already have some of our best arithmetical brains on the case. But I doubt that we are giving them the level of resourcing that was applied to Ultra.

I agree, Derek – and GCHQ have far greater computing capacity and speed than was available with the Colossus machines at Bletchley Park, but my guess is that once the boffins had burnt out one or two of the scams the game would be up because the field of attack would be narrowed considerably. A parallel move would be to take unused telephone numbers out of the equation, stop the sale of multiple SIM cards for mobile phones, and impose registration requirements on all mobile numbers – admittedly a huge data management operation but that’s a walk in the park for the tech giants with their supercomputers. A coordinated action by the government beefing up GCHQ and regulatory requirements imposing obligations on the networks would seem to be required.

It is good to see Which? actually acknowledge that all bank customers will be shouldering the costs of these refunds.

But isn’t this a bit like asking all drivers to pay the same insurance premium, no matter what or how much they drive?

And for that premium to remain fixed, no matter whether they have accidents – for which, of course, they are all blameless. It is the road provider who must be at fault.

At least Which? does agree that: “There are certain circumstances where people have been ‘grossly negligent’ and in these circumstances we have always said that they should not necessarily be reimbursed.”

Why the “not necessarily”? Unless the bank(s) have been negligent also? I do not think people just need to be grossly negligent but if they have been negligent to any degree they should take a share of the responsibility. That could still, in my view, mean no compensation unless the bank(s) have also been negligent in any material way.

One way suggested is to insure against such losses. The insurer would, no doubt, be quite careful to determine how culpable their client was when assessing a claim. This may be one way forward, if any insurer would offer an appropriate policy. But beware, you may not like the outcome when you make a claim.

This is just another example of how Which? has to tread carefully with its public pronouncements so as to avoid stamping on the hands that feed it. The world won’t become a better place if we only say what we think might please. Facts have to be faced and the truths of personal fallibility or incompetence accepted, but in the whirlpool of life that is not the way to curry favour with the expectant consumer who is banking on a refund or counting on compensation at other citizens’ expense.

Which was partly the reason in my initial comment when I described the Convo intro as an unbalanced review. Adopting a populist view, and using its influence to pursue it, is not what I pay Which? to do. I expect it to take a realistic and fair (to all) approach and not just look to ingratiate themselves. They would find a lot of support, no doubt, to abolish income tax, vat, …… Ignoring the arguments against, largely presenting those for, is, in my view, an unprofessional approach.

Insurance policies are good, but the companies always make sure that they pay out less than they get in. That means that premiums are always higher than the risk of a claim and there is one more taker in the chain that needs feeding to protect us against scams. Also think about extended warranties which are very seldom good value for money.

Indeed so. It is always better to provide one’s own risk mitigation instead of relying on insurance. But for expensive items like houses and motor vehicles, I doubt that many of us would not want to take advantage of available insurance deals, especially for low likelihood, high consequence events.

That’s the catch, Derek – with buildings insurance it’s not easy to pick and choose just the risks you want to cover.

I insure our house [it is mortgage free so insurance is not obligatory] in case our next door neighbour’s house blows up and demolishes or wrecks ours.

While a claim might lie against the neighbours, they might not have insurance or it might not be adequate to cover the combined and entire losses so we would have to fall back on our own policy and face the prospect of higher premiums in future [and these are now quite heavily taxed, to rub salt into the wounds!]. But in providing ourselves with that degree of specific cover, the policy covers all sorts of other risks and perils which are far less likely to occur but which, if they did, would be financially devastating. The premiums have to reflect these contingencies and the principle of pooling is the way it is achieved.

It is also extremely worthwhile having the public liability cover that comes with home insurance.

I regard home insurance as one of those things that just has to be put up with and met, but that doesn’t mean the insurance industry should see us as a cash cow and exploit the trap we find ourselves in. Another side of this coin is that I wouldn’t want to be insured by a company that wasn’t solvent and didn’t have ample reserves; this is generally protected by legal and regulatory requirements, but a threadbare insurer might be meaner on claims and drag out a settlement with nit-picking arguments about this and that.

Motor insurance at a basic level is mandatory and people who do not take out a fully comprehensive insurance policy are effectively insuring themselves against the other risks not statutorily covered. Whether they and their family appreciate the implications of their position is their look-out and in my view it is a false economy, but I can understand why it is the option chosen by many.

“companies always make sure that they pay out less than they get in.” Which is, of course, what the banking industry will do to ensure they are still just as profitable. They will recover the cost of compensation from all their customers, plus a margin to maintain their profits. There is no magic compensation pot.

If the problem of scams and compensation continues to grow, then holding our money may well become a Liability not an Asset for our banks. If so, we could see an end to free banking whilst in credit and the introduction of negative interest rates on all accounts.

“3. Miele H7164BP single oven £1,316 from Currys PC World and John Lewis”

Read more: https://www.which.co.uk/news/2021/05/smart-oven-explainer-what-they-do-and-how-they-work/ – Which?

So, I decide to buy this oven from Currys. There has been much criticism of CPCW and Which? are aware of their poor consumer performance but list them as the place to buy the oven with no warning about problems you might face. Then your purchase all goes pear shaped; it is out of stock but they may not tell you when it will be delivered and they may not reimburse you; or it arrives damaged, goes back but you may not get an immediate replacement; or it goes wrong and they don’t know when they can fix it. All experiences reported multiple times on Convo pages. Do you claim reimbursement from Which? for pointing you to this retailer – you can’t be to blame for ignoring or being unaware of performance issues, can you? Have they been negligent in effectively recommending this retailer?

I only mention this because it seems to me there are similarities with making an unwise financial transaction and then seeking to blame your bank. Just where do we draw the line between penalising irresponsibility and rewarding…… well, irresponsibility. Is it just because the perception is that because banks have huge amounts of (our) money they are an easy touch to placate the unwise?

Is a smart oven a smart buy? I want appliances that will last for many years and that’s not usually a feature of smart products.

The oven was not the focus of my comment. It was one of the recommended suppliers that I was pointing to.

I realise that but I have made a comment that is relevant to the article. My comment was not relevant to the discussion and I had assumed we were in The Lobby.

Monitoring and adjusting your oven from your smart phone while you are out might be useful. I am not convinced about the real worth of smart appliances but, as I don’t have any, would welcome reports from users once the novelty has worn off.

Nothing is smart if it doesn’t do the ironing.

What is the difference between an unwise financial transaction and betting £10,000 on a horse that loses?

From ITPro:

Police officers from the Dedicated Card and Payment Crime Unit (DCPCU) have arrested eight people in relation to a Royal Mail text phishing, or ‘smishing’, scam.

The eight arrested individuals are suspected of attempting to commit financial fraud and impersonating the Royal Mail by sending out fraudulent texts and emails which link to phishing websites.

The arrests come weeks after researchers from Check Point Software reported a 645% increase in Royal Mail-related phishing scams, with March being the biggest month for attacks on record.

Stephen Ritter, CTO at digital identity verification provider Mitek, called for organisations within the technology and finance sector to “step up to the challenge” in fighting scammers.

“All too often, industry experts are quick to blame consumers for “falling” for scams – but this blame game needs to stop,” he said. “To fight misinformation, Twitter and Facebook started flagging posts that weren’t backed up by fact, and the problem has improved significantly. Why can’t we do the same for fraudulent activities on our phones?”

I am getting rather fed up with the way Which? continually portrays banks as the uncaring big baddies with loadsa spare dosh, so I have been doing a bit of digging of my own. It would appear there is a lot more going on behind the scenes to combat fraud than is highlighted by Which?

I haven’t had time to collate my findings, but you might find some of these enlightening.

Unauthorised financial fraud losses across payment cards, remote banking and cheques totalled £783.8 million in 2020, a decrease of five per cent compared to 2019.

TSB have not signed up to the Contingent Reimbursement Code and they have to find the money from somewhere so that might explain why they offer such low rates on savings.

Proposals for reform of Companies House data look interesting:

The Economic Crime Plan



When I use companies to provide me with goods and services I want to be sure that I can recover my money if something goes wrong.

Although I was an early user of telephone banking I was wary of online banking, having heard of cases of money being taken from users’ accounts. What encouraged me to use online banking was when I heard that a friend who was a customer of the same bank as me had lost money and it had been refunded promptly. So far I have lost nothing.

I prefer to pay amounts in excess of £100 by credit card because I am aware that the credit card company is jointly liable under Section 75 of the Consumer Credit Act, if there is a problem that the provider of goods or services lets me down or goes out of business. So far I have not had to make a claim.

All my regular bills including credit cards are paid by direct debit. I am protected by the Direct Debit Guarantee, so that if something goes wrong I am eligible for a refund.

I have savings in several accounts covered by the Financial Services Compensation Scheme, so that if one company fails I will not lose money.

Guarantees and the Consumer Rights Act provide the opportunity for compensation if something goes wrong with products and services. That, as some of us have discovered, is a bit of a minefield but it is reassuring to know that there is the opportunity for redress.

Dare I suggest that the opportunity for compensation is extremely important for all of us. It is up to the government, the banks and the regulators to devise systems that provide adequate protection for consumers. In the case of scams there needs to be impartial investigation of individual cases.

Compensation has been heavily criticised but is very important to consumers.

I was wary of online banking because I had heard of customers losing money from their accounts. What encouraged me to sign up was when a friend who uses the same bank as me received a prompt refund when money disappeared from his account.

I pay amounts over £100 by credit card because Section 75 of the Consumer Credit Act makes the card company jointly liable if something goes wrong.

All my regular bills including credit cards are paid by direct debit because I will be reimbursed under the Direct Debit Guarantee if there is an unauthorised payment.

Guarantees and our statutory rights under the Consumer Rights Act allow us to make claims against retailers and service providers for inadequate goods and services. These are the only forms of compensation that I have made use of so far.

I have never been scammed but if that happened I would want my bank to investigate the case and comply with current requirements and official advice regarding compensation.

“Compensation has been heavily criticised but is very important to consumers.”
“Compensation” has not been criticised as a principle of redress for consumers. What I believe has been heavily criticised is indiscriminate compensation, compensation where the claimant has played a part – wholly or partially – in creating their loss.

We should need to show that we merit compensation and that the organisation we are claiming from contributed to our loss.

In many cases given in these Convos I would suggest those complaining have acted injudiciously, recklessly, without proper consideration, as well as those who have genuinely been disadvantaged by their institution. We need to discriminate, so those who deserve compensation get it in full, those who were partly responsible but were also let down by their institution are partially recompensed, and those who behaved recklessly have to bear the cost of their mistake, and not pass that cost onto me and others.

All of which would legally require the banks to provide proof that all customers had authorised payments.

Yes, and according to the FCA, if you are tricked by a fraudster into authorising a payment you can be eligible for a refund from your bank. That does not mean you will receive a refund and the merits of each case must be investigated.

It is the banking industry that can tackle fraud and obviously we can help.

Yes, Beryl, that would be technically possible but not necessarily true. The problem is that the bank doesn’t know whether it is the customer who has authorised the payment or a fraudster who has got access to their account. I don’t know how that could happen without the customer’s cooperation but it presumably does, somehow.

The process for authorising credit card payments for on-line ordering requires the entry of a one-time pass code sent to the cardholder’s mobile phone. That would seem to offer protection, but if the fraudster has accessed a person’s on-line banking, having persuaded the scam victim to log in for them, and then gained control of their computer through the usual tricks, I can’t see how a transfer of funds can be stopped. As soon as the money goes into the fraudster’s interim account it will be moved out again, either as a lump sum or in a series of small payments that are difficult to track and trap.

The easiest and fastest way in which everyone with a bank account can help defeat fraud is to terminate immediately any phone call or message that claims to be coming from a bank or any other part of the financial services industry.

John – Most of the discussion here focuses on what the customer should do to protect themselves but what about companies? We need to tackle that too and companies can take very effective action such as the one-time passcodes that many of us have become accustomed to.

Today I received a message with a link inviting me to investigate a billing problem. From experience it looked like a scam and I was able to confirm this by looking at the company’s website. Some genuine companies provide links in emails and text messages for customers to access their accounts. A better solution would in my view be to invite customers to log into their account rather than using links.

If the bank is unable to prove whether it was the customer or the fraudster who authorised the payment, then the onus is on the bank to reimburse the customer, under the FSA (now FCA) Payment Services Regulations, 2009.

I do not see why the bank should be automatically held responsible. Although I would expect a bank to be able to prove that it had no part in the illegal or voluntary (even if coerced) transfer of funds. It usually starts with the account holder taking an action that they should not have done, yet we are trying to make them all blameless victims and the banks to be everyone’s saviour – except that “everyone” excludes all those who operate their accounts responsibly, do not fall for romantic scams, don’t think a fairy godmother will double their money, don’t give control of their computer or bank details to someone they don’t know or haven’t double checked, and have to use their hard earned cash to fund the payments the bank is expected to make to the others.

This will simply lead to more expensive loans, mortgages, lower interest rates and, in all probability, charges imposed on current accounts to everyone to cover the costs.

Maybe, like car insurance, those charges will be higher for those who have been found wanting. I expect we will then have a campaign against that.

We have seen the outcome of an ill-conceived campaign not to penalise those who chose to use an overdraft, without asking the permission of the bank, by extra charges. Now everyone has to pay extra charges, including those responsible enough and courteous enough to ask their bank if they would grant them an overdraft facility. 39.9% interest for many.

The 2009 Regulations have been superseded by the Payment Services Regulations 2017 [which incorporated an EU Directive into UK law, but that is not relevant to this question].

From my reading of the Regulations it would seem that, so long as a payment is authenticated in accordance with the applicable process, it is deemed to be authorised by the payer [Reg 67: A payment transaction is to be regarded as having been authorised by the payer for the purposes of this Part only if the payer has given its consent to — (a) the execution of the payment transaction; . . . ]. From that I deduce that if a fraudster has effectively been given access to the customer’s account that is tantamount to consent to execution of the transaction and means that the customer has authorised it.

It would therefore appear that the bank would be under no obligation to prove that their customer authorised it so long as they have a proper record of the transaction [Reg 75: Where a payment service user— (a) denies having authorised an executed payment transaction; or . . . , it is for the payment service provider to prove that the payment transaction was authenticated, accurately recorded, entered in the payment service provider’s accounts and not affected by a technical breakdown or some other deficiency in the service provided by the payment service provider].

The regulations go on to deal with the customer acting fraudulently but I can find no reference to any liability on the bank where the customer assigns their authority to another party, even if under deception or coercion.

The Which? guidance [dated 4 March 2021] on the 2017 Regulations does not cover this point at all. It does, however, include this prominent notice –
The Payment Service Regulations 2017 set out what payment service providers must do if there has been unauthorised or fraudulent activity on your account. Subject to the exceptions noted in this guide, you should be able to get your money back as long as your provider can’t prove that you hadn’t taken reasonable steps to keep your card or account information secure.
[See – https://www.which.co.uk/consumer-rights/regulation/payment-services-regulations-2017-a8rD47W6pdfN]
It can be seen that this advice confirms that any reparation is discretionary on the part of the bank.

It gives no satisfaction to come to this conclusion, and my interpretation might be too narrow, so it would be useful if Which? would obtain a competent legal opinion on the interpretation of these sections of the Regulations. Without such a professional opinion we could all be under the delusion that there is a statutory entitlement to a repayment of the abstracted funds when in fact there is not.

“Discretionary” in this instance, would mean The Payment Service Provider, although supposedly acting under the updated (2017) Payment Services Regulations, and is legally obligated to reimburse customers in the event of them being unable to prove who authorised payment, would automatically take on the role as judge and jury, which begs the question, in legal terms, where does this leave the customer?

The Regulations do not say that reimbursement is ‘discretionary’. That is my interpretation of the meaning of a fairly complex set of regulations. I have used the word ‘bank’ to represent the ‘payment service provider’ because that suits our context better.

As I see it, the bank is not obligated to prove who authorised payment; their only obligation is to ensure that the payment is ‘authenticated’ which, as I wrote before, means that anybody who has the necessary access passwords or codes, or who has gained control of the computer, can authenticate the transaction and is deemed to be ‘the payer’.

If the fraudster acquires access by whatever means I take the view that the account-holder has assigned their authority to the fraudster and the transaction is therefore authenticated, so the bank cannot then be liable [though it might agree to accept liability, which is where a discretionary refund comes in]. In such a situation the bank isn’t acting as ‘judge and jury’ over the validity of the payment – that it is authenticated is a matter of fact – but merely deciding whether or not to exercise its discretion in making a refund.

I am not qualified to say where this would leave the customer in legal terms but my assumption is that it leaves them entirely at the bank’s mercy. If its customer has conducted their account satisfactorily for many years and generally has a healthy balance then the bank might make a refund as an act of goodwill; a good bank would also review its own actions conscientiously and see whether any failings on its part [falling short of actual negligence] would justify a partial reimbursement. This reinforces the absolute necessity of not allowing anyone else to gain access to their account through their computer or other device, never mind what pressure they are put under; I know it’s hard, but it seems to me that the law gives no comfort to people who have lost money through this type of fraudulent act unless, and only when, the bank has been in some way negligent.

A bank’s denial of a reimbursement is not final since it can be referred as a complaint to the Financial Ombudsman Service. If the bank does not concede in the event of a referral it will have to be very sure of its position and be prepared to demonstrate conclusively that it did not act in any way to the customer’s detriment. The overall uphold rate of the FOS in 2020-21 is 40% [excluding PPI complaints].

I have not compared the wording of the 2017 Regulations against the 2009 Regulations because those ceased to apply when the 2017 Regulations passed into law.

I concur entirely in Malcolm’s comment immediately before my previous one. [I don’t refer to comments by the time stamp because at midnight it is replaced by the date].

In addition to these regulations we have the Code that is the subject of this Conversation. Most banks have signed-up. From the FCA document I linked to earlier:

“Authorised push payment (APP) fraud
APP fraud is when a fraudster tricks you into making a payment to an account controlled by them.

This is different from other kinds of fraud, for example, when a fraudster steals money from your account without you knowing. With APP fraud, you authorise the payment, albeit under false pretences.

If your bank or other payment service provider has signed up to the code of practice for APP scams, you can expect to get your money back if you weren’t to blame for the success of a scam.

Get in touch with your bank or payment services provider as soon as possible if you think you have been scammed.”

In my view banks could help reduce fraud by delaying payment to new payees for several days, giving time for the customer to report suspected fraud and for their bank to investigate and if necessary block the transaction.

I think we’re in the right place now with the APP scams [alternatively referred to as Payment Redirection Fraud] but there remains a serious lack of recovery with the type of deception fraud whereby criminals get access to people’s bank accounts and raid them. This is the kernel of the nut we can’t crack, largely because the bank plays no part in the fulfilment of the fraud other than transferring the money in compliance with a duly authenticated instruction from the customer or on their behalf as a criminal act purporting to be executed by the customer. The Payment Service Regulations effectively confirm that position.

The Code is voluntary and thus is not enforceable. I would hope this means that the banks would be able to make sensible decisions as to whether a customer has acted without due diligence. What Which? appear to want to do is change this from a code into an enforceable regulation.

Whatever the “rules” I simply want a scheme where responsibility is properly placed. If a bank is wholly or partially responsible for a client’s loss then they should provide redress. If a client has made a poor financial transaction, whether deliberately, in error or through coercion, and their bank has played no part other than obeyed instructions, then the client should accept the consequences. We can certainly examine all ways that precautions can be put in place, from bank procedures and spending pattern analysis to ensuring clients are better educated and kept informed of fraudulent methods. But fundamentally I consider we should all accept responsibility for the ways we operate.

I have said before that one way banks could help is to offer clients accounts with different levels of facility. Limited single transaction amounts, daily amounts, restricted payments to new payees, delayed payments, automatic query from the bank requiring confirmation that a proposed payment should proceed, transfers that require a second person’s authentication…… for example. We talk of scams perpetrated on the more vulnerable so we need to ensure that such people are more protected.

Routine, almost automatic, compensation will not stop this problem. It will almost certainly make it worse, for example by reassuring clients that they can take a financial risk in the knowledge that they won’t lose money when it all goes wrong. It will give the opportunity for a client to contrive a scam – and you only need to do it once if the amounts are large, as in the £300 000+ romance scam referred to above. All clients will lose money to repay those who are negligent or irresponsible.

What we need are constructive proposals that are realistic to fight the scammers from both the client and bank perspectives. Not just attack the banks and assume they have a magic money tree.

I agree with Wavechange, banks have the means to intervene to stop a transaction by delaying payment. They also have the means to check all new accounts to ensure customers’ money that passes through their electronic systems goes to the legitimate payee’s account. Some banks have signed up to agree to make changes, but are not always compliant when push comes to shove.

Initial action has to come from the banks. Constant banking update and reform in this fast and forever evolving technological financial world is needed, in order to stay one step ahead of the fraudsters. Apportioning blame only prevents progress. Action is needed from all sides, but it has to be initiated by the banks.

The majority of people are mindful of the need to proceed with caution when carrying out computerised transactions, but inevitably one will become the target of a fraudster when they are going through a difficult time in their lives and fall prey to their devious tactics.

The banks will have to find solutions, John. The adult population cannot be relied on to recognise attempted fraud and act to prevent it, even if most of us can cope. Much has been said about education of customers. What assessment do banks carry out to ensure that their customers have achieved the intended learning outcomes?

Your bank and mine have signed up to the CRM Code and others are likely to follow. Hopefully this will be an incentive for the banks to act and do what is necessary to ensure that money can be recovered from receiving banks. They need to work together to help control fraud. Recall how banks worked together to provide a network of ATMs, so that customers no longer had to use one provided by their own bank.

“The adult population cannot be relied on to recognise attempted fraud and act to prevent it, even if most of us can cope”. Exactly – most of us can cope and most can be relied upon to avoid being defrauded (oops, there but for the grace of…….etc). So we need to concentrate on those who cannot recognise fraud and succumb to it. That is a job for the whole of society; fraud involving bank accounts directly is only a part of it.

As far as bank account fraud is concerned, however tenuous, restricting the facilities a particular account offers clients seems a worthwhile step. While it may not prevent people making injudicious decisions it could limit their losses.

This problem needs to be attacked on several fronts. Simply asking the banks to do everything is not, in my view, a realistic solution.

Beryl – Although I have not been scammed I would like reassurance that my bank will help if this was to happen. I wonder how many members of the public or even Which? members feel that the bank has no responsibility if we are a victim of a scammer.

As I suggested at the start of this discussion I would be happy for customers to pay a fee to have a scam investigated but I would expect my bank to recover the money.

Four of us have now agreed that a delay in payments might be beneficial. In some circumstances fast payments are important, for example to payees we have used before, but by delaying payment to new payees it would help to tackle scams.

As you have pointed out we could be more vulnerable under certain circumstances and some elderly people can become too trusting. Young people lack experience and at any age some people can be vulnerable.

“The adult population cannot be relied on to recognise attempted fraud and act to prevent it, even if most of us can cope”. Exactly – most of us can cope and most can be relied upon to avoid being defrauded (oops, there but for the grace of…….etc). So we need to concentrate on those who cannot recognise fraud and succumb to it.

I’m not sure about that, Malcolm. Although the notion of IQ is highly suspect at the best of times, I think it’s safe to assume that, in terms of general cognitive functioning, the ‘adult population’ forms part of the bell curve distribution, which suggests that those who find difficulty coping quite possibly form more than half of the adult population. IQ scores have been shown to be associated with such factors as nutrition, parental socioeconomic status, morbidity and mortality, parental social status, and perinatal environment. While the heritability of IQ has been investigated for nearly a century, there is still debate about the significance of heritability estimates and the mechanisms of inheritance. All that aside, the depressing possibility is that we might well need to actively support around 70% of the adult population.

That makes it a far larger problem than we might imagine.

Malcolm wrote:
“As far as bank account fraud is concerned, however tenuous, restricting the facilities a particular account offers clients seems a worthwhile step. While it may not prevent people making injudicious decisions it could limit their losses.

This problem needs to be attacked on several fronts. Simply asking the banks to do everything is not, in my view, a realistic solution.”

Several of us have suggested restricting facilities. I would add restricting them for new customers and for the banks to carry out some assessment of whether it might be necessary to curtail facilities as we get older or if we have been a victim of a scam. I will be 70 this year and will be expected to renew my driving licence. If I suffered certain medical conditions I would need to seek approval from my GP.

Edit: I see that Ian has posted about factors that affect individual ability to cope with life’s challenges. In the same way that we cannot just ignore the needs of disabled people, banks that provide services for the general public must accommodate differing abilities.

As we seem to agree on banks offering different types of accounts perhaps we could persuade Which? to look at that approach, alongside other proposals?

I hope Which? do take a constructive approach. There were comments a while ago that said it was not Which?’s job to make proposals. I hope that is not the case.

Some banks already offer basic bank accounts, for example to those who have had problems with debt. If they are losing money as a result of successful claims from customers who have been scammed I’m sure they can see the need to apply restrictions.

What do you think about banks delaying payment to new payees, Malcolm? It could reduce the success of scams by allowing time for the customer to report the incident and giving time to block transfers. We don’t know how quickly customers act following a scam but the banks will have this information if cases are investigated following a claim.

Which? have done more than anyone else to keep me informed about scams and I am happy to acknowledge that.

”What do you think about banks delaying payment to new payees, Malcolm?” I simply do not know, wavechange, because I have seen no information to support it. For example, how many people who are susceptible to scams might quickly realise they have made a mistake? If they do not then a delayed payment will be ineffective. We need evidence to back the concept.

What might be more effective is, when a significant payment is made to a new payee, the payer is sent a message asking them to check and confirm this is a payment they want to proceed with. Once they have confirmed then they take responsibility.

This does not stop us requiring the banks to be vigilant. I would still like to see banks rated for holding scammers’ accounts, and an “amber” list created of those banks that have been less diligent.

Hopefully the banks are exploring ways of reducing fraud. Most of us will have experienced the need to use a one-time passcode as a way of contributing to improving security. We have no information about how quickly people realise they have been scammed but as I said the banks will have this information.

”We have no information about how quickly people realise they have been scammed but as I said the banks will have this information.”. What information will they have?

I presume that when someone is aware they have been scammed and reports this to their bank, the date and time will be logged.

The adjudicator’s report regarding Lloyds and the repaying of £300,000 plus makes interesting reading and is relevant to comments here on responsibility. The Banks do have a duty of care to customers and one must bear in mind that a lot of what has happened over the last 30 years has been designed to remove many safeguards that previously existed and which cost the Banks money to operate.

Just as a background here in France I have a limit on how much I can draw in cash per month and an overall spending limit per month. If I set up a new payee the payment will take three days to action. You do need the account name. All of these safeguards existed in 2016.

Yes there is still a scamming problem but at least the Banks here do seem to have a clue on what is required. Possibly it is a reflection of the Bank of France which does have a considerable finger in the pie given it can ban people from operating bank accounts. And issuing cheques without funds is a major offence unlike the UK where bouncing cheques was a revenue earner for the Banks [Also significantly for the US Banking industry].

My wife and I being very well placed in the banking industry and offering our services pre-2013 were never asked for advice. I doubt many W? staffers were qualified bankers and judging by the output nor were the people they did talk to.

Of course W? did have a major role in getting Banks to do instant electronic payments ….. A simple sounding measure but apparently no one looked at the downsides. Humans are simple and can be impulsive and misguided so allowing them to part with invisible money swiftly was always going to be a problem. No human would part with large amounts of real physical money at the drop of a hat.

However lower costs for Banks, the plaudits of W?, the smiles of the betting companies and share dealers, the online selling channels ……… all well worth the effort?

All well put, Patrick.

I found it odd that in guidance issued only three months ago on the Payment Service Regulations, Which? did not cover the problems of fraudulent access to bank accounts and the transfer of funds. Its note on that point seemed to get lost in its own double negatives leaving the picture far from clear and giving the impression that there were good chances of getting a refund.

”blameless victims of bank transfer scams should be reimbursed their losses.”

Read more: https://www.which.co.uk/news/2021/06/which-calls-on-banks-to-come-clean-about-fraud-refunds/ – Which?

As has been said before it is all the bank customers who reimburse the victims. It is, therefore, important to determine whether, or by how much, a victim is “blameless” to decide whether reimbursement is merited. And whether a bank played any part in the loss; I do not see why they should automatically be expected to take our money and give it to “victims” for no good reason.

Whether or not Which? claim that because there is a voluntary code that exempts customers from exercising due diligence, we need to operate a fair system, giving recompense where it is justified.

“Blameless” is an emotive word to use to, maybe, gain sympathy. Should we apply “blameless” to banks when they have no material part in a loss? It is about common sense, responsibility, being a little careful. Suggestions have been made that could reduce losses from scams, a constructive approach, rather than reimbursement that does little to solve the underlying problem.

Your final point is my main objection to the application of the voluntary code as Which? would like to see it.

It is surely far more in the interests of consumers generally that we find a way of preventing these scams and solving the problem strategically rather than keep paying out other people’s money to compensate for something the bank hasn’t done. Tactical solutions might make people feel better at the time but they don’t get to the root of the problem and do nothing to deter irresponsible financial conduct.

I am sure it would also be worth exploring whether there are other ways of helping the ‘blameless victims’, and banks which have made mistakes must fully reimburse customers they have failed, but tapping the rest of us every time is not the answer.

Hi all, along with the replies Chris has left, I wanted to provide a further update. To coincide with the two year anniversary of the Code, we set the UK’s major banks and building societies a deadline of 28th May to commit to publishing their reimbursement rates regularly and in full.

Despite the Code being clear that the starting point for banks should be to reimburse victims, we know that signatories have wildly varying approaches, with some reimbursing as low as 18% and as high as 64% – and all of the data being published anonymously.

Almost all banks failed to commit. Barclays were the only Code signatory to say that they were ready to publish this data “periodically”, having already published data for the first two months of 2021. TSB is the only bank which regularly publishes its data and its reimbursement rate sits at 99%. All other banks either refused or did not reply at all.

We believe that banks cannot continue to hide behind this cloak of anonymity. Without greater transparency, inconsistent and unfair treatment of scam victims will continue. We are therefore urging the Payment Systems Regulator to take urgent action and order all firms to publish this information regularly and in full as part of a broader package of measures to resolve the systemic problems in the APP scams system.

In the meantime, we will continue to pressure the banks to come clean about how much money victims of these scams are being reimbursed.

Thanks Gareth. Perhaps when we have more information we will be in a position to make better informed comments.

It would help if the various comments and proposals posted on this Convo were considered by Which? Then I, maybe alone, would feel we were having a useful discussion and not just being asked to support a Which? campaign which some consider is flawed. Such are Convos…….

“As of 30 April 2021, over 5.8 million emails were reported to the Suspicious Email Reporting Service (SERS). The tool, which was launched by the National Cyber Security Centre (NCSC) and the City of London Police last April, allows the public to forward suspicious emails to an automated system that scans it for malicious links. Since its launch, over 43,000 scams and 84,000 malicious websites have been removed.”

That is encouraging. It is often claimed that reporting scams etc. to Action Fraud is worthless.

Claims that websites have to be investigated to make sure that genuine websites are not affected.

Anyone can set up a new website at little cost and perhaps more screening is needed to restrict availability of domains, particularly where these are very similar to those used by genuine businesses.

This does have benefits but there is a massive — although possibly unavoidable — inefficiency involved.

It shouldn’t be necessary to process 5.8 million reports in order to deal with 125 thousand scams and websites.

Is it not possible for the new system to identify further reports that match existing ones and just park those with no further action taken, and possibly even give notice to the public that the Royal Mail scam or the mock-DVLA site are being dealt with?

It is likely that a high percentage of individual contacts are probably never reported to ActionFraud for whatever reason, so no one knows what the true number of scams is and the absence of more won’t make much overall difference to the actual results. I am always more interested in outputs than inputs.

Emails forwarded to report@phishing.gov.uk and texts forwarded to 7726 will be checked automatically by computer, so I am not sure that this is inefficient, at least from the government’s point of view. We have not been told how the system works but computer analysis will allow identical reports to be enumerated and novel scams to be highlighted. It’s no great problem that members of the public report large numbers of suspect emails and texts and it could help make them more aware that they are under threat.

As a mere layman my top priority would be to address the problems that make scamming profitable, for example how we make receiving banks responsible, for example by tackling the problem that they are providing scammers with accounts, and making them responsible for returning money stolen from customers of other banks. Yes we can do our best to make customers responsible for their actions but I believe that it’s equally important to make banks responsible.

As has been said before, if a bank sets up accounts without due diligence then they are partly culpable. However, we cannot place the results of the activities of scammers on all banks indiscriminately. No more than we should sue the police – the guardians of our security – if we are burgled, particularly if we leave a window open or door unlocked. We can try to claim on insurance, and maybe that is the best answer for scams. Mind you, I am sure the insurer will be more careful about who they refund, and those who are recompensed may well end up paying larger premiums. That might make them think harder about closing windows and locking doors.

“but I believe that it’s equally important to make banks responsible.” My view would be that it is equally important that banks behave responsibly, not that they are responsible for repaying all those scammed.
I hope Which? will attempt to find out those banks most involved in holding accounts used by scammers. We could then have a warning maybe that you could be transferring money to a bank with less security than you might like. I don’t know how easy it is to recover money from such banks but they are the ones to target, in my view, rather than the payer’s bank.

Forgot to mention in my comments above about online platforms like Tide that they do NOT even participate in the Confirmation of Payee scheme, allowing the fraudster to open accounts in different fake names from the legitimate business name they give to the APP victims.

After the six largest banks were instructed to introduce CoP the Payment System Regulator is consulting about extending the requirement to other banks: https://www.psr.org.uk/news-updates/latest-news/news/psr-seeks-views-on-next-steps-for-all-banks-to-deliver-confirmation-of-payee/

How banks were ever allowed to ignore the name of the payee in electronic payments beggars belief. That’s my opinion, of course.

Previous posts suggest the reasons why, but that is also my view. It would be useful if Which? asked the question and posted the answer.

To clarify, my earlier posts asked whether getting all banks’ systems to work together to allow information on payees to be interchanged was as simple as some assume. In the consultation period about introducing it this was, I believe, one of the obstacles to rapid implementation, even by the major banks, with different software. However, I also suggested it would be useful if Which? dug into this and got hold of the whole story. So often we are left without all the facts, on both sides, so difficult to be objective.

If Confirmation of Payee had been in place at the time that banks were allowed to offer online accounts that would have prevented a large number of misdirected payments.

In the period between introduction of online accounts we first had payments going to the wrong person or organisation and then APP fraud.

If they “could have”. My recollection of online banking was not one of lots of frauds, and maybe mis-typed payments due to carelessness. Then we had intercepted emails which seemed to begin the real concerns. That was the trigger for the extra precaution needed of CoP but it also required banks’ software systems to be able to exchange the necessary information, and that may not be the simple task assumed. I would like to see the whole story told.

Should we not have had online banking at all without CoP? I’d suggest it worked very well for the vast majority of people, and probably still does. Other than double checking your account and sort code input to minimise that mistake, you could, as many seemed to do, transfer a small amount to check it went to the right account. We can help ourselves avoid problems, although the more hand-holding the banks can offer, the better.

Many adults are not very good with numbers, Malcolm. Through my involvement with university teaching I learned that people can be very bright but have problems with numbers and also spelling of common words. No doubt there are careless people too.

If software was an issue, banks had plenty of time to migrate to using a uniform system but there are other examples that might indicate that they have let their customers down. In many online systems users are invited to type in a new password and then retype it as confirmation. That’s often done where security is not really an issue, but I’m not aware of banks using this simple system to check account numbers and sort codes. It has often been said that we should make test payments before transferring large sums. This could have been recommended by all banks from the start or better the individual banks could have made this an essential part of making a larger payment. Although I have not had a single problem I feel that customers in general have been let down by banks.

From what I have seen, banks are now taking security much more seriously.

The issue is not that the sort code and account number do not exist, the issue is that the account name is completely different from the account name the scammer gave to the victim. So somehow reconfirming the account number and sort code, even with entering details twice or sending token amount first, will not overcome the problem of the scammer’s account name being completely different from what he claimed to the victim.

If many adults are not very good with numbers, then I question whether they should be offering themselves up on the altar of internet banking. There are other ways to make payments that have served most of the people well for years.

We may not realise that our own abilities are substandard, though this can be identified by assessment. When I was working I referred students for testing when I suspected a problem such as dyslexia. In most cases they were unaware that they had a problem. Some extremely intelligent people are affected.

In my opinion, Confirmation of Payee should have been in place from the start. I am not aware that any of the major banks warned their customers that payments would be made to the specified account number and sort code and that the name of the payee would be ignored.

I am sure you are right, Wavechange. Banks did not make it clear that there was no direct check on the payee other than the sort code and account number. The name of the payee was requested together with any reference detail but that was apparently just for administrative reference and customer convenience.

In my experience, many companies have trading names that are very different from their paying-in account names. The same applies to private individuals who sometimes have their maiden names or additional initials or other discriminators on their bank account names. I therefore believe that if the full Confirmation of Payee reconciliation had been required at the outset then implementation of the inter-bank Faster Payments Service would have been delayed for years. That might have been no bad thing but I was glad to have the facility and started using it immediately.

I agree that banks should have exercised more care in guiding customers in how to make the best and safest use of the service but, as ever, there was a conflict between speed and economy of transfer overall and integrity of the service. Private customers received no warnings about potential pitfalls, given little information on how the process worked, nor offered any practical tips on how to make payments safely and what checks of their own they should make.

Unfortunately, the criminal fraternity were onto it like a shot and with their ability to intercept e-mails and hack into company invoicing systems were able to exploit some fairly elementary loopholes in the process. Banks let down their business clients too in that respect because many had to make expensive alterations to their procedures, pay compensation, and – in the case of some solicitors – were disciplined and refused permission to continue practising because of their lax security.

There are problems with the multitude of formats in which a name can be written or misspelled. For example:
Mrs Susanne J McDonut
Ms Suzanne Jane Macdoughnut
Sue J. Mac-Doenut
SJ Mac Downutt

The way account numbers and branch codes are formatted is universal across all banking systems, but names are a different matter and payments are being rejected by the banks as mismatching.

When it comes to businesses, very often the bank account name is different from the trading name like when I buy Kaspersky Internet Security directly from Kaspersky, Digital River appears on my CC statement.

Confirming the payee before finalising a transaction can overcome mismatches and payments to wrong accounts, but I can’t see it will do much to stop scammers as they will just advise victims of the account name in advance.

There are two obvious solutions to the problem of name matching:

1. The payee is responsible for providing payers with the exact name to be used.
2. Two or more names are registered as being acceptable matches.

As SingDon has said, confirmation of payee was already in use in other countries.
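The name-matching problem and the two solutions discussed above (an exact registered name, plus extra registered names accepted as matches) can be made concrete with a short sketch. This is an added example, not code from any bank or from the Confirmation of Payee scheme: the three outcomes, the 0.8 threshold, the list of ignored titles and the business name "Acme Builders Ltd" are assumptions made for illustration, and the personal names are the variants listed earlier in the thread.

```python
import re

TITLES = {"mr", "mrs", "ms", "miss", "dr"}  # honorifics ignored (assumed list)
CLOSE_THRESHOLD = 0.8                       # assumed cut-off, not a scheme value


def normalise(name):
    """Lower-case, strip punctuation and honorifics, collapse whitespace."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in TITLES)


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute or keep
        prev = cur
    return prev[-1]


def similarity(a, b):
    """1.0 for identical strings, falling towards 0.0 as edits accumulate."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1 - edit_distance(a, b) / longest


def check_payee(entered, account_name, aliases=()):
    """Compare the name typed by the payer with the names held on the account.

    account_name is the exact registered name (solution 1); aliases are extra
    names the account holder has registered as acceptable (solution 2).
    """
    wanted = normalise(entered)
    if not wanted:
        return "no match"
    registered = [normalise(n) for n in (account_name, *aliases)]
    if wanted in registered:
        return "match"
    if max(similarity(wanted, r) for r in registered) >= CLOSE_THRESHOLD:
        return "close match"
    return "no match"


# Constructed sample account, using name variants quoted in the thread.
ACCOUNT_NAME = "Mrs Susanne J McDonut"
ALIASES = ("Sue J. Mac-Doenut",)

if __name__ == "__main__":
    for typed in ("Susanne J. McDonut",     # punctuation and title differ only
                  "Sue J Mac-Doenut",       # registered alias
                  "Ms Suzanne J McDonut",   # one-letter misspelling
                  "SJ Mac Downutt",         # too far from any registered name
                  "Acme Builders Ltd"):     # invoice name, unrelated account
        print(f"{typed!r:28} -> {check_payee(typed, ACCOUNT_NAME, ALIASES)}")
```

The last case is the one raised elsewhere in the thread: the account number and sort code are valid, so a repeated entry or a token payment passes, and only the name comparison shows that the account is not held in the name on the invoice.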

John and I cross-posted much the same thing !!!

SingDon, what other countries use COP?

IBAN payments might, but bank to bank within countries?

John wrote: “Private customers received no warnings about potential pitfalls, given little information on how the process worked, nor offered any practical tips on how to make payments safely and what checks of their own they should make.”

That is my understanding. Thankfully the customers of banks are now receiving plenty of useful information on how to protect their money from fraudsters. It is very encouraging.

Even if it was difficult to implement confirmation of payee, it would have been very easy to warn customers to make trial payments, especially before making a large payment and it might not have been difficult to automate this (for new payees) via their online banking system.

No, Alfa, scammers in most cases are using a legitimate business name (and in some cases fake/doctored invoices issued in the name of those legitimate businesses) but the account name is completely different. If they advise victims of the actual name on the account, most victims will not transfer money to those accounts.

I agree with an upthread comment that the receiving bank or online payment services providers (or quasi bank as I call them) is usually the weak link as they do not do proper KYC or due diligence, and allow the fraudsters to open accounts with fake credentials. This is especially true of online platforms.

In addition, in many countries like the USA Confirmation of Payee is the norm and “incompatible software systems” is just an excuse UK banks and payment providers use. Which? should pick up this issue as it will no doubt reduce the number of APP Scams. Sending a token payment is not the answer when the problem is that the receiving account does exist but is not in the name that the payer was given. Only confirmation of payee name match will overcome this problem.

Sending a token payment and checking with the intended (genuine) recipient that it has been received assures the sender that the balance can then be sent.

If the UK banks’ software systems were incompatible in dealing with CoP (because they had not needed to in the past) then that problem needed dealing with. But I’d hope Which? would give the background so that we knew why the problem was not solved as quickly as we would like, whether for genuine reasons or just excuses.

The demands are:

– banks should pick up and stop unusual payments

– confirmation of payee needs to be a broad match to take into account variations of name spelling

And there you have conflicting demands.

If a payment is stopped because the name does not match the payer will have to find out the correct name to be used. It is in the interests of the payee to make it clear to payers what account name they must use.

Much has been said about the importance of checking account numbers and sort codes but the same could apply to account names.

The issue I raised was not the usefulness of CoP, which I do not question, but what prevented it being adopted more quickly. I would like to see that explained then I can decide whether criticism is appropriate.

If I had to hazard a guess, I’d bet it was down to the necessity for cooperation between different banks. Not that the major players will ever admit to such a thing, of course…

alfa said: Today 09:33
The demands are:

– confirmation of payee needs to be a broad match to take into account variations of name spelling

Most companies now send an advice note with the correct name of the company shown. Failing that, a simple code word would suffice. Needs the banks to cooperate of course.

True Ian, but how do you tell the difference between a genuine name change and a name change a scammer might give you?

That’s a different issue; I was thinking only of how COP might be made to work well.