/ Scams

Win! Reimbursement to be made mandatory

New data from the Financial Ombudsman Service shows banks cannot be trusted to interpret the voluntary CRM code fairly or treat customers in the right way.

18/11/21: Win! Reimbursement to be made mandatory

11/11/21: FOS finds banks are failing to follow their own code

I, for one, do all my banking online. And when I say all my banking – I mean all of it. My bank statements are sent to my email, my bank card’s exist mostly as pictures on my smartphone that flash up with a tick as I make a contactless payment, and I use my banking app to send my friends and family money when settling the bill at a restaurant. 

But, as I pay for things in bytes and bits; ones and zeroes, I worry what would happen if something were to go wrong. What if the person on the other end of the transaction is not my bank, barista or buddy – but I’ve fallen victim to a sophisticated fraudster?

I’d like to think my bank would reimburse me fairly easily. Which is why new data from the Financial Ombudsman Service (FOS) – the place where customers go when they’re unhappy with how they’ve been treated by their bank – is so worrying.

The numbers speak for themselves

The data shows that the number of authorised fraud complaints made to the FOS more than doubled in 2020-21. Complaints rose from 3,600 to 7,770 in that time frame.

The vast majority of complaints are related to the sort of scam I was talking about above. An Authorised Push Payment (APP) scams is when someone is tricked into sending money to an account that’s being operated by a fraudster when they may think it belongs to a friend, family member or legitimate business. Scammers’ techniques are getting harder and harder to recognise. 

We spotted the threat to consumers from and the lack of protections for victims of APP scams years ago. And after our super-complaint to the regulator, the Payment Systems Regulator (PSR), five years ago, most major banks signed up to a voluntary code (Contingent Reimbursement Model code).

The code instructs banks to give customers their money back when they are not at fault and to provide them with adequate support.

Not following the code

Not only are the number of complaints to the FOS rising, but nearly three-quarters (73%) of complaints were upheld by the FOS in favour of the customer. Many complaints have been made about banks refusing to or delaying reimbursement. This means that the FOS have found the banks to be breaking their own code in nearly eight in ten cases. 

Figures show that NatWest and The Royal Bank of Scotland (RBS) – part of the same banking group – are getting it wrong in nearly nine in 10 (86%) cases, with Santander (82%) and Bank of Scotland (81%) following closely behind.

Why we need mandatory reimbursement

Having such a high percentage of decisions upheld in favour of victims shows that banks cannot be trusted to interpret the voluntary CRM code fairly or treat customers in the right way. 

That is why Which? wants the government to swiftly make the necessary changes to enable the PSR to introduce mandatory APP fraud reimbursement obligations on all firms, with robust oversight and enforcement. 

See how your bank ranked and the number of cases upheld by the FOS in favour of the fraud victim:

Have you been refused reimbursement by your bank after falling victim to an APP scam? Did you made a complaint to the Financial Ombudsman Service about your bank’s decision?

Was that complaint upheld by the Financial Ombudsman Service? Let us know by emailing yourstories@which.co.uk 

Comments
marilyn says:
19 November 2021

Fantastic news – hopefully now all banks will step up to the mark and actually DO something ‘at source’ to stop scammers instead of paying out sometimes huge amounts – I know someone who lost £9,000 to scammers – the bank paid him that amount and explained that “they don’t really do much chasing on such a small amount” – seems it’s just written off !!!! If you add up one or two or eighty or ninety £9,000s — hell of a lot of money — sickening to me!! They must now sit up and get with the programme i.e. use their brains to stop this rotten loss for both customers and banks themselves.

Bob R says:
19 November 2021

So people silly enough to get caught out by the scammers are to be reimbursed. Where have these people been, on the moon?
So the banks are going to pay? Well kind of, but indirectly by those customers paying bank fees which no doubt will go up as a consequence. So if bank fee increases you’ve only got yourselves to blame.

Bob R

Thomas says:
19 November 2021

Problem is the banks don’t pay anything. In the end its the all the other customers who pay. The media repeatedly tell us about scams. How many times have people got be told that they must take responsibility for their actions. Its not the banks fault if people are stupid.

The £9,000 lost [see above] happened the day after a new card was issued [the same card had been used for over 7 years and renewed as normal] – not all customers ‘live on the moon’ – some are just downright ‘unlucky’.
We are continually told that banks do not telephone their customers — so, I wonder why my bank now asking for my telephone number — they are their own worst enemies.

Robert says:
27 November 2021

Clearly, by your comment, there are many people not as clever or as aware as yourself to recognise the pitfalls!
That is probably why WHICH? found it necessary to run a campaign, on their behalf, to protect them.
Congratulate WHICH? ON THEIR VICTORY rather than denigrating those who have innocently fell victim!

I agree with Rob and Thomas. There is enough information about to let people know how scamming takes place. Why should sensible bank customers have to pay for the stupidity of those who allow themselves to be scammed.

At present the banking system is effectively supporting crime by allowing scammers to use banks accounts and services to receive money from their victims. In my view the banks should be working together to tackle the problem and to ensure that money is returned to the victims bank accounts.

Have you evidence that everyone who has been scammed is stupid, Ken?

Describing the victims of fraud as “stupid” or “foolish” is not helping. Scammers are not idiots and probably target victims whom they know to be vulnerable. Even if it is purely random, two or three times a day they probably catch someone out and plunder their funds. There have been plenty of reports, here and in the press, of perfectly sensible people being tricked by scammers posing as their bank.

The question is whether the banks have provided money transfer facilities that are vulnerable to scam attacks, and the evidence seems to show that they have. The liability lands with the paying bank, which to many of us appears unfair since they have not usually contributed to the fraud through any negligence on their part, but in the opinion of the regulator that is the easiest place to pin the obligation for a reimbursement where such is accepted after investigation; it is no doubt assumed that over time the liabilities and the amounts involved will balance out proportionately according to the capacities of the various banks. It should eliminate the potential for inter-bank disputes and work quicker in the customer’s favour where reimbursement is justified.

The obvious next question is whether the internal investigation process is diligent, consistent, and secure from fraud in itself. Many doubts remain on that and I don’t think the banks have done enough yet to satisfy public opinion that overall the process is a fair one. It is certainly not an independently monitored one because each bank makes its own decisions internally according to its own assessment standards which might not be shared with the customer. There are concerns that some outcomes are one-sided in favour of the bank, the investigations are skimped and customers are brow-beaten into accepting refusal to reimburse or to accept a confidential ex gratia settlement, and even that decisions are sometimes made without any proper investigation at all but having regard to irrelevant factors like the individual customer relationship or other types of prejudice.

”Describing the victims of fraud as “stupid” or “foolish” is not helping.”.
In case this refers to a comment I made let me be clear. I have not said that the victim of a fraud is foolish. What I said was that to ignore a warning ( of a possible scam, say) was foolish. If you prefer, I could say “ill advised” but I still consider it irresponsible. For example, when a CoP response is “no match”.

I exclude the “vulnerable” from this because, as I have said before, they need special help with ,managing their finances.

”At present the banking system is effectively supporting crime by allowing scammers to use banks accounts and services to receive money from their victims
I don’t think this kind of accusation of the banking system is at all helpful.

However, as I, and others, have suggested before, we do need to know how (some) banks allow accounts to be set up by what turn out to be fraudsters. Could they know in advance? – I doubt it. Do they not do proper checks? (validity of ID and residence for example) – possibly. At what point should they realise certain accounts are being used fraudulently?

And, importantly, are there particular banks that host more fraudsters than others, and who are they. The Contingent Reimbursement Debate is asking that each payer’s bank publishes the number of customers who have been scammed and have been refunded. They should also be asked, as a payee’s bank, how many accounts they hold have been found to have been used fraudulently.

And is it overseas banks that are more of a problem than UK ones?

Identifying lax banks, if some stand out, would perhaps begin the basis of a sending bank looking closer at a transaction.

Malcolm wrote: “I don’t think this kind of accusation of the banking system is at all helpful.”

I’m not keen on your criticism and I am referring to a problem with the industry rather than any specific bank. Are you saying that scammers are NOT using bank accounts and facilities? If I am wrong I will apologise.

Like Ian, I want to see the banking industry working together and tackling fraud and to do what they can to return stolen money to the victims’ accounts.

malcolm r says: Today 14:49

”Describing the victims of fraud as “stupid” or “foolish” is not helping.”.
In case this refers to a comment I made let me be clear. I have not said that the victim of a fraud is foolish. What I said was that to ignore a warning ( of a possible scam, say) was foolish. If you prefer, I could say “ill advised” but I still consider it irresponsible. For example, when a CoP response is “no match”.

So in my case, when exactly that happened, what ought I to have done? In that case both banks blamed the other.

The banks cannot have it all ways; they can’t keep closing branches and espouse all the wonderful advantages of digital money transfers yet want to penalise those who, because branches are no longer easily available, are forced to go against the recommendations.

I think to say the banking system is “supporting” crime, and that they “allow” scammers to use banks accounts and services to receive money from their victims could be taken to suggest they are actively complicit in fraud. I do not think that is the case. Perhaps the statement was just badly worded?

It may well be the case that, for example, some banks – including overseas – may be deficient in checking prospective account holders. Ian has reported on legitimate bank account holders selling their accounts to fraudsters. Until illegal activity on those accounts is discovered I do not see that it would be easy for the banking system to predict fraudulent use. But I see no evidence that the UK banking system supports crime.

I think all who contribute here want to see fraud tackled, with the banking system playing a full part; some have been making constructive proposals in that regard.

I understand the emotions that fraud engenders, with myself and others, and the desire to place responsibility for it on someone. We can then direct our ire accordingly. If only it were that simple. But the aim must be to find practical and workable ways of reducing it. CoP and checking the authenticity of payees is part of that. The CRM will placate some but I hope the outcome will not just be repayment but system changes that can help prevent customers being defrauded. This is not something individual banks and related financial businesses can do separately; it needs industry coordination and the involvement of other relevant bodies, including those who provide systems solutions to the industry. Hopefully the PSR’s oversight is doing that.

One paragraph in the PSR’s consultation rather disturbs me, and partly answers a question I have asked a number of times – “ why, when no negligence can be attached to a bank when a fraudulent transaction occurs, are they expected to repay the customer who instigated the movement of money?” Consumer groups apparently suggest that it is because the banks have plenty of money. That does not seem a fair reason; as has been pointed out the “banks” money is profits made from their customers so they, inevitably, will suffer through higher charges and lower savings rates. But perhaps some think that is fair.

”PSPs generally thought that the focus of liability had ‘moved’ towards PSPs over the period since the Code’s implementation, and that there needed to be more focus on customer liability in APP scams – as consumers do have a general responsibility for their decisions. Consumer bodies tended to think that liability should sit more with those stakeholders better able to bear the (often significant for an individual consumer) cost of APP scams – that is, the PSPs.

https://conversation.which.co.uk/scams/financial-ombudsman-service-psr-code/#comment-1640691
Ian, I do not know the details of your particular case and whether or not you chose to go against a banks warning.

But, if a customer does choose to ignore a warning that a transaction is suspect then I consider that ill-advised and to be taken at their own risk. Why should a bank repay someone when they have been warned not to undertake a particular transaction? That was the gist of my comment.

Malcolm – Where have I suggested or implied that banks are complicit in fraud? They are supporting crime by failing to return money paid into the accounts of scammers. We are protected by the FSCS if we lose money as a result of the failure of a company (where applicable) but until the CRM Code arrived it was a gamble whether money would be returned to scam victims.

”They are supporting crime by failing to return money paid into the accounts of scammers.”. What was said was ” allowing scammers to use banks accounts and services to receive money from their victims“. I doubt the system knowingly “allows” that. It assumes banks and the system know that particular accounts are fraudulent. If that were the case then I would condemn them too. But is their evidence to support that? I have not yet seen any.

I do think that the onus should be on the receiving banks to make repayments to defrauded customers when that is appropriate, rather than the payer’s bank. Quite how easy is that for overseas banks to be made to do?

I suggest that we wait and see what information is published.

malcolm r says: 20 November 2021

Ian, I do not know the details of your particular case and whether or not you chose to go against a banks warning.

I’m glad you asked that, Malcolm, because how it was handled goes to the root of my assertion that the banks need to be forced to work together.

Some time ago (only weeks) we decided to transfer an amount close to £20,000 from one major bank to another. I enquired of the bank from which the money was to be transferred and also of the bank to which it was being transferred.

The transferring bank gave me precise instructions which, given the amount involved, I double checked with them before doing anything.

At the time arranged (if you’re transferring large amounts it’s always good to arrange a time with the receiving bank) I carefully – very carefully – completed all the details on the online ‘send money to others’ account form and pressed ‘send’.

A notice appeared from the sending bank (one of the really big banks) with a clear warning, advising that the name of the account could not be verified and I should re-check all the details,

This I did–extremely carefully. The warning continued to appear. What was chilling was the wording: ‘If you choose to disregard this warning the money could be lost to you.”

That drove me back to both banks. I talked to the second–the receiving bank. They assured me every detail was accurate. They even confirmed that I should ignore the warning.

I returned to the first bank–the sending bank. They used an immortal phrase: “Something’s probably wrong.” Other than that, they didn’t say much.

Back to the receiving bank. I asked to speak to a manager this time, explained the issue and his response was along the lines of ‘We’ve seen this before. But all the details we gave you are accurate. I’d go ahead anyway.’

So what was I supposed to do?

Frankly, the way the two banks were behaving convinced me that the banks have to be forced, which now–thankfully they are, to accept responsibility for APP frauds to a far greater extent than they are currently.

It was a trying afternoon and being thoroughly au fait with scammers and their techniques, it brought an entirely new dimension to this debate.

If the banks can’t get things in their own houses to function properly, they need to realise there will be consequences.

I remember you relating this some while ago. If the banks advised you to proceed after checking the authenticity of the transfer and effectively guaranteeing your payment was safe then that seems OK. You were prompted to make checks which seems fail safe, particularly when transferring such a large sum. As a check you could have sent £1 and ensured the correct person had received it before sending the balance.

However, my comment about the success or otherwise of CoP was whether there were a significant number of failures reported.

malcolm r says: Today 11:19

If the banks advised you to proceed after checking the authenticity of the transfer and effectively guaranteeing your payment was safe…

Well, who’s to say they did? These were all telephone calls. They ought to have kept a copy, of course, but these things get lost. I don’t believe anything was “guaranteed. ”

You were prompted to make checks which seems fail safe, particularly when transferring such a large sum

I suspect you may be missing the point, here; this topic (and several others) centre around the banks’ competence and the ‘stupid’ people who suffer the scam consequences.

What I’m saying is incredibly simple: when the banks cannot even recognise other banks, through a system that was incredibly overdue and eventually only implemented begrudgingly, and which was supposed to be a fail-safe system to guard against specific types of scam, what confidence can we–the customers of the banks–ever have that they will respond fairly, openly and honestly without being forced?

On the basis of one experience? I simply have asked for evidence that this is a significant problem. Maybe someone can link to that; the PSR seem unaware. Until then perhaps we should wait.

malcolm r says: Today 11:40
On the basis of one experience? I simply have asked for evidence that this is a significant problem.

Are you doubting the veracity of what I’ve told you? If so, then please say it. Otherwise, how would you describe a situation where a basic plank of user verification doesn’t work between major banks?

And you’ve studiously avoided saying what I ought to have done–or not done:

So what was I supposed to do?

Ian — I was going to suggest, but Malcolm beat me to it: “you could have sent £1 and ensured the correct person had received it before sending the balance”.

All the banks or their regulator could have advised or insisted on customers making a trial payment before transferring a larger sum, but this did not happen.

Online banking systems could have required insertion of the account number and sort code twice – a system widely used to confirm passwords. I am not aware of this system been used for banking.

Missed opportunities that have resulted in some customers losing money as a result of misdirected payments.

I learned about making trial payments before I made any online payments, either thanks to a radio programme or Which? magazine.

Ian, John said what I would have said.
No, I don’t doubt your experience and have never implied that. What I have said is that, on its own, it is insufficient to condemn the confirmation of payee system. I think I made that clear.

However, if the PSR (or, perhaps, Which?) have evidence of significant failures of the CoP system then they would be a cause for concern. My own experience has, so far, been 100% good and, according to the PSR, has been beneficial.

John Ward says: Today 15:20
Ian — I was going to suggest, but Malcolm beat me to it: “you could have sent £1 and ensured the correct person had received it before sending the balance”.

Which is exactly what I always do with new transfers. But with two big banks, it’s far from that simple. I suggested that to the receiving banks, who told me it could take the best part of a day to verify. I was facing a deadline, because, in my innocence, I assumed the banks’ own systems would obviously recognise another major bank.

That’s the other point, of course. If we can’t trust the banks to have their systems working properly, delaying a payment for any length of time could be merely prolonging the inevitable.

All of which misses the point, however: we can’t trust the banks, so it makes it unlikely that they will act honestly with APP claims, unless forced.

I’m not sure of the point of this discussion. I don’t doubt that Ian has had problems with CoP and Malcolm has not. For the record, I have had three problems since CoP was introduced and I chose to proceed because I was certain the details were correct and the amounts were small.

Most of my payees had already been set up and used before the system was introduced, so CoP is not involved. I have 19 payees in my list, having removed ones I don’t expect to use again. I guess I have only attempted to make fewer than ten payments involving CoP and three have not been confirmed. In two cases I have reported the cases on Conversation. I have no doubt that CoP provides us with long awaited protection but from my own experience there is need for improvement. If problems are logged we might learn more in future when the regulator produces a report.

Nancy I Reeves says:
19 November 2021

Of course everyone should always stop and think before communicating in any way with anyone. But life isn’t always clear cut there are pitfalls along the way. Not everyone is thinking straight all the time. They could feel ill, particularly vulnerable because in a state of shock ,or not hearing or seeing well or just plain confused trying to come to terms with modern technology.
One of the big ones for my generation is how the world has changed.The disbelief that people can do such unbelievable things- finding someone who is struggling and deciding to take all you can off them, – the kind hand that rakes in all it can.

This may be good news but the point is that up until now these scammers seem to get away with the money and the law is too busy or otherwise unable to recover the stolen money and charge them.
This money is no doubt funding further crimes and giving them more confidence to continue.
At some point there should be a waiting or cooling off period before large sums of money are taken from accounts and transferred on. Also how are these criminals allowed to get bank accounts so easily and then empty them & disappear? These should be much more strict identification and checking of new accounts as they must be setting up new accounts to continue with each scam.
It is sad the increase of these scams which show how greed and criminality has grown in some misguided people recent years.

Margaret Cameron says:
19 November 2021

The banks must be more proactive in determining whether a transaction is kosher.
Is it the sort of payment that the customer normally carries out ? If not they must contact that customer and determine the facts.I am sure that a lot of customers , as soon as they have sent to money to the scammer immediately worry if it is ok. So a telephone call from the bank querying the payment should be carried out before any transfer of money
is made.. Isn’t that obvious ?
If a genuine recipient is made to wait an hour or so that is better than the sender losing
money. In my branch of Barclays [now deceased]..if a sum was more than I normally transferred the cashier would always ask me about it. That of course is when humans are involved. If it is done technically then programmes must be devised to act like humans.

As others have said, it’s not really a ‘win’, as the banks won’t lose money.

All they’ll do is increase fees & charges for everyone; including people who don’t fall for scams, in order to pay out for the fools who are gullible enough not to make sufficient security checks, which is simply common sense when it comes to money..

Sheila Anne Cataroche says:
20 November 2021

The majority of people are aware that banks won’t phone you and just hang up when they receive these calls. The victims are usually the elderly and mentally challenged who are more easily panicked into doing what the reassuring voice tells them to do to protect their savings.

The scammers are making a huge number of calls and robo calls to prey upon the vulnerable.

But the banks do ‘phone you. I’ve had quite a few calls from them.

So I transfer £10,000 to my friend, the bank reimburses me and we then go halves on the money I transferred to my friend.
Being obliged to reimburse sounds like opening a whole new door to scamming.
Why are the banks having to pay back something authorised by a customer.

This is why it is so important that money is recovered from the recipient’s account, so that crime does not pay. I would like to see everyone making a claim being liable for part of the cost, maybe £50.

I would support that but suggest that 10% of the sum at stake would concentrate minds further.

My suggestion of scam victims having to pay £50 for their bank to recover funds would deter trivial claims, such as those by people who have responded to a Facebook scam, hoping to obtain fashion clothing and footwear at an unrealistically low price. Bear in mind that many scam victims are older people that have been tricked by scammers. 10% of a larger sum could be a lot of money for them.

I would like to see a focus on the banking system being required to repay money that has been stolen. I hope that the CRM code will help concentrate minds to help make this happen.

It’s a sound idea.

Ben says: 21 November 2021

So I transfer £10,000 to my friend, the bank reimburses me and we then go halves on the money I transferred to my friend. Being obliged to reimburse sounds like opening a whole new door to scamming.
Why are the banks having to pay back something authorised by a customer.

For all of the reasons discussed earlier in this topic. And regarding your own proposal you would, of course, be committing a criminal offence which could incur a custodial sentence.

The banks will never disclose what methods they use to track miscreants, but once they are compelled to behave fairly towards their customers, we can be absolutely certain they will set up entire departments, whose only task will be to determine the authenticity or otherwise of any claim.

If this were fairly resolved on the basis of negligence then, if the bank or banks were the negligent parties, depriving the customer of the full refund would be unfair.

The problem with recovering money from the recipient’s account is that, from what I have understood, it is quickly emptied so there is no money. I consider the recipient’s bank should repay from their own funds, if a real fraud has been perpetrated. That would concentrate their minds on ensuring they vetted their new customers properly before allowing them to open accounts.

However, I doubt it is that simple. If the Guardian report that Ian read is correct, that many legitimate accounts opened by students are sold to fraudsters, the bank could not immediately identify those.

Maybe substantial sums, that are unusual to the account, transferred into an account should be held for, say, a few days before they can be withdrawn. This should allow time for the payee to have second thoughts, speak to their bank, and freeze the money until an investigation into authenticity can be completed. I have not experienced depositing a large sum of cash into my account, unfortunately, but understand I would be quizzed on its origins before the bank would accept it. Doing the same with large transfers would seem a similar precaution.

This still leaves the smaller fraudulent sums needing attention. Like small crimes reported to the police, will the time and effort required be available or will the pragmatic solution be acquiescence and a refund? That is not good to encourage customers to be more careful but might persuade more investment in preventative systems. I fear we must accept that successful fraud is with us now and forever and some will be treated as a business cost for which we will all pay. Are we happy to do that?

The problem to be resolved is not a simple decision of whether the customer or the bank was at fault but how money stolen from the customer can be recovered. The customer’s bank may refund that but unless the money can be recovered from the receiving bank the costs will be shared by other customers.

Many of us are unhappy with the ‘knock for knock’ system that the motor insurance industry is keen on. If you have an accident that is not your fault, your insurer may pay out and reward you with a higher premium at renewal time. Since accidents have to be declared, switching company may not help and it’s best to make sure that your insurance record does not show any blame.

Introducing delays in payments to new payees to give banks’ customers to report suspected fraud could help if customers keep an eye on their accounts. I would not expect the banks to discuss their planned strategy.

In the past few years the banks have put in considerable efforts to protect their customers. With the CRM Code, there is pressure on the industry to do more to tackle fraud. We as customers can and should do our bit to protect ourselves, just as computer users need to protect their data and accounts. I’m amazed that banks don’t insist on us using a supported operating system and current anti-malware software.

”The problem to be resolved is not a simple decision of whether the customer or the bank was at fault but how money stolen from the customer can be recovered. “
Exactly. We want to reduce (but we can never prevent) fraud or ensure the perpetrators are traced and penalised where we can. Simply using anyone – banks, insurance – to just refund lost money is no solution.

There will be many ways of tackling the problem and I hope the latest PSR’s consultation will lead to some positive ways forward as well as simply demanding banks provide refunds. The PSR does, incidentally, mention delaying payments but does not seem too sure.

Perhaps we should wait and see what the PSR has to say. It may be that the effectiveness of delaying payments is already being evaluated.

@jon-stricklin-coutinho, hello John. I asked George Elcock over a week ago now a question about the % of banks “getting it wrong”. https://conversation.which.co.uk/scams/financial-ombudsman-service-psr-code/#comment-1640590.

In fact, my original comment asking the question is nearly 2 weeks old https://conversation.which.co.uk/scams/financial-ombudsman-service-psr-code/#comment-1640103
I have posted a reminder but had no response. Is George intending to clarify what was said, please?

Brilliant. Now if I leave my car or house unlocked I’ll just claim compensation from the car maker or house builder if anything is stolen.

There is an element of personal responsibility. Yes, there are some clever and elaborate scams but there are some obvious ones, such as clicking a dodgy link, transferring vast sums of money to a newly-created account, giving away your PIN. Why should the banks be forced to pay out compensation because of someone’s negligence in certain cases? Ultimately, it’s not the banks that will pay, it will be the financially savvy consumers. See also PPI. Payday loans. Avoidable excessive overdraft and credit card charges. Won’t be long before we see the end of free banking. The best thing the government could have done was to make financial education compulsory.

Banking services need to be fit for purpose and we have seen major improvements such as two factor authentication and confirmation of payee, which could have been in place before to help protect customers. Here are rules that were in place before the CRM voluntary code was published: https://www.fca.org.uk/consumers/unauthorised-payments-account Which? has been pushing for the voluntary code to be replaced because different banks were treating their customers differently. It’s unfair and almost a form of discrimination.

It is highly unsatisfactory that scammers can obtain accounts and use these to receive the proceeds of crime. I have suggested that by delaying payments to new payees, this would give the opportunity for scam victims to report incidents to their banks in time for the payment to be blocked. An unintended consequence of faster payments seems to be the loss of opportunity to recover stolen money.

I suppose it is going too far to suggest that users of online banking should also, at least to some degree, be “fit for purpose”.

Very little in life is perfect (with the exception, perhaps, of hindsight), and I would suggest the online banking system has shown itself to be pretty good for the vast majority of people. A consequence of banks that have no part in a fraudulent loss, other than carrying out their customer’s instruction to move their money to another account, may be something some might regret in hindsight. Rather like the overdraft charge debacle.

The PSR, LSB, FCA and the government have all had a hand in fraud issues and they will have access to information that we do not. Those who are scammed are victims of crime and the banks must work together to return stolen money.

It’s true that the overdraft debacle was foreseen, although the consequences of the attack on fake reviews in Amazon was not, but no-cost current accounts are not quite what they seem. For example. many banks have minimum amounts users must keep in their accounts to benefit from all the advantages of the ‘free’ system. Which is fine, if you have £100,000 to spare.

The banks will never lose; they’ll ensure that and the only thing that keeps them offering ‘free’ banking is the fear that another bank will undercut them and they’ll have access to less cash.

Until we know the present scale of this crime it is difficult to make useful comments. My impression is that the APP fraud is greatly diminished but it would be helpful to have the facts.

I accept that the banks had presided over a system that was so flawed it was vulnerable to fraud, and that they were reluctant to rectify it by their own collaboration but for the intervention of the Payment Systems Regulator. The banks therefore must be held generally culpable. However, in this imperfect world, not all victims of financial crime get all their money back and I do feel that if people have given someone access to their account details or allowed their device to be taken over they should be subject to an ‘excess’. I believe insurance cover is available for such contingencies as an extra on some household policies.

Banks have always had to make provision for losses due to robbery and theft; I doubt if, in real terms, the amounts involved today are as great as, say, twenty or thirty years ago, so to some extent we are arguing more about liability than principle.

I think we are all agreed that it would be better if the bank receiving any scammed funds were to reimburse the victim, but the PSR’s mechanism places that obligation on the victim’s bank, and I can see why: it should be a faster and less contentious means of redress. It is then for that bank to recover what it can from the bank holding the unlawful account.

Where an APP fraud was made possible by a company used by the innocent customer being open to a fraudulent attack on its e-mail system I would expect the receiving bank to take action against that firm — and that has happened in a number of cases, including a law firm where a house purchaser was tricked by an impostor’s e-mail into transferring the completion balance to a fraudster’s account. I don’t think the e-mail trick is a current issue; at least, I have not seen any reports of it for some time.

My main concerns are for the banks collectively and separately (a) to put an end to fraudulent withdrawals from their customers’ accounts, (b) to deal with reimbursement in a transparent way according to a set of principles, under external monitoring and with access to an independent adjudicator, and (c) to ensure that the reimbursement process is not itself open to misuse or fraudulent action.

I consider it would be reasonable for the scammed customer to be liable for £50 or 1% of the loss [whichever is the greater] if, and only if, they have made a direct contribution by any act or omission on their part to the loss. Restoring trust in the banking system should be a primary objective of the reforms in my view and creating customer reassurance is now essential. Even if the origin of the reimbursement seems to be wrong, it is probably a price worth paying to achieve that.

The banks I use give me all the services I need – no bells and whistles – with no requirement to keep a minimum balance in my current accounts. So I was a little surprised to see that many banks do not, and particularly the high balance needed to maintain them.

It would be helpful to identify these banks and the facilities those accounts offer that differ from the basics.

As Ian, and others, have said the banks will not lose as costs will be passed on to all their customers, through higher loan rates, lower interest rates, higher penalties (such as the nigh-on 40% overdraft interest many charge). That is why it is important, in my view, on reducing the need for them to make payouts to customers for 3rd party fraud. The focus should be on avoiding fraud, including, for example, by improved banking intelligence and systems, educating customers to be more aware and careful, and tailoring the facilities given to different groups of customer that better match their abilities to handle transactions.

Am I right in believing that individual cases will continue to be adjudicated? I support Which? in wanting the voluntary code replaced with legislation that will remove the present lottery where the outcome depends on which bank you use.

In an ideal world all cases should be investigated, where money is involved, to try to ensure the correct attribution of responsibility and a fair outcome. The latter is difficult to achieve when the customer responds to a fraud and tells their bank to transfer their money, because all the necessary details will not be recorded nor, necessarily, accurately recalled or reported. And the effort will not be there to properly investigate. So the easy way is to pay out and recover the money from other customers through the banks’ general business.

I do hope that fraud involving substantial amounts will be properly investigated to avoid, for example, a system being abused and to avoid a lapse in customers being careful.

I wonder what criteria should be used eventually to decide who should pay. Will we continue with the principle that (except in clear cases) the customer is not in the wrong and that the banks should pay out because, as some say to the PSR, the banks are better able to resist the loss than their customers?

I don’t see this as a satisfactory solution in the longer term.

However, as John says, it would be useful to see how much positive effect Confirmation of Payee has had. I would also be interested to know just how requests to banks to authenticate a new and unknown payee might help and whether banks might, in future, require this if a refund is to be made in the event of fraud.

We have had many suggestions in these Convos about improvements that could be made. It would be useful if Which? reported on all these in a neutral way so we might glimpse possible ways forward, other than just compensating “victims”.

The CoP protocol might be made more effective and reliable if banks ensured that the names used for accounts for payments were the same as the names used for trading purposes. Large firms are getting better at giving their correct account details as they realise that on-line payment transfers are now much more popular and efficient, but small traders seem to struggle – for a builder I use I needed to transfer interim payments to his wife’s bank account and she doesn’t use her married surname; it has been sorted out now so future payments will be straightforward but it’s an example of the difficulties that could have led to confusion.

There are identifiable processes that the bank does for the domestic customer. It is probably fair to say that the domestic customer is a separate branch of the banking system and, as such, this requires its own rules and regulations. Business operates in other ways and only crosses with the domestic bank through its customers.
The domestic bank is required to hold client’s money, to accept payment in and make payment out of each account, handle direct debits, process credit and debit cards and deal with cheques and bank transfers. In its back rooms, it takes our money and invests it so that there is an income that is more than it pays out. This pays for our free banking, bank staff and premises and it boosts profits. It charges fees for various activities and for loans, mortgages and overdrafts. So far, so good.
Our electronic world has spawned the criminal element who have seen that it is easy to cheat and defraud without getting caught. This element has made the banks examine their domestic dealings and some changes have been made. Future progress will be made when there is an analysis of each bank/customer interaction and the way in which it can go awry, be subject to customer error and be manipulated by the criminals.
When we all went to our branch and did all our banking there, the system worked very well. The electronic element has changed that. Customers make mistakes. They have insecure computer systems. There are more opportunities to interact with the customer, tempt them, frighten them and confuse them. Perhaps it is impossible to get a fail safe system, but currently we seem to be reacting to all these problems and not finding ways to deal with them. Electronics mean that we don’t go banking in town and the banks can cut staff and overheads.
The problem with compensation for criminal activity and carelessness is that it a problem with the system and a symptom problem caused by the crime and stupidity. If these were not present, there would be no compensation to worry about and to consider what is fair and reasonable. Is our banking system bust or does it need just a little refinement?

In another Conversation, Malcolm asked whether banks should be expected to refund customers that had responded to an offer that is ‘too good to be true’.

My first priority is that if money is paid into a scammer’s account the receiving bank should be responsible for returning it to the customer’s account, otherwise the banking system is effectively facilitating crime. That might be a factor in why scams are now so common.

Investigating suspected scams incurs costs and I have suggested that the customer could be charged a fee of up to £50 in respect of a claim for reimbursement. That could deter customers from making a claim for small purchases. We can and should do our best to protect ourselves against scams but the banking industry could do a lot more.

I believe what has been lost in all the debating that’s taken place is one simple fact: the banks have brought all this on themselves.

“New data from the Financial Ombudsman Service shows banks cannot be trusted to interpret the voluntary CRM code fairly or treat customers in the right way.”

I think that single sentence says it all.

“Not only are the number of complaints to the FOS rising, but nearly three-quarters (73%) of complaints were upheld by the FOS in favour of the customer. Many complaints have been made about banks refusing to or delaying reimbursement. This means that the FOS have found the banks to be breaking their own code in nearly eight in ten cases.

The receiving bank would be where I would target an investigation, as I have said before. Holding them “responsible” would be dependent upon whether they have been negligent in anyway, for example not exercising due diligence when opening new accounts.

Ian linked to a Guardian report that legitimate account holders such as students were selling their accounts to others when they had finished with them – presumably, as an example, when returning overseas. I do not see how the bank can be held responsible for that action.

I’ll repeat what I believe is fair. A customer who has instructed their bank to transfer money has chosen to do so, or been coerced into doing so, but that choice or coercion has not come from their bank. Should the bank have acted reasonably under all known circumstances then I do not see them as having a responsibility for the outcome of the transaction.

If, however, we can show that the bank, or the systems it operates, or the general banking industry systems are known to be defective , or practical systems could be put in place to detect potential fraud but are not and the banks should be able to warn customers of possible fraud before they complete a transaction then y they should. If they do not then they take at least a share of responsibility for the outcome.

If, as apparently one or more consumers’ organisations have suggested, in their response to the PSR’s consultation, that customers should be reimbursed by their bank because the bank has more assets than them, then let us say so.

Meanwhile, it would be useful to accumulate the constructive comments that have been made on both sides of the discussion and present them as a summary. Perhaps Which? would do that Jon @jon-stricklin-coutinho ?

Cases will not necessarily be straightforward and that is what an ombudsman service is for. What has not been reported here is the total number of cases that have been resolved and therefore not referred to the FOS. The 8 out of 10 cases refers to those, not the total number as far as I am aware, so is misleading if used out of context. I have asked Which? 3 times to clarify this but without any response.

”New data from the Financial Ombudsman Service shows banks cannot be trusted to interpret the voluntary CRM code fairly or treat customers in the right way.” is a statement by Which?, who have adopted a particular stance, not an official statement. They may be among the respondents to the PSR consultation (or maybe not) whose argument is that as the banks have more assets than their customers they can afford to give refunds.

As I suggest below, rather than continually going over old ground, an (impartial) summary of the arguments and views given on both sides of this issue would be useful, as in any constructive debate.

It would also be useful to get expert and informed input on just what systems could be set up to identify potential fraudulent transactions.

Sadly, as long as the same points are relentlessly being re-made, we’re doomed to repeat the same arguments. And the banks are not going to reveal very much, if anything, to us.

I’ve also not seen anything that suggests Which? is arguing the banks have to refund for every single case, regardless of circumstances. What is wanted is for the banks to cooperate (which they haven’t) and treat customers fairly (which they’re not).

I also doubt it’s necessary “to get expert and informed input on just what systems could be set up to identify potential fraudulent transactions.”. Firstly, they’re the banks’ responsibilities, and secondly, we’re not bankers.

All we need to do is watch to see if things change.

I agree. As pointed out in the introduction, banks are sometimes failing to follow their own code. The reimbursement rates vary between banks. Rather than a voluntary code (which I believe the PSR required six of the banks to use, but others followed) we need clear rules backed by legislation.

Please can we leave this for the PSR and other to sort out.

You seem very keen to terminate discussions when some ask for information that would add to the debate. I’d prefer to keep an open mind, look at what facts there are and try to reach a balanced conclusion, not an emotive one.

When we say “the banks must do something”, or words to that effect, we should be able to suggest what that “something” might be.

As far as failing there own code, the (voluntary) code gives the banks the option to decide on where responsibility lies. They may feel that when some customers fall for some frauds they bear some responsibility. I asked Which? in the Cryptocurrency Convo whether they expected banks to refund customers who made bad deals and was told they did not expect that.

It is not suggested banks refund every single case but some seem to expect something like it. I want to see an outcome that is fair to both sides and accepts that some customers can make bad decisions, mistakes, poor judgement that results in them making a loss when no one else can be held responsible.

Without new information I don’t see any point in continuing the discussion, Malcolm. You keep repeating essentially the same points and have asked me the same question several times.

Please may I ask you a question? If the customer of a bank pays money into an account held by a fraudster, should the money be repaid by the receiving bank? If not then the receiving bank is supporting crime, hopefully unwittingly. I want to see the banking system run in a way that as far as possible blocks fraud. I blame the current fraud problems on the banking system rather than any individual bank. Ian has repeatedly said that banks should be cooperating. As Beryl has said the banks can afford to give refunds and that may be necessary if they fail to recover funds that are paid into fraudsters’ accounts.

I expect we will learn more from the PSR and then there will be more to discuss.

This is a Convo for all, not just between individuals.
You ask ”If the customer of a bank pays money into an account held by a fraudster, should the money be repaid by the receiving bank? If not then the receiving bank is supporting crime, hopefully unwittingly”. As I have said a number of times, if the bank has no way of knowing the account was set up by a fraudster and is being used to commit a crime then why is the bank responsible for returning money? They only support crime, as you put it, if they knowingly host fraudsters. I have also said that if a bank is negligent, to a greater or lesser degree, then they should be a party to a refund. My posts on this topic this have repeated these views several times.

We need to separate emotive responses from the facts, seek information, examine solutions to progress this difficult issue. But I do not accept the reasoning, for example, that just because banks have assets then they should repay customers who have lost money. I do accept that there may be systems, intelligence, cooperative measures, that could be developed to help warn customers about fraud, there are measures banks could take on account restrictions to prevent certain customers getting into too much trouble, there may be banks that are lax in opening accounts, and other suggestions that have been made already. Rather than just continually criticise the banking system I would like to see constructive proposal debated and, as we are all as far as I know inexpert in this field, try to get and take heed of expert input.

Malcolm wrote: ” As I have said a number of times, if the bank has no way of knowing the account was set up by a fraudster and is being used to commit a crime then why is the bank responsible for returning money? They only support crime, as you put it, if they knowingly host fraudsters.”

What if someone sets up an account, uses normally and then uses it for criminal activity? I wonder how much fraud is conducted in this way. If the receiving bank is not responsible for returning stolen money, that makes scamming etc. a profitable activity. How long do we carry on?

None of us have declared whether we have any relevant expertise. I have worked in universities and and as some have joked, I have never had a real job. My contributions here are mainly because I believe that our present banking system is facilitating crime and not doing enough to prevent scams.

I look back fondly on older Conversations when we could drop in and have friendly discussions, helped along by contributors that did have expertise on the various topics. Perhaps we should adapt a slogan intended to help gamblers: When friendly discussion stops, STOP.

malcolm r says: 6 December 2021
You seem very keen to terminate discussions when some ask for information that would add to the debate.

Such a shame when individuals are brought into a debate, isn’t it? 🙂

malcolm r says: 6 December 2021

When we say “the banks must do something”, or words to that effect, we should be able to suggest what that “something” might be.

Why? We are saying the banks need to treat their customers fairly. How they do that is a matter for the banks, surely? If we offer detailed ideas, then some will simply point out all the flaws in those ideas. The Banks need to suggest the ideas.

As far as failing there own code, the (voluntary) code gives the banks the option to decide on where responsibility lies. They may feel that when some customers fall for some frauds they bear some responsibility.

But what has that to do with the banks following the code in the same ways? Because that’s the current problem.

It is not suggested banks refund every single case but some seem to expect something like it.

Can you provide examples of that, Malcolm?

malcolm r says: Today 09:20

You ask ”If the customer of a bank pays money into an account held by a fraudster, should the money be repaid by the receiving bank? If not then the receiving bank is supporting crime, hopefully unwittingly”. As I have said a number of times, if the bank has no way of knowing the account was set up by a fraudster and is being used to commit a crime then why is the bank responsible for returning money?

Interesting. I suspect most banks have very sophisticated IT systems, which can detect irregular activity, such as any account receiving a sudden donation, followed by an immediate withdrawal.

In days of yore, of course, before the banks had closed most of their local branches in the search for even greater profits, such activity would have been spotted as you’d have been known by the friendly staff. Surely, the banks are culpable, even in part, for making their operations less accessible and hence, less secure?

And just when did we start expecting instant transfers? That, in itself, has empowered the current wave of APP fraudsters.

Of course the banks can more afford to give refunds, as for every paltry1% of interest you receive on the money you lend to them they receive 90% of interest on that same money which they lend to borrowers.

The CRM Code is easily open to interpretation, using such terms as “greater level of protection”, “reimbursing customers who are not to blame.” The banks still use their autonomous right to decide (a) who is to blame and (b) the level of protection they implement.

We need clear cut legislation laid down by a team of financial advisers and lawyers, fully conversant with banking practice and procedures, preferably those who are fully conversant with Which Conversation, where they will find an abundance of information, including facts and figures and heart wrenching tales about the huge sums that have disappeared into cyber space at a moments accidental, indecisive, off guard tap on a computer or telephone key, often as the result of a con man eagerly awaiting in anticipation of the rich pickings coming his way.

When should people be held responsible for their actions? People make “mistakes”, bad decisions, exercise poor judgement in all kinds of ways in life. Should we look for someone else to take responsibility and absolve them from their responsibility? I’m curious to know why someone who decides to transfer money – not just an accidental tap on a computer key – is deemed free from any responsibility.

Because most people unwittingly think they can trust their bank to safeguard their money. We are now obligated to place our money into a system akin to a hornets nest that is fraught with criminals, con men and fraudsters. Why? because (a) we have little or no choice or (b) the banking system is unregulated.

Nice analogy, Beryl. 🙂

malcolm r says: 6 December 2021

When should people be held responsible for their actions? People make “mistakes”, bad decisions, exercise poor judgement in all kinds of ways in life. I’m curious to know why someone who decides to transfer money – not just an accidental tap on a computer key – is deemed free from any responsibility.

Are they? Can you provide a link to where that has been suggested?

Thanks Ian 🙂

I wonder, if the responsibility is generally shifted onto the banks, whether they will jointly routinely use a database of authenticated accounts that are known to be legitimate. When a customer tries to make a transaction they could compare with this and give a green flag to an appropriate transaction, a red flag to one of unknown provenance. The latter would be continued at the customer’s risk. Just as returning no match or a dodgy match to a Confirmation of Payee should put the risk onto the customer should they ignore it.

At present I believe you can ask your bank to confirm whether they consider a transaction to be to a legitimate non-fraudulent party, but this is a voluntary action.

This would make online transactions much safer if it were done routinely and establish clearly when a refund was justified or not. But, no doubt, many payees’ authenticity would be to unknown (to the banks) parties and it would require customers to then look carefully at who they were considering transacting with.

Here is a post by Colin in another Conversation:

Maybe there is something I don’t understand, but it seems to me that where money has been electronically transferred to a fraudster’s account, the bank hosting this account is more than culpable. At somer point in time they will have allowed the fraudster to open an account without fully verifying who they are hence allowing the banking system to act as a conduit for illegal money transfer. I can understand that a major difficulty in detecting fraudsters lies in their hiding behind stolen identities and hence in actually identifying who they are. But surely, in this age of technology, it must be possible for an individual’s true identity to be verified beyond any doubt using, for example, previously recorded personal information such as passport details, National Insurance number, NHS number, etc, etc, and surely here the banks have an ideal opportunity to fight crime.

https://conversation.which.co.uk/scams/sms-best-practice-business-guide/#comment-1641795

This is why receiving banks must return stolen money.

Colin says, quite fairly, ”At some point in time they will have allowed the fraudster to open an account without fully verifying who they are hence allowing the banking system to act as a conduit for illegal money transfer.”. If that were the case then they have been negligent and should be a party to the return of “stolen” funds.

However, if the bank has acted totally correctly when opening an account and had no way of knowing it was going to be used fraudulently then I see no logical justification why they should return stolen funds. They should certainly try to recover them, of course. Whether we, as it is our money that is being used, should agree that from an emotive perspective the bank should repay out of sympathy is another matter.

These arguments ignore the part the customer has in this process. They instigate these payments, one way or another, and we should look at to what degree they themselves could have acted maybe more responsibly. We cannot always shift responsibility onto others.

In my view we need to see the regulator look hard at what processes the individual banks and the banking systems could practically adopt that would reduce the incidence of fraudulent transactions. We would then be better placed to see where culpability lies and how fair recompense should be provided. We will never eliminate criminal activity nor people being hoodwinked but we should reduce the extent.

malcolm r says: Today 09:53

Colin says, quite fairly, ”At some point in time they will have allowed the fraudster to open an account…

However, if the bank has acted totally correctly when opening an account and had no way of knowing it was going to be used fraudulently then I see no logical justification why they should return stolen funds. They should certainly try to recover them, of course.

I agree. But it all hangs, really, on this line:

“had no way of knowing it was going to be used fraudulently”

We cannot expect the banks to be clairvoyant, despite a large section of their industry being based around that particular talent, it seems. I forget; wasn’t it Futures that played a large part in the 2008 global crisis? Along with cheap credit, lax lending standards, a series of corporate accounting scandals and a lot more, almost all of which depended on the banks knowing how things would turn out, despite their entire business models being based on exactly that premise.

This is what it’s all about; not an emotional response to those scammed but an approach inextricably and fundamentally linked to the banks’ own organisation. An organisation it seems, that failed at the first major hurdle.

Unless the receiving banks are required to refund money paid in to fraudsters’ accounts, fraud will continue. My view is that the banks should be required to refund money paid into fraudsters accounts. That is my view and is unlikely to change, and by blocking payment to fraudsters the banks could help reduce fraud.

I have not said much about how compensation cases are handled by banks because little information is available. I support the efforts of Which? to tackle the problem of customers being treated differently by banks, and obviously we need legislation rather than a voluntary code. I have suggested that those claiming compensation should make a payment of £50 to have cases investigated which could help offset costs and reduce the number of small claims.

I don’t understand why you effectively condone banks allowing their services to be used by fraudsters without an obligation to return stolen money, Malcolm. If I was to hit a person or a dog when driving I have to report the incident and rightly face any consequences, even though I did not know that the accident would happen.