/ Scams

Win! Reimbursement to be made mandatory

New data from the Financial Ombudsman Service shows banks cannot be trusted to interpret the voluntary CRM code fairly or treat customers in the right way.

18/11/21: Win! Reimbursement to be made mandatory

11/11/21: FOS finds banks are failing to follow their own code

I, for one, do all my banking online. And when I say all my banking – I mean all of it. My bank statements are sent to my email, my bank card’s exist mostly as pictures on my smartphone that flash up with a tick as I make a contactless payment, and I use my banking app to send my friends and family money when settling the bill at a restaurant. 

But, as I pay for things in bytes and bits; ones and zeroes, I worry what would happen if something were to go wrong. What if the person on the other end of the transaction is not my bank, barista or buddy – but I’ve fallen victim to a sophisticated fraudster?

I’d like to think my bank would reimburse me fairly easily. Which is why new data from the Financial Ombudsman Service (FOS) – the place where customers go when they’re unhappy with how they’ve been treated by their bank – is so worrying.

The numbers speak for themselves

The data shows that the number of authorised fraud complaints made to the FOS more than doubled in 2020-21. Complaints rose from 3,600 to 7,770 in that time frame.

The vast majority of complaints are related to the sort of scam I was talking about above. An Authorised Push Payment (APP) scams is when someone is tricked into sending money to an account that’s being operated by a fraudster when they may think it belongs to a friend, family member or legitimate business. Scammers’ techniques are getting harder and harder to recognise. 

We spotted the threat to consumers from and the lack of protections for victims of APP scams years ago. And after our super-complaint to the regulator, the Payment Systems Regulator (PSR), five years ago, most major banks signed up to a voluntary code (Contingent Reimbursement Model code).

The code instructs banks to give customers their money back when they are not at fault and to provide them with adequate support.

Not following the code

Not only are the number of complaints to the FOS rising, but nearly three-quarters (73%) of complaints were upheld by the FOS in favour of the customer. Many complaints have been made about banks refusing to or delaying reimbursement. This means that the FOS have found the banks to be breaking their own code in nearly eight in ten cases. 

Figures show that NatWest and The Royal Bank of Scotland (RBS) – part of the same banking group – are getting it wrong in nearly nine in 10 (86%) cases, with Santander (82%) and Bank of Scotland (81%) following closely behind.

Why we need mandatory reimbursement

Having such a high percentage of decisions upheld in favour of victims shows that banks cannot be trusted to interpret the voluntary CRM code fairly or treat customers in the right way. 

That is why Which? wants the government to swiftly make the necessary changes to enable the PSR to introduce mandatory APP fraud reimbursement obligations on all firms, with robust oversight and enforcement. 

See how your bank ranked and the number of cases upheld by the FOS in favour of the fraud victim:

Have you been refused reimbursement by your bank after falling victim to an APP scam? Did you made a complaint to the Financial Ombudsman Service about your bank’s decision?

Was that complaint upheld by the Financial Ombudsman Service? Let us know by emailing yourstories@which.co.uk 


It seems NatWest are not the only bank to make a mess,
HSBC and Standard Charted also should confess.
The US treasury have leaked a lot of beans to spill.
So when the banks complain we hear their voices–rather shrill.

The banks and Sky News

I received the following offer by email just now. Given the inflationary year we have just entered I welcome such an attractive investment opportunity in which to place my savings, reassured in the knowledge that my bank will refund me in the unlikely event it turns out badly:
Encrypted digital currency,
Sign up to join the node mining community to get a 3%-10% interest income every day!
If you are interested, please add whatsAPP ############
. 🙁

I’ve had an email today from Which? entitled Tackling Scams and includes “Scammers stole more than £854 million through bank transfer scams in the past two years. And what’s more shocking is that only 42% of this money was reimbursed by the banks, resulting in losses of £470 every single minute.

Since we launched our super-complaint in 2016, to highlight the unfair treatment of scam victims, there’s been progress but the issue is still growing. More often than not, banks have continued to lay the blame on their customers.”.

I have absolutely no problem with “victims” being reimbursed by banks (using our money, of course) when either the sending or receiving bank has been negligent and could, or should, have recognised a fraudulent transaction was being perpetrated.

What I cannot accept is that if the banks have not been negligent in any way but have simply followed their client’s instructions to move money from their account to another, why they should be forced to refund money that their client’s have lost. This simply implies the clients have no responsibility for the losses, cam make online transactions without due diligence in the knowledge they cannot lose.

I believe that some, maybe many, people are responsible for their actions. Fraudster can be very convincing but why should banks be automatically regarded as the fall back?

There are vulnerable people who are less capable of making good financial decisions. We should help them avoid significant losses by restricting what they can do with their account.

What I would like to see is proposals for how fraudulent account holders can be identified and fraudulent transactions predicted, and accounts taken down quickly. And examples of what other actions can be taken by banks that are realistically achievable.

I have suggested that banks could have a database of “clean” accounts that they will underwrite should a transaction prove bad. And notify customers if they are trying to transfer money to an account that has not been so classified with a warning that they do so at their own risk. Can that work?

What I cannot accept is that if the banks have not been negligent in any way but have simply followed their client’s instructions to move money from their account to another, why they should be forced to refund money that their client’s have lost.

Perhaps something like this ?

Without knowing the background to any of the cases where the subjects of the scams were not reimbursed, it is hard to draw any conclusions on why 42% [£358m] might have been withheld. It could be that investigations were carried out by the banks and customers had acted incautiously, had not exercised proper security, had falsified or exaggerated claims, or been negligent in completing the transfer documentation. It is also not beyond the bounds of possibility that within the criminal fraternity there are some circular scams trying to exploit the scam reimbursement system itself and were rumbled. I was under the impression that, over the two year period stated, a number of banks and payment services providers had not signed up to the reimbursement protocol which could account for some of the unrecovered losses. I am not suggesting that the banks have done nothing wrong, and possibly half the lost money should also have been reimbursed. The banks are not going to reveal the background to these cases which is why we need to have an independent adjudication process to oversee this whole business and ensure fair play across the board.

I’ve just come off the ‘phone after a lengthy conversation with a major bank. A few days ago, I received an email from this bank and I believe it’s worth going through it to demonstrate just how good the banks are shooting themselves in their collective feet.

From start to finish it’s a litany of errors. The email is headed:

“A simpler way to log on and access your accounts”

That’s the first error. What they go on to do is describe a system that’s so convoluted and error-strewn that you do start to wonder if it’s a genuine email.

The next sentence can’t be as bad, can it?

It’s been a while since you last logged in. To help make managing your accounts simple, safe and secure, we’re introducing a new way to log on to mobile and online banking.

Hmm. We log in daily. So don’t know if 24 hours counts as ‘quite a while.’ Or maybe they’re only talking about mobile banking.

Er. no. It specifically says ‘mobile and online

But after 24 minutes of talking to a bank specialist, it transpires that the changes won’t affect online banking. Or at least she doesn’t think so. Or maybe not much.

What shreds of confidence I might have had, now remorselessly being tossed beneath a tractor (we don’t have buses…) I move, timorously, onto the next major paragraph.

WHAT’S NEW? it thunders. in intimidating type size, and leads on:

Set up a new Digital Secure Key

Errr…but I don’t use an old digital secure key. I do, however have a tiny, plastic code generator, whereupon I type my special number and the card thingy spits out a special code which grants me access to my shekel store–if the battery hasn’t died.

Now to start with the paragraph itself. This has to be clearer, surely?

“To continue using our app, you’ll need to set up a Digital Secure Key with a unique 6-digit PIN. You’ll use this instead of your physical Secure Key to log on to the app or to generate codes for online banking. You’ll also be able to set up fingerprint or facial recognition to log on to the app if your phone has those features. Your new PIN will be there as a back-up option.”

The big problem is that we don’t use an app. So it’s odd that they seem to think we do. Maybe it’s the same person who thinks 24 hours is ‘quite a time’? There’s also the problem of language. I know what the words mean but not what they mean when strung together in sentences.

What’s a ‘Digital Secure Key’, for example? ‘Digital’ can mean fingers or numbers, ways of storing data but it’s the word ‘Secure’ I have the most difficulty with. Just as many people prefer not to use the ‘cloud’, wonderful and life changing as so many of its proponents seem to believe, I prefer my little code generator. It’s served me very well since the start of the online world and I’ve become rather attached to it. I also doubt that anything stored remotely can ever be ‘secure’.

The next paragraph continues by extolling the wonders that await me.

Access the full app on multiple devices

‘Multiple’ means having several parts, but it seems the bank thinks it’s limited to three.

This is one of the worst examples of multinational communication with customers. And it gets worse. The next paragraph firmly explains

….. bank will never ask you for confidential information…links within our email will only take you to information pages.

which is, I imagine, class 101 in Scammers school. What the banks don’t seem to comprehend is that normalising links in emails is a seriously bad idea. Far better idea to maintain a comprehensive help page on the main site and tell folk to visit that.

Perhaps the email writer has never heard of ‘cloaked links’, ‘spoofed addresses’ or faked URLs, but they should have. Those who vehemently defend the poor, downtrodden banks should take a long, hard look at exactly how they do business. Because it’s our money they’re doing it with.

If a bank can be shown to be wholly or partially responsible for a customer losing money in a fraud then some or total reimbursement, which is the subject of the Convo, is justified. I don’t know whether the example described for one bank would contribute or not to assisting, or helping, prevent fraud but reimbursement justification is where my comment was directed.

With a serious mis-trust of the electronic world in general, I always assume that anything I do on line is hackable and anything stored on my computer is readable. I take calculated risks when buying things but avoid any bank transactions so that what isn’t there can’t be stolen. This is somewhat naïve on my part because the bank has created an account on my computer and continues to feed it with my account details and transactions even though I don’t access it. I hope my antivirus will do something to help keep it secure. Similarly, as Ian points out, I’m one of the cloudless people who keep things on discs -two of them.
I tend to side with the victim of scams and expect the bank to protect them, since, as has been shown, it is quite easy to make a mistake with complex transactions. There is a difference between a mistake and a transaction made despite a warning or a request to confirm it. Those tempted to cash in on an offer that’s too good to be true, should know better, but the bank should also be able to spot these; for this is the area where I feel we are being let down. Not enough is being done to monitor who has an account and which account is likely to cause trouble. There also doesn’t seem to be many checks against those who have been reimbursed – at least not publicly.
With ever increasing security risks, the banks have (as Ian points out) increased their demands on customers who log in, adding more hoops to jump through. In addition they wish to improve their banking experience with more features. These additions add complexity to the site and generate explanations that Ian has complained about. Banking used to be a simple visit to the branch or a cheque. Credit cards came along and the revolution began. Now it is a complex web, sophisticated enough for the financier and demanding for those less well endowed with internet skills. It has proved a haven for the criminal who lurks and is seldom caught.
On a slightly different tangent, I have on a few occasions, made a purchase and when making the payment the site has crashed. One is left with the question of whether the payment has been made and what has happened to it.

malcolm r says: 15 March 2022
My role is not to do HMRC’s job for them but to pay as suits me at the time.

While I might agree with the sentiment I suspect there may well be a conflict between that view and your view of banks and their responsibilities, as expressed here and elsewhere:

We should not just assume that because a customer has lost money they have no responsibility. It is, of course, money from all customers that will be effectively used to repay them.

In the case of those who pay by cash it is precisely the same. HMRC might well not see any of the tax due on a cash transaction and that means the shortfall has to be made up out of all contributions from all tax payers.

I was, of course, saying that a customer who has been wholly negligent, while their bank has not, should not be automatically compensated. Thus saving all bank customers money. I think that was the clear meaning.

Maybe if we arranged our tax laws so the likes of Amazon paid their dues their would be alityle less of a burden on the rest of us.

I am reluctant to believe that all small traders that are paid in cash are defaulting on their tax liabilities. The HMRC is not entirely stupid and they have pretty good intelligence about all those who provide goods and services in one form and another.

Obviously, any lack of recovery is a charge on the law-abiding community but, as I wrote yesterday, I take the view that the more (undeclared) cash small traders take the more VAT they will pay in their personal expenditure and, although the 20% VAT rate might be lower than the 40% higher rate of income tax, it is likely that taking account of all the other reliefs and allowances there is probably not a huge difference in the realistic revenue accruing to the Exchequer. That is a different basis to the compensation paid by banks to careless bank customers which is never recovered from the offending parties.

John Ward, I didn’t fully understand your reference to VAT and the higher rate of income tax?

VAT and income tax are entirely separate, so I am confused how you relate the two?

If small traders are withholding tax they have more spending money on which VAT is levied. Assuming they don’t gorge on food, if they buy big houses, top-of-the-range cars, fat cigars, and other expensive goods to display their ill-gotten gains they will be contributing more in taxation — not just VAT, but stamp duty, car and fuel tax, tobacco duty and, ultimately, inheritance tax on their wealth.

I don’t think that is a valid excuse for evading tax at the point of income but it does go some way to neutralising the impact on the public finances.

I still don’t follow. I think my brain must be taking longer to engage this morning.

I was looking at this from the point that a trader or business MUST register for VAT when their income reaches the VAT threshold. Without looking I am not sure what the threshold is currently, but lets assume its £90,000. Therefore, if a trader declares less than £90,000 income there is no requirement for them to register for VAT.

The advantage in doing so is by remaining under the threshold, they pay less tax, but additionally their accounting is simpler without having to file VAT Returns. By remaining below the threshold there are time and cost savings by not being VAT registered.

John Ward, I have just read your post again and have grasped it now.

The VAT threshold is currently £85,000 [which is nett of various deductible expenses]. I would guess that very few of the tradespeople that are commonly paid in cash, from window cleaners to piano tuners, dog walkers and dressmakers, are anywhere near that level of income. While the overall amount involved might be substantial, focussing on the petty tax evaders takes our eyes off the serious fraudsters and other criminals whose activities are far from benign and have no community value.

Thanks John, as you indicated, I agree in reality no tax regime can possibly catch every penny. I guess it’s one of those subjects that perhaps some of us feel more strongly about than others, but it’s useful to share opinions and understand how others view these subjects.

The Payment systems regulator has decreed that, to reduce the level of fraud, card user will have to submit to a second form of ID checking in the future. Now everyone at all times however, but more than at present.

Living, as we do, in the mountains mobile ‘phone signals don’t exist in any reliable form, so banks insisting on 2FA, under the erroneous assumption that everyone has a mobile ‘phone (which we do, in fact but no reception…) are starting to issue card readers for those of us who don’t get mobile signals.

Naturally, as soon as I heard of this I ordered my personal card reader and today it arrived. Rather neat in design, with a square format screen and a card slot into which the card is inserted. The instruction for use, however, redefined ‘minimal’, with no instructions as to which way round or which way up the cards should be inserted.

However, I small chit I had with the card reader explained there was a handy ‘how to’ guide on the bank’s website. Which there is. Trouble is, it’s not only a completely different image of the car reader but when I followed their instructions to the letter the device announced ur cards were invalid.

I rang the bank after struggling to comprehend what was happening And had a very interesting chat with a Scottish chap who asked me to stay on the line while he made some enquiries. He returned after around a minute and asked me to read out my card number. I did. Then the dates.

Surprise! None of our cards will work with this device as each was issued around 2.5 years ago. We’re now being sent new cards.

Why do I post this minor epic? Because I have to undergo stringent security procedures to access my bank and its representatives, yet when I asked for the card reader no one in the bank thought to mention about needing new cards.

This is one of the biggest banks in the world yet they seemingly can’t even get images to match the products or train their online staff to check the details of customers in case a single device requires an updated card. They pay their CEO £1,500,000 per annum and yet, like many other banks, they have their defenders when it comes to paying out claims for mistakes made by customers.

Calls to this bank over the past two weeks have totalled more than two hours, and they were all unnecessary, and only because the bank can’t do simple tasks properly.

Better payment services providers are available, Ian!

I am very happy with my mutual society which is ultra-competent and efficient by comparison. It provides nearly all the services that a major bank does but it doesn’t engage in all the corporate and foreign exchange activities that possibly impair other institutions in dealing with personal customers.

I have had a card reader for many years and used it successfully. It is soon apparent which way to insert the card.

I don’t know who the title “defenders” is aimed at. In my case, in this Convo where the subject is “reimbursement”, I am questioning the principle “Reimbursement to be made mandatory“ (by banks) when a bank has not been negligent, nor should or could have had knowledge that a transaction was likely to be fraudulent. There needs to be proper evaluation of responsibility. That is not “defending banks” but seeking a system that is fair. If it “defends” anyone it might be ensuring unjustified payments are not made; these will come from the banks’ customers of course, so, if anything, might be regarded as defending the customers’ costs.

…as do any deficiencies in Tax collections.

The problem I have is that were banks beyond reproach, utterly superb in what they do and faultless there might be grounds for your perception. As it is they’re about as far from perfect as it’s possible to be, I suspect.

The principle of the grounds for fair reimbursement is being confused with a quite separate personal perception of banks. In my view.

We need to examine how banks could and should practically be able to detect and prevent fraudulent transactions before they are completed. We also need to examine personal responsibility in making any transaction and taking reasonable steps to avoid possible fraud. We need to consider why, if a bank has had no reasonable means of preventing a fraudulent transaction taking place, they should be expected to refund lost money.

I can’t really see any confusion and it’s not actually a personal perception, any more than those who argue the banks ought not to be liable for APP scams.

What I have detailed is objectively noted incidences of bank failures. Which is where I think you have conflated two issues: how banks detect and deal with potentially fraudulent activity and that of personal responsibility.

The second issue has been found to be rare, both by Which? itself and by whatever information can be gleaned from the banks, which is precious little, sad to say.

The problem lies with your assertion: “why, if a bank has had no reasonable means of preventing a fraudulent transaction taking place, they should be expected to refund lost money.”

Banks are notoriously secretive–with good reason, I suspect. So getting them to divulge “reasonable means of preventing fraudulent transactions” is never going to be possible, let alone simple, even if both parties could agree with what the words mean. “Reasonable” is the word which, in legal circles, earns Lawyers vast sums.

We will never get to know, either, because secrecy is baked into their culture. So the only option is for us–the public–to examine how they deal with their customers. And that’s not been exactly encouraging thus far.

It might be worth looking at the requirements of the CRM Code and the information available for customers. I cannot recall if the latter has been discussed: https://www.lendingstandardsboard.org.uk/wp-content/uploads/2022/01/Information-for-customers-CRM.pdf

One weakness is that it fails to provide protection if money is sent overseas.

It seems that the CRM Code is a protocol of ultimate liability on the part of the banks irrespective of whether or not they acted negligently, the circumstances depending entirely on the condition and experience of the customer at the time of the scam.

A relevant paragraph in the guidance document is as follows:
The Code says that if the combination of a person’s individual circumstances and the scam itself mean that it wasn’t reasonable to expect that person to have protected themselves then they should always be given their money back. The Code refers to these people as ‘vulnerable to APP scams’. There isn’t a tick list to decide if someone is
vulnerable, it will always be decided on a case by case basis.

So the vulnerability of the customer at the time is the underlying principle. My view is that this effectively makes the debate about customer behaviour and whether or not the bank could have taken steps to prevent the fraud unviable, notwithstanding that the points remain pertinent to consideration of the policy behind the Code. Therefore, the impact of reimbursement on all customers as a result of exercise of the code is just a price society has to pay for the benefit afforded to victims of APP fraud. In previous times all bank customers would suffer from the activities of bank robbers since losses would ultimately have to be made up from customers funds and banks’ insurance protection funded from their operating costs. The nature of bank robbery has changed but the consequences endure.

My chief concern is that there is no mechanism to ensure that the decisions on customer vulnerability made by each bank are fair and consistent across the system so I firmly believe an independent adjudication process should be put in place. This would necessarily impose some extra costs and bureaucracy but I think that would be worth it in the interests of equality of treatment and would remove one of the bones of contention in the present arrangements.

Which? has highlighted the lack of consistency in deciding cases. I agree about the need for independend adjudication, John.

The document refers to banks taking steps to educate their customers about APP scams. It seems to be assumed that ‘education’ is about providing information and assuming that customers will act on it. That is not the case, as anyone involved in education will know. You have to assess whether your learning outcomes have been achieved.

I believe that the focus should be on ensuring that scammers and others do not profit from scams, so that money paid into their accounts is returned to victims. As I have mentioned before, introducing a delay that would give customers time to report a suspected scam to their bank for investigation could allow payments to fraudsters to be blocked. It’s good that we encoruage everyone to behave responsibly with their money but it’s cooperation between banks that has the power to prevent fraud.

Wavechange, the suggestion of delaying payments to allow customers time to report a suspected scam is in principle an excellent concept.

Some of the payment providers operate a system for newly opened accounts whereby the funds are either ringfenced for a period or the account holder can only withdraw a proportion of the funds. This normally applies to new account holders and the level of restriction varies between payment providers, but it certainly goes some way to protecting consumer funds. Over time and assuming the account holder maintains a legitimate trading history, the restrictions are slowly lifted to allow full access to the funds.

There will be cases where a scammer opens an account and uses it legitimately for a period, allowing restrictions to be fully lifted and will then engage in fraudulent conduct and have full access to the funds received. But there is certainly merit in banks and/or payment providers placing restrictions on accounts to protect consumer funds.

Establishing whether it could be used as a workable solution is difficult as it could prove problematic for legitimate businesses in terms of cashflow etc, but it’s certainly something that requires further consideration.

Thanks Wingman. In other Conversation I have suggested that a delay would not be necessary for existing payees. Perhaps payments to well known companies and other large organisations need not be subject to delay either. In the days before electronic payments there was the opportunity to ask your bank to stop a cheque if you acted promptly.

I agree about banks etc. placing restrictions on accounts and perhaps this should be done for new customers as well as when fraud has occurred. As I see it, the real solutions lie in the hands of the bank and their customers should do their best to protect themselves from fraud.

We can discuss our views but we do not have access to the information that the banks have.

It would be well worth reviewing the various proposals that have been made since this topic was first introduced. For example,
– mandatory delayed payments (but they have a downside for customers using legitimate businesses),
– bank account facilities tailored to help the more vulnerable (if you can identify them). Such as limited withdrawals, transfers to a white list only with a second authorisation required for others.
– a database of “bank approved” accounts where reimbursement is guaranteed. A warning if an account is not (yet) approved and the potential risk in transferring to it
– and others.

A danger of widespread reimbursement is that it will encourage some to be less vigilant in their financial transactions if they know they are unlikely to lose, it can generate fraud of itself. The other danger is that for smaller amounts banks may take the view that rather than spend time and money investigating it is simpler to cough up.

Reimbursement is not a cure for the problem. What is needed is ways to minimise fraud. We need to better identify accounts that will be used fraudulently, look at how systems can be improved to minimise fraud, see how customer awareness can be improved, encourage receiving banks to recover funds and take responsibility for their fraudulent account holders, better verification of new account holders….. And, of course, prosecution of those found to have committed fraud.

So as well as debating how the CRM should be implemented I’d like to see an informed debate on practical measures that could be taken to attack fraud and minimise losses. Those who know banking systems should be able to help. Perhaps Which? should seek informed input.

As I thought I’d pointed out above, we lack the information as we don’t know and are not privy to the banks’ inner workings, so getting ‘informed input’ may well be impossible.

But whereas you may be right when you say “Reimbursement is not a cure for the problem.” I cannot accept that blaming those who are defrauded is the correct approach. The truth is that we don’t know how to stop people falling victim to fraud, because individuals tend to have unique characteristics making the one rule for all plan almost certainly impossible.

But here’s another question: it’s very clear Which? has taken the line that the banks are not treating their customers fairly enough. Which? is, first and foremost, a consumer organisation that works on behalf of the banks’ customers. If I may quote from one of your own posts “my role is not to do HMRC’s job for them” perhaps you can explain how fraud in a public sector organisation differs in any major way from fraud in a bank?

Which? prioritises the consumer–rightly so, in my opinion–and not the banks. It is up to the banks to identify fraudulent methods and to enhance fraud detection systems. Not up to us, the consumers, to do their job for them.

I agree, Ian. The remit of Which is very clearly to serve the needs of consumers, especially its members.

Whilst that is its declared aim, “making consumers as powerful as the organisations they have to deal with” (or something like that) I would hope it also presents fair, balanced and well-researched information on topics so consumers, and the wider world, are reasonably well informed.

It has been said in relation to the Consumer Rights Act that this should be fair to both consumer and retailer. I see that principle as important in other topics.

As Which? is unlikely to know the details of cases decided by banks it cannot, it seems to me, comment on “inconsistency” of judgement, just on the proportion of submitted cases that have been approved or rejected by various banks. We do not know, for example, whether a bank decides not to investigate cases because of the time and cost involved. There is great suspicion that this happened when making PPI refunds.

Unless Which? know more than they have published.

The Financial Ombudsman Service has found that banks are failing to follow the CRM Code: https://www.which.co.uk/news/2021/11/banks-wrongly-denying-fraud-victims-compensation-in-up-to-8-in-10-cases/

Some consider – myself included – that an independent determination of cases is a good thing; the FOS seems to fulfil that role. If a bank feels the circumstances are such that they cannot agree a refund then referring to the FOS seems quite reasonable. 27% of such cases are found in favour of the banks. Seems a sensible process.

One concern that I expressed above is how many cases banks might simply refund rather than spend time investigating.

Many may regard it as fair that when a customer has been defrauded the benefit of the doubt should be in their favour. But a basic question that others evade answering is worth repeating: if a bank could not know a customer was transferring money that proved to be a fraudulent transaction, why is their bank expected to refund it? I see no legal basis for requiring that. So, it must be a discretionary payment. Why is the bank used in that way, at the expense of it’s customers? I’d just like a straightforward look at that.

But, more important, I’d like to see the effort made to improve the whole system to tackle fraud; that starts with practical proposals. Presumably banks are doing this to limit their exposure to claims. What can be done?

I have advocated an independent adjudicator of the administration of the CRM Code. I accept that the Financial Ombudsman Service could fulfil that function but I would suggest a number of qualifications –

a. it is equipped to deal with cases quickly so that any claims of maladministration against a bank are resolved expeditiously and those entitled to it get their money back shortly after reference to the FOS [currently it is not noted for closing cases speedily and has a considerable backlog]

b. it is not limited in its role to investigating cases referred to it but can adopt a proactive, quasi-auditing, role looking at the processes within in banks even where there are no formal referrals and can annually review each bank’s compliance with the Code irrespective of whether any complaints have been made to the FOS [this is to avoid the tendency of the banks to consume their own smoke and hide unsatisfactory management practices].

c. it would be allowed to make recommendations about changes to management practices within banks, either individually or across the board, and seek authority for implementation from the Financial Conduct Authority [or the appropriate sub-body e.g. the Lending Standards Board or the Payment Systems Regulator].

d. it would be allowed to make recommendations [to the same authorities] about ways of reducing fraud anywhere in the retail banking system since that is the primary objective of this framework.

e. this aspect of the FOS’s work is confined to a small internal unit for security and commercial confidentiality reasons [this would give more assurance to the banks over cooperating with the FOS where its work was clearly not based on its relationship with a particular customer but applied to its overall management arrangements].

I would prefer an adjudicator function to be truly independent and not associated with some other regulatory body and that this function would be funded by the banks subject to the CRM Code specifically and not the entire financial services industry since that would give an added incentive towards improved management by the banks.

I support this, John, and would like to see it apply to all ombudsman services. Martin Lewis has provided examples of problems that exist.

Seeking justice seems to be a very time consuming process generally, with consequent impacts on those involved. An employment unfair dismissal case for someone I know has currently taken 2 years, and £000’s of costs, to reach a tribunal. Other litigation seems equally slow and expensive. No doubt many give up because of the costs involved, let alone the wait. Arbitration would seem a better solution in many cases, if a system existed for the particular complaint.

The new cards have arrived today. I noted one issue was that it wasn’t clear which way the card had to be inserted, to which another commentator posted

“I have had a card reader for many years and used it successfully. It is soon apparent which way to insert the card.”

Clearly, the bank itself now disagrees, as they have made it extremely clear which way to insert this card, and sent a little note:

“With the help of Alzheimer’s Society and our customers, we’ve made our new cards more accessible.

Your new card has an Arrow and Raised Dots, to help you insert your card into the machine the right way.”

It’s actually a lot easier to use. And what’s interesting is that the card is printed in such a way as to confuse. The arrow and notch, however, make it extremely user-friendly.

“My son sent me a message on WhatsApp, asking if I could pay a £3,600 bill for him because he’d had problems setting up the online payment. The HSBC account I was asked to transfer the money to wasn’t in my son’s name, but I thought it might be a friend who he owed money to, so I went ahead. When I talked to my son shortly after, he said he’d sent no such message. Can I get my money back?

Read more: https://www.which.co.uk/news/2022/03/my-son-sent-me-a-whatsapp-message-asking-for-money-but-it-was-a-scam-can-i-get-my-money-back/ – Which?

I may well be on my own in questioning this but I think it raises important questions.
Why transfer money to an unknown account?
Why not ask the son before the transfer, not after?
How was the bank supposed to know that the account was fraudulent?
The bank was eventually persuaded to refund the money as the customer was in their 80s. The mitigation was they were assumed “vulnerable”. I know many people in this age group who have all their faculties.

Of course it is sad when someone makes a mistake and we are all sympathetic, but who should pick up the pieces? Are we treating the banks as a benefactor to “put things right”.

But there are, as I say, important questions. One key one is, how was the customer known to be vulnerable (was it only based on age, which is quite demeaning, or because they made this mistake?). Can banks have methods to detect vulnerable customers and then restrict their activities, for example limiting the size of payments to accounts not on a “whitelist”, or without another person’s authorisation, or without getting their bank’s permission? When we reach a certain age should we have to pass tests set by our bank to retain normal account facilities?

I would like to see a system that penalises banks when they are negligent, should or could see a fraudulent transaction likely, encourages them to take actions to minimise fraud (maybe someone could explain how this could happen). I would like to see more effort made to catch fraudsters (if they are within our jurisdiction). I would like to see the receiving bank held responsible for fraudulent losses where it can be shown they have not properly verified a customer’s credentials or not monitored the account for suspicious activity.

I would also like to see customers better vetted for financial capability with restrictions placed on accounts where they are identified as vulnerable.

I would like, if possible, banks to have a core base of all accounts they regard as “safe” that, rather like CoP, will be reported as such to the customer when a transaction is attempted. In turn, they would report accounts that are not verified – may be lack of sufficient history for example – that would be transferred to at the customer’s risk.

In short, we need to actively address the problem of fraud not simply reimburse.

Hi malcolm r. I have read several of your posts questioning why many feel the Banks should be responsible regardless of the circumstances.

I support the view that customers have to take some responsibility for their actions. In cases where an individual has transferred funds and especially thousands of pounds to an imposter, personally I find it astonishing that the individual would not contact the son or daughter first.

When significant sums of money are requested I assume it would be normal behaviour to call the person requesting the money, talk to them and find out exactly why the funds were needed and what they were for, but I guess we all behave differently in these circumstances. But I certainly find it unusual that someone would transfer thousands of pounds to an unknown account without first contacting their son/daughter first.