/ Scams

Win! Reimbursement to be made mandatory

New data from the Financial Ombudsman Service shows banks cannot be trusted to interpret the voluntary CRM code fairly or treat customers in the right way.

18/11/21: Win! Reimbursement to be made mandatory

11/11/21: FOS finds banks are failing to follow their own code

I, for one, do all my banking online. And when I say all my banking – I mean all of it. My bank statements are sent to my email, my bank card’s exist mostly as pictures on my smartphone that flash up with a tick as I make a contactless payment, and I use my banking app to send my friends and family money when settling the bill at a restaurant. 

But, as I pay for things in bytes and bits; ones and zeroes, I worry what would happen if something were to go wrong. What if the person on the other end of the transaction is not my bank, barista or buddy – but I’ve fallen victim to a sophisticated fraudster?

I’d like to think my bank would reimburse me fairly easily. Which is why new data from the Financial Ombudsman Service (FOS) – the place where customers go when they’re unhappy with how they’ve been treated by their bank – is so worrying.

The numbers speak for themselves

The data shows that the number of authorised fraud complaints made to the FOS more than doubled in 2020-21. Complaints rose from 3,600 to 7,770 in that time frame.

The vast majority of complaints are related to the sort of scam I was talking about above. An Authorised Push Payment (APP) scams is when someone is tricked into sending money to an account that’s being operated by a fraudster when they may think it belongs to a friend, family member or legitimate business. Scammers’ techniques are getting harder and harder to recognise. 

We spotted the threat to consumers from and the lack of protections for victims of APP scams years ago. And after our super-complaint to the regulator, the Payment Systems Regulator (PSR), five years ago, most major banks signed up to a voluntary code (Contingent Reimbursement Model code).

The code instructs banks to give customers their money back when they are not at fault and to provide them with adequate support.

Not following the code

Not only are the number of complaints to the FOS rising, but nearly three-quarters (73%) of complaints were upheld by the FOS in favour of the customer. Many complaints have been made about banks refusing to or delaying reimbursement. This means that the FOS have found the banks to be breaking their own code in nearly eight in ten cases. 

Figures show that NatWest and The Royal Bank of Scotland (RBS) – part of the same banking group – are getting it wrong in nearly nine in 10 (86%) cases, with Santander (82%) and Bank of Scotland (81%) following closely behind.

Why we need mandatory reimbursement

Having such a high percentage of decisions upheld in favour of victims shows that banks cannot be trusted to interpret the voluntary CRM code fairly or treat customers in the right way. 

That is why Which? wants the government to swiftly make the necessary changes to enable the PSR to introduce mandatory APP fraud reimbursement obligations on all firms, with robust oversight and enforcement. 

See how your bank ranked and the number of cases upheld by the FOS in favour of the fraud victim:

Have you been refused reimbursement by your bank after falling victim to an APP scam? Did you made a complaint to the Financial Ombudsman Service about your bank’s decision?

Was that complaint upheld by the Financial Ombudsman Service? Let us know by emailing yourstories@which.co.uk 


”Figures obtained exclusively from the FOS by Which? show that NatWest and The Royal Bank of Scotland (RBS) – part of the same banking group – are getting it wrong in nearly nine in 10 (86%) cases, with Santander (82%) and Bank of Scotland (81%) following closely behind. While challenger bank Starling (80%) also had a high complaint uphold rate, this was based on a much smaller number of closed cases than other firms.


Perhaps Which? would clarify this statement. Does it, as I assume, only apply to cases referred to the FOS? In which case it excludes cases where the issue has been agreed between the bank and customer, and the bank may not therefore be “wrong” up to 90% of the time. Customers may realise they were at fault.

It would be useful to know how how the situation has changed since Confirmation of Payee was introduced.

As far as determining cases is concerned it seems quite reasonable to have them properly and independently investigated to determine responsibility. We should not just assume that because a customer has lost money they have no responsibility. It is, of course, money from all customers that will be effectively used to repay them.

As the FOS is a public body established by Parliament, I would be interested to know how Which? have “exclusively” accessed these figures?

Or is the Which? Press Office just saving the publishers the trouble of tarting up the copy to provide more click bait? In which case, you forgot to include the word “shocking”.

Richard Williams says:
11 November 2021

I wonder if Em works for a Bank. Which is on our side

I do not work for a bank but, in the interests of disclosure that some MPs could learn from, I do consult for several large financial services companies.

I am not against Which?, but I would like them to report facts objectively and not pretend they are a tabloid newspaper.

I try not to take sides or indulge in political statements. And you are?

In times like we are having, mass unemployment and the pandemic, it is so easy. We turn to the net to find an income. People (like myself) are losing thousands. My bank has told that due to certain actions I agreed to my money will not be returned.
What I would like to see is a way for these websites (fake) from being set up and operating on the internet. Surely there must be a way to prevent them from operating. Soon I will be homeless and with many health issues unable to work. Happy Xmas !!

As far as I am aware, a customer decides to make a payment and instructs their bank to move money to a specific account. If that is a new account most banks will respond to the name on the account to ensure the numbers and name correspond. When such a payment is made the customer instigates the process and should make a reasonable assessment that they are not being duped. If there is any doubt about the authenticity of the payee then either the payment should not be made or further checks should be made by the customer. They can ask their bank to help.

This raises the question as to exactly what the bank did wrong to contribute to a fraud. Did they know the receiving account was fraudulent? Or did they, quite correctly, simply obey their customer’s instruction to move money in the normal way? If they had no part in occasioning the loss through any negligence, why should they be empowered to use customers’ money to “give money back” to the unfortunate person who responded to the fraud?

I would like to know specifically how banks can realistically do more to stop their customers making fraudulent transactions.

“I would like to know specifically how banks can realistically do more to stop their customers making fraudulent transactions.”

Banks could delay payments to new payees for a period to allow time for anyone who believes they have been scammed time to contact their bank and if appropriate the payment can be stopped. This would not be necessary for existing payees.

I wonder if the PSR or the banks have realised that part of the solution is in their own hands.

Customers are quite capable of delaying their own payments – at least they can when making transfers with my bank. Why should we always have to rely on others to do what we should do for ourselves.

But that does not answer the question as to how banks can stop fraudulent transactions – how should they know the transaction is fraudulent?

Sadly we live in a world where people are scammed and unless more action is taken the problem will get worse.

Some people have reported being aware that they have been scammed before they have ended a phone call but immediate payment may mean that their bank cannot recover their money, perhaps an unintended consequence of faster payment systems. In my view, payments to new payees should be delayed by default.

I’ve given you one example of how our banks could tackle fraud, Malcolm. Don’t forget that your bank and mine have signed up to the CRM voluntary Code of Practice and we will contribute to the costs of refunding other customers who have been tricked into making payments to fraudsters, as currently required by the Payments System Regulator.

“Customers are quite capable of delaying their own payments”

My 83 year old mum wouldn’t have a clue how to do that.

The Bank get paid enough and get bailed out by us tax payers when they get it wrong. By making banks pay for fraudulent scams, it will encourage them to put systems into place to protect their customers. Such as delaying payments to new payees.

“how banks can stop fraudulent transactions – how should they know the transaction is fraudulent?”

If banks can’t find ways to spot possible fraudulent transactions with all the experts and systems to hand, how do you expect their customers to spot fraudulent transactions?
Banks have the histories of all their customers that have been scammed and would be able to spot patterns using data mining tools along with experts in fraudulent measures.

Some one like my mum has none of that and is trusting and possibly more easily frightened into doing something she might later regret. (Hopefully not now, as I have told her to contact me if she is ever confused or worried over anything)

Delayed payments does not actually tackle the root cause. I wonder just what proportion of those defrauded would actually realise it, even with a delayed payment. Customers could be advised to delay any new payments by two days. But I believe that choice should be ours.

I have suggested we identify vulnerable customers who are less likely to be as careful as desirable in using their money and offer them restricted accounts. Limiting maximum payments, payments to new payees, for example without getting a second authority.

Banks already offer customers a check on new payee’s authenticity before a payment is made. If such a check is not made, or advice ignored, then perhaps any redress is forfeited.

Tackling fraud seems very difficult. Just how do you identify a fraudster in advance of being defrauded? Is their AI that can help? I’d like to see proposals so we can see where banks might be realistically able to intervene before the event.

I would also like to see those receiving banks who host fraudsters accounts (presumably inadvertently) identified to see if any stand out as more “popular”. I would also like to see the receiving bank responsible for making payments where appropriate rather than the payee’s bank. That might tighten up any weaknesses in approving new account applicants.

Simply paying those defrauded back is no cure and may well encourage less responsible behaviour by some if they know they cannot lose, and even prompt collusion by a payee with someone else to perpetrate both a fake fraud and fake claim.

We need to do more than just keep pretending that many of those defrauded have no responsibility for their actions.

A customer delaying a payment in an App is not particularly helpful to the retailer expecting payment. They don’t know you have done this; you might as well send a post-dated cheque.

What is necessary for retail is a system where the funds are taken from the payee’s account and held by the bank or a 3rd party – basically escrow. The retailer gets the funds released when they provide evidence of the goods being delivered.

I’m sure something could be worked out for service providers too, but what’s the point? Nobody is really interested in fixing this properly, as long as the consumers are compensated and the banks can still make a profit.

Insider comment says:
11 November 2021

As someone who has worked for the largest bank in the UK, these scams work because at some point, someone has opened up a fraudulent account in a UK bank using fake ID. As a consequence, the scammers predominantly (although not exclusively) use these accounts to steal monies and then close the accounts before the banks can stop the fraud.

If the scammers were not able to open up fraudulent account, the amount of scams would drop dramatically – the alternative being to use real ID to open accounts – which clearly no scammer in their right mind would do.

Therefore, when the banks turn round and tell you its nothing to do with them, the reality is that their own internal procedures which IS allowing scammers to continually open fake accounts, fleece innocent customers and walk away scot free.

Do the banks really care. No. They’re are massively understaffed to deal with the issue and once a fake transaction has left a clients bank account its not recorded or followed up (I saw this first hand many times).

Giving a fraudster my bank account number, sort code number, name and address will not enable a withdrawal under the faster payment service. That, in my case at least, also requires use of my debit card reader, plus a second use for any large sum of money in order to authenticate the transaction, by generating pass codes.

I cannot see how a fraudster can by-pass those security features and make a withdrawal while on the phone, even if they have managed to take control of their target’s device.

If victims have also followed fraudulent instructions to use their debit card reader to facilitate the transfer of funds then it is arguable that they were not competent to have functional access to the faster payment service and their bank should not have allowed them to have that facility.

The banks probably need to undertake appropriate tests of their account holders’ mental capacity before issuing card readers; unfortunately they have issued them indiscriminately so the genie is out of the bottle and cannot be put back except at the banks’ expense which ultimately falls on all their customers. If a bank were fined by the regulator for such a security deficiency it would be difficult to levy it only on the bank’s shareholders.

Of course, if someone acts instantly on the receipt of a fraudulent e-mail to generate a payment without verifying it then it is also arguable that they have not exercised due diligence and should not be reimbursed. An e-mail gives ample time for consideration and for verification that the sender is genuine and that the nominated bank account is correct for the payee.

In view of Pete’s comments above, I would hope that his 83-year old mother is not doing any internet banking without supervision. People, of any age, who cannot manage their personal finances safely need to grant a power of attorney or to appoint a deputy and their closest relatives should be trying to make the necessary arrangements.

There is nothing secret about account name, sort code and account number. I put this information in leaflets and on websites so that anyone can pay in money. Not to my account but ones for charities. They cannot withdraw money using only these details.

A scammer might persuade their victims to pay money into accounts belonging to fraudsters. ‘Insider comment’ has mentioned this.

We have seen improvement in the security procedures used by banks but they need to be on the look out for customers like Pete’s mother. There also needs to be a reliable way of recovering funds from accounts operated by fraudsters, hence my suggestion of a mandatory delay when transferring money to a new payee.

Without direct contact with customers it is difficult to see how banks can spot such customers, particularly online only like Starling. How might it be done? Surely it is up to family and close people to deal with it.

It’s difficult but if customers’ banks can recover money from those receiving banks that have provided accounts for fraudsters that would help tackle fraud. I have previously suggested that those who are refunded contribute to the costs involved.

I keep my account name, account number and sort code secret. If people choose to reveal these details in order to receive money, which businesses and charities need to do, they do so at their own risk. Personal account holders do not generally have such a need. If someone is paying me money I expect a cheque.

Fair enough, but anyone who pays by cheque will give the recipient their account name, account number and sort code.

Alan Whittaker says:
12 November 2021

ln my case, several years ago, l was notified via e-mail from Amazon, that they were going to take a payment from my bank account of a few pence under £200, to pay for a particular item. [l had been a customer of Amazon, on one occasion, about four years previously, which is how they knew my bank details]. As l had NOT ordered any such item, l immediately replied to Amazon [also via e-mail] that l hadn’t ordered it, didn’t want it, and NOT to remove money from my account. l also tried to get the bank, [Lloyds/TSB as they were at the time] to stop payment, but they said they couldn’t do so. The money was taken from my account, l complained to Lloyds, and they refunded the money, whilst they “investigated”. l was then told by Lloyds that, after talking to Amazon, they were satisfied that the transaction was genuine, and they removed the payment from my account again. l reported the matter to the Ombudsman, who wasn’t interested, but suggested that l contact the police fraudline, which l did, but with the same result. No item was ever ordered or delivered, yet l am nearly £200 out of pocket, Amazon, the Bank, the Ombudsman and the police are not interested. Lloyds’ tv adverts claim they “are on our side”, but this clearly shows they are not, they are on the side of big business, and will believe THEM, [if indeed they ever did contact them], rather than the “little man” !!!

Alan Whittaker says:
12 November 2021

lt WOULD be necessary with “existing” payees, as otherwise the likes of Amazon, [deliberately chosen as an example, as they did it to me], can use your bank details, to remove money from your account, to pay for goods they allege you order, even though you haven’t. The bank refused to stop payment prior to the money going out, and after “investigating”, refused to reimburse my loss of nearly £200 !!

Wavechange — I have been referring to the Authorised Push Payment [or payment diversion] fraud and tried to explain how it is virtually impossible if people comply with their bank’s instructions, use the authentication procedures correctly, and concentrate on what they are doing. The faster payment service is only available to those using internet banking which is not necessarily appropriate for every account holder.

People in business or who need to receive payments regularly from others they do not know will obviously have to give the details of the account they wish to use for that purpose; if they allow it to be connected to their personal account or keep such a high balance in it that it would be at high risk of a fraud attempt then they must exercise strict control over it. If they cannot do that I don’t see why their bank should bale them out.

Ensure they undertake a commonsense test before transferring monies from their account to a third party. Unfortunately far too many persons believe they are infallible and have an innate ability to recognise a fraud when it presents itself especially if those £££ signs are prominent on the horizon.

John – I’m still trying to find out about the risk of giving out account number, sort code and account name. I’ve done this frequently. The details we need to keep secure are PIN and CVV and I have suggested that these are referred to as Secret PIN and Secret CVV to highlight the importance of not divulging them.

Agree with what you say which clearly and correctly places the blame on the recipient banks. However unless they flag up suspicious activity on such accounts how can the banks sending the monies be put on enquiry and advise their customers accordingly.

I agree …intelligent people…many have been in business….should be responsible for their actions….banks give plenty of warnings on scams….the only people…in my opinion
, who should be reimbursed are the very elderly.mary w

There is nothing secret about account name, sort code and account number. I put this information in leaflets and on websites so that anyone can pay in money. Not to my account but ones for charities. They cannot withdraw money using only these details {my bold}.

Are you aware of Jeremy Clarkson’s challenge on this? In one of his Top Gear appearances many years ago he referred to an article in one of the red tops warning of indiscriminate disclosure of bank account details, cocked a snoot at the article referring to the fact that it was on the bottom of cheques, published his bank details and defied anyone to make a withdrawal, only to find that he was £500 light on his next bank statement because someone had “kindly” set up a £500 pcm direct debit to the British Diabetic Association in his name!

Thanks Roger. That was a few weeks ago: https://www.theguardian.com/money/2008/jan/07/personalfinancenews.scamsandfraud

Hopefully the perpetrator of the act received a commendation for identifying a weakness in the system. One of my criticisms is the printing of the CVV on the back of credit and debit cards, where the high security code of three digits could be spotted in a shop. That might have been OK in the days when card providers insisted that goods were delivered to the cardholder’s address. I delete my CVVs with a black marker.

Being an infrequent buyer I have deleted my bank details on my Amazon account although I still have an account with them, would doing that be a good way of not being charged for something I had not ordered without cancelling the account.

Yes Trish it would. And if they still managed to do so you could get them in real trouble for GDPR breach.

Robbing bankers!

Robert Mansfield says:
11 November 2021

Telephone companies and also broadband should bear some of this burden. They sell communication sources, be it telephone or broadband to the fraudsters and thus make money from this and enable fraudsters to carry out their deeds.
This whole thing would stop overnight if Telephone/broadband suppliers were made responsible for re-imbursing customers!

When the bank discover that your money has gone to a fraudsters bank, why can’t they get the money back?
I know that the fraudster may have moved the money elsewhere – but
a) do the banks liaise and close down the fraudsters accounts to stop more money going there? With the number of frauds going on do they really all have different bank accounts for each receipt of money?
b) do they chase the fraudsters to recover the money – surely they know who they are because you can’t open a bank account without no end of checks on your identity? Or do some banks not do those checks so well – in which they should be blacklisted!

Alan Wyatt says:
11 November 2021

Chinese bank are the worst offenders for not carrying out sufficient checks with new customers, therefore opening the doors to scammers.

Quite, Paul. We need to know more about this part of the chain. Also Alan. Perhaps warnings should be raised when a payment is destined to a bank that has a poor history. Maybe Which? could explore this.

Pete makes a good point in that his Mum would “not have a clue how to delay a payment”. When I make a bank transfer on line one step I must complete is stating whether the payment is to be immediate or at some time in the future; just a choice of two buttons. I would suggest that when someone does not have the capability of operating their account confidently they need help, either from family or, as I suggest, by having the facilities on their account restricted to help avoid it being badly used.

Unless the bank knows someone does not have the capacity, confidence or capability of using an online account safely I do not see how they can be held responsible for misuse due to lack of capability. Family, if around, should recognise this and perhaps discuss with the bank how the problems can best be addressed. I would criticise banks if they did not offer help. Mine has a department devoted to such help – a Specialist Support Team.

I would have hoped by now that Which? might have sought input from the banks so we can better understand the problems and possible solutions. Continual criticisms of the banks without input or constructive proposals does not seem…… constructive.

Alastair Fenwick says:
11 November 2021

Cash is king and to everyone’s taste irrespective of the age of the recipient.

The Action Fraud A-Z of fraud web page says: “Banking and credit fraud has occurred if transactions you have made show up on your bank statement.”

Where do I claim to get my money back? 🙂

Em, you missed out a crucial bit 🙂 n’t “Bank account fraud has occurred if transactions you haven’t made show up on your bank statement.”.

The question I ask is whether, when you have fallen for a fraud, someone else should refund you if they had no way of knowing you were being defrauded. Do we assume we have no responsibility for our actions? It would be different if the bank – for example – knew the payee was fraudulent and should have put known effective processes in place to stop the transaction.

But what about the situation when the bank’s own systems (as in COP) fail to recognise an authorised Payee? Especially when that payee is another major bank? If their own systems are that poor, then one wonders if they should shoulder a larger part of the repayment process in such cases.

malcolm r: Are you sure you are looking at the same web page as me?

www [dot] actionfraud [dot] police [dot ] uk/a-z-of-fraud

Em, I just copied and pasted the bit from their A-Z website. I’ll check the link when I’m home.

If that were general, but I don’t believe it is. CoP has so far worked for me. If CoP it doesn’t return a positive result then the transaction needs questioning to keep safe.Maybe Which? has information on the success of CoP.

malcolm r says: 11 November 2021
If that were general, but I don’t believe it is.

Having endured their systems refusing to accept the cop of another major British bank, and having pursued this with both the banks in question, I remain extremely unconvinced, especially as I got the sense that it could be ascribed to competition between banks.

I don’t believe I was an isolated case, either; it might be worth Which? investigating this in detail. I’ll happily supply all the information necessary. What I’m talking about, here, is incompetence, possibly fuelled by policy. That’s exactly why those seemingly intent on blaming the apparent transgressor in APP are, I feel, failing to see the whole picture.

And Which?’s line here is absolutely correct. They’re not calling for blanket reimbursement regardless of culpability; merely that all those who suffer are treated equally.

I’ve lost count of the number of times a consumer advice TV show report that a bank has said there was a error in dealing with the customer after it refused even to consider a refund, shortly after the show’s researchers contacted them.

Banks will go to great security measures before they will lend you their money, it seems this is not reciprocated when you lend them your money.

If the FOS figures are correct, and 73% of fraud claims are reimbursed in the victims favour, that should be sufficient cause for PSR intervention. and evidence that the banks CRM is unreliable and open to question.

You do not lend banks your money. You deposit it with them and can use it as you wish, by instructing your bank accordingly. Were you to lend them money there would be a loan agreement and the terms on which the loan would be repaid. That is not generally the case.

We need to ensure claims for reimbursement are properly based. I don’t want to see people who may not behave as responsibly as they should being paid off with other customers money.

I guess that Beryl knows that everyday banking is not ‘lending’, but it’s a common expression.

The parallel was drawn between banks lending us money and us lending them. That was the incorrect comparison I was drawing attention to.

Banks lend money to borrowers. The money you deposit with your bank is lent to them, when they then, in turn, lend it to other financial institutions, or wherever they choose to use or invest it.

Definition of lend
Grant someone the use of something on the understanding it will be returned.

Read what your bank does with your money after you lend it to them: themoneycharity.org.uk – What Does A Bank Do With My Money?

Malcolm, this does not apply to Building Societies, which are not Banks and operate on a different system, whereby the money that you lend them is loaned out to other members and not lent out to other financial institutions.

Edited out due to incorrect placement.

For the purposes of these Conversations, which are read by people who might not grasp the nuances of the meanings being debated here, I suggest it would be better for us to use the ordinary language for our retail banking deposits and not confuse them with loans. When people leave some money in an ordinary current account neither they nor the bank regard it as being on loan. As part of the terms and conditions of having a bank account, customers give their bank the right to use their balances [under authorised and regulated arrangements] for money management purposes which defray the costs of securely holding customers’ deposits. Using the term “lend” in such circumstances purports a behaviour that is neither an accurate description of the bank’s service nor an authorised activity by the account-holder.

The only thing I have lent to a bank is the occasional use of my pen because the bank’s has dried up.

I think Beryl is fully aware of the difference between depositing for safekeeping, and free to lend or use whenever or wherever you see fit.

I wonder who has the discourtesy to remove agreement thumbs? I gave one to John which has been removed, as have others. Please just give a comment of disapproval.

Although we can criticise Facebook for many things, anyone can see who has voted for a comment, and that system might be helpful here. Incidentally I did not touch John’s thumbs.

Perhaps we should ask for thumbs to be removed and try to return to a time when Which? Conversation was a more welcoming place.

Its extremely frustrating when you can clearly see what the problem is, but it is impossible to rectify when others repeatedly perceive things, without providing a shadow of any evidence, as they want them to be, instead of how they really are, and backed by reliable evidence.

For example, “For the purpose of these conversations” and “People who might not grasp the nuances of the meaning being debated here.” How patronising and condescending can that be? It creates a ‘them and us’ scenario which, if you are really serious about attracting more interest in Which?Conversations, in my humble opinion, is definitely not the way to go about it.

This particular topic is about helping consumers to retrieve money entrusted to them for safe keeping. Clearly your money is not safe when the banks open new accounts to fraudsters without carrying out the same stringent precautions they apply when they loan your money to their borrowers and receive handsome amounts of interest to boot.

Thumbs up or down are irrelevant when debating serious issues, and only serve to either feed already inflated egos, or provide another excuse to digress from the real issue at hand when it suits their purpose.

Recent changes have no doubt caused a few bruised egos which, when all is said and done, need addressing before Convo is confined to the basement archives of 2 Marylebone Road, London NW1 4DF

Convos are a place where differing views, experiences and perspectives can be expressed and respected. This includes discussing each others comments.

However, in my view, it is not a place to analyse other commenters’ intent.

If banks should know that an account is going to be used fraudulently then I agree they should be held to account. I would like to know the banks that might be lax in opening accounts, the extent of this, and in general how banks might know a customer is transferring their money to a fraudster. Such fraud needs properly investigating to decide if a customer has been let down by their bank and should be compensated or whether the customer has been careless or negligent.

Confirmation of Payee, if observed by the customer, should have made a difference. The relatively new service where a payee can be submitted for confirmation of authenticity should also be helping. It would be useful if Which? could tell us.

I would still like to see the “other side” of this issue presented by the financial services industry. I wonder if Which? have invited them to contribute?

The good thing is that banks are not free to lend or use personal account holders’ money whenever or wherever they see fit. They can do that with profits on services provided, interest received on loans, and the proceeds of currency and market trading, but not with our money which they effectively hold in trust. They can place it short term [‘overnight’] to assist with inter-banking liquidity but must maintain a percentage liquidity reserve. In these arrangements they must act in a risk-averse and prudent manner.

I agree with Malcolm. It would be interesting to know which banks have enabled fraudsters to open and operate accounts for receiving the proceeds of crime. I doubt any UK banks have done so knowingly but there are many business activities that would provide good cover for frequent in-&-out transactions in conjunction with collaborators.

malcolm r says: 12 November 2021
Confirmation of Payee, if observed by the customer, should have made a difference.

But again we return to the root of the problem: when one leading UK bank refuses to recognise the details of another leading UK bank, even warning the paying customer that they might be sending their money to a fraudster, what do we–the ordinary public–do?

John: apparently, the accounts are not opened by fraudsters but by legitimate individuals, often students but sometimes those who are returning to their country after a period working here, who choose to ‘sell’ their accounts. If this is not already illegal then perhaps it should be made so. Sufficiently large penalties might dissuade those seeking to make a quick buck.

Ian wrote: “But again we return to the root of the problem: when one leading UK bank refuses to recognise the details of another leading UK bank, even warning the paying customer that they might be sending their money to a fraudster, what do we–the ordinary public–do?”

I agree with you and will repeat one of the examples I have given. I wanted to make a payment to a friend and was given the account details including the account name WM & EL Gibson. That was no help because I was prompted to provide the first name and surname. I guessed William Gibson, since that was his name when we were school kids, and this was accepted. When the transaction appeared on my statement the entry showed Gibson WM & EL.

I’m very glad we have CoP and believe it should have been in place from the start. I’m no banking expert but feel that it is irresponsible for banks to have disregarded the name of the payee in the first place.

There may well be glitches in this but I have asked just how widespread or not problems with CoP are. I keep asking for information to be presented so we can debate this issue properly. It would be good if Which? invited those with knowledge from both sides to contribute so that we might see what works, what doesn’t, and how we can reduce fraud. Confirmation of Payee and requesting the authenticity of a new payee seem good ways forward.

Ian says that fraudulent bank accounts are ones that have been sold on by the original genuine applicants such as students. I’d be interested to see the evidence for this; it seems quite plausible but I wonder what proportion of fraudulently-used accounts come through this route. .

Thank you, Ian. I am aware that the banking equivalent of ‘mules’ were probably involved in this form of fraud, but if students — who are not notable for maintaining large credit balances and needing to transfer large amounts in and out at frequent intervals — are being used I am surprised the banks don’t know this and keep a close watch on the conduct of their accounts.

Students must be presumed to have above average intelligence and therefore not easily duped into allowing their bank account to be used for illicit purposes. Are the banks so desperate to have impecunious and foreign students on their books that they desist from undertaking adequate enquiries before giving them banking facilities and exercising proper supervision? If this is the case then I feel it is even more necessary that any refunds to customers who have been the victims of fraud are charged to the receiving bank [and if possible to the appropriate manager].

On a point of information, I do not understand how it is possible for an account holder to ‘sell’ their bank account. If that means they can allow criminals to pass money through their account in return for payment they remain liable and are just as guilty of a crime. I appreciate it is difficult to apprehend people if they have left the country but we do have reciprocal powers of arrest with many other jurisdictions around the world.

malcolm r says: Today 10:19
There may well be glitches in this but I have asked just how widespread or not problems with CoP

wavechange says: Today 09:51
I agree with you. I wanted to make a payment to a friend and was given the account details including the account name WM & EL Gibson. That was no help because I was prompted to provide the first name and surname.

Okay, then; so that’s two ‘regulars’ out of.., say 12? That’s one in six or 16.67% of those in here experiencing COP errors. Extrapolating from that (absurdly simplistic, I know, but still…) if we assume there are 20m UK current account holders, that makes the possibility of bank errors through COP alone to be 3,334,000. I’d say that’s grounds for not assuming the customer’s always at fault, as many of the banks currently tend to.

I have noticed that it has become more usual now for companies to state the proper name of their bank account in the small print on their invoices where their payment details are given.

From the Guardian :

“The student ‘mules’

Students are selling their bank accounts – giving someone else their account details such as logons – for as little as £50 to £100, often as they are finishing university and heading abroad for a period. These accounts are then used by fraudsters to evade the strict checking procedures when individuals try to open an account.

These “mule” accounts are a vital link for crooks moving money around the banking system. A common cry among victims of fraud is that banks must have an electronic record of where their money has gone. The mules are the way stolen money is transferred and laundered through the system.

Sometimes the scamsters ask students for their active cooperation – for example, they will tell them that £20,000 will come into their account and that they should send £19,800 to a different account, often overseas, and keep £200 themselves.

In one instance, the receiving bank froze thousands of pounds that had arrived into an account. “We blocked it and contacted the originating bank,” says Blomfield. “But that bank [one of the biggest UK players] said it was all fine. Then it rang a few days later to say it looked like the customer had been conned. Luckily, we were able to return the money.”

I agree with Ian and believe we cannot just take it on trust — because they say so — that the banks are entirely innocent in all this. Some form of independent supervision of the process for dealing with compensation claims is necessary in my view, as well as expediting the sign-up of all payment service providers operating in the UK to the Confirmation of Payee protocol. Additionally, banks could decline to process payment transfers to other banks that were not participating in the scheme.

John Ward says: “The good thing is that banks are not free to lend or use personal account holders money whenever or wherever they see fit.”

Are you confusing Banks with Building Society protocol John?

Some evidence to back up this statement would be appreciated.

That is not, of course, a valid extrapolation. I have asked for comprehensive information to be provided about the success, or otherwise, of Confirmation of Payee based on mass data. Then, I suggest, we have a better basis for discussion.

However, there is more to resolving responsibility for fraud than just CoP and I want to see how that can be best dealt with. I also want to see grounds for compensation properly investigated and done independently, both the see if it is justified and who should pay – the payer’s or the payee’s bank, for example.

But my original question has been, if the bank(s) involved have played no negligent part in a transaction, where a customer instructs them to transfer money from their account to another, why should the bank refund the money if the transaction proves fraudulent. The customer decides to make the transaction, so have they no responsibility?

If we can have input from those involved in banking systems – whatever side they are on – we might find out what procedures could realistically be put in place to identify fraud accounts, to identify negligent banks, to identify fraudulent payees, and thus reduce fraud.

I don’t think I am confusing the two types of institution, Beryl. Both are under a common duty of care, have a fiduciary duty to their customers, and are regulated for retail banking activities by the FCA, the PRA and the PSR. I cannot lay my hands on chapter and verse but, in view of the authorities involved, I would expect any rejection of that presumption to be supported by evidence.

I regard the notion that banks are free to act fast and loose with account holders’ money to the extent that it would not be available on demand as unsustainable. So far as I am aware, no one else is denying that the banks are constrained in how they deal with current account credit balances.

As I wrote before, the banks have so much other money at their disposal that they do not need to put your money and mine at risk, but they are allowed, under authorised conditions, to use it short-term for exchequer functions — and this is generally beneficial to customers since it avoids banks having to charge for the operation of current accounts. We all benefit from liquidity in the banking system and I believe the degree of official oversight under the Bank of England and the various regulatory bodies provides this in a secure and trustworthy manner.

Then you will provide the evidence I requested John. I have already provided that, but it would appear you failed to read the link I posted.

Beryl — I read the link you posted but considered it insufficiently detailed to support the point you made that banks were at liberty to do anything they like with personal account holders’ money. They cannot, and I have explained what they can do with it and with other money they have.

Managing money profitably but prudently is what banks do so that they can provide banking services [including secured loans, overdrafts and other facilities] . . . or are you suggesting that they should lock it in a vault leaving their operating expenses completely uncovered?

I see no point in continuing this line of discussion as it is a matter of fact that the credit balances in our current accounts are not, as you contended, being lent by us to our banks for unregulated use. In my opinion that is misinformation that could confuse readers and I take the view that we should strive here to be factually accurate.

malcolm r says: Today 11:06
…there is more to resolving responsibility for fraud than just CoP and I want to see how that can be best dealt with

Indeed there is. But the point of the extract was to demonstrate that the competitiveness of the banking structure renders it extremely unlikely that the banks will ever, of their own accord, certainly, introduce either adequate security or admit to lapses unless and until forced to do so through legalisation.

I wonder how much the customers of banks lost as a result of misdirected payments before Confirmation of Payee was introduced. I am not aware of any campaigns by the banks or the regulator to push all customers to make small trial payments prior to paying larger sums while we were waiting for years for the introduction of CoP.

You still haven’t provided the evidence I requested John. All we seem to get is long repeated narratives of the doctrine according to John, which is inclined to get a little irksome after a while.

Some real evidence to prop up your assertions may result in a more positive outcome, otherwise this could linger on ad infinitum and I have better things to do with my time.

”I wonder how much the customers of banks lost as a result of misdirected payments before Confirmation of Payee was introduced.”. This is the kind of information I would like to be provided together with what effect CoP has made.

Many customers are able to operate their accounts carefully – such as keying in the right account number and sort code. However, Confirmation of Payee will no doubt have prevented careless mistakes as well as checking on fraudsters. From what I read CoP was not straightforward system to set up but it would be useful to learn about this from the “other side”.

Malcolm – No doubt CoP has helped prevent careless mistakes but as I have explained several times there are many people who lack the ability to transcribe numbers and text reliably. There are different conditions but often they are regarded as suffering from dyslexia. During my time as a lecturer I was able to recognise individuals with these problems and obtain support for them. These people are not stupid and some are very bright and it might not be obvious that they have a problem without investigation.

One way of reducing ‘careless’ mistakes is to ask the user to insert the same information twice, for example when entering a password to access online services. That would have been a common sense approach when entering account numbers and sort codes, especially before CoP.

And, as I have suggested, if people are known to have problems that would prevent them using their accounts properly their banks should be informed so any help available can be given. I do not see how banks can second guess this. How might these people best be helped?

Not everyone is aware of the problem, Malcolm, as I have tried several times to explain.

There is no need for banks to guess. I have suggested that by delaying payments to new payees, that would give an opportunity to recover funds from the receiving bank before it is too late. Em has suggested a third party account, similar to escrow. Immediate payment is helping support fraud.

The banking industry is going to have to tackle payment fraud and the longer this takes the more that it will cost other customers.

I read what has been said. This problem, in my view, is more complex than simply expecting the banks to sort fraud out on their own. It is like expecting the police to prevent theft. I would like to see what possibilities might exist to identify fraudsters, fraudulent accounts, and who customers might be helped to prevent them making injudicious transactions. I think a number of parties are involved.

We might all make suggestions but to progress the issue I would like to see all parties inform the debate. Whether a Which? Convo is the place to resolve these issues is debatable. Perhaps they could collaborate with others and produce a report?

I believe we could, for example, tailor bank accounts to better match account holders capabilities. Delay payments (which customers can do currently, I believe, although as has been pointed out this may not be acceptable to many authentic payees); I am not clear though how this would help recover funds though but it would give payers time for second thoughts. And other possible actions that have been discussed here and elsewhere.

But, in the end, many fraudsters will stay one step ahead of all of us, as do other criminals. The basic question remains, how can banks do more to identify and prevent fraudulent transactions taking place, and how can customers be better informed to avoid making them.

I think there’s another aspect to all this: I’m pretty sure we don’t get all the details when cases are reported. Embarrassment, lack of confidence, fear of being ridiculed, pride–all these factors (and more) can contribute to cases only being reported in an abbreviated way.

In particular, we don’t get to know the precise circumstances of the scam. When we see a case in here, the armchair baristas (sic… may be inclined to rush to judgement, based on what they might perceive as a clear case of incompetence. It’s no coincidence that many of the victims are elderly, in a fragile state, have suffered a recent bereavement or are suffering from one form of dementia or another.

It’s also incredibly easy to argue ‘they should be helped’ or ‘dealt with in a appropriate way’. But one aspect of dementia is that many are unaware of its existence for many years. If the afflicted have no family, no sufficiently close friends who feel they could intervene, what can they do? If they’ve been with a bank for most of their life does the bank owe them a duty of care?

Sometimes we have contributors relating their own experiences or those of their family, but many of the comments in Conversations are posted by regulars who may have no first hand knowledge and are unlikely to be able to relate to circumstances such as those mentioned by Ian. I regard banks as an ‘essential service’, much in the same way as our utilities, and I agree that they must exercise a duty of care to their customers. We all decline mentally as we age and I doubt that our banks have much of a clue whether we are safe to continue using banking services. We probably all know people who should have given up driving voluntarily – a hard decision to make, but can be helped by the need to declare certain medical conditions, followed by assessment which removes the need to make the decision.

I have suggested introducing a mandatory delay in processing online payments to new payees. There would obviously need to be exceptions, such as where goods were collected. Malcolm has rejected this suggestion on the basis that we have the option of doing this when making a payment. Victims of scams can be put under pressure and panic and it might not occur to them to delay payment to a scammer. It’s clear that the ability to delay payments has not addressed the problem.

Customers can do a lot to protect themselves and banks can help by tailoring facilities to suit their needs, but it’s the banks that must tackle the problem of scams.

I have not rejected delayed payments. I have pointed out that, yes, we can do it for themselves, or it could be a default. However, what I have asked is for evidence that this delay would have a substantial effect.

The gist of my comments on this topic ha centred around realistic proposals as to how the banking system can better deal with fraud. It is fine to say “the banks must tackle the problem of scams” but there seems a shortage of realistic proposals put forward.

This Convo would benefit from informed input from all parties. Otherwise we end up going round the houses.

How are banks supposed to know when some customers decline mentally? Why should they be held responsible for the mistakes those customers make if they are unaware of their deficiencies? I just don’t see how banks can anticipate their problems. However, those with families or carers could, maybe, have an easier route to make the bank aware but, more importantly perhaps, have accounts available with more restricted facililities. I have used my bank’s support team successfully. Power of Attorney is something families should consider for elderly relatives at an early stage in their later lives.

The intended topic of this Conversation is the failure of the banks to comply with the voluntary code of practice that they have agreed to, and Which? has rightly pointed out that customers of different banks are being treated differently. I was a little surprised when the Code was introduced but hope that it will provide a way of forcing the banks into recovering money from receiving banks in event of a scam.

This Conversation may help us learn about the challenges and differences of opinion but whatever we say will have no impact on the future. I doubt that we will have input from the PSR or other regulators.

I’m very much in favour of educating customers and suspect that it would be possible to carry online assessment of their abilities before granting access to banking facilities. Young people need to learn about possible risks and some older people can become confused and unable to behave rationally under pressure.

The reason that I’m strongly in favour of delaying payments to new payees is that it gives the opportunity of recovering money. Not only could that protect customers but it will protect banks from having to refund money in accordance with the CRM Code of Practice or if instructed by the ombudsman. Once fraudsters know that they are likely to lose the proceeds of their activities we might help put an end to this type of crime.

The code of practice should ensure that when banks have failed in recognising a fraud that they could have prevented then they should recompense their customer. But, I would not support a code that is expected, by default, to compensate a customer when the bank has played no negligent part, or could not reasonably have intervened in a fraudulent transaction. Customers have a duty to conduct their financial transactions responsibly, but even if they fall for a fraud when they have been reasonably careful why should a bank be expected to repay them? What has the bank done wrong to deserve this?

We do need to think how vulnerable people should be helped but, if the bank does not know they are vulnerable, why should they be expected to repay?

If someone can demonstrate where the banks are failing to protect customers then please show how. But just expecting them to use depositors’ money to refund unfortunate victims as a right, money that would otherwise be used maybe to increase savings rates, reduce loan interest rates and overdraft charges for other struggling customers, when they a not blameworthy seems quite unfair, code or no code.

I’m happy to leave this up to the PSR and the ombudsman to ensure that banks comply with the rules. If the banks are not happy with the code of practice then let them push for change. I don’t believe that it’s up to the public to support the banks. Retailers have obligations to support customers under the Consumer Rights Act even where the manufacturer has provided substandard products liable to premature failure. If Which? members were polled about consumers losing money as a result of fraud, would they expect banks to be recover their money? In my opinion, we need banks to be able to recover our money and one way is delaying payment – which you have now accepted as a possibility.

As I have said I am in favour of banks’ customers paying a fee for recovery of their money from receiving banks, especially if they have been careless. The banks need to work together to make sure that fraudulent transfers can be reversed and work with the police so that fraudsters are prosecuted.

malcolm r says: 14 November 2021
But, I would not support a code that is expected, by default, to compensate a customer when the bank has played no negligent part, or could not reasonably have intervened in a fraudulent transaction.

Has anyone suggested this, Malcolm?

Customers have a duty to conduct their financial transactions responsibly,

That hinges on the definition of ‘responsibly”, which would differ across cases, surely? For example, in the hypothetical case of the elderly gentleman with no family, undiagnosed mental and intellectual deterioration, who implicitly trusts authority, who would be responsible if he believes a Bank manager has asked him to move his funds temporarily?

but even if they fall for a fraud when they have been reasonably careful why should a bank be expected to repay them? What has the bank done wrong to deserve this?

I suspect Wave and I have both provided good reason why banks are, at the very least, partially culpable and will remain so until and unless they are forced to work together by legislation.

I said above “The gist of my comments on this topic ha centred around realistic proposals as to how the banking system can better deal with fraud. It is fine to say “the banks must tackle the problem of scams” but there seems a shortage of realistic proposals put forward.

It would be useful if some contributions to this Convo made constructive proposals and gave information that would help reduce fraud.

Those of us without detailed knowledge of the problems and how the banks are currently dealing with them are not in a good position to make informed comment about how the banks can reduce fraud. Banks could withdraw privileges from account holders if they have had to refund money to the victim of a scam if the enquiry shows that they are no longer able to cope (see points made by Ian) or it was shown that they had ignored advice such as keeping a PIN secret.

“It would be useful if some contributions to this Convo made constructive proposals and gave information that would help reduce fraud.” I presume you are implying that our comments and suggestions are not constructive, in this and other Conversations where you have made the same point. That might be a topic for discussion in The Lobby. I’m just here for friendly discussion.

I agree with Wave. It’s not really up to us to produce potential solutions. Our task is to identify the problems. The banks will never say what is being done, because of security concerns.

” I’m just here for friendly discussion.”. As are most who contribute.
”It’s not really up to us to produce potential solutions.. There may be people who could. However, as I have repeatedly suggested, as this is a Which? forum they could look at solutions, including by asking knowledgeable people to inform us.

However, I asked what I consider a fundamental question at the outset of this Conversation. https://conversation.which.co.uk/scams/financial-ombudsman-service-psr-code/#comment-1640108. A question that seems to be avoided.

It might be helpful if the PSR provided some simple anonymised examples of how compensation cases have been judged. Like Ian, I don’t expect input from the banks.

In his introduction, George Elcock wrote: “New data from the Financial Ombudsman Service shows banks cannot be trusted to interpret the voluntary CRM code fairly or treat customers in the right way.” I strongly support replacement of the voluntary code with legislation, and extending this to include banks that are not currently signed up to the voluntary code. Outcomes of cases should not depend on which bank we use.

”Outcomes of cases should not depend on which bank we use” . An independent investigation and assessment of claims would cover that.

Hopefully the findings of the Financial Ombudsman have already triggered such an investigation or the publicity from Which? will help here.

Likewise, I would like to see an investigation about the way that small companies with inadequate resources have been allowed to sell energy to the public.

I believe quite a number of constructive and practical suggestions have been made by a few of us in relation to this problem. Unfortunately they have mostly fallen on deaf ears and languished out of sight in the earlier passages of the relevant Conversations. I suppose we get tired of repeating ourselves so these ideas have gone unnoticed.

”The voluntary CRM code was launched in May 2019 and requires signatory banks to provide effective warnings to customers, identifying vulnerable customers and acting quickly when a scam is reported.

If an APP scam In return, you’re expected to pay attention to take care, have a reasonable basis for believing the payment is genuine, and pay attention to warnings.

Crucially, signatory banks must reimburse customers even if both parties have done nothing wrong.

Read more: https://www.which.co.uk/news/2021/11/banks-wrongly-denying-fraud-victims-compensation-in-up-to-8-in-10-cases/ – Which?

It is the last paragraph that I have been concerned about, and to have justified.

As well as that concern, I have also been asking for those who have knowledge of what could be done to explain how (if at all) online fraud could be reduced by the banking system. At the same time some have contributed suggestions that could help. But surely they attack should be on reducing fraud rather than on simply providing “compensation”; unless some see that as the stimulus to get the banking system to do more, which comes back to the question – what could be done that is realistic and feasible to reduce the commission of fraud.

Compensation is perhaps not the best way of describing the return of money that has been stolen. If a car is stolen, recovered and returned to the owner we don’t refer to that as compensation.

The ball is in the court of the banks, the regulator and the government to come up with a practical solution to tackle the problem of bank accounts being operated by fraudsters.

The LSB claims to be an independent monitoring organisation n of companies in the UK operating as finance providers. The extent of its independence is rather tricky to ascertain, but one job seems to be monitoring of the banks’ adherence to the CRM code.

Registration is voluntary, and signatory firms make a commitment to reimburse customers who lose money where they were not to blame for the success of a scam. This is not quite the same as ‘doing nothing wrong’, a distinction which the banks may have used in some cases to justify not repaying people.

However, the LSB seem to work closely with the FCA–a body with some real clout, and on 29 June 2021 the FCA published a ‘Dear CEO’ letter to retail banks concerning common weaknesses in key areas of their financial crime systems and control frameworks. It followed hot on the heels of the Lending Standards Board’s 16 June 2021 warning that insufficient progress has been made by banks to provide reimbursement to customers who fall victim to Authorised Push Payment (APP) fraud. These two developments reflect different facets of the same overarching issue: what steps retail banks are taking as gatekeepers to the financial system to prevent financial crime and address the consequences of it.

Both organisations found five areas of concern :

Governance and Oversight
Risk Assessments
Due Diligence
Transaction Monitoring
Suspicious Activity Reporting

If your money is recovered (from the fraudster’s bank) then it doesn’t matter who was responsible. But if the money cannot be recovered and you own bank has not been negligent then it is best be described as an ex gratia payment.

Only if your car was insured would you be compensated if not recovered. Maybe we should take out insurance against losing money to fraudsters. I expect insurance companies would look hard at the attribution of responsibilities before making a payout.

You may remember I suggested the possibility of insurance long ago, Malcolm.

If a bank did not keep our money safe it would I hope be seen as negligent. If the banking system is allowing fraudsters to use banking services for illegal activities then I see this as negligent, though collectively rather than individually. Perhaps it is the banks that need insurance.

The banks that have agreed to operate under the voluntary code have been failing in their responsibility, judging from what Which? has told us and according to the Lending Standards Board – see Ian’s recent post. To start with I was I was surprised by the CRM Code but having read more – including explanations given by Which? – I understand the need for the Code.

Some customers have been defrauded of their savings and there are reports of depression and even suicide.

I also suggested insurance, but it would no doubt be quite careful to ensure the customer had not contributed to a loss by careless or negligent behaviour.

The question being avoided by some is why banks should repay losses when they have not been negligent in any way.

Because the definition of ‘negligence’ would prove infinitely debatable, I imagine. If you look at the post I made earlier, you’ll see that both the FCA and the LSB are actively concerned that the banks are seriously deficient in five key areas. Frankly, I doubt they’d even get insurance.

It’s not just Which?; it’s the two most significant bodies in the country involved with how financial institutions conduct their affairs who are telling the banks, loudly and clearly, to get their houses in order.

I see that as pretty incontrovertible. And so, I suspect, would insurers.

Negligence by banks would include, as examples,
– setting up bank accounts without proper checks on the applicants, (which may well be the case for some banks, particularly overseas)
– allowing customers to transfer money to accounts they know to be operated fraudulently
– not implementing any existing systems that are capable of detecting potential fraudulent transactions
– not participating in data sharing that can identify and reduce potential fraud
– not keeping customers informed of current and new fraud and advice on avoidance
– not implementing precautions that are known to help avoid fraudulent transactions
– not offering “limited facility” accounts to customers who are known to be vulnerable to fraud.
I am sure others could supply more examples. Negligence on this basis seems to be not too difficult to identify.

It is the examination and information on such ideas that I would like to see discussed. Improving the banking system should be the prime objective rather than simply paying back money lost.

The intention of insurance was for customers, not banks (who have sufficient funds to pay back without insurance).

Malcolm – Perhaps we should discuss another side of scams that has so far been ignored by most of us. Here is an article by Lauren Merryweather that I remember reading earlier this year: https://www.which.co.uk/news/2021/03/devastating-emotional-impact-of-online-scams-must-force-government-action/ What drew my attention was not scam victims but the call for government to take action over a consumer issue. You and I can think of other issues (e.g. dangerous products sold online) where the government should be taking action. I cannot relate to the effect of scams on people. I’ve not been scammed and no-one has told me that they have. It might be embarrassing to mention it. I do not discuss financial matters with others. The more I have read, the more I realise that the banking system is supporting fraud by providing accounts for scammers and failing to adequately protect its customers.

I wonder how many Which? subscribers have been victims of scams and have contacted Which? Maybe Which? is looking at both sides of the problem. You have often stressed the importance of taking a balanced view.

Having seen how long it took to introduce Confirmation of Payee I am not optimistic about banks tackling scams. From a programming point of view, account name matching is not a complex computer exercise and my understanding is that the delays were down to differences between banks.

Perhaps we should both look at the damage that scams are causing to citizens of this country.

Perhaps you or Lauren should start a new Convo on that topic. I’d prefer to focus on how fraud might be reduced.

We have discussed the introduction of Confirmation of Payee elsewhere. From what I read while at an individual bank level it might be fairly simple it was more complex to introduce it industry-wide. As we are not experts Which? could have sought explanations from those who are.

Examining the possible ways fraud could be tackled in APP would seem to me to be useful. That would help in your request.

In case it’s of use, here’s the ongoing discussion on what’s the emotional impact of scams: https://conversation.which.co.uk/scams/online-scams-emotional-impact-experiences/

@@jon-stricklin-coutinho, thanks Jon. I thought there had been such a Convo but couldn’t immediately find it.

malcolm r says: Today 11:02
…the introduction of Confirmation of Payee, from what I read, while at an individual bank level it might be fairly simple it was more complex to introduce it industry-wide.

I don’t doubt that, but the question is why was it inherently more complex? The answer, I strongly suspect, lies in the commercial competitive nature of the UK banking industry. That’s exactly why they need to be forced into doing this: by legislation.

malcolm r says: Today 09:21

Negligence by banks would include, as examples,
– setting up bank accounts without proper checks on the applicants, (which may well be the case for some banks, particularly overseas)
– allowing customers to transfer money to accounts they know to be operated fraudulently
– not implementing any existing systems that are capable of detecting potential fraudulent transactions
– not participating in data sharing that can identify and reduce potential fraud
– not keeping customers informed of current and new fraud and advice on avoidance
– not implementing precautions that are known to help avoid fraudulent transactions

I think you’ll find that three of the areas the FCA and LSB alleged were not being done properly centre around several of the points you make, Malcolm, and especially the one I’ve emboldened.

We want a competitive banking industry – well, I do.

The complexity was, I believe, on at least two fronts. One, if I remember rightly, may have been privacy considerations. Similarly I understood it was to do with disparity between banking software and systems; one reason why there have been two phases to CoP.

But they are only my recollections. I have in the past asked Which? to get input from the industry but don’t recall seeing any. It would be useful to confirm, or otherwise, what is suggested.

”I think you’ll find that three of the areas the FCA and LSB alleged were not being done properly centre around several of the points you make, Malcolm, and especially the one I’ve emboldened.

My comment concluded
”It is the examination and information on such ideas that I would like to see discussed. Improving the banking system should be the prime objective rather than simply paying back money lost.

What I cannot understand is that if your bank account has been compromised or you have paid a scammer, why can the banks, irrespective of location, cannot demand repayment into their client account? They all have a duty of care, and that includes a thorough check of the person or persons opening the account in the first place.

Joseph Masters says:
12 November 2021

Most interesting expose! I am very pleased that Barclays and HSBC with whom I bank do not appear on your list. Is it because they adhere to the code or that they reimburse?

Unbelievable but true – banks (without the apostrophe “bank’s”) need to have a major overhaul.

@gelcock, George, your Convo states that “Figures show that NatWest and The Royal Bank of Scotland (RBS) – part of the same banking group – are getting it wrong in nearly nine in 10 (86%) cases, with Santander (82%) and Bank of Scotland (81%) following closely behind.” as an example.

This could be interpreted as suggesting that of all the “frauds”, that are the subject of this Convo, 86% (in the example) are wrongly decided by the bank. I assume, however, that you mean only 86% of those that are referred to the FOS? I also assume far more may not be referred to the FOS. If so, the key information required is how many are decided satisfactorily between the banks and their customers. That could radically change the “getting it wrong” % assessment. Do you have this information?

I have been reading with interest the debate about whether, and in what circumstances, banks should refund customers for frauds. I don’t believe we can ever expect a clear statement about this, because to do so would play into the hands of faudsters more that ever.

Rather like the insurance “crash for cash” scam, fraudsters could collude between themselves to milk the system. (At this point I would like to claim first use of the word “colloiding” to mean the same.)

From what I have read, I believe that telephone is the primary means of instigating a push-payment fraud, since vishing attacks are the most effective way to engender panic in the hapless victim.

So rather than an all-out assult on the payment channels, who are simply carrying out the instructions of their account holders, why is there not more pressure on the telecoms companies to protect us from these practices in the first place?

I have previously suggested a simple system where any account holder or a trusted relative, could set up a pin using their telephone keypad. I can share the pin with my family, friends and institutions, like banks. To call me, you would need to dial my phone number, followed by the pin. I think they have a duty to do this, since ex-directory and TPS clearly does not work to stop these random calls.

I don’t see this would be any great overhead for companies to implement, since all computer systems I have designed already make provision for a 4-digit extension number, which could be used to store the pin for personal numbers.

To my naive way of thinking, this would dry up a lot of the scam calls. And I would be a lot happier to think that elderly relatives were not having to be suspicious of every phone call they receive.

Seems a constructive proposal, Em. Would unsolicited calls go to the answerphone – just in case they were from someone you had forgotten to give the PIN to?

I’ve had an “overseas” call today that rang off when I stayed silent, and two from “Amazon” about a renewal of Prime, again ignored. But I agree about the immediacy of a phone call and the response they can elicit from trusting or naive people.

BT have produced a ‘phone which they suggest will eliminate all scam calls. I suspect it works on a similar principle. Some excellent reports about it doing the rounds.

I hope so, but by now most people who are not in the vulnerable category must be aware that calls may be scams or marketing. I do not know what has happened but I have had only one call (about a shareholding) in the past two months.

Perhaps we should be looking at how vulnerable people can best be helped, and how they can be identified.

I have suggested elsewhere having accounts with restricted facilities so that if they do make unwise transactions the damage is limited. But this does mean the banks being aware of their special circumstances.

I do not know what accounts are available that would help protect such people. Maybe someone from Which? Money could tell us.

There are quite a few such services. However, none of this addresses the issue of the elderly single person with no close relatives or friends.

Do you have any suggestions that would help them?

It is very difficult to see what can be done to help single vulnerable people in these matters.

Thinking back to when my mother was widowed, she wished to remain as independent as possible but had little experience of current financial affairs. Luckily, as my father’s executor, I was able to do some of the work in connection with banking, making payments and transferring accounts but things were a lot more straightforward in those days. Fraudsters weren’t making distressing daily phone calls, there was no internet, and there was still a bank branch in the village. The bank were very helpful and the local manager was able to put a watch on her current account, transfer money out to a savings account if the balance exceeded a certain sum, and ensure that all cheques were made out to to regular or previous payees. That kind of supervision would not be available nowadays, even for a fee.

People are reluctant to recognise that they might be progressively becoming vulnerable to exploitation, forgetfulness, or confusion and they are also very hesitant to involve relatives, friends or neighbours in their personal arrangements; they might even think such people are more doo-lally than they are! But, really, before it’s too late, everyone should try to maintain at least one relationship or friendship if at all possible or join a local club, association or church group so that people can keep a look out for any unusual behaviour or activity. It’s not easy, but it could lead to forming a trustworthy friendship or bond that might eventually enable a lasting power of attorney to be granted. There are risks, of course, because knowing who to trust is problematic and there are malevolent people about.

I think it might still be the case, although I should not be surprised if it had fallen by the wayside under the onslaught of budget cuts, that the local social services department was in touch with every resident aged over 80. A specific social worker would be a designated contact and would have to check everyone on their list at specified intervals depending on the perceived level of vulnerability. I would imagine the present workload has made that sort of service very difficult to maintain if there are no other welfare reasons justifying intervention; it is hard enough to get essential domiciliary care now let alone extra-mural assistance. Most people cannot afford to live in a residential care home a minute before there is no practical alternative and the level of personal support available there is potentially unreliable.

I have painted a bleak picture, but the situation facing vulnerable people living entirely on their own is deeply worrying and society does not seem to have a satisfactory answer to it.

I think this is a case for local charity to provide “friends” for vulnerable people. They would need to be vetted in some way and probably share “customers” to minimise the possibility of financial abuse. I doubt Social Services have the resources.

I don’t recall who organised it but my daughter-in-law participated in a scheme where she visited, separately, two single elderly people each Saturday to give them, essentially, some company and friendship but she could also identify any problems.

We cannot, and perhaps should not have to, rely on the state or local authorities to cover all these people. Local charities, church groups, Salvation Army and such could maybe do more to encourage lay people to become involved.

I suspect local charities are stretched pretty thin these days; social services, always over-stretched, anyway, are now even more so.

I would hope appropriate local charities and others would tap into the local community to provide the “friends”. I, for example, would be happy to respond if approached.

I can’t remember when I last received a scam call on my phone since I purchased a phone with a blocking device. No one can get through to me without first announcing themselves to the operator. Once announced, I press 1 to accept the call, or not if I don’t recognise the caller. Only people entered in my phone book list are able to get straight through to me.

Recently, after making a call to a tradesperson who became rather belligerent when I requested a quote for work, I ended the call. He then immediately phoned me back, but I just pressed the block button and that put paid to him!

The technology is available, it just needs someone to instruct the elderly how to operate it! Those who are mentally disadvantaged should not be left alone to fend for themselves, and would need to be assessed by a qualified social worker, or local medical practitioner to establish their ability to live independently.

Gone are the days when women stayed home to care for a large family, but those few remaining who are still alive, have little knowledge of the families financial affairs, which used to be the responsibility of the breadwinner, usually the male.

Times have now changed with most women becoming more financially aware, having to seek paid employment in order to supplement the everyday household expenditure or contribute towards the annual family holiday.

Thought for today

Q. Why can’t you take electricity to social gatherings?

A. Because it doesn’t know how to conduct itself.

That kind of discrimination is quite shocking, Beryl, under current thinking. We should transform its behaviour.

A new Which? press release:

Which?: Huge win for consumers as Treasury commits to legislation for mandatory reimbursement for scam victims
18 November 2021
Anabel Hoult, Which? Chief Executive, said:

“Five years on from Which?’s super-complaint on bank transfer scams, this commitment from the Treasury to legislate to make reimbursement mandatory is a huge win for consumers.

“People are still losing life-changing sums of money every day, so the Treasury must move swiftly towards introducing the necessary legislation. The regulator must also ensure it is ready to put in place mandatory reimbursement rules the moment that legislation is passed, so fraud victims are treated fairly and consistently when trying to get their money back.

“Which? has been calling for banks to come clean on how they treat fraud victims, so it’s positive that the PSR is planning to direct firms to publish data that shows fraud case numbers and how often they reimburse customers. The banks must cooperate fully with putting in place these long overdue requirements.”

If scam victims are reimbursed then the banks are going to have to recover the money from scammers. The banks are going to have to work together.


The insurance industry already work with each other to limit fraudulent claiming. Wonder what’s stopped the banks?