A new code that comes into effect on 28 May aims to ensure that victims of complex bank scams are reimbursed. Moneywise investigates how customers can get their money back.
More than 34,000 cases of authorised push payment (APP) fraud were reported in the UK in the first half of 2018, with bank customers losing £145 million.
In the majority of these cases, banks refused to return the lost funds to customers because they had authorised the payment after being tricked by scammers.
But a campaign by consumer groups and an investigation by the Payment Systems Regulator has finally persuaded the top banks to establish a voluntary code to tighten their security. The code also ensures that victims are reimbursed when neither the bank nor the customer is to blame for the fraud.
Scams are increasingly sophisticated
Criminals are stealing around £1 million a day via social engineering, in which they groom and manipulate people into transferring money from their bank into another account.
Often the fraudster will contact a customer by phone, text message, email or social media pretending to be a genuine organisation, such as a bank, the police, a utility company or a government department.
The scammers often claim there has been suspicious activity on a bank or card account and use a sense of urgency to persuade victims to act immediately. In other forms of APP, fraudsters have hacked into business email accounts and sent out fake invoices with altered bank details. A third popular type of scam is fraudulent investments.
“Being a victim of financial fraud can really affect your mental health”
Victims have lost their life savings in these scams, with one Essex couple losing £120,000 when they sent money to what they thought was their solicitor’s bank account.
Rachel Duffy, chief executive of PayPlan, says: “Being a victim of financial fraud can have disastrous consequences for people, often resulting in long-term money problems and even bankruptcy. It’s a frightening and distressing experience, which can really affect people’s mental wellbeing, particularly if they’re already vulnerable.”
What the new code means for victims
Until now, banks and payment service providers have been reluctant to refund victims of APP fraud, saying that the responsibility lies with the customer who authorised the payment.
But from the end of this month a new voluntary code of good practice will take effect, which will be backed up by a pot of money to reimburse genuine victims.
Hannah Nixon, managing director of the Payment Systems Regulator, says customers will now have “better protection from APP scams than they have ever had before”.
Rob Tharle, fraud expert at NICE Actimize, which helps financial institutions detect and prevent fraud, says although the code does not fix the problem it will significantly help victims.
“These crimes are often nasty and increasingly sophisticated. Not being refunded can be life changing. In the vast amount of cases now victims are likely to be refunded, while in the past the majority were not,” he adds.
The burden of proof will now be on banks rather than customers and they will have to prove that a customer acted carelessly when they were scammed. For example, if a customer ignores warnings when setting up a new payee it could still be argued that they were negligent.
Barclays, Lloyds, HSBC, RBS and Metro banks have all signed up to the code, and Santander and Nationwide have also agreed to join, according to the Payment Systems Regulator.
Katy Worobec, managing director of Economic Crime at industry body UK Finance, says the code means that customers will be reimbursed when their bank or payment service provider is at fault as long as the customer “has met the standards expected of them under the code”.
The funds will come from the sending or receiving bank depending on which is at fault.
Scam victims will also be reimbursed if neither the bank nor the customer is at fault under the ‘no blame’ rules. Money for this will come from a dedicated reimbursement fund, which is bankrolled until the end of the year. A longer-term solution will be implemented from January 2020, the details of which are yet to be announced.
The code does not fix the problem but it will help victims
But the new system will only protect customers whose banks are signed up to the code. All other consumers will have to seek reimbursement via a complaint to the Financial Ombudsman Service (FOS), which is the current, largely unsatisfactory procedure. There is also no process under the code for reimbursing customers who transferred their money unwittingly to fraudsters before 28 May 2019.
Strengthening customer support
The new code is part of a wider range of measures that the banking industry is developing to protect customers from push payment fraud.
From January this year, victims of APP scams have been able to report complaints to both the sending and receiving payment service provider and escalate them to FOS. Until this date, victims could only make their complaint to the sending bank, even if it appeared the receiving bank was at fault for enabling a fraudulent account to be set up, for example.
A new security check called Confirmation of Payee, under which a money transfer is blocked if the recipient’s name and account number do not match, is also due to be implemented next year.
This would potentially prevent scams where business invoices have been intercepted or falsified and bank details changed before being emailed to customers. If the business name on the reference does not match that on the receiving account the automatic payment would be prevented.
“We need radical changes to banking”
Retired professor David Canter nearly lost £18,000 when fraudsters fooled him in an elaborate push-payment con.
The scam began when hackers got into the 76-year-old’s email account and sent messages to his contacts saying he was in Turkey and needed money.
Professor Canter immediately changed his password but a week later, after lengthy conversations with his email provider, he realised messages were being automatically forwarded on to another address the fraudsters had set up.
The forwarding was stopped, but a few days later he received a phone call on his ex-directory home number saying his IP address had been compromised.
The woman on the phone claimed to be acting on behalf of his internet provider and took him through a series of ‘checks’ asking him to corroborate unique numbers on his computer, which he wrongly assumed meant the caller was legitimate.
“We should be able to chase the identity of people who have set up an account for fraudulent purposes”
The woman then passed him on to a man who asked him to download some ‘protective’ software before logging into his bank accounts.
The whole operation took several hours and at certain points his computer screen went blank but the man on the phone told him not to panic as this was normal.
As a result, the scammers were able to take £7,500 from his NatWest account and two lots of £3,919 from his Santander account. They also attempted to transfer £2,500 from his Lloyds account, but the bank blocked it and he was able to cancel it.
Lily Canter’s father, Professor Canter (above), was left feeling vulnerable
NatWest repaid all of the money the next day but it took six weeks for Santander to do the same after Professor Canter complained to the chief executive.
The bank initially said it could not refund the money because he authorised the payments but did a U-turn when he complained about how they handled the crime.
Santander customer Susan Grossman was also stung via a similar scam and lost £1,700. A second payment of the same amount was blocked.
The bank investigated her case but refused to reimburse her, stating in a letter that “Santander cannot be held responsible for the loss”.
The bank’s adviser could have been more sensitive
When asked why it had treated the two cases differently, Santander told Moneywise it reviews each case of fraud individually.
“In Professor Canter’s case, we identified errors in the way his claim was handled, therefore the decision was taken to refund the money he had transferred to the scammers.”
It added: “We have the deepest sympathy for Ms Grossman and to all those who fall victim to scams. In Ms Grossman’s case, there was nothing to suggest the bank had acted incorrectly.”
Ms Grossman strongly disagrees and says Santander admitted to not offering the level of service expected and the letter from the Santander fraud complaint handler admits “the advisor [sic] was at times quite abrupt and could have been more sensitive given the circumstances.”
The situation is typical of the banks’ inconsistent and inadequate approach to tackling these scams, says Professor Canter.
“I knew the account numbers the money was transferred to and handed these over and yet the banks and police did not appear to be chasing the money.”
The crime left him feeling “violated and vulnerable” and unsupported by the banks and police. He has spoken about his experience at the University of the Third Age and been contacted by other victims, who were not so fortunate in getting a refund, including Ms Grossman.
Although he welcomes the new code, he says it still fails to get to the heart of the problem. “It is great that the banks are making a start on this but the whole mechanism needs looking at including the banks, police and Action Fraud,” he says.
“With modern technology we should be able to put a block on an account and chase the identity of people who have set up an account for fraudulent purposes.
“We need radical change in the whole attitude towards banking. There needs to be a minister for information technology with a remit for dealing with fraud and bringing all the relevant bodies together.”
LILY CANTER writes on personal finance for publications such as The Daily Telegraph, The Guardian and The Times