Many victims of bank transfer fraud are being treated unfairly or inconsistently when trying to get their money back, a new Which? report reveals, as it presses for the industry reimbursement scheme to be made mandatory.
The consumer champion found that some banks were regularly blaming customers for missing warnings or not doing enough to realise that they were being scammed, as reasons to deny people reimbursement.
The findings are revealed in a dossier of case studies that highlight the experiences of some of the 150 consumers who have been in contact with Which? since the code was introduced last year.
The code is based on the fundamental principle of fully reimbursing those who have lost money to criminals through no fault of their own. However, in many examples scrutinised by the consumer champion, firms were unfairly rejecting decisions that met this criteria, leaving people thousands of pounds out of pocket.
While Which? found some examples of good practice, it established several areas of concern relating to the way some banks were applying the rules. It believes these faults go some way to explain the woefully low figure for reimbursement under the code, which currently stands at just 41 per cent.
It found banks are relying far too heavily on their own judgements that customers ignored warnings, or have unreasonable expectations of the steps that customers should have taken to verify that the payment was legitimate, as reasons to deny customers the chance of getting their money back.
These denials occur even in instances of highly sophisticated scams where a fraudster was able to quote financial and personal details, or when criminals use manipulative tactics to pressure customers into making a transfer over days or even weeks.
For instance, a Lloyds Bank customer remains without £33,000 after falling victim to a number spoofing scam. The bank told her that it would not reimburse her because she did not take “sufficient steps” to verify that the communications were legitimate, despite not yet providing any explanation about what these steps should have been.
In another, Nationwide initially only offered partial reimbursement to a customer who was scammed out of £4,000 after his builder’s email account was hacked. This was despite the bank admitting that it had failed to provide adequate warnings to the customer before the payment was made – though it did eventually provide a full refund.
There are also concerns about how banks manage cases where a vulnerable customer has been scammed.
Which? heard from one customer who was defrauded out of £20,000 while undergoing extensive medical treatment. Santander initially refused reimbursement, on the basis that she confirmed that she had read the fraud message and was comfortable to continue with the payment.
This is despite the code providing a greater level of protection for customers who are identified as vulnerable, who should be reimbursed regardless of their actions. Santander returned the money after Which? asked it to review the case.
Following its analysis, Which? has set recommendations for improvement ahead of a review of the code by the Lending Standards Board, which is currently responsible for it.
The consumer champion believes that if firms are relying on using a customer’s response to warnings to reject reimbursement, then it must demonstrate that these warnings are actually successful at reducing the likelihood of a fraud succeeding.
These warnings should be subject to much more rigorous testing and customer feedback. It should consider how customers could be manipulated to ignore these alerts, and what changes can be made to the design and wording of warnings to make them more effective.
It also believes that firms need to take a more realistic approach when it comes to making reimbursement decisions based on whether the customer could have done more to verify whether a payment is legitimate.
This is particularly the case when a fraudster is able to spoof legitimate communications, as these practices can fundamentally change the circumstances under which victims are making judgements about who they are transferring money to. Which?’s view is that customers should be reimbursed in the vast majority of these cases.
Which? is also calling for the scams code to be made mandatory. As well as ensuring that all payment providers offer these protections, it would also help enable the requirements to be enforced effectively.
In addition, it wants all payment service providers to submit data on the number and level of bank transfer fraud and reimbursements.
Gareth Shaw, Head of Money at Which?, said:
“The scams code is a landmark milestone in the fight against fraud, but our analysis has found clear issues with how banks are meeting its core objective of reimbursing blameless people who have lost money through bank transfer scams.
“Even as this type of crime continues to surge, the lack of fairness, consistency or transparency across the industry means that the chances of people getting their money back is often a total lottery.
“A voluntary approach to tackling bank transfer fraud has failed. Banks, regulators and government must work together to make the code mandatory and ensure that strong standards on reimbursement are introduced.”
Notes to editors
A copy of Reimbursement for authorised push payment fraud: Consumer experiences of the Contingent Reimbursement Model Code is available on request.
Banks signed up to the code at launch: Barclays, HSBC Group (includes First Direct and M&S Bank), Lloyds Banking Group (includes Bank of Scotland and Halifax), Metro Bank, Nationwide, NatWest Group (includes Royal Bank of Scotland), Santander and Starling Bank. The Co-operative Bank is the only firm to sign up to the Code since its launch.
In relation to the case study who remains without £33,000, Lloyds Bank said although it has sympathy for the customer it will not reimburse her, on the grounds that she “did not take sufficient steps to verify that either the text message or the person she spoke to on the phone were genuine”, and that she authorised the payments despite receiving “specific warnings” stating that Lloyds would never ask a customer to move money to other banks.
In relation to the customer who lost £4,000 to a scammer Nationwide said: “On review of this case we became aware that the member was able to amend the existing payee details and as such, didn’t receive the tailored warning required under the CRM, so we took the decision to refund our member in full.”
In relation to the vulnerable consumer case study, Santander said: “in light of the new information that was shared about her medical condition, we have refunded her the full amount that was taken from her account.”
The Payment Systems Regulator has stated that rates of reimbursement are “well below” what they expected “given the Code presumes that customers should be reimbursed unless there are clear grounds for holding them liable.”
The Payment Systems Regulator recently published anonymised data for individual firms relating to reimbursement rates. Which? analysis has exposed that between May 2019 and February 2020:
Four of the eight signatory firms had fully reimbursed victims in 6% or fewer of cases, with one firm fully reimbursing just 1% of victims; whereas one firm had fully reimbursed 59% of victims. Some firms had chosen to partially reimburse a significant share of cases, including one firm that partially reimbursed 93% of cases; whereas another firm partially reimbursed just 1% of cases and another firm just 3% of cases. The value reimbursed also varies significantly, with one firm reimbursing just 6% of the value of cases compared to another firm that reimbursed 63% of the value of cases.