Banks must be made to come clean about how much money victims of bank transfer scams are being reimbursed, as Which? finds firms are not prepared to voluntarily publish data to ensure customers are treated fairly and consistently.
Which? contacted the UK’s major banks and building societies urging them to commit to publishing their reimbursement rates by Friday 28 May, which marked two years since the introduction of an industry code that many banks have signed up to, which pledges to reimburse losses to victims who are not at fault.
However, almost all banks failed to do so. Barclays, which last month provided reimbursement figures for the first two months of the year, was the only firm to say they were ready to publish “periodically”. This leaves it as the only organisation apart from TSB, which is not a member of the code but does have a ‘Fraud Refund Guarantee’, to provide any information on the amount of money it returns to customers who have fallen victim to this type of scam.
As a result of the responses from across the industry, the consumer champion is now urging the Payment Systems Regulator (PSR) to push through with its proposals to require firms to publish the data.
Currently, information about the levels of reimbursement individual banks provide to customers under the scams code is published anonymously – with reimbursement rates across firms last year ranging from from a low of 18 per cent to a high of 64 per cent, according to the PSR.
In contrast, TSB says it reimburses 99 per cent of customers. Barclays said its figure was 74 per cent for the first two months of 2021.
Banks that are not part of the voluntary code face even less scrutiny, and there is no clarity about how much money is being returned to customers by firms, even on an anonymous basis.
Which? believes the complete lack of transparency in how individual banks are treating customers is leading to unfair and inconsistent decisions, meaning that firms can easily wriggle out of their responsibility to reimburse victims, and is a contributing factor to low levels of reimbursement under the scams code.
Reasons that banks gave for not publishing included:
Publishing reimbursement rates alone would not give a full picture of an organisation’s ability to prevent fraud and protect its customers, and that a wider range of information – such as data on where scams have originated – is required to give a fuller picture.
A low reimbursement rate could signify that a bank has high levels of fraud prevention and that the scams that do get through could be more likely to involve customer error.
Releasing data publicly could potentially drive criminal behaviour towards specific firms perceived to have weaker fraud protections.
A belief that it detracts from the need to focus on the criminals and growing threat of financial crime.
Which? does not believe that any of the points raised prevent banks from being more transparent.
Banks should be publishing data beyond reimbursement rates if that is needed to evidence what they are doing to prevent and manage cases of bank transfer scams. The consumer champion also says that publishing data does not pose a significant fraud risk to firms, and could actually help to drive improvements that reduce scams.
While the regulator says there is a “possibility” that there is a connection between high levels of fraud prevention and low reimbursement rates, Which? believes firms’ interpretation of “customer error” is often flawed.
This has been highlighted by the Financial Ombudsman Service (FOS) , which says it continues to uphold a “high proportion” of bank transfer scam cases. Decisions published by the FOS have shown examples of firms placing unrealistic expectations on customers to spot they are being scammed, or that the warnings put in place are not sufficient.
And rather than detracting from a focus on crime, TSB has found that since introducing its guarantee, victims are willing to provide much more detailed information relating to their cases, which helps to inform the bank’s fraud preventative measures.
Which? believes that the response from industry shows that the regulator has no choice but to act on its proposals to improve transparency from firms on how they deal with bank transfer scams, including reimbursement. Stronger consumer protections, that all firms must follow, are also needed to fix an unfair and inconsistent industry approach to reimbursement for blameless victims.
Gareth Shaw, Head of Money at Which?, said:
“Banks are continuing to hide behind a cloak of anonymity instead of demonstrating their commitment to protecting customers from the devastating impact of bank transfer fraud by publishing their reimbursement rates.
“Without greater transparency, inconsistent and unfair treatment of scam victims will continue, and the chances of having their losses returned will remain a lottery.
“This situation cannot continue. The Payment Systems Regulator must now take action and order all firms to publish this information regularly and in full, as part of a range of measures to resolve the systemic problems with how victims of this crime are handled.”
Banks signed up to the scams code: https://www.
lendingstandardsboard.org.uk/ registered-firms/#contingent- reimbursement-model-code-crm- for-authorised-push-payment- scams
PSR details on reimbursement figures and connection between fraud prevention and reimbursement rates can be found here – Authorised push payment scams – call for views
Financial Ombudsman findings on APP complaints can he found here – Annual complaints data and insight 2020/21
Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.
The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at email@example.com.
Responses from banks
Citibank, Monzo and Revolut did not respond to Which?’s request for comment.
AIB: “We have a concern shared with others in the industry that releasing such data into the public domain could potentially drive criminal behaviour towards specific brands perceived to have weaker controls. We believe receiving firm data would not be useful to customers as this is unlikely to drive decisions around with whom they choose to bank.”
AIB also said ensuring customers have access to easily understood and comparable information is paramount, and these aims could be achieved by broadening the range of available data, which could include statistics around the percentage and value of Authorised Push Payment (APP) cases which originated from “third party enablers”, such as online platforms, as well as prevention and reimbursement levels.
Bank of Ireland: “We will not be publishing reimbursement rates.”
Barclays: “Reporting data on scams is important to help drive down the rate of crime, thereby protecting consumers from falling victim in the first place. We are ready to share our own insights, including on reimbursement rates, periodically, but feel strongly that regulatory intervention is essential to ensure the approach is consistent, including through mandatory application of the Contingent Reimbursement Model (CRM), covers the whole ecosystem, not just financial services, and provides consumers with the information and protections that they need.”
It also said it believed that the prevention of scams must remain the central focus and that more collaboration is needed between industry and the broader ecosystem to protect consumers fully.
The Co-operative Bank: “As a UK Finance member we agree with its view that a more holistic picture of refund rates is required and we are not supportive of APP data being published without more detail and clarity being provided to consumers.”
Danske Bank: “Danske Bank does not currently have plans to publish its rates.”
HSBC, First Direct and M&S Bank: “We work hard to deliver on our commitments under the CRM Code, helping protect as well as support customers should they fall victim to scammers. We act with empathy and understanding when investigating a case and strive to ensure fair and reasonable outcomes for our customers. We continue to collaborate with others in the industry to explore ways in which we can provide a balanced picture of APP scams, combining scam originator data, prevention levels and reimbursement levels.”
Lloyds Banking Group: “We have submitted a response to the PSR ‘Call for Views’ on this topic and look forward to the outcome of the industry-wide consultation. We are fully committed to reimbursing victims of scams in line with the voluntary code, and have returned significant amounts of money to victims of fraud since it came into effect. Winning the fight against fraudsters is a team effort and obligations for prevention should be extended to all banks as well as online platforms and telecoms companies where the majority of scams typically start.”
Metro Bank: “Together with other UK Finance members, we believe publishing reimbursement rates alone does not give a comprehensive picture of an organisation’s ability to prevent fraud and therefore protect its customers. However, with fellow UK Finance members, we are committed to working and building out the right information to allow a complete position to be easily understood.”
Nationwide: “We are constantly looking at ways to help stop scammers being successful in duping our members into parting with their money. We will continue to review our approach regarding the publishing of our own fraud and scam data, although believe it largely detracts from the overwhelming need to focus on the criminals and growing threat of financial crime. It is why we are committed to working with the banks and cross industry to tackle the scourge through education and action.
“Each refund decision regarding scams, where the member has authorised the payment themselves, is made on an individual basis, looking at the actions taken by the Society and the member that led to the scam. However, we continue to take a sympathetic position and take into account a range of factors such as vulnerability.”
Natwest Group: “We will continue to publish our data at an industry level through UK Finance.”
Santander: “We are concerned that publishing reimbursement rates in isolation could present a misleading picture to consumers by failing to take into consideration relative levels of fraud prevention, which should be the overriding priority.”
It also stated that reimbursement rates should only be published alongside three additional measures to provide consumers with a balanced view, including information on prevention, where the scam orginates, and recipient account data – the level of scam payments received into banks’ accounts, and the value of funds frozen and subsequently repatriated.
It added that delivering this data across the industry will be a complex project that will take time to get right, and that it stands ready to work with UK Finance and its members to be in a position to publish this data as soon as possible.
Starling Bank: “The CRM Code was established to reduce both “the occurrence and impact of APP scams”. We question whether Which?’s campaign will further these aims and think it may have negative, unintended consequences.
“Publishing reimbursement rates alone could be misleading. A high reimbursement rate could indicate that a bank has weak fraud controls, making it easier for their customers to be scammed. A low reimbursement rate could signify that a bank has high levels of fraud prevention and that the scams that do get through could be more likely to involve some customer error.
“Further, some banks have a policy of automatically reimbursing all claims or all claims below a certain level, say £350, because it’s cheaper and easier than investigating them. To them it is just a cost of doing business. This approach pushes up their reimbursement rates, but doesn’t make their customers any safer. In fact it could, arguably, make their customers more vulnerable to fraud because it could mean that little effort is spent on fraud prevention. It also risks encouraging a claim culture, where customers are less alive to the risks of scams, or even make false scam claims, because they know they will be reimbursed regardless.”
Tesco Bank said it does not plan to publish it’s reimbursement rates as it believes that in isolation presents a one-dimensional view of the problem, does not help consumers understand the effectiveness of a banks capability in preventing APP fraud in the first place, and is a limited measure of a banks effectiveness at dealing with the aftermath of APP fraud.
It said it would prefer to see at least equal focus on APP prevention metrics as well as reimbursement rates, and believes it is essential that all bank’s report against the same principles in order to provide consumers with an unambiguous comparison of performance.
It said it agrees with UK Finance’s response to the PSR consultation on behalf of the industry, where they recommend publishing statistics on where scams originate, as it would give consumers a broader and more helpful set of measures regarding APP fraud.
Virgin Group: Virgin Group said it had no plans to publish reimbursement rates at this stage. It said its priority is to protect customers from becoming victims of scams and supports all activity which helps to achieve that. It said it is working with others in the sector to agree an approach which will allow customers to make meaningful comparisons on fraud.