Some banks actively look for ways to escape their new obligations to reimburse victims
In the great tsunami of fraud that is reducing to rubble the lifelong savings of millions, the wave of authorised push payment fraud is the most pernicious.
Not only does it steal your money — all of it in many cases — it also adds guilt and remorse to the natural anger and helplessness anyone feels after being robbed.
That is because APP involves the victim in the crime, persuading them to innocently provide information that allows the thieves to clean out their bank accounts. Most customers are not reimbursed despite a new code that was supposed to ensure they were.
These frauds normally begin with a call credibly claiming to be from a trusted place, such as BT, Microsoft, the police, even the bank itself. It warns of a threat to your savings due to a fraud or security failure, and says you must act to protect them. Using a detailed knowledge of how bank security works and behavioural psychology of the highest order, they get you to take part in the transfer without realising it. Anyone can be fooled, not least those who think — as you, dear reader, are now — that it would not fool you. It could. Last year 122,437 people lost £455.8m. In the five minutes it takes you to read this article, another person has just lost more than £4,000.
In May 2019 the banks were finally bullied by the Payment Systems Regulator to sign up to a voluntary code. The snappily titled Contingent Reimbursement Model Code was supposed to ensure that where the victim was an innocent party they would be fully reimbursed by their bank.
However, in the last year or so some banks have set their find-the-loophole departments to discover ways to escape their new obligations. Data from the PSR reveals that two banks out of eight rejected 96 per cent of code claims and even the best of them accepted only 59 per cent in full. Data from UK Finance for 2019 showed that only 40 per cent of stolen money that came under the code had been reimbursed.
Typical reasons to deny a refund are that the customer ignored warnings about fraud or they were too credulous in accepting what the thieves said. Both of those excuses are allowed, but only with strict conditions. Warnings must be effective and to the point. And customers must have either been grossly negligent or not had a reasonable basis for believing that the call was genuine. There is also an overriding provision that a vulnerable customer should be reimbursed even if either exception applies.
Banks do not cross the high bar needed for those excuses to be used. That is one reason why, when journalists run stories on the way a bank has treated a defrauded customer, the bank usually coughs up, often just before publication. A cynic might suggest the banks reject cases knowing they are on thin ice, but also knowing few will complain effectively or get publicity for their case to get the decision reversed.
One high-street bank — TSB, which is not a signatory to the code — has chosen instead to give its own guarantee that it will refund innocent victims. It claims to have done so in 100 per cent of cases so far.
Several banks have told me in the past they do not think they should refund victims as the banks are not at fault. But they are at fault. They leave open three loopholes.
First, they let the thieves open a bank account or take over one that is already in use. Second, they fail to notice when there is an uncharacteristically large movement of money to a new payee. Third, when the crime is reported — and the victim usually comes to their senses fairly soon — they fail to act quickly enough to track down the money through the banking system to stop it before it has disappeared to a part of the world less concerned with due process than the UK.
The evidence so far shows that banks are not doing much to reduce these crimes. APP fraud cases in 2019 were 45 per cent up on 2018 and figures for the second half of 2019 — after the code was introduced — were still 29 per cent up on the same period a year earlier.
Another weapon in the fight against crime is also getting only patchy implementation. It is called confirmation of payee. On the first occasion a faster payment is made to a new payee the bank checks that the payee’s name filled in by the customer matches the name on the account to which it is going. Many people are surprised banks have not always done this. In fact, they have ignored the payee’s name and moved money just to the sort code and account number without checking the names.
After numerous delays by reluctant banks — the latest blamed on Covid-19 — CoP was fully implemented by the major banks from 1 July. If there is not a name match, then the customer is informed. However, many other banks have chosen not to implement this key fraud prevention measure.
Source: Money Marketing