Which? is calling for vital fraud protections to be made mandatory, as the consumer champion reveals more than £1 billion is estimated to have been lost to bank transfer scams in just three years.
With measures set to come in that should significantly reduce the amount of money lost to this type of fraud, Which? is also raising concerns that some banks are not committed to introducing the protections on time, or even at all.
Which? analysed bank transfer fraud statistics since the start of 2017, a few months after it first highlighted the threat from these devastating scams with a super-complaint.
The projected total lost since then, based on current trends, now stands at a staggering £1.1 billion, according to the research.
During that period, the sums lost to this type of scam, also known as authorised push payment (APP) fraud, have risen rapidly, while the payments regulator and banks have been slow to introduce much-needed protections for consumers.
According to Which?’s projections, £97 million could already have been lost in the first three months of this year alone.
Alarmingly, analysis suggests that almost a third of the total losses since 2017, equating to £320 million, could have been prevented if a simple system of checking names on bank transfers had been in place during that period.
This important measure – known as confirmation of payee (CoP) – is finally due to be introduced by most of the UK’s major banks by the end of March.
CoP ensures that a check is made on whether or not the name a customer enters when making a payment matches the account details it is being sent to. It helps to stop fraudsters from posing as trusted organisations such as a bank or solicitor and tricking people into making payments to them.
The Payment Systems Regulator (PSR) has only directed the six biggest banking groups to sign up by 31st March, but Which? believes all banks must join the scheme in order for it to be effective.
The consumer champion asked all banks when they planned to introduce Confirmation of Payee. Of the banks that have been directed to sign up, RBS Group (including Royal Bank of Scotland, NatWest and Ulster Bank) and HSBC (including First Direct) were unable to confirm a specific date when asked if they would be ready by the regulator’s deadline.
On the other hand, Lloyds Banking Group is ahead of the pack, implementing CoP from 2 March 2020 for Bank of Scotland customers, before rolling it out to Halifax and Lloyds customers throughout the rest of this month.
Of the banks that haven’t been directed to sign up by the regulator, several have said that they plan to deliver the system by the end of the year.
However, Metro Bank told Which? that it has no current plans to implement CoP at all – despite this being a requirement of the voluntary industry code on APP scams launched in May 2019, which Metro Bank signed up to. It did not elaborate on why it does not intend to introduce CoP, but says the voluntary code gives customers significantly increased protection against authorised push payment scams.
Amid concerning reports of banks failing to follow the code’s rules around reimbursing blameless APP scam victims, Which? is concerned that a voluntary approach to ensuring victims are treated fairly is no longer viable.
The next set of UK Finance figures on bank transfer scams is due for release in the coming days. It should show an increase in the amount of money being reimbursed to victims of bank transfer fraud, as banks signed up to the code begin implementing the greater protections it offers.
Which? believes the code and CoP should be made mandatory and that the government must consider directing the PSR to ensure all banks are signed up. The consumer champion is also encouraging all consumers to put pressure on their bank to sign up to both the code and CoP.
Gareth Shaw, Head of Money at Which?, said “The UK has been in the grip of a fraud crisis for years, but new security measures offered by the banking industry should finally give people better protection against increasingly sophisticated fraudsters.”
“At the end of this month, we should get a true sense of how well the industry is tackling the issue. It is vital for all banks to commit to basic name-check security, and the whole industry should sign up and follow through on the protections offered by the scams code.”
“If the banks fall short of making these commitments themselves, these initiatives must be made mandatory by the government.”
Responding to Which?, Chief Executive of UK Finance Stephen Jones said “The banking and payments industry is wholly committed to defending its customers from authorised push payment (APP) fraud and stopping stolen money going to criminals. The APP Code, developed on a voluntary basis by the larger firms together with consumer groups, has established stronger customer protection standards and meant more victims are receiving compensation.”
“However, a voluntary agreement alone is not enough and we share the view expressed by Which? that issues of liability and reimbursement would best be addressed by new legislation. Both the government and regulators must also urgently consider how customer data breaches and vulnerabilities in other sectors such as telecoms and social media are facilitating fraud, as part of a holistic strategy to protect consumers from harm.”
“While not currently mandatory under the Code, Confirmation of Payee is a major technical change to digital payments and another important tool in the fight against fraud. It is one of a range of measures used by the industry to help combat fraud, which include investing millions in sophisticated security technology, working with law enforcement to prosecute the criminals responsible and raising awareness of scams through the Take Five To Stop Fraud campaign.”
Peter Janes, Founder & CEO at Shieldpay, said “The runaway train, that is fraud in the UK, only continues to gain speed as banks fail to take firm action. Consumers are losing hundreds, and in some cases thousands, of pounds of their hard-earned money. These sums are life-changing and it is simply not good enough. The industry has to do more to protect people, as the fraudsters show no signs of slowing down.”
“Measures, like confirmation of payee, will help but there is not yet an industry-wide consensus on its implementation, which is disappointing. The adoption of increasingly sophisticated technology which fully verifies identity, and raises red flags about past transactions, must be made compulsory for banks. Only this way will we be able to prevent millions of people becoming victims.”