ne of the messages that we hear from the banks is that they are investing millions of pounds in detecting and preventing fraud, but have they done enough, and are they doing the rights things?
If either your bank (the sending bank) or the bank where you inadvertently sent the money to (the receiving bank) did not do enough to prevent, or respond to, an alleged authorised push payment fraud, then you have the right to make a complaint to the Financial Ombudsman Service. (FCA Handbook, DISP 2.7.7).
So what could and should the banks have been doing in the last 10 years?
This is my ‘Top 10’:
Lots of people that I speak with believe that when they make an electronic payment the bank uses the Sort Code, the Account Number and the Account Name to send the money from their account to the Payee’s account (i.e. to the person that they want to send the money too).
Since 2008 when the Faster Payment System (FPS) was introduced the banks have relied on just the Sort Code and the Account Number. They ignore the Account Name. It is not used. It is not checked. Even when you do a CHAPS payment or a BACS payment and fill in the Payee name on the form, the banks don’t check it if the Sort Code and the Account Number are OK.
Let’s say, for example, that you are having building work done on your home and ‘Bob the Builder’ sends you his invoice for £20,000. You create a new Payee with the name ‘Bob the Builder, and what you think are his Sort Code and his Account Number. But if the email had been intercepted, or wasn’t actually sent by Bob, then the Sort Code and Account Number could belong to ‘Sam the Scammer’. You have no way of checking that the Account Name is correct (well at least not until sometime in 2020) and the banks don’t check it for you, so you could easily pay your £20,000 to the wrong person.
A new system called ‘Confirmation of Payee’, which will allow account holders to check the name of the receiving account before making the payment, was due to be introduced in July 2019 but is now promised for sometime in 2020.
In my view the failure to develop a Confirmation of Payee system over the last 10 years is one of the most serious failings by the banks in the last 10 years.
CoP is not the ‘silver bullet’ that will prevent all APF but it will make a huge difference, and it should have been done years ago.
Is our ‘high speed world’ too fast for our own good?
Are there things that we should slow down - just a little?
A very large proportion of bank fraud happens within 24 hours of a new Payee being created. The reason is simple. If a fraudster wants to get money from your account to his then one of the first things that has to happen is the creation of a new Payee with the fraudsters bank details.
The second thing that happens is that the fraudster will find a way of moving as much of your money from your account to his as quickly as possible before you realise what is happening.
So let me ask you a question. Just pause before you answer it.“When was the last time that you made a payment of more than £500 to someone that you had never paid before and did not have the Payee’s account details at least 24 hours before they needed the money?”
Paying your builder? Does he really need your payment the same day that he sent you the first invoice? He could have sent you his details a few days earlier and you could have create the Payee details even before he sent you the invoice.
Deposit on a house purchase? The solicitor should give you their details in writing (not by email) as soon as you engage them, along with a commitment to not change them during the period of the purchase.
Moving your money to a ‘safe and secure’ new account? Your bank will NEVER ask you to do this but the fraudster needs you to do it immediately, before you realise that you’ve been scammed.
So, what would you say if your bank offered you the option, today, of saying that: “in future no high value payments (totalling over say £500) should be released from your account to a new Payee until a clear 24 hours after the new Payee was created”?
It is just possible that at some point in the future this might be mildly inconvenient – but then think back to your answer to my earlier question. If you’ve paid this person before – no need for a delay. If it’s a small amount – no need for a delay. It’s only about the first high value payment to a new Payee.
On the other hand I could introduce you to a long list of people who have lost life-changing amounts of money because FPS allowed instant high-value transfers.
What do you think now?
When you phone your bank they make you go through a security process so that they can be sure that you are who you say you are, but they do nothing to prove who they are. This is just not right!
Fraudsters are incredibly clever at pretending to be your bank so we need a process by which you can be sure that it is your bank that you are talking to.
There is no simple answer to this challenge but I suggest a three-step process.
- Your bank asks you for 2 digits from a secure number that should only be known to you and your bank.
- Your bank asks you which 3 digits you want them to give you from a secure word that they hold against your account. You will have chosen the word and given it to them when the account was created.
- Your banks asks you for 3 digits from your security word.
There are other hi-tech based solutions that could be developed but this would, in my view, be a significant improvement on the ‘no-proof’ scenario that we have now.
This issue cannot be resolved by the banks on their own, but they should have been putting pressure on the telecomm companies to deliver a solution.
The ability for a company to disclose a single central phone number that people can recognise and call back, irrespective of where in the business the call originated from, is important, but ‘spoofing’ is now such a serious problem that it needs an urgent solution.
Whilst recognising the importance of making bank accounts available to everyone, including those who have either recently arrived in or are only temporarily resident in this country, it is vital for the banks to improve their account opening procedures and record keeping.
For example, a temporary resident from an Eastern European country (who was welcome here to do the important job of harvesting fruit and vegetables) presented an ID card and a utility bill to open an account.
The bank failed to spot that the utility bill was fraudulent.
They could have phoned up the utility company and asked if they provided energy on a specific account number, to a named person at a specific address, but they didn’t. If challenged they would probably have said that the utility company could not have confirmed the details due to ‘data protection’.
This is all wrong!
All that the bank had to do was to find the correct number for the company, phone them, hand the phone to the person seeking to open the account, they give permission for the company to speak to the bank and all is well – unless the person was presenting fraudulent documents, in which they would probably have left the bank in a hurry.
And if the authenticity of an account is challenged then the banks should be able to provide high quality copies of the account opening documents to assist in Police investigations.
When questions are asked about accounts being used to process stolen money one of the common responses from the banks and from UK Finance (the bank’s ‘trade body’) is that these are ‘mule accounts’ that are opened legitimately and then used for fraudulent purposes.
They will say, and I don’t disagree, that many of these accounts are opened by students and young people (aged 16-25) which makes it difficult to spot when they are used for fraud.
Isn’t it about time that the banks developed effective account profiling and then monitored each account against its own profile?
If someone came to the UK as a temporary worker and declared an expected income of £17,000 why did the bank not spot it, and stop it, when he received £8,700 into the account a few days later?
If a student account receives more than say £5,000 in a single month then isn’t it time to invite them to visit their local branch and explain where it came from. I congratulate one bank who stopped a £100,000 fraud by doing just this. When will the others catch up?
But I must also express a note of caution. One of the people that I have assisted to resolve a dispute with their bank recently had their small business account frozen while the bank did an investigation. They were told it could take up to 10 days, and they were given no explanation for what was happening. We think that it was because he had received a single payment of a higher than average value from a new customer and the bank had concerns about possible money-laundering. Fine, but why freeze the whole £50,000 in the account and stop him from paying suppliers, employees and his VAT, when they could have just frozen the £10,000 that they were concerned about?
One of the very common comments that I get from people who come to me for advice is: “Why didn’t the bank stop the payment because it was clearly exceptional?”
This is one point on which I do have some sympathy for the banks.
What is “exceptional”?
I don’t pay £1,000’s to a holiday company very often, but I don’t want it stopped when I’m trying to make a booking. Paying by debit card, using chip-n-pin in the travel agent is often a great way of doing this.
It’s even more unusual for me to spend £10,000 on buying a car, and I might be upset if the bank challenged the payment? So ask the dealership for their account details and pay a small deposit to validate the Payee details in advance of collecting the car.
But when Lisa made 14 payments of £20,000 to a new Payee in the space of a few hours THIS was clearly exceptional and should have been challenged! The bank did ultimately refund it, but only after a heavy-weight challenge.
So, if it’s difficult for the banks to address this without upsetting us by repeatedly challenging payments that we want to make then how can we be better protected? Confirmation of Payee will be big step forward (and is years overdue). Authorised Payment Delay is something that I would opt for – even though it might mean being a bit more organised.
My own policy is never to make a high value payment to any new Payee without first doing a low value ‘validation’ payment. I create the new Payee, send them a random amount of less than £1 and then phone them (don’t email them) to confirm the amount I’ve just paid. This also makes it so much easier when you come to make the big payment.
This is an issue that annoys me, probably more than it should, but I am so frustrated that I can’t see any evidence of the banks doing something that is really very simple.
The police have limited resources to investigate bank fraud.
If I inadvertently pay £10,000 to the ‘wrong’ account, then unless there is some really good evidence for the Police to pursue as a line of enquiry, I don’t expect the Police to investigate it.
But if 20 people all fall victim to the same scam and the receiving (fraudster’s) account gets £200,000 paid into it, even if this is over a period of days, then I would expect the Police to investigate – only they don’t appear to know that it has happened.
If every time a customer reported a fraud to their bank, no matter whether it was large or small, the bank uploaded the details of the Payee’s account into a central database then it should be possible to identify the banks, the individual branches and the specific accounts that are receiving the stolen funds and this would surely assist the police in focussing their investigations.(If this is actually happening, but is being done without us knowing about, then please tell me and I will happily remove this point from my list.)
It concerns me when people come to me for advice or help and they tell me that the Police have to go through a whole process of applying to the court for a Court Order in order to get important information about the (fraudulent?) account into which they have inadvertently paid their money.
Is this just another case of over-application of ‘data protection’ or are the banks reluctant to share important information, such as account opening documents, because they don’t want their processes put under Police scrutiny?
It cannot be acceptable for the Police to have to spend so much time going through a court process that by the time they can access important information such as CCTV footage it has already been erased.
But let us not forget there is another, and wholly more positive side to this point.
The good news is that banks and police forces have joined forces to fight back against a particular type of fraud through a ground-breaking rapid response scheme called the Banking Protocol. This industry-wide initiative, developed by UK Finance in partnership with National Trading Standards, trains bank branch staff to spot when someone is about to fall victim to a scam and try to prevent them from withdrawing cash to give to a fraudster. The bank staff can request an immediate police response to the branch to investigate the suspected fraud and catch those responsible.
So how about the banks and the Police developing a new ‘Mule Protocol’? If a bank suspects that a high value payment into a student account is suspect then they invite the student to come for an interview, and they invite the Police to attend as well.
If you are the victim of a fraud and your bank (known as: the payer’s payment service provider) is unable to recover all of your money from the (fraudulent) account then the other bank (known as: the payee’s payment service provider) must provide you with enough information to allow you to take legal action against the account holder of the account where you sent the money.
But I have been told by people who have tried to do this that the banks are somewhat reluctant to disclose this information.
This appears to be a case where the banks are ‘using’ data protection as an excuse for not disclosing information that they are required to disclose under the Payment Services Regulations 2017 (PSR2017), which came into effect in mid-Jan 2018.
Yes, I know that they have to perform a difficult balancing act but PSR2017 is quite specific, and it says what it says for a very good reason. It is written to allow the victim to pursue the account holder of the account where they inadvertently sent their money.
PSR2017 Regulations 90(3) and 90(4) say:
(3) The payee’s payment service provider must co-operate with the payer’s payment service provider in its efforts to recover the funds, in particular by providing to the payer’s payment service provider all relevant information for the collection of funds.
(4) If the payer’s payment service provider is unable to recover the funds it must, on receipt of a written request, provide to the payer all available relevant information in order for the payer to claim repayment of the funds.
This is explained in a document that is issued by the Financial Conduct Authority (FCA) which says:
8.293 If the payer’s payment service provider is unable to recover the funds and the customer provides a written request, the PSP must, under regulation 90(4) of the PSRs 2017, provide to the customer all available relevant information in order for the payer to file a legal claim for repayment of the funds.
8.294 We would expect the relevant information provided pursuant to regulations 90(3) and (4) of the PSRs 2017 to include the payee’s name and an address at which documents can be effectively served on that person.
There is a framework letter on the resources page if you want to write to your bank for this information. Note: you write to your bank, not the receiving bank.