Which? is concerned by early signs that some of Britain’s biggest banks are refusing to reimburse blameless victims of devastating transfer fraud, despite the introduction of new industry standards intended to protect fraud victims.
Banking customers lose life-changing sums every day through bank transfer scams – with Which? even hearing from a victim who lost £500,000 through his restaurant business.
It was hoped that the introduction of a voluntary industry code in May 2019 would ensure that all blameless victims get their money back, finally reversing the trend of people being left out of pocket.
But Which? has heard from a number of people who say they have been denied reimbursement unfairly – with a worrying trend emerging of banks relying on fraud warnings to justify not refunding customers. These decisions from banks fly in the face of the voluntary code most banks have signed up to, which pledges to reimburse all blameless victims.
It is now much more common for online or mobile banking customers to see fraud warnings when transferring money, as banks seek to meet new code standards by introducing a range of different features aimed at making a customer think twice about whether they are being scammed.
However, a Which? survey found that almost half (49%) of people are not even aware that new fraud warnings had been introduced by banks – further evidence that victims should not be arbitrarily turned down for reimbursement because they have “ignored warnings”.
Case study – Michelle, 38, London
Which? spoke to Michelle, 38, who lost almost £33,000 after responding to a text message about a ‘suspicious payment to Airbnb’ in August 2019. It appeared to come from Lloyds Bank’s usual phone number, sandwiched between two genuine messages, so she called the number supplied. Over the course of an hour Michelle was persuaded to transfer her money to a new account, in the belief that hers had been hijacked by criminals.
Lloyds says although it has sympathy for Michelle it will not reimburse her, on the grounds that she ‘did not take sufficient steps to verify that either the text message or the person she spoke to on the phone were genuine’, and that she authorised the payments despite receiving ‘specific warnings’ stating that Lloyds would never ask a customer to move money to other banks.
Michelle had no reason to believe the text was fake, and Lloyds is yet to explain the ‘sufficient steps’ she ought to have taken. And, while she did notice an online warning about fraud when she made the first payment, the criminal on the phone was able to quickly dismiss her concerns.
She said: “It was very urgent and compelling. My two-year-old daughter was running around while I was on the phone to them for an hour. I saw the warning about Lloyds never asking me to move money into a safe account and flagged this over the phone. They assured me that these were not “safe” accounts but “new” accounts.”
Which? has advised Michelle to escalate her case to the Financial Ombudsman Service.
Which? – working with two leading academics – also analysed the effectiveness of banks’ fraud warnings, to establish whether they are adequately ‘understandable, clear, impactful, timely and specific’ – as set out in the code.
The experts raised concerns about elements of the warnings from some of Britain’s biggest banks.
One researcher voiced concerns over the ‘generic’ messages displayed by First Direct, HSBC, Lloyds, Natwest and Royal Bank of Scotland. Petko Kusev, from Huddersfield Business School, said that it was perfectly rational for customers to ignore generic information when conducting bank transfers.
A second researcher, Patrick Fagan from Goldsmiths University, suggested that some warnings can come too late, as once people have already been targeted by scammers they typically commit to seeing the action through. Mr Fagan suggested that banks use targeting and personalisation to make these warnings more persuasive.
Which? supports the introduction of fraud warnings as an important defence in preventing scams. However, Which? believes that banks must prove their fraud warnings are fit for purpose and should not be used as a means to simply deny reimbursing blameless victims. If a bank can’t prove its warnings are effective then the customer should not be deemed at fault.
The consumer champion also wants the industry code to be made mandatory for all current account providers as many providers still haven’t signed up to the vital fraud protections.
Jenny Ross, Which? Money Editor, said: “People are losing life-changing sums of money every day to devastating bank transfer fraud – so it’s shocking that some current account providers still haven’t signed up to offer their customers vital protections.
“All banks must prove that their online warnings are up to scratch – especially if they are denying victims reimbursement, as we’ve seen in some cases.”
The consumer champion put banks’ fraud warnings under the spotlight, and found:
-
Asking customers to tick a box to confirm they have understood the warning could prove more effective than warnings that take consent for granted.However, Which? believes this is still a low bar for establishing consent.
-
Nationwide’s ‘STOP AND THINK’ message ahead of a transfer was deemed to be effective at providing customers with concrete, clear imperatives.
-
Which? is critical of HSBC’s approach that gives customers the option of hiding warnings, raising the likelihood that customers might not see them at all.
-
Meanwhile, customers could easily miss important wording and rush through a transfer if it is towards the bottom of a screen, such as First Direct’s warning.
Banks that have not signed up to the code:
Bank of Ireland, Citibank, Clydesdale and Yorkshire Bank, Danske Bank, First Trust Bank, Monzo, N26, Tesco Bank, and Virgin Money. Although TSB is not a signatory of the code, it promises to reimburse all victims of fraud under its ‘Fraud Refund Guarantee’, launched on 14 April 2019.
The Lending Standards Board is responsible for overseeing the new voluntary code and assessing how firms are implementing the standards set out in the code.