Authorised Push Payment (APP) scams are where consumers are tricked into transferring money to a seemingly genuine account but it is in fact controlled by a fraudster.

Under a voluntary code launched in May 2019, a number of banks and building societies committed to reimburse customers where the scam falls under a ‘no blame’ scenario for both the provider and saver.

However, analysis of bank transfer statistics since the start of 2017 by campaign group Which? revealed sums lost to this type of fraud now stands at £1.2bn. Further, £97m could have already been lost in the first three months of 2020.

It said the payments regulator and banks have been slow to introduce much-needed protections for consumers and suggests a third of losses since 2017 (£320m) could have been prevented if a simple system of checking names on bank transfers had been in place during this time.

New fraud prevention measures

A new measure called Confirmation of Payee (CoP) is due to be introduced by most of the UK’s major banks by the end of March which should reduce the amount of money lost to APP fraud.

It checks a recipient’s name and matches the account details held for them, helping to stop fraudsters from posing as a bank or solicitor, tricking people into making payments.

However, the Payment Systems Regulator (PSR) has only directed the biggest six banking groups to sign up to CoP by 31 March.

Which? said some banks are not committed to introducing the protections on time, or even at all,

RBS Group (including Royal Bank of Scotland, NatWest and Ulster Bank) and HSBC (including First Direct) were unable to confirm a specific date when asked if they would be ready by the regulator’s deadline.

Lloyds Banking Group is ahead of the pack, implementing CoP from 2 March for Bank of Scotland customers, before rolling it out to Halifax and Lloyds customers this month.

Of the banks that haven’t been directed by the regulator to sign up, several said they plan to deliver the system by the end of the year.

However, Metro Bank told Which? it had no current plans to implement CoP at all – despite this being a requirement of the voluntary code which Metro Bank signed up to.

Mandatory not voluntary protection for consumers

Which? added that a voluntary approach to ensuring victims are treated fairly is “no longer viable” and calls for the APP code and CoP to be mandatory.

Gareth Shaw, head of money at Which?, said: “The UK has been in the grip of a fraud crisis for years, but new security measures offered by the banking industry should finally give people better protection against increasingly sophisticated fraudsters.

“At the end of this month, we should get a true sense of how well the industry is tackling the issue. It is vital for all banks to commit to basic name-check security, and the whole industry should sign up and follow through on the protections offered by the scams code.

“If the banks fall short of making these commitments themselves, these initiatives must be made mandatory by the government.”

Stephen Jones, chief executive of banking trade body UK Finance, said: “The banking and payments industry is wholly committed to defending its customers from authorised push payment (APP) fraud and stopping stolen money going to criminals.

“However, a voluntary agreement alone is not enough and we share the view expressed by Which? that issues of liability and reimbursement would best be addressed by new legislation.”