The consumer champion is calling for the industry reimbursement scheme to be made mandatory.

Which? found that some banks were regularly blaming customers for missing warnings or not doing enough to realise that they were being scammed, as reasons to deny people reimbursement.

What is authorised push payment fraud?

Authorised push payment fraud is where someone tricks you into sending them money from your account. They often do this by contacting you via phone, email or social media and pretending to be someone else – such as your bank, a contractor, a conveyancing solicitor, or the police.

A voluntary industry code to protect consumers from this type of fraud came into effect on 28 May 2019. The code offers increased protection from scammers, including reimbursement to blameless victims.

However, not all banks have signed up and those that have are not treating customers consistently.

Which?’s findings

The group’s findings are revealed in a dossier of case studies that highlight the experiences of some of the 150 consumers who have been in contact with Which? since the code was introduced last year.

The code is based on the fundamental principle of fully reimbursing those who have lost money to criminals through no fault of their own.

However, in many examples scrutinised by the consumer champion, firms were unfairly rejecting decisions that met this criteria, leaving people thousands of pounds out of pocket.

Different ways of applying the rules

While Which? found some examples of good practice, it established several areas of concern relating to the way some banks were applying the rules. It believes these faults go some way to explain the low figure for reimbursement under the code, which currently stands at just 41%.

It found banks are relying far too heavily on their own judgements that customers ignored warnings, or have unreasonable expectations of the steps that customers should have taken to verify that the payment was legitimate, as reasons to deny customers the chance of getting their money back.

These denials occur even in instances of highly sophisticated scams where a fraudster was able to quote financial and personal details, or when criminals use manipulative tactics to pressure customers into making a transfer over days or even weeks.

Bank fraud examples

In one example a Lloyds Bank customer had £33,000 stolen after falling victim to a number spoofing scam.

The bank told her that it would not reimburse her because she did not take “sufficient steps” to verify that the communications were legitimate, despite not yet providing any explanation about what these steps should have been.

In another example, Nationwide initially only offered partial reimbursement to a customer who was scammed out of £4,000 after his builder’s email account was hacked.

This was despite the bank admitting that it had failed to provide adequate warnings to the customer before the payment was made – though it did eventually provide a full refund.

Vulnerable customers

There are also concerns about how banks manage cases where a vulnerable customer has been scammed.

Which? heard from one customer who was defrauded out of £20,000 while undergoing extensive medical treatment. Santander initially refused reimbursement, on the basis that she confirmed that she had read the fraud message and was comfortable to continue with the payment

This is despite the code providing a greater level of protection for customers who are identified as vulnerable, who should be reimbursed regardless of their actions. Santander returned the money after intervention from Which?

Recommendations for improvement

Following its analysis, Which? has set recommendations for improvement ahead of a review of the code by the Lending Standards Board, which is currently responsible for it.

Which? recommends that:

• Banks must demonstrate that its scam warnings are actually successful at reducing the likelihood of a fraud succeeding.
• Scam warnings should be subject to much more rigorous testing and customer feedback.
• Banks need to take a more realistic approach when it comes to making reimbursement decisions based on whether the customer could have done more to verify whether a payment is legitimate.
• The scams code should be made mandatory.
• All payment service providers should be obliged to submit data on the number and level of bank transfer fraud and reimbursements.

“A total lottery”

Gareth Shaw, head of money at Which?, said: “The scams code is a landmark milestone in the fight against fraud, but our analysis has found clear issues with how banks are meeting its core objective of reimbursing blameless people who have lost money through bank transfer scams.

“Even as this type of crime continues to surge, the lack of fairness, consistency or transparency across the industry means that the chances of people getting their money back is often a total lottery.

“A voluntary approach to tackling bank transfer fraud has failed. Banks, regulators and government must work together to make the code mandatory and ensure that strong standards on reimbursement are introduced.”