Banks will start refunding victims of so-called ‘authorised push payment fraud’ under a voluntary code. The code comes into force from 28 May 2019.
Here, we explain how the new code will work and what will change.
What are authorised push payment frauds?
An authorised push payment fraud is when a bank customer unwittingly gives permission to a fraudster to take a payment from their bank account. These authorised push payment frauds occur when a fraudster convinces someone that they’re a genuine supplier (such as a solicitor, computer help specialist, builder or trader) or that they can help you avoid fraud on your account.
Banks have taken the view that because the customer has authorised the payment, they and not the bank should bear the loss. This is the case even when the customer has been convinced by a very plausible fraudster to make the payment.
It has to be said that banks have repaid some victims of these frauds, but it’s been hit and miss. Some banks have been better than others and taken a more compassionate view.
Banks that aren’t signed up to the new code may not refund people who’ve unwittingly authorised a payment to a scammer.
What does the voluntary code say?
Banks that sign up to the voluntary code will commit to refunding customers who’ve had money stolen on or after 28 May. The banks have to:
- Protect their customers from authorised push payment fraud. They’ll have to make sure they have procedures in place to detect and prevent this fraud. If customers are identified by the bank as vulnerable, the bank will have to have more protection in place. If a family member is vulnerable, perhaps because they are in the early stages of an illness like dementia, ask them to tell the bank or tell the bank on their behalf. That way the bank will be obliged to take extra care. Banks will have to identify vulnerable customers themselves, through behavioural analytics etc, but if you tell them yourself, you know they’re aware.
- Delay payments where they suspect APP fraud is being committed. The payment shouldn’t be made while the bank investigates whether or not fraud could be involved.
- Prevent accounts from being used to launder the proceeds of advanced push payment fraud. One of the problems at the moment is that once the fraudster has stolen the money, they clear out the account they pay the stolen money into very quickly. In the past banks that have processed this stolen money have been reluctant or unable to help fraud victims.
- Freeze payments if they think there’s been a fraud. Banks also should do adequate checks when someone opens an account.
- Refund money that’s been stolen, where neither the bank nor the customer is to blame for the fraud. Before the code came into force, banks would only refund customers if they (the bank) was at fault. This code does change things, but it doesn’t mean everyone will get refunded. If the bank thinks you’ve been negligent, you probably won’t get your money back.
When won’t you get refunded?
You may not get refunded in the following circumstances:
- If you ignored warnings from the bank, for example – a message on your mobile banking app not to make the payment if it was the result of a cold call. These warnings typically appear when you set up a new payee, or amend details of an existing payee. Your bank may also contact you once you’ve made the payment to check that you definitely wanted to pay them.
- If you made the payment without ‘a reasonable basis for believing that’ you were paying the person you expected to pay, or were paying for goods or services that were genuine, or that the person you were paying was genuine. This feels like it gives the banks a reasonable amount of wriggle room. I do hope they don’t use it, but it doesn’t instil me with complete confidence, to put it mildly.
- Banks must take into account the ability of the person to make the decision at the time they make the payment. So, for example, the bank must take into account someone’s vulnerability – such as dementia or a learning disability. However, they must also take into account how familiar someone is with online banking. If they’ve never made an online banking payment before and a fraudster tricks them into transferring money to their account, they may be treated differently to someone who regularly banks online.
When will you get your money back?
The bank should make a decision about whether or not to refund your money quickly and generally no later than 15 business days (three weeks) after the APP fraud occurred. In some cases, this can be extended to up to 35 days (seven weeks). Once the bank has decided that it will refund you, it should pay out the money quickly.
If the bank says it won’t refund your money, you can complain. Normally banks have up to eight weeks in which to look into complaints. However, in this case it will be up to three weeks (15 business days) or seven weeks (35 days) in some circumstances.
If you’re not happy with the bank’s response, you can then complain to the Financial Ombudsman Service.
Which banks will do this?
The code is voluntary so only banks that have signed up to the code by 28 May will commit to offering these refunds. The banks that have signed up to the code so far include:
- Bank of Scotland
- Barclays
- Carter Allen
- First Direct
- Halifax
- HSBC
- Intelligent Finance
- Lloyds Bank
- M&S Bank
- Metro
- Nationwide Building Society
- NatWest and RBS
- Santander (includes Cahoot)
- Starling Bank
- Ulster Bank
Are the banks doing enough?
At the moment you only have to put in the sort code and account number of the person you’re paying. The banks are due to introduce something called ‘confirmation of payee’, which means that they will have to match the name you put in, as well as the sort code and account details. This was due to come into force in July (2019), but has been delayed until sometime in 2020.
What is TSB doing?
A few weeks ago, TSB announced that from 14 April 2019, it would refund its customers who are defrauded. The bank will pay them back if money was taken fraudulently (as banks have to do currently) and if they were tricked into paying a thief who they thought was genuine. It launched its Fraud Refund Guarantee, which TSB says will pay out if customers contact the bank on 0800 096 8669 (or on the number on their card):
- TSB will still investigate the fraud claim, including what happened and how it happened. TSB says this is so it can tell the customer and ensure they’re protected from future fraud.
- TSB will not repay losses due to fraud committed by an individual on their own account. Customers who abuse the Fraud Refund Guarantee, for example by repeatedly ignoring account safety advice, may not get money refunded in the future.
- TSB will not refund losses for retrospective claims; the Fraud Refund Guarantee applies to fraud losses incurred on or after Sunday 14 April 2019.
- The guarantee covers authorised and unauthorised transactions for claims meeting the criteria. For authorised transactions the guarantee is limited to £1 million for each claim.
- The fraud guarantee will also cover any new customers joining TSB from 14th April.
TSB says that the voluntary code that many of the high street banks have signed up to doesn’t go as far as its own Fraud Refund Guarantee. TSB says that its own refund guarantee will pay out in these situations when the banks’ voluntary code does not:
- If a customer has been socially engineered into resetting their login details or withdrawing money from a branch and handing it over to fraudsters.
- If a customer’s account has been taken over after they gave access away to a fraudster without realising.
- If a customer has been negligent and handed over memorable information to the fraudster.
- In cases of push payments, where warnings are displayed to the customer, but they authorised the payment regardless, they will get a refund.