Banks will have to repay bank transfer scam victims under new law
Plans are in motion to force all UK banks to reimburse victims of authorised push payment (APP) scams, marking a landmark win for scam victims.
What is changing?
The Payment Systems Regulator (PSR) announced today that the UK Treasury will make the necessary legislative changes to provide for mandatory reimbursement for scam victims. In its latest consultation, open until 14 January 2022, the PSR has also set out various proposals so that it is ‘ready to act as quickly as possible’ when the law is changed:
Publication of fraud data by banks: banks and building societies in the 12 largest banking groups in Great Britain plus the two largest banks in Northern Ireland outside those banking groups, must publish data on their performance in relation to APP scams. This must include reimbursement levels for victims, and which banks and building societies’ accounts are being used to receive the fraudulent funds.
Improve scam prevention: the industry will improve intelligence sharing to enhance detection and prevention of APP scams.
Reimbursing victims: developing how best to make reimbursement mandatory to victims of APP scams once legislative changes have been made.
Full article is available from Which?, the UK’s equivalent to Choice.
There is little detail available on the thinking behind this move or how it might work. They say that authorised direct payments to fraudsters should be treated like card fraud.
In the case of card fraud it is reasonably clear to me who is responsible: if the card holder does not authorise the payment then the bank has paid out an unauthorised transaction and is responsible. It is their fault if the operation of the system allows payments to be made without the card holder’s permission. This is equivalent to paying out on fake cheques where the bank does not verify the signature.
In the case of an authorised payment going to a fraudster it is less clear that the bank and its systems bear responsibility. Aside from the philosophical questions there are practical ones.
Who decides which transactions are to be reversed and how do they decide? Where do you draw the line between payment for a non-existent good or service and change of mind over those that might be of questionable value? Consider the situation where the good is real and is delivered but the price is excessive for what it does - take the example of the Pete Evans magic machine and detox foot wraps.
Until I hear how these issues will be dealt with I reserve judgement.
On the face of it, it doesn’t address the underlying problem. It merely changes who the victims are.
If it really worked the way credit cards do then it could spread the cost of fraud across all users of the banking system, in higher fees and charges, to the benefit of course of the direct victims of the fraud (and the detriment of everyone else).
Indeed. It’s a consultation not legislation - so Australia should most definitely not follow the UK.
One question in my mind is: what is the standard of proof to claim a scam? In other words, maybe the anti-scam becomes the scam.
Getting everything right with this kind of legislation is challenging no doubt. In the UK this campaign was first mooted in 2016 so it’s taken 6 years to get it to this point. I trust that those questions you have would’ve been addressed in this proposed legislation.
The scams that have become more sinister and widely spread during these last 2 Covid years in particular are those that have brought matters to a head. One very good example of this is the Chinese organised crime inspired Sha Zhu Pan or “Pig Butchering” scam.
The evidence shows clearly that the Banks are simply not doing enough to protect the public from these criminals. They are still too easily able to access the electronic banking system and exploit it to profit from their criminal activities. This is due in no small part to the ineffective application of and compliance with KYC, CDD, and AML rules that were supposedly strengthened in the aftermath of the Royal Commission into Financial Services back in 2018. Their systems around the opening of accounts (especially for business practice), regular required auditing, and the monitoring and reporting of frequent and large foreign bank transfers, demand far more scrutiny in order to reduce the impact of these insidious money laundering crimes on innocent victims.
That could leave the “victim” out of pocket for years though.
The government doesn’t necessarily even want to go after a money mule, since they are low level grunts, and potentially even unwitting. So let’s say that the government takes no action against the money mule in order to keep the money mule under surveillance, in order to penetrate further into organised crime and get to the Mister Bigs.
The number of complicating what ifs would be an open ended discussion. Reality appears that the UK government is discussing something, more than our own seems to be doing, and since the UK is out front, waiting to read their legislation if it comes to pass is a logical step to get some answers. I doubt our government would run around that of the UK to take a lead.
One might give the UK ‘discussion’ some credibility since Which? is behind it or contributing to it as something achievable to improve protection from the target scams, even if not perfect.
The counter argument is that all of us benefit from being able to access and use electronic financial systems. As consumers we’ve accepted (some might disagree) the continual reduction in access to any other form of payment systems. We’ve been encouraged to do so. And we all share the same risks.
The providers of the services actively promote their products, and their integrity. They take little responsibility for educating their customers or assisting consumers to reduce the risks IMO. It is inherently a flawed product lacking integrity where the providers allow consumers without adequate knowledge and ability to enter into risky transactions. The industry has the ability, if it so chooses, to control who it allows access to accept payments.
It’s too easy for the financial businesses involved to blame the consumer for something they, the industry, have created. It may be complicated for some to accept. There are many who regardless take profit from the misfortune of consumers caught in the scams. From the banks to the internet …
Even so, measuring whether the legislation is successful at all would seem to be a pre-requisite for Australia to follow, rather than blindly following.
For sure. It is not entirely clear that it is the role of a bank to educate people. I think you can equally well argue that it is the role of government to educate people.
The main goal that I would advocate for is to reduce risk (and reduce fraud). Education is a part of that. Other measures could be part of that.
Just changing who the victims are is not a solution.
One thing that banks could do is make 2FA mandatory for all internet transactions over $X, where the customer gets to choose X and the default is relatively low e.g. 100.
My bank has effectively made having 2FA mandatory but unfortunately it does not seem to have triggered yet on any transaction that I have carried out since it became mandatory i.e. when doing internet banking transactions it has not so far challenged me to enter a code that would be obtained via the second factor.
What other changes could be made that would reduce risk and fraud?
Do we want automatic delay on any internet transaction over $Y for personal accounts (but not for BPAY?)?
Not in this instance. The Banks are businesses.
As consumers we have the choice to make and hold them accountable. It’s side-stepping the responsibilities they have to their consumers, to suggest it’s someone else’s problem. The banks take their profits even through fraudulent transactions. Are they victims? Only if legislation fails to hold them accountable?
It’s interesting that Govt insists on banks being accountable for fraudulent transactions when it comes to money laundering. There have been some massive fines imposed (compared to average consumer wealth) on the banks for being the agents.
Isn’t it actually the case that the bank is fined for failing to meet its legal obligations rather than for being an innocent party to a potentially (not actually) illegal transaction?
In other words, as long as the bank is doing what the law requires it to do, it doesn’t matter whether money launderers are laundering, and terrorists are being financed.
In other words, it encourages a tick-a-box mentality.
In that sense, the above proposal is the exact opposite. It imposes no specific requirement to do anything to prevent fraud but makes the bank financially responsible for the fraud (an approach by government that would be completely immoral if applied to e.g. terrorism).
Maybe the above proposal is really the UK government giving up on the approach it has taken with AML/CTF (assuming that their regime is similar to ours).
It is the case that some of our major banks and at least one major casino operator got into trouble, not for money transfers as such, but because they failed to report the transfer to Austrac. This was almost entirely due to computer system failures to have the Austrac reporting rules in place.
Very true, and could make individuals more likely to follow a scam knowing that the risk of their decision lies with the bank.
The ACCC seems to be focusing on the source and may be taking Facebook on for knowingly allowing scammers to use the platform to perpetuate their scams. Blocking and closing down scammers as soon as they are known has a chance at solving the problem; passing on the responsibility to the banks only increases the likelihood that scams will be more successful.
Yes, unless somebody can show how the banks can take this problem and solve it the cost would be passed on to the banks’ customers and we would all pay for it. I see nothing to show how the banks can solve it so far or that it is their responsibility to solve.
If that is how it works out we then have the prospect of a perverse outcome when the individual is no longer responsible because the bank will make good their losses and consequently the individual takes less care of their money. So instead of the problem being reduced it increases.
The Which? organisation made a ‘Super complaint’ in 2016 which is here. My reading of it is that it does not address any of the important questions properly and assumes that banks have the power to deal with it. They also provide arguments as to why customers should not be held responsible which do not stack up to me.
The more I read about this scheme the less I am impressed.
This plan would only cover banks in the UK. So which bank is responsible for paying back the scammed party? Seems to me that the responsibility should be with the bank hosting the scammer’s account. But that could be anywhere.
Do UK banks just block APPs to destinations outside the UK? Hardly.
Do the banks impose a payment charge on all APPs to provide a source of funds to compensate the scammed?
As usual, the detail in any legislation will reveal the extent of exemptions, exceptions, legalese get-out clauses that will generally make such ideas useless.