A decision by the UK’s Financial Ombudsman Service (FOS) could ultimately cost banks up to £500 million as they are forced to change how they respond to one of the two main types of Authorised Push Payment Fraud (APPF), experts say.
The claim comes after the FOS last week ordered Santander to refund a customer who had £12,000 stolen by scammers who tricked them out of their online banking credentials.
UK retail banks typically refuse to refund victims in these instances on the grounds they authorised the payment or were negligent with their banking, but FOS determined that the customer was ‘a victim of a sophisticated scam with social engineering at the very heart of it’ and had not authorised the transaction or acted with gross negligence.
Ruling Tackles One of Two Main Types of Authorised Push Payment Fraud (APPF)
Industry expert Bob Lyddon told Computer Business Review: “This gives real hope of reimbursement to those who have been defrauded because they were gulled into revealing their online banking credentials, one of the two main types of Authorised Push Payment Fraud (“APPF”).”
(The other type is where the victim is sent a false invoice, or an email trail is hijacked so as to give false banking details).
The director of Lyddon Consulting added: “The important thing about the FOS decision is that it establishes commonality of the legal principles for determining liability, extending those that already apply to the card method and applying them to the bank transfer method, albeit not yet comprehensively.”
Caroline Wayman, chief executive of the Financial Ombudsman Service, said: “Each year, we see more than 8,000 cases involving fraud and scams. It’s not fair to automatically call a customer grossly negligent simply because they’ve fallen for a scam. That’s especially true in light of the sophisticated way criminals exploit banks’ security systems – and convince customers that their money is at risk.”
Lyddon added in an emailed comment: “The FOS ruling will probably cost the banks £50 million per annum, and its extension to the other main sub-type the same again – and then miraculously the banks will make the investments needed to cause the problem to 95 percent disappear, because £500 million spent once is better than £100 million per annum with no end date”.
Yet extension of the ruling to other forms of APPF may not happen soon amid an industry push to introduce “confirmation of payee”.
The rules and standards for this ‘confirmation of payee’ service were published by Pay.UK in October 2018 and will go live in July 2019.
Confirmation of payee refers to a new initiative where banks will check the name of the payee before transferring money to a sort code and account number. (No, that does not already happen, perhaps shockingly to consumers).
As Pay.UK said at the time: “Currently, the account name is not checked when sending an electronic payment – and fraudsters have become increasingly sophisticated in using this to trick people into sending money to the wrong account.”
“Confirmation of payee can help prevent many fraudulent payments from being made in the first place, by introducing another hurdle for fraudsters and giving effective warnings to customers about the risks of sending to an account where the name did not match.”
Which?, the consumer rights group, has raised a super complaint about this topic and the Payment Systems Regulator (PSR) has been busy trying to tackle the problem.
Yet, as Lyddon puts it, this may cause issues.
As he told Computer Business Review: “The stumbling blocks in the way of achieving the extension [to the other form of APPF] are, in my view, the collaborative industry initiatives underway to combat it.”
These comprise “all of the Payment Systems Regulator responses to the original Which? supercomplaint on APPF (11 workstreams of irrelevance), the Payment Strategy Forum (creator of several of the 11 workstreams), Confirmation of Payee (a tautologous service designed by Pay.UK and also one of the PSR/PSF workstreams) and the Contingent Reimbursement Model that is the joint brainchild of a cast-of-thousands, and which necessitates that a customer use Confirmation of Payee to have any chance of reimbursement.”
“All these initiatives compromise in the banks’ favour i.e. they compromise on the absolute result that has been achieved via the FOS test case, in favour of the victim.”
He concluded: “In consequence and unfortunately it will need another test case to explicitly get victims covered for this other type of payment fraud using bank transfer, a test case that slices through and bypasses all of the B/S and goes to the FOS again, but with the yardstick already established.”