Skip to main content

Banks: Authorised Push Payment Fraud

Volume 803: debated on Thursday 11 June 2020


Asked by

To ask Her Majesty’s Government what plans they have to introduce legislation requiring banks to reimburse their customers who have been subject to Authorised Push Payment fraud.

My Lords, it is vital that victims of authorised push payment scams are protected. The voluntary contingent reimbursement model code for APP scams, launched in May 2019, sets standards for the prevention of APP scams and for the reimbursement of victims. The Lending Standards Board will review the operation of the code this year. Meanwhile, the Payment Systems Regulator continues to work with the industry to ensure better outcomes for consumers in the fight against APP fraud.

I thank the Minister for her reply, but the fact is that the PSR believes that, last year, innocent victims lost nearly half a billion pounds to this scam, having been tricked into believing that they were transferring money to a correct account. Only a quarter of that money was reimbursed; some banks reimbursed fewer than one in 20 victims. The voluntary code is not working. Defrauded customers are being betrayed. I am not persuaded by the PSR’s argument that EU payment services law bars a statutory obligation—it was not raised when I asked about this last year. Even if it does, this is one area where the Government’s determination to diverge from EU law in future could have a silver lining.

The noble Baroness is right that the Lending Standards Board has looked at reimbursements and found that, under the voluntary code, they have not been as high as expected. It has issued individual reports to each firm, with actions that they should take to improve matters. The industry continues to work on a longer-term solution and, where voluntary solutions are not possible, there is scope for further regulatory action.

My Lords, evidence from the Financial Ombudsman Service, of which I was a director, shows a wide variation in how banks are handling this. It sees firms making decisions based on assertion and not evidence; firms relying on generic warnings, even if they do not work; firms taking an unreasonable view of what an ordinary consumer ought to know, or do, before making a payment; and refunds making only half payments, instead of full. Why is the Minister confident that the code is working? How long will the Government wait before considering giving the PSR stronger enforcement powers?

The code is little over a year old. However, the Lending Standards Board will follow up on the review it has made of reimbursements with each of those firms. The follow-up exercise will take place later in 2020, to ensure that all actions recommended are fully embedded and that customers are properly reimbursed.

My Lords, the code is clearly not perfect, but it is better than nothing, yet several significant banks have not signed up to it. Does the Minister believe that those banks should make it crystal clear to their customers that they have not signed up to the code?

Some banks have not signed up to the code, because they believe that their actions go further than it but take a slightly different approach. However, 90% of the total volume of transactions is covered by banks signed up to the code, and we welcome further banks signing up.

My Lords, regulations have failed to keep pace with evolving technology, so scammers are always two steps ahead. Does my noble friend agree that banks need a clearer legal and regulatory framework to help customers, such as being able to prevent payment if they suspect fraud, not being required to make payments within two hours, and not being required to have a court order before retrieving money from a fraudulent account?

One of the steps being taken to protect consumers further from the risk of fraud is the introduction of confirmation of payee. That is a new service intended to reduce the number of APP scam attempts succeeding. That was due to be rolled out by the end of March. However, due to Covid, the timeframe was extended to the end of June, with the clear understanding that if any customers had been affected by that delay in rollout—should any fraud have taken place during that time—the banks would compensate them.

Articles 4 and 45 of the relevant directive and paragraph 8.298 of the FCA documentation make it clear that it is the payment service provider that will specify the unique identifier to the user in the first instance. Therefore, the point where this is all going wrong is when providers do not specify or check the identifier against the name and address. Is not the confirmation of payee being introduced for just the six largest banks doing only what was intended in the first place, and should it not be rolled out across all payment providers?

I am sure that once the confirmation-of-payee scheme has been rolled out across the six largest banks, the regulator will look at how that has worked and any further measures that need to be taken. One of the benefits of the code that is in place is that it ensures that, where victims have done everything that should be expected of them, they receive reimbursement and compensation from the bank.

My Lords, this crime is so prevalent because of the ease with which fraudsters can open bank accounts with false details. Does my noble friend agree that responsibility for paying compensation should rest not with the innocent customer’s bank, as at the moment, but with the bank that allowed the fraudulent account to be opened and the money to be stolen?

My noble friend is right that it is essential that banks take proper steps to ensure that bank accounts are not opened fraudulently. The Financial Conduct Authority requires banks to maintain effective systems and controls to prevent the risk that they may be used to further financial crime. However, the code that specifies who pays compensation was drawn up with both industry and consumer groups and is getting reimbursements and compensation to those innocent victims. We should support a model that is supported by industry and consumer groups.

I thank the noble Lord, Lord Young of Cookham, for asking the previous question, which I was going to ask. Does the Minister agree that, if we made the fraudster’s bank liable—it receives and handles the stolen money —it would greatly incentivise banks to vet customers and monitor suspicious activities much more rigorously, and that it would be more effective than the current situation of the victim’s bank deciding whether the victim has been acting reasonably?

As I said to my noble friend Lord Young, there are requirements on banks to ensure that, when bank accounts are set up, the firms identify and verify the customer’s identity. Under the voluntary code which was drawn up with industry, it is currently with the victim’s bank to pay reimbursements if the victim is at no fault in the fraud. Those arrangements expire at the end of this year, and the points that my noble friend and the noble Lord made may be raised with industry when looking at a long-term solution to the issue of reimbursing consumers.

My Lords, Covid-19 is providing fraudsters with new opportunities to prey on the vulnerable, and there are clearly substantial problems with how APP fraud is handled. I return to the point raised by my noble friend Lady Sherlock. Does the Minister believe that the Payment Systems Regulator has sufficient powers to force banks to reimburse customers if they refuse to do so?

I believe that the regulator has sufficient powers. However, the voluntary code is just over a year old. There will be a review of the operation of that code by the end of the year and, should that review reveal that further powers are necessary, of course the Government would consider the case for that.

My Lords, in February, the PSR allowed banks a three-month delay in implementing the sensible and effective confirmation-of-payee rule. One of the conditions attached to this delay was that customers were not to be disadvantaged. It is very hard to see how that would be possible, since we know the new rule to be effective in reducing scams. How will we know whether the banks have observed this condition and, if they have not, what sanctions will be applied?

The implementation of this is monitored by the regulator, and it will be responsible for ensuring that banks comply with that condition. Should anyone have needed to delay confirmation of payment and suffered fraud as a consequence, they will be fully compensated for it.