Skip to main content

Authorised Push Payment Fraud

Volume 728: debated on Wednesday 1 March 2023

I will call Kirsten Oswald to move the motion and then the Minister to respond. As is conventional in 30-minute debates, there will not be an opportunity for the Member in charge of the debate to wind up.

I beg to move,

That this House has considered authorised push payment fraud.

It is a pleasure to serve under your chairship, Mr Dowd. I am pleased to bring forward this debate, because I have had protracted discussions with a business in my constituency that has been targeted by fraudsters, resulting in some of its clients losing thousands of pounds through authorised push payment scams. Those scams deceive an individual into unknowingly transferring funds to a criminal. They now represent the largest type of payment fraud in the UK, both in the number of scams and value of losses.

I do not normally intervene this early, but this issue is critical for my constituents in Strangford—and indeed for everyone, I suspect. I congratulate the hon. Lady on bringing forward this debate. The latest figures are astounding: £249.1 million was lost to APP scams in the first half of 2022. That indicates how prevalent these scams are. Messaging about these scams is not as effective as it should be. Does she agree that more steps need to be taken to safeguard vulnerable people who are losing money? They are not great at tech, and have been taken advantage of.

I share the hon. Gentleman’s concerns. In 2021, losses to this type of fraud totalled £583.2 million. That represents a 38% increase on the previous year. It is worth noting that a lot of cases of authorised push payment fraud go unreported, so those figures are likely to underestimate the true amount lost to these scams. As he suggested, the impact of fraud can be devastating. Victims can lose substantial sums of money. The impact on their health and wellbeing cannot be over-stated. Research from Which? showed that 71% of fraud victims felt that their experience had a detrimental impact on their stress levels; 63% said it was harmful to their mental health, and 39% said it affected their physical health.

I too am very grateful to my hon. Friend for bringing this subject before the House. She is right to mention the huge damage this fraud can cause to individuals and families, including in my constituency. I have two constituents who were caught up in the episode that she described. Does she agree that progress in making compulsory both full reimbursement and the code has been slower than we would like? It is crucial that we make fast progress on ensuring that full reimbursement and full compliance with the code are in place by the end of this year.

I am grateful to my hon. Friend. He is absolutely right, both about the people we are discussing who are directly affected, and about the framework generally. Progress is needed now. I will come back to both those points.

My constituent owns a successful business. Despite proper security controls, its email server was unfortunately infiltrated by sophisticated fraudsters, who then sent emails to business clients. The emails sent by the scammers looked just like genuine emails that would be sent from the business. That allowed the fraudsters to cloak their identity. I have heard of other cases of this, too. It is worth stressing that the emails were sent to clients who were due to make payments, which made the fraudulent emails seem entirely credible. This type of fraud is highly sophisticated. In fact, it is a huge and growing industry, which should be of deep concern to us all. I hope to hear the Government’s reaction to it from the Minister. Little wonder that many people unknowingly end up transferring funds to fraudsters when the scams are so sophisticated and complex.

My constituent’s case was only one type of APP scam, namely that of impersonation. There are other types. For example, there are purchase scams, in which a victim is tricked into buying goods or services that are never received. They are regularly found on Facebook and Instagram, and victims are lured in by the promise of cut-price goods. Quite commonly, it will be something like a reduced-price games console, which the victim pays for online but does not receive. Another type of APP fraud is the investment scam: victims are tricked into handing over money for bogus investment schemes that never materialise. Romance scams are obviously less common, but are deeply distressing; people are persuaded to make a payment to a person online with whom they believe they are in a relationship, but who they have never met.

The need to prevent all those types of fraud is paramount. An individual can take steps, particularly in cases such as the one I outlined, to ensure that their money is transferred to the correct bank account. For instance, a straightforward step is to never hesitate to question a payment request robustly. Ideally, an individual should make contact via means other than the ones through which the payment request was made. They should not just reply to an email or click a link, but find another way of contacting the business. We are essentially asking consumers to be responsible for working out where a sophisticated and complex crime is being committed. We need to strike the right balance, and recognise that those actually responsible for this terrible crime are the criminals.

A client of my constituent’s business was asked by their own bank to confirm with the business that it had requested a payment before the bank proceeded with the transfer. At that point, the business became aware that there had been an intrusion into its systems, and it took proactive steps to prevent customers from making any further payments. I welcome the way the business has dealt with the issue throughout.

I welcome the efforts made by several banks to introduce confirmation of payee services. They check the account name and details to ensure that the payment arrives at the correct destination, providing an additional layer of security. However, only some banks have set up such services. TSB Bank believes that all payment service providers should be required to introduce confirmation of payee services, because it seems that organised criminal gangs have shifted to using banks that do not have those checks enabled. It is noticeable, certainly to me, that there is not a unified view in the banking sector on how best to prevent this kind of scam, or on the issue of mandatory reimbursement. The UK Government could do more to take the lead on bringing the banking and payment sectors together to solve these issues. I would welcome the Minister’s thoughts on that.

I thank Lloyds Banking Group, which took the time to meet me this week, ahead of the debate, to discuss these issues and some of the cases I am raising. I hope that a satisfactory conclusion can be reached. My hon. Friend the Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald) very clearly laid out the distress caused to the people who are caught up in these situations. I encourage Lloyds to look further at this particular case, but I am grateful for its positive discussions with me about fraud prevention.

In total, four clients of my constituent’s business were targeted by fraudsters. As my hon. Friend the Member for Cumbernauld, Kilsyth and Kirkintilloch East suggested, the first case involved a couple unknowingly transferring £40,000 to an HSBC-held bank account. They have been reimbursed over £19,000 by their bank, which is the Bank of Scotland. The second case involved an individual who, again unknowingly, sent £12,500 to an HSBC-held bank account. In the third and fourth cases, clients received emails asking them to transfer money to fraudulent HSBC-held accounts, but thankfully they did not do so.

The contingent reimbursement model is a voluntary code that 10 firms covering 21 banking brands have signed up for. That code aims to reduce the occurrence and the impact of authorised push payment scams. It was designed to give people confidence that if they fell victim to that kind of scam, they would be reimbursed if they had acted properly. The responsibility for reimbursement, according to the contingent reimbursement model code, lies solely with the sending bank.

With that in mind, I return to the case that I outlined, where only half the funds have been returned. I wonder how that can be. The couple has been reimbursed £19,555 by the Bank of Scotland—the sending bank, if you like. Now, the Bank of Scotland has signed up to the contingent reimbursement mechanism, so I would have expected it to reimburse its client to the tune of the full £40,000. However, it did not do that and instead suggested that HSBC should refund the other half of the £40,000 because it was the bank with whom the fraudulent account was held. The individual who mistakenly sent £12,500 to an HSBC-held account has in fact received no reimbursement at all.

Both those cases are now with the Financial Ombudsman Service. I hope—although I am not sure this will be borne out in reality—that there will be a sensible resolution to the situation, because none of these people deserves to be impacted in the way that they have been. It is important to stress that terms such as “blame” and “fault” are used too often in these conversations, in a way that is both unhelpful and unfair, given the sophistication of these scams. The only people to blame for authorised push payment scams are the criminals who create these fraudulent ventures, not the people who fall victim to what are designed to be highly convincing criminal efforts to part them from their money.

With that in mind, I would like to make several points to the Minister. First, the banking sector must improve its internal mechanisms for identifying accounts engaged in fraudulent activity. During my correspondence with HSBC regarding the situation I have set out it stated:

“HSBC undertakes robust due diligence as part of our account opening process, and has payment screening in place to identify fraud.”

I have no doubt that HSBC has internal mechanisms to detect potential fraudsters, and I do not seek to suggest otherwise, but my constituent’s clients were targeted by fraudsters with four different accounts, all of which were held by HSBC. We should remember that this particular case of fraud was stopped at an early stage, so I cannot say how many potential frauds the fraudsters may have wanted to carry out or how those would have related to particular banks. However, all the cases I am aware of involved HSBC, so HSBC—and every other bank—can and must do more to identify and shut down accounts engaged in fraud.

Secondly, I welcome the move towards making the contingent reimbursement model a mandatory code covering all banking firms. I note that clause 62 of the Financial Services and Markets Bill, which is currently in Committee in the other place, enhances protections for victims of authorised push payment scams by putting a duty on the Payment Systems Regulator to take regulatory action on APP scam reimbursement, ultimately giving it the power to make reimbursement mandatory across the faster payments service.

The introduction of a voluntary contingent reimburse-ment model code has resulted in the rate of victim reimbursement rising from 19% in the first half of 2019 to 41% in 2020. With a mandatory CRM, I am sure that that number will rise further, meaning that more and more victims of this type of fraud should receive reimbursement. Some banks, such as TSB, offer an authorised push payment scam refund guarantee, fully reimbursing all authorised push payment scam victims up to £1 million, unless the customer has been grossly negligent. Some 97% of fraud claims with TSB have been refunded since the refund guarantee was introduced, which is well above the industry average and should give food for thought to others.

Last November, the Payment Systems Regulator consulted on a package of measures to combat authorised push payment scams, including mandating reimbursement for victims. The regulator is now consulting on specific proposals that would put that mandatory reimbursement in place for all online and mobile payments. In line with protections for other payments and financial services, reimbursement would be on all payments over £100, and a time limit of no less than 13 months would be set for claims. A mandatory reimbursement code would ensure that, regardless of what bank or building society individuals choose as their provider, they would be protected from massive financial loss due to these scams.

To come back to the situation I am dealing with, two clients of my constituent’s business have lost £20,000 and £12,500 each. These are significant sums of money. Who could possibly afford to lose them? I welcome all legislative changes that will help to bring about a mandatory reimbursement code, but what steps will the UK Government take to ensure that people who have been affected before the code comes into place are reimbursed, particularly where their payment service provider signed up to the voluntary code but failed to carry through on its commitment, as the sending bank, to reimburse?

I would also like to hear the Minister’s views on social media firms and tech giants taking fraud more seriously and on what action they can take to stop fraudsters using their platforms to target people. It is also incumbent on them to take steps to clamp down on bad actors but, at the moment, they have no financial incentive to remove fraudsters from their platforms, because banks are ultimately held responsible for refunding lost money. That is a conversation that needs to take place with Government.

I welcome some of the progress that has been made and the action by banks, Government and other organisations but, although mandatory reimbursement is desirable, some are still concerned about how it will be enforced. The Treasury Committee recently published a report entitled “Scam reimbursement: pushing for a better solution”, which highlighted some of these concerns. That report supported the principle of mandatory reimbursement but noted concerns about how the plans would be implemented. The Payment Systems Regulator proposes that Pay.UK will make, maintain and enforce reimbursement rules. That is problematic for several reasons set out in the report. Pay.UK is not independent; it is an industry body and guaranteed by the very banks and other service providers it would be asking to reimburse fraud victims. More worryingly, it is not a regulator and lacks the powers necessary to enforce its rules, so there could be foot-dragging and other challenges.

The other reason the Treasury Committee gave for not liking that solution was the potential for further delay and kicking the can down the road. Given the earlier point that this has been ongoing for a few years, the last thing we need is more delay.

It is almost as if my hon. Friend had read the end of my speech. He is absolutely right; that is it in a nutshell. We want to prevent fraud, punish fraudsters and ensure that victims are reimbursed. That is the way to reduce the harm that these scams cause. Surely, we should all support those principles. I ask the Minister to give serious consideration to the credibility of the Payment Systems Regulator’s current suggestions, to look closely at how social media interacts with these systems and to commit to listening to victims such as those I have talked about today.

To conclude, I ask that the banks involved in the cases I have outlined give serious consideration to their part in the challenges that people are facing through no fault of their own. They should look to ensure both that people are reimbursed and that they clamp down on fraudsters using their services.

It is a pleasure to serve under your chairmanship, Mr Dowd. I commend the hon. Member for East Renfrewshire (Kirsten Oswald) for securing this debate, which addresses an issue that she clearly cares about deeply. I know from my own constituency and from conversations with colleagues across the House that it is, sadly, one that we see across the country, which is why the Government also care deeply about it. It is a growing issue and demands urgent intervention.

As the hon. Lady set out articulately, authorised push payment scams are becoming increasingly sophisticated and often target the most vulnerable in our society. Because they are so sophisticated, they are also able to target professionals, businesses and so on—people who would otherwise consider themselves to be alive to these sorts of risks. It is a very clever form of fraud.

Under the European regulatory system that we have inherited, there is no statutory or regulatory requirement for banks to reimburse the victims of these scams. Although the creation of a voluntary reimbursement code has improved matters, reimbursement for victims has, as the hon. Lady set out, been inconsistent across banks and for victims, and only about half the stolen money is reimbursed. As a result, many victims are left facing significant losses; in the worst cases, they can lose their life savings. From the hon. Lady’s descriptions, we know the impacts that that can have on people and businesses. We are acutely aware of the impact of this type of fraud, so we are determined to help victims and to crack down on these scams and the impact that these fraudsters have on people and businesses.

Front and centre of those efforts is our action on victim reimbursement. As part of the Financial Services and Markets Bill, we are introducing world-leading legislation to protect people as a matter of urgency. Once passed, the Bill will remove legal barriers in retained EU law that currently prevent regulatory action on reimbursement by the Payment Systems Regulator. That will enable the regulator to mandate reimbursement for any payment system under its supervision. However, the legislation goes even further: it will also place a specific duty on the regulator to implement a reimbursement mandate for the faster payments system within six months. I hope that the hon. Lady and other hon. Members will be assured that there will be swift regulatory action once the Bill receives Royal Assent.

This issue does not just require timely action; it also demands effective action. We are confident that the regulator has the appropriate objectives, expertise and powers to design the details of mandatory reimbursement in a way that ensures strong and consistent protections for victims. In its recent consultation on the matter, it stated its intention to require firms to fully reimburse victims of all APP fraud occurring through faster payments, with very limited exceptions. That would ensure that victims are reimbursed in the vast majority of cases and at far higher rates than under the existing voluntary reimbursement codes.

I hear what the Minister says. What does she think about the people I described in my contribution, who will not be covered by the measures she outlined?

I was going to attempt to answer the question posed by the hon. Lady later, but I will answer it now. Regarding current victims, the legislation is not retrospective—she will know that it is very rare for this place to pass retrospective legislation—but we expect banks to honour past voluntary commitments. That may well be something that the Economic Secretary to the Treasury, who has primary responsibility for this area, has put his mind to. I will ask him to write to her with his thoughts on it.

Given that the hon. Lady has intervened on me, I will respond to the interesting points she raised about social media and tech companies. I will do the same as on the previous point, and ask the Economic Secretary to the Treasury to write to her. From my own portfolio, I know some of the challenges with the use of social media when it comes, for example, to repayment agents who are not behaving as they should. As the hon. Lady says, the ability of fraudsters to present themselves as legitimate, by stealing people’s business logos or details, is highly sophisticated. It requires a joined-up reaction from across Government, law enforcement and so on.

That brings me to what we are doing across Government. Although this is an insidious form of fraud, it is not the only one our constituents face. We will therefore shortly publish a new, broad-based fraud strategy, which will detail how we will prevent fraud, so that people do not lose their life savings and money in the way the hon. Lady set out and we can crack down on these gangs.

In the meantime, the Treasury has worked diligently with the Financial Conduct Authority and the Payment Systems Regulator on the roll-out of fraud prevention measures such as confirmation of payee, which the hon. Lady referred to, which can help and has been designed to stop some forms of APP fraud and accidentally misdirected payments. I know that the hon. Lady and other hon. Members will welcome the regulator’s action to mandate that service for the vast majority of faster payments transactions, and I highlight its intention to achieve near-universal coverage in the near future.

The Treasury continues to assess industry proposals for legislation to enable further delay to high-risk payments. The hon. Lady asked me about internal banking processes, and that is one way that we have looked to address that form of fraud.

The regulator has consulted on further measures to prevent payment fraud, including enhanced information sharing between payment providers so that scammers can be identified and shut down quickly. That is in addition to mandating confirmation of payee, which I have already described. That will enable payers to check that they are, in fact, sending payments to the right person.

In short, we very much understand why the hon. Member for East Renfrewshire has raised this important issue. We share her determination to tackle it, and look forward to working with law enforcement agencies, banks, the regulators and colleagues across the House to ensure that our constituents are protected from this invidious form of fraud, which I know we all want to see stopped.

Question put and agreed to.

Sitting suspended.