Who should pay the costs of banking fraud?

Old lady on the phone while holding credit card © Getty Images
Around 78,000 people fell victim to authorised push payment fraud last year

Say you have a large amount of cash in your current account. Perhaps you’ve just downsized. You aren’t sure what to do with it. So you leave it there for now. Then a competent-sounding man gets in touch. Perhaps he says he is a policeman; he persuades you, one way or another, that your cash is in danger where it is and you should transfer it to another account. His.

Or perhaps the scam is harder to spot – a hacked email that looks to be from your solicitor asking you to settle a stamp duty bill by sending £25,000. Or your builder emailing his bank details, adding that he needs to be paid before the weekend. Either way, if you transfer the cash, you will have fallen victim to authorised push payment fraud (APP) – “authorised” because you agreed to it and “fraud” because you were tricked and the money is gone.

It’s more likely to happen to anyone who is a mixture of anxious and unwary – but the fraudsters are so sophisticated that even journalists at the Financial Times have been conned. Last year, 78,000 UK bank account holders lost nearly £350m this way, mostly from personal accounts. Another £700m worth of attempted APPs were caught and stopped. No wonder safety deposit boxes are rising in popularity. (Metro Bank offers them at all branches by the way, at an annual cost of £270 for the smallest and £750 for the largest).

But here’s the really important question: if you fall for APP fraud, who is responsible? Is it you because you were stupid enough to transfer money to – or hand your passwords to – a stranger? Why should other bank customers or shareholders take a hit because you’ve been a bit of a nitwit? Or is it the bank’s fault for not having proper security in place?

This wouldn’t have happened in the past when shifting cash involved physical trips to the bank (and fraud involved stealing people’s chequebooks). Why should digitalisation transfer risk to the customer?

It wouldn’t happen now if there were more firewalls protecting your cash. These range from the simple, such as calling people with too much money in a current account and advising them to put it in an interest-paying savings account; to the complicated, including behavioural alerts and biometric barriers.

Most banks say that the innocent will be reimbursed – a new voluntary code of practice came into force this year – and TSB even offers a “fraud refund guarantee” to customers. But speak to anyone who has fallen victim to this type of fraud and the shock of losing their money is second only to that of how dreadful banks’ customer services teams are at dealing with the aftermath.

There is little sympathy and seemingly little urgency to trace the stolen cash on its journey through the banking system. Filling in forms and waiting days or weeks for an acknowledgment is a common experience. The banks view losses as a cost of doing business; for those who have lost life-changing sums, the impact is felt more deeply.

The next question is who pays the victims back? There had been an idea that banks would set up an insurance-style fund together. The likes of Lloyds and RBS proposed a 2.9p charge on every cash transfer over £30 made via the Faster Payments System. This would be popped into a central fraud fund and then used to reimburse any “no blame” victims – those who do “everything expected of them” to stop it happening.

But not all banks like the idea. They don’t want to absorb a charge like this, or pass it on to customers. And they especially don’t want to if their own security is so good that their customers don’t experience much fraud.

As far as some of the digital challenger banks are concerned, if they agree to this levy they will effectively be agreeing to have their customers bail out those of the old banks – who have worse security than the newcomers say they do. In the absence of industry consensus, this means the banks will now have to self-fund compensation.

That’s good news for us for the simple reason that the big banks will have to invest in improving their IT systems to cut the material cost of compensation.

The challenger banks already have lower fixed-cost bases than the big banks – a newly built, resilient, reliable cloud-based high-security system that’s mostly automated and scalable is cheaper and easier to deal with than a patchwork of old and new systems.

All banks like to say they are tech companies with a banking licence attached, but it is more true of some than of others. The incumbents can do without another cost that hits them more than their new rivals. You may have already noticed their attempts to mitigate this in the shape of a relentless parade of on-screen warnings to customers making transfers.

This stuff matters. Being reimbursed is good, but it doesn’t take away from the trauma of being scammed in the first place – or the admin involved in trying to get your money back. The more the banks are incentivised to stop it happening in the first place, the better.

In the meantime, what do you do? Maybe look to an account at the challenger banks if you do keep a lot of cash – I have no evidence to prove that their security procedures are generally better, but the argument that digital banks are more fit for purpose in a digital age makes sense.

Younger people are very security conscious – 80% of them have opened a challenger bank account in the past five years, and a third of them told a survey this month that they would pay between £3 to £5 extra to have biometric security on their debit cards.

They may still have the Lloyds account that their mum opened for them 20 years ago, but they aren’t loyal to it. If you are an investor in the big UK banks, this is something to remember – we need banking, but we don’t necessarily need old-style retail banks.

Otherwise, my advice is the usual: assume the worst of anyone who calls claiming to be from your bank or giving any reason for you to transfer money. Don’t provide a password or a PIN. Don’t agree to repay money put into your account by mistake. Be particularly suspicious of any requests for cash outside normal working hours – or any that sound urgent. Never agree to remote access to your computer. Hang up and call your bank back (on a different line if possible) on the number on your debit card. Don’t open suspicious links. And this time of year, watch out in particular for failed transaction fraud – when an email arrives from a retailer saying your payment hasn’t gone through and could you input details again.

You might think you are too clever for all this, but 78,000 people would disagree with you.

  • This article was first published in the Financial Times