Payment Fraud: Where does blame lie?

This article exposes some of the difficulties involved in such matters and, sadly, demonstrates why there are no easy answers.

1. It is critical of the APP CRM Code (which came into effect in May 2019) 

The Code is voluntary. Very simply, it offers consumers and micro-enterprises a more generous refund approach if they become a victim to APP fraud than is required by the law (under the Payment Services Regulations).

Currently 9 Payment Service Providers (PSPs), including the 5 major banking groups and some smaller banks, have committed to it. 

However, some PSPs have opted to go further (see TSB) and others are yet to commit (for example, newer entrants who may consider their payment system more secure).

There are legitimate criticisms that could be made of the Code – which no doubt will be made in the forthcoming review (one year on from its inception) - but the alternative is to rely on the baseline legal protection which would not be in the interests of the victim of fraud.

If fraud prevention measures are only as good as the weakest link, the same must be said of any industry code of practice. Without universal commitment there will be inconsistent approaches/incentives for PSPs to combat fraud both in relation to refunding victims and fraud prevention strategies.

2. It highlights the sophistication of the fraudsters

In describing the fraudster's modus operandi (i.e. a cold call, social engineering, line blocking, courier collection, negating bank warnings) it demonstrates both (a) how adaptable scammers are; and (b) it was not any inherent vulnerability in the victims that allowed the fraud to occur (as the couple's daughter accepts she would have been equally susceptible).

Vulnerability is a key factor for banks to assess in any given scenario and will, no doubt, have been considered here. However, where sophistication (not vulnerability) is the causative factor, it is hard to see what practical measures a PSPs could adopt to stop the fraud in action.

3. It describes a rare intervention by the police to attempt to catch the fraudsters 

I have previously highlighted the increasing demand for the police to do more when it comes to fraud (see here), leaving the payments industry bearing the responsibility if they do not.

However, it is interesting to note that even in a case where they did intervene, the fraudsters evaded arrest.

It is, of course, accepted that the police do not always "get their man" but it is also accepted that they do not then become liable for the victims losses. The contrast to where PSPs (simply a conduit through which a fraud can occur) have adopted reasonable fraud preventions measures – but which are evaded - is stark. Until policy-makers determine these losses should be borne by the payments industry (as suggested here) there is a limit as to what is fair criticism. 

4. It touches on the warnings and attempted interventions by the PSP

Successful fraud prevention is about layers and warnings are just one. However, even those of us who have been warned time and time again can become a victim (especially at times of stress and/or distraction). Warning fatigue can be a real issue and dynamic measures should be adopted by PSPs to be effective.

Where the fraud requires some branch interaction as in this case, the Banking Protocol has been remarkably successful in preventing fraud (see here). But fraudsters adapt and in this case, convinced the victims to ignore such warnings.

5. It flags the forthcoming introduction of Confirmation of Payee on 31 March 2020

Whilst long awaited and incredibly difficult to implement across the payments industry, it should not be hailed as a silver bullet.

Given the methods present in this example, is it beyond a sophisticated fraudster to persuade a victim to ignore the account name or that [J Bloggs] is simply a "dummy" or a trading name of the true intended recipient?

Comment

To be fair to the author, he recognises the issue: "this case raises difficult questions. To what extent can the banks be liable in situations such as this?"

So, what are the (difficult) answers?

I tentatively suggest that the banks can be liable, but raise a further question: should they? Certainly, there is room for:

1. Better education about the basic legal protections and what the Code is (and is not) expected to cover
2. Criticism and improvement to the Code to ensure it functions well and is sustainable (which includes industry-wide commitment)
3. Recognition that "blame" is a term only useful to apply to the fraudster. Even if a victim is blameless, it does not equate to PSP liability.

Whilst this article focusses on the consumer (as does the Code), the issues apply to many different payment frauds typologies and victims (i.e. the SME and the corporate).

If you would like to consider any issues further, please do get in touch.

A retired couple who lost £43,000 to persistent and expert fraudsters have become the latest victims to complain that banks’ voluntary fraud code promising refunds to victims is worthless. In May last year, the UK’s biggest banks all agreed to abide by a new code that would see the victims of what is known as “authorised push payment fraud” refunded in full. Victims duped into sending money to an account operated by criminals were to be refunded, where they had been the victim of a complex fraud – a so-called no-blame scenario.

https://www.theguardian.com/money/2020/feb/08/bank-couple-lose-43000-but-cant-get-a-refund