New Law Will Require Banks to Refund Victims of Bank Transfer Scams

New legislation will require banks to reimburse customers who have lost money to bank transfer scams, ending a “refund lottery” in which many financial institutions pin the blame on victims.

The Payment Systems Regulator (PSR) this week announced a consultation on a mandatory reimbursement scheme to replace the voluntary code on scams. The Treasury confirmed it will “legislate to address barriers to [this] regulatory action at the earliest opportunity,” meaning the law could come into force next year. 

Under the proposals, the PSR would require banks to issue refunds to customers who have lost money to bank transfer scams, also called authorised push payment (APP) fraud. 

In this type of fraud, consumers are tricked into sending money to accounts controlled by criminals, who may pose as legitimate vendors, tradespeople, banks, or government departments, sometimes using spoofed phone numbers and duplicated websites. Figures from UK Finance reveal that Brits lost £355 million to these types of scams in the first half of 2021, overtaking debit and credit card fraud losses for the first time.

Because victims authorise these bank transfers, believing they are paying someone legitimate, they aren’t entitled to the refunds banks issue following typical theft from their accounts.

To patch this hole in consumer protection, in the spring of 2019 some banks signed onto a voluntary code pledging to reimburse some scam victims. However, research has revealed that banks frequently put the blame on fraud victims, denying them compensation. 

The Lending Standards Board (LSB) revealed this year that banks signed onto the code tell 77% of fraud victims they’re partly or fully responsible for their losses, making them ineligible for refunds. Just 42% of lost funds were reimbursed in the first half of the year.

In June the LSB, which oversees the code, highlighted “systemic failings” in the way the firms apply the code’s guidance and said they must urgently improve.

Consumer group Which? also highlighted the massive discrepancy in the treatment of fraud victims between banks, with two banks holding fraud victims liable in nine out of ten cases. The data is also anonymised, meaning consumers can’t see how their bank stacks up. 

The PSR’s proposals also address this issue: they’ll require banks and building societies in the 12 largest banking groups in Great Britain plus the two largest banks in Northern Ireland outside those groups to publish data on their performance in relation to bank transfer scams and refunds. This data must include reimbursement rates for victims and which banks’ accounts are being used to receive the stolen funds.

The banks required to publish this data would be the AIB Group (UK), Bank of Scotland, Barclays, Clydesdale Bank, the Co-operative Bank, HSBC, Lloyds, Metro Bank, Monzo, NatWest/RBS, Nationwide Building Society, Northern Bank, Santander, Starling Bank, TSB, Ulster Bank and Virgin Money.

Finally, the PSR will require banks to improve their intelligence sharing to better detect and prevent APP scams.

The regulator will consult on these proposals until January.