Every year we see thousands of complaints involving fraud and scams. The circumstances are wide-ranging, from disputed card transactions and cash machine withdrawals to online banking fraud and identity theft. Fraud causes both financial and emotional damage so it’s very important that businesses take that into account as part of investigating a complaint.
Customers typically bring their complaint to us when their bank refuses to refund the money that’s been lost.
One of the important questions to consider is whether the payment in question is authorised. In broad terms, ‘authorised’ in this context means that a consumer gave their bank an instruction to make a payment from their account, in line with its terms and conditions. In other words, they knew that money was leaving their account – wherever that money actually went.
Regulations state that where a customer hasn’t authorised a payment, the bank should refund the money – so long as the customer hasn’t acted fraudulently, or with intent or ‘gross negligence’. Note that we take the view that ‘gross negligence’ is an appropriately high bar and goes well beyond ordinary carelessness.
When it comes to payments that customers have authorised themselves, the starting point at law is that their bank won’t be liable for the customer’s loss, even when it’s the result of a scam.
There are, however, some situations where we believe that banks, taking into account relevant rules, codes and best practice standards, shouldn’t have taken their customers’ authorisation instruction at ‘face value’ – or should have looked at the wider circumstances surrounding the transaction before making the payment. And on 28 May 2019, a voluntary code came into force to give consumers further protection.
We’ll look carefully at the circumstances behind each complaint, examine the evidence and decide – on balance – what we think has happened, and who should fairly and reasonably bear the loss.
Types of complaints we see
The range of complaints we see is constantly evolving as fraudsters develop new and increasingly sophisticated methods. These often rely on highly manipulative techniques known as ‘social engineering’ to trick the customer into parting with their cash, or sharing confidential information. In other instances, the customer tells us their card or banking details, or their identity, were obtained and used fraudulently. Sometimes customers simply have no idea how so many of their personal details were obtained by the fraudster.
A large portion of the complaints we see fall into the following three categories:
- plastic card transactions that the customer tells us they didn’t make or authorise – such as purchases of goods or services online or in stores or nightclubs
- scams where the customer was tricked into handing over their bank details, allowing the fraudster to take money from their account without their consent
- scams where the customer was tricked into transferring money to the fraudster’s account – often because they believed they were making a payment to their bank or another trusted organisation
Examples of other complaints we see involving fraud and scams include:
- ID theft, where a fraudster has used the customer’s identity to obtain goods or services – typically a loan from a payday loan company
- cheque conversion, where a cheque has been stolen by a third party
- cases where a customer feels they’ve been unfairly placed on a fraud prevention database
What we look at
As with every case, in reaching a decision about what’s fair and reasonable, we consider:
- the relevant law and regulations
- any regulator’s rules and guidance that applied at the time
- any industry codes of conduct in force at the time
- what we consider was good industry practice at the time
If there are disagreements about the facts, we’ll make our decision about what probably happened using evidence provided by you, your customer and relevant third parties.
Complaints involving plastic card transactions
Plastic card fraud involves any kind of spending on a plastic card that wasn’t authorised by the cardholder. It happens in a variety of places, including shops, bars and restaurants, and also with goods or services bought online or over the phone.
Typically, the customer notices the transaction on their account and complains that they didn’t make or authorise it. The transaction may have been made with a debit or credit card and by presenting the card in person or remotely.
In many of these cases we may never know with certainty what happened. Our role will be to establish what we think is most likely to have happened. To help us understand this, we’ll ask for information from the customer and you, including:
- where the customer was at the time of the disputed transaction
- how the transaction was made – whether in person, by phone or over the internet
- the nature of the transaction, including when and where it was made, and what it was used to pay for
- the outlet where the transaction was made
- how the transaction was verified by the system, for example, by personal identification number (PIN) or password
- the electronic audit trail for the transaction
- the customer’s previous use of the plastic card
If we decide that the customer didn’t make or authorise the disputed transaction, we’ll then assess whether they have any liability for it – and, if so, how much.
In making that assessment, we’ll take into account:
- the account terms and conditions
- the law, such as the Payment Services Regulations
- industry codes of practice
- sections 83 and 84 of the Consumer Credit Act 1974, when the withdrawal was made using a credit facility
Scams complaints – transactions unauthorised by the customer
Many of the complaints we see are from customers who tell us they were tricked into handing over confidential information that enabled fraudsters to access their money. For example, the customer may have:
- received an official-looking email or text message they believed to be from their bank or another trusted organisation, with a link to a fake website – where the customer then entered confidential banking details
- got a phone call claiming to be from their bank or another organisation they believed to be genuine, and were tricked into handing over confidential information about their account
Generally, when a customer has not authorised a transaction, they’re not liable for the loss – unless they’ve failed, with intent or ‘gross negligence’, to keep their payment and security information safe. Frequently, then, the dispute will centre on whether the customer acted in a ‘grossly negligent’ way. We consider the bar for gross negligence to be a very high one.
If we’re satisfied the customer didn’t authorise the transaction and was the victim of a scam, we’ll want to understand how the customer was manipulated into sharing sensitive information. For instance, if the customer received a fraudulent email or text message, we’ll want to see it.
A common feature of many scams is that the fraudster will often create an environment which plays on the emotions of the consumer – for example fear of losing all their money. We’ll take into account the environment created by the fraudster as part of our considerations.
Scams complaints – transactions authorised by the customer
One of the fastest-growing types of fraud is ‘authorised push payment’ (APP) fraud – where people unwittingly act on fraudsters’ instructions and carry out the transactions themselves. Fraudsters use a wide variety of methods to carry out APP fraud. The following two scenarios are typical of the complaints we see.
- The customer is expecting to make a payment for goods or services, but is tricked into making the payment to an account controlled by the fraudster. Typically this happens after the customer responds to an invoice attached to a fake or intercepted email claiming to be from the person or organisation the customer was expecting to pay.
- The customer receives a phone call from ‘their bank’, telling them that their account is at risk and they need to temporarily move their money to another account to keep it safe. The fraudster will use information they’ve researched about the customer in advance to sound convincing. They can even make the bank’s official phone number display in the caller ID screen on the customer’s phone (often referred to as ‘spoofing’).
Our approach to APP fraud complaints
Investigating complaints involving APP fraud can be a complex process. The starting position at law – based on current regulations – is that liability rests with the customer if they consented to the transaction. But this isn’t the end of the story.
So, as well as wanting to understand how the scam unfolded, and how the customer was deceived, we’ll want to consider the bank’s behaviour, too. Businesses, for example, are more likely to have greater knowledge of the range of frauds that exist today than the average customer and are sometimes in a better position to identify a potential fraud.
This means we’ll ask you a range of questions to understand how you handled the transaction – for example:
- what security checks did you carry out?
- were there any triggers that should have made you question the customer about the transaction? (For example, was it a large or unusual transaction? Did the transaction seem out of character? Was it to a new payee?)
- if you’d asked more or different questions, is that likely to have made a difference to the outcome?
We’ll also consider relevant industry guidance and codes of practice in place at the time of the scam, including:
- UK Finance best practice standards for responding to APP scam claims
- the Banking Protocol
- BSI PAS 17271:2017 – ‘Protecting customers from financial harm as a result of fraud or financial abuse – code of practice’
And if the transaction involves a vulnerable customer, we’ll consider the best-practice principles set out in ‘BBA – improving outcomes for customers in vulnerable circumstances.’
Identity theft complaints
ID theft happens when a fraudster uses someone else’s identity to obtain goods and services. The most common example we see is where a customer tells us a fraudster has applied for a loan (usually from a payday loan company) in their name, and then withdrawn the loaned money from their current account. Often the complaint centres on who should bear the loss, and to what extent.
In cases like this, where the consumer did not make the loan application, it’s usually appropriate for the lender to put things right. So we’d take the view that the complaint should be directed against the loan company in the first instance.
When we investigate this type of complaint, key things we’ll want to establish are:
- did the customer play any part in the loan application?
- did the customer play any part in the withdrawal of the proceeds from their account?
To help us decide, we’ll ask for a range of information from the customer, the bank and the lender – along with evidence to back up what they tell us.
Questions we’ll ask the customer might include:
- how did they become aware of the problem?
- have any important documents, such as passports or driving licences, gone missing?
- if so, did they report the loss in order to get a replacement, and can they show us evidence to prove this?
We’ll ask the lender to explain the reasons why they believe the customer is responsible for the loan. We’ll also ask the lender to give us:
- a copy of the loan application documents (including any ID documents provided)
- a copy of their investigation and customer notes
- details of any technical information such as the IP address from which the application was made, if it was made online
- details of their customer ID processes
We’ll ask the bank to give us:
- an audit trail showing the transactions in question
- statements for the period in question
- the customer’s address history
- the card and PIN history (where a card was used)
- details of the customer reporting the card as lost or stolen (where a card was used)
- the online/mobile banking security credential issue history
- the online/mobile banking access history
- a copy of their customer and investigation notes
After we’ve looked at the evidence, we may decide the customer didn’t take out the loan, but did withdraw or use the proceeds of the loan. We’ll consider carefully what happened and whether it’s appropriate or not to ask the loan company to write off the debt in all the circumstances.
Complaints involving fraud prevention agencies
Fraud prevention agencies hold information about people who’ve committed fraud in the financial services sector. They also hold information about people who’ve been the victim of fraud or identity theft. The largest cross-sector fraud prevention agency in the UK is CIFAS.
We can’t look at complaints against fraud prevention agencies themselves. But we can look at complaints about financial businesses that have passed information on to a fraud prevention agency.
Whilst fraud prevention markers are a valuable tool in the fight against fraud, they can have serious consequences for consumers if not applied fairly. Things we typically hear from customers experiencing problems as a result of a fraud prevention marker applied by their bank are:
- ‘I haven’t been able to open a bank account’
- ‘my bank closed my account and I can’t open another one’
- ‘I applied for a mortgage but it was rejected – the lender said there was adverse information about me, but I can’t find anything on my credit file’
- ‘I was scammed but the business recorded information about me with a fraud prevention agency – I want it removed as it wasn’t my fault’
- ‘I did a subject access request to a fraud prevention agency and found out my bank recorded information with it – I want the bank to remove it’
The questions we might have to consider when deciding what’s fair and reasonable include:
- Was it fair and reasonable for the business to report information to a fraud prevention agency in all the circumstances? When deciding this, one thing we’ll think about is whether the business can demonstrate it met the test for recording fraud markers set by the fraud prevention agencies – typically that it had reasonable grounds to believe that fraud or a financial crime has been committed or attempted; and the evidence of it is clear, relevant and rigorous, such that the conduct could confidently be reported to the police.
- Did the financial business make a mistake when it recorded information about a customer with a fraud prevention agency? We’ll review the information about the customer on the database and check whether it’s accurate.
Handling a complaint like this
When you receive a complaint involving fraud and scams, you should reply to your customer within 15 days, as set out in the Payment Services Regulations (PSR) and the Electronic Money Regulations (EMR).
If you don’t reply within the time limits, or the customer disagrees with your response, they can bring their complaint to us. We’ll check it’s something we can deal with, and if it is, we’ll investigate.
We’ll expect you to be able to show us that you’ve investigated the complaint thoroughly, and have reflected carefully on the circumstances of the events. In cases where you believe your customer was grossly negligent, we’ll expect you to bear in mind that ‘gross negligence’ has a very high bar.
Find out more about how to resolve a complaint.
Putting things right
If we decide you’ve treated the customer unfairly, or have made a mistake, we’ll ask you to put things right. Our general approach is that the customer should be put back in the position they would have been in if the problem hadn’t happened. We may also ask you to compensate them for any distress or inconvenience they’ve experienced as a result of the problem.
The exact details of how we’ll ask you to put things right will depend on the nature of the complaint, and how the customer lost out. The following examples give an idea of our approach.
- In complaints involving plastic card fraud, or scams where the customer didn’t authorise the transaction, if we decide the customer didn’t act with intent or gross negligence, we’ll ask you to refund the loss along with appropriate interest from the date of the loss to the date of the settlement.
- In complaints involving fraud or scams where the customer authorised the payment, we may find that you didn’t follow industry guidance or codes of practice designed to protect the customer from fraud. If we think the outcome is likely to have been different had you done so, we might ask you to refund all or some of the customer’s loss. We may also award interest and a trouble and upset payment depending on the circumstances.
- In cases of ID theft where we decide the customer played no part in the application for, or use of, the product taken out in their name, we’re likely to ask the provider of the product (such as the lender of a payday loan) to write off any debt incurred and we’ll also consider the impact this has had on the customer’s credit file.
- If we think a customer has been unfairly placed on a fraud prevention agency’s database, we may ask you to remove their information from the database and we’ll also consider whether it’s appropriate to compensate the customer for any resulting losses.
A customer was asked to transfer money as her account was under threat
A customer was told she needed to pay a tax bill - or face arrest
A customer was called by someone pretending to be his telephone provider
A customer transferred money to a fake landlord
A customer bought a phone from an online auction site
Refer to the Payment Services Regulations setting out the laws affecting fraud and scams complaints.
Read more about relevant industry guidance and codes of practice:
- The British Standards Institution’s ‘Protecting customers from financial harm as a result of fraud or financial abuse – code of practice’
- Action Fraud
- The Financial Conduct Authority’s approach to what constitutes ‘gross negligence’ in cases involving unauthorised transactions
- Find out about the work of the Joint Fraud Taskforce.