Fraud and scams

Plastic-card fraud involves any kind of spending on a plastic card that wasn’t authorised by the cardholder. It happens in a variety of places, including shops, bars and restaurants, and also with goods or services bought online or over the phone.

Typically, the customer notices the transaction on their account and complains they didn’t make or authorise it. The transaction may have been made with a debit or credit card and by presenting the card in person or remotely.

In many of these cases we may never know for certain what happened. Our role will be to establish what we think is most likely to have happened. To help us understand this, we’ll ask for information from the customer and you, including:

• where the customer was at the time of the disputed transaction
• how the transaction was made – whether in person, by phone or over the internet
• the nature of the transaction, including when and where it was made, and what it was used to pay for
• the outlet where the transaction was made
• how the transaction was verified by the system, for example, by personal identification number (PIN) or password
• the electronic audit trail for the transaction
• the customer’s previous use of the plastic card

If we decide the customer didn’t make or authorise the disputed transaction, we’ll then assess whether they have any liability for it – and, if so, how much.

In making that assessment, we’ll take into account:

• the account terms and conditions
• the law, such as the Payment Services Regulations
• industry codes of practice
• sections 83 and 84 of the Customer Credit Act 1974, if the withdrawal was made using a credit facility

Many of the complaints we see are from customers who tell us they were tricked into handing over confidential information that enabled fraudsters to access their money. For example, the customer may have:

• received an official-looking email or text message they believed to be from their bank or another trusted organisation, with a link to a fake website – where the customer then entered confidential banking details
• got a phone call claiming to be from their bank or another organisation they believed to be genuine, and were tricked into handing over confidential information about their account

Generally, when a customer has not authorised a transaction, they’re not liable for the loss – unless they’ve failed with intent or “gross negligence” to keep their payment and security information safe. Often, then, the dispute will centre on whether the customer acted in a “grossly negligent” way. We consider the bar for gross negligence to be very high.

If we’re satisfied the customer didn’t authorise the transaction and was the victim of a scam, we’ll want to understand how the customer was manipulated into sharing sensitive information. For instance, if the customer received a fraudulent email or text message, we’ll want to see it.

A common feature of many scams is that the fraudster will often create an environment which plays on the emotions of the consumer – for example fear of losing all their money. We’ll take into account the environment created by the fraudster as part of our considerations.

ID theft happens when a fraudster uses someone else’s identity to obtain goods and services. The most common example we see is where a customer tells us a fraudster has applied for a loan (usually from a payday loan company) in their name, and then withdrawn the loaned money from their current account. Often the complaint centres on who should bear the loss, and to what extent.

In cases like this, where the consumer did not make the loan application, it’s usually appropriate for the lender to put things right. So we’d take the view that the complaint should be directed against the loan company in the first instance.

When we investigate this type of complaint, key things we’ll want to establish are:

• did the customer play any part in the loan application?
• did the customer play any part in the withdrawal of the proceeds from their account?

To help us decide, we’ll ask for a range of information from the customer, the bank and the lender – along with evidence to back up what they tell us.

Questions we’ll ask the customer might include:

• how did they become aware of the problem?
• have any important documents, such as passports or driving licences, gone missing?
• if so, did they report the loss in order to get a replacement, and can they show us evidence to prove this?

We’ll ask the lender to explain the reasons why they believe the customer is responsible for the loan. We’ll also ask the lender to give us:

• a copy of the loan application documents (including any ID documents provided)
• a copy of their investigation and customer notes
• details of any technical information such as the IP address from which the application was made, if it was made online
• details of their customer ID processes

We’ll ask the bank to give us:

• an audit trail showing the transactions in question
• statements for the period in question
• the customer’s address history
• the card and PIN history (where a card was used)
• details of the customer reporting the card as lost or stolen (where a card was used)
• the online/mobile banking security credential issue history
• the online/mobile banking access history
• a copy of their customer and investigation notes

After we’ve looked at the evidence, we may decide the customer didn’t take out the loan, but did withdraw or use the proceeds of the loan. We’ll consider carefully what happened and whether it’s appropriate or not to ask the loan company to write off the debt in all the circumstances.

Fraud-prevention agencies hold information about people who’ve committed fraud in the financial services sector. They also hold information about people who’ve been the victim of fraud or identity theft. The largest cross-sector fraud-prevention agency in the UK is CIFAS.

We can’t look at complaints against fraud prevention agencies themselves. But we can look at complaints about financial businesses that have passed information to a fraud prevention agency.

Fraud-prevention markers (on customer files) are a valuable tool in the fight against fraud but can have serious consequences for consumers if not applied fairly. Things we typically hear from customers facing problems as a result of a fraud-prevention marker applied by their bank are:

• “I haven’t been able to open a bank account”
• “My bank closed my account and I can’t open another one”
• “I applied for a mortgage but it was rejected – the lender said there was adverse information about me, but I can’t find anything on my credit file”
• “I was scammed but the business recorded information about me with a fraud prevention agency – I want it removed as it wasn’t my fault”
• “I did a subject access request to a fraud prevention agency and found out my bank recorded information with it – I want the bank to remove it”

The questions we might have to consider when deciding what’s fair and reasonable include:

• Was it fair and reasonable for the business to report information to a fraud-prevention agency in all the circumstances? When deciding this, one thing we’ll think about is whether the business can demonstrate it met the test for recording fraud markers set by the fraud prevention agencies – typically that it had reasonable grounds to believe that fraud or a financial crime has been committed or attempted; and the evidence of it is clear, relevant and rigorous, such that the conduct could confidently be reported to the police.
• Did the financial business make a mistake when it recorded information about a customer with a fraud-prevention agency? We’ll review the information about the customer on the database and check whether it’s accurate.