Fraud and scams

Plastic card fraud involves any kind of spending on a plastic card that wasn’t authorised by the cardholder. It happens in a variety of places, including shops, bars and restaurants, and also with goods or services bought online or over the phone.

Typically, the customer notices the transaction on their account and complains that they didn’t make or authorise it. The transaction may have been made with a debit or credit card and by presenting the card in person or remotely.

We may never know in many of these cases with certainty what happened. Our role will be to establish what we think is most likely to have happened. To help us understand this, we’ll ask for information from the customer and you, including:

• where the customer was at the time of the disputed transaction
• how the transaction was made – whether in person, by phone or over the internet
• the nature of the transaction, including when and where it was made, and what it was used to pay for
• the outlet where the transaction was made
• how the transaction was verified by the system, for example, by personal identification number (PIN) or password
• the electronic audit trail for the transaction
• the customer’s previous use of the plastic card

If we decide that the customer didn’t make or authorise the disputed transaction, we’ll then assess whether they have any liability for it – and, if so, how much.

In making that assessment, we’ll take into account:

• the account terms and conditions
• the law, such as the Payment Services Regulations
• industry codes of practice
• sections 83 and 84 of the Customer Credit Act 1974, when the withdrawal was made using a credit facility

Many of the complaints we see are from customers who tell us they were tricked into handing over confidential information that enabled fraudsters to access their money. For example, the customer may have:

• received an official-looking email or text message they believed to be from their bank or another trusted organisation, with a link to a fake website – where the customer then entered confidential banking details
• got a phonecall claiming to be from their bank or another organisation they believed to be genuine, and were tricked into handing over confidential information about their account

Generally, when a customer has not authorised a transaction, they’re not liable for the loss – unless they’ve failed with intent, or ‘gross negligence’ to keep their payment and security information safe. Frequently, then, the dispute will centre on whether the customer acted in a ‘grossly negligent’ way. We consider the bar for gross negligence to be a very high one.

If we’re satisfied the customer didn’t authorise the transaction and was the victim of a scam, we’ll want to understand how the customer was manipulated into sharing sensitive information. For instance, if the customer received a fraudulent email or text message, we’ll want to see it.

A common feature of many scams is that the fraudster will often create an environment which plays on the emotions of the consumer – for example fear of losing all their money. We’ll take into account the environment created by the fraudster as part of our considerations.

One of the fastest-growing types of fraud is ‘authorised push payment’ (APP) fraud – where people unwittingly act on fraudsters’ instructions and carry out the transactions themselves. Fraudsters use a wide variety of methods to carry out APP fraud. The following two scenarios are typical of the complaints we see.

• The customer is expecting to make a payment for goods or services, but is tricked into making the payment to an account controlled by the fraudster. Typically this happens after the customer responds to an invoice attached to a fake or intercepted email claiming to be from the person or organisation the customer was expecting to pay.
• The customer receives a phone call from ‘their bank’, telling them that their account is at risk and they need to temporarily move their money to another account to keep it safe. The fraudster will use information they’ve researched about the customer in advance to sound convincing. They can even make the bank’s official phone number display in the caller ID screen on the customer’s phone (often referred to as ‘spoofing’).

Our approach to APP fraud complaints

Investigating complaints involving APP fraud can be a complex process. The starting position at law – based on current regulations – is that liability rests with the customer if they consented to the transaction. But this isn’t the end of the story.

So, as well as wanting to understand how the scam unfolded, and how the customer was deceived, we’ll want to consider the bank’s behaviour, too. Businesses, for example, are more likely to have greater knowledge of the range of frauds that exist today then the average customer and are sometimes in a better position to identify a potential fraud.

This means we’ll ask you a range of questions to understand how you handled the transaction – for example:

• what security checks did you carry out?
• were there any triggers that should have made you question the customer about the transaction? (For example, was it a large or unusual transaction? Did the transaction seem out of character? Was it to a new payee?)
• if you’d asked more or different questions, is that likely to have made a difference to the outcome?

We’ll also consider relevant industry guidance and codes of practice in place at the time of the scam, including:

• UK Finance best practice standards for responding to APP scam claims
• the Banking Protocol
• BSI PAS 17271:2017 – ‘Protecting customers from financial harm as a result of fraud or financial abuse – code of practice’

And if the transaction involves a vulnerable customer, we’ll consider the best-practice principles set out in ‘BBA – improving outcomes for customers in vulnerable circumstances.’

ID theft happens when a fraudster uses someone else’s identity to obtain goods and services. The most common example we see is where a customer tells us a fraudster has applied for a loan (usually from a payday loan company) in their name, and then withdrawn the loaned money from their current account. Often the complaint centres on who should bear the loss, and to what extent.

In cases like this, where the consumer did not make the loan application, its usually appropriate for the lender to put things right. So we’d take the view that the complaint should be directed against the loan company in the first instance.

When we investigate this type of complaint, key things we’ll want to establish are:

• did the customer play any part in the loan application?
• did the customer play any part in the withdrawal of the proceeds from their account?

To help us decide, we’ll ask for a range of information from the customer, the bank and the lender – along with evidence to back up what they tell us.

Questions we’ll ask the customer might include:

• how did they become aware of the problem?
• have any important documents, such as passports or driving licenses, gone missing?
• if so, did they report the loss in order to get a replacement, and can they show us evidence to prove this?

We’ll ask the lender to explain the reasons why they believe the customer is responsible for the loan. We’ll also ask the lender to give us:

• a copy of the loan application documents (including any ID documents provided)
• a copy of their investigation and customer notes
• details of any technical information such as the IP address from which the application was made, if it was made online
• details of their customer ID processes

We’ll ask the bank to give us:

• an audit trail showing the transactions in question
• statements for the period in question
• the customer’s address history
• the card and PIN history (where a card was used)
• details of the customer reporting the card as lost or stolen (where a card was used)
• the online/mobile banking security credential issue history
• the online/mobile banking access history
• a copy of their customer and investigation notes

After we’ve looked at the evidence, we may decide the customer didn’t take out the loan, but did withdraw or use the proceeds of the loan . We’ll consider carefully what happened and whether it’s appropriate or not to ask the loan company to write off the debt in all the circumstances.

Fraud prevention agencies hold information about people who’ve committed fraud in the financial services sector. They also hold information about people who’ve been the victim of fraud or identity theft. The largest cross-sector fraud prevention agency in the UK is CIFAS.

We can’t look at complaints against fraud prevention agencies themselves. But we can look at complaints about financial businesses that have passed information on to a fraud prevention agency.

Whilst fraud prevention markers are a valuable tool in the fight against fraud, they can have serious consequences for consumers if not applied fairly. Things we typically hear from customers experiencing problems as a result of a fraud prevention marker applied by their bank are:

• ‘I haven’t been able to open a bank account’
• ‘my bank closed my account and I can’t open another one’
• ‘I applied for a mortgage but it was rejected – the lender said there was adverse information about me, but I can’t find anything on my credit file’
• ‘I was scammed but the business recorded information about me with a fraud prevention agency – I want it removed as it wasn’t my fault’
• ‘I did a subject access request to a fraud prevention agency and found out my bank recorded information with it – I want the bank to remove it’

The questions we might have to consider when deciding what’s fair and reasonable include:

• Was it fair and reasonable for the business to report information to a fraud prevention agency in all the circumstances? When deciding this, one thing we’ll think about is whether the business can demonstrate it met the test for recording fraud markers set by the fraud prevention agencies – typically that it had reasonable grounds to believe that fraud or a financial crime has been committed or attempted; and the evidence of it is clear, relevant and rigorous, such that the conduct could confidently be reported to the police.
• Did the financial business make a mistake when it recorded information about a customer with a fraud prevention agency? We’ll review the information about the customer on the database and check whether it’s accurate.