Fraud and scams

Information we will ask for when we receive a complaint

• Complaints about tansactions covered by the Contingent Reimbursement Model (CRM) code

  Complaints about Authorised Push Payment (APP) scam

  We would expect to see:

  • a summary of the main reasons why you believe the customer shouldn’t be reimbursed
  • the specific exceptions under the CRM code you’re relying on. For declined claims, we need to know which reason under the code you have applied
  • if the claim has not been considered under the code, we need to know why
  • any assessment of consumer vulnerabilities
  • evidence of any warnings provided to the customer during the payment journey (screenshot)
  • evidence of such warnings in the audit trail/evidence of the payment purpose selected
  • evidence how long the customer was on the screen for
  • evidence of any confirmation of payee (CoP) checks and results
  • evidence of the CoP check and result displayed to the customer (screenshot)
  • fraud investigation notes
  • evidence of the contact  and any responses, showing date and time contact was made
  • confirmation of any funds recovered and when these were paid back
  • confirmation of any liability assessment from the
    complaint notes
  • call recordings of the scam being reported and any other relevant calls discussing the scam
  • evidence of the date and time the scam was first reported
  • if any of the payments were flagged or held
  • evidence of any intervention (call recordings, SMS, branch staff notes)
  • account statements from six months prior to the scam
  • terms and conditions applicable at the time
  • audit trail of the payment in dispute (for example, online banking audit trail) and any supporting key code
  • process for transactions if the transaction was made in your branch, such as scripts/checklists read or completed and the branch staff version of events
  • electronic slip/audit trail for the transactions
  • fraud case correspondence sent to the consumer
  • any supporting evidence the firm requested from the customer
  • any other evidence relied on
  • a summary of the main reasons why the bank believes the customer shouldn’t be reimbursed
  • If the customer contacted you to discuss the transaction before carrying it out,  please provide details and any call recording at the time.
  • if the warning was provided when the customer chose a payment purpose from a menu of options, please provide the menu of payment options and which option they chose

  Complaints about the bank who received the funds

  For complaints about account opening (prevention)

  We would expect to see:

  • date when the account was opened
  • evidence of the PSP’s account opening process
  • copy of the identification verification documents obtained
  • copy of the address verification documents obtained
  • confirmation of checks completed (electronic or manual)
  • completed application form
  • information gathered at account opening about intended and expected use of the account

  For complaints about ongoing monitoring (detection)

  We would expect to see:

  • unredacted account statements from 31 January 2019 (or opening if later) till disputed payments spent and/or account blocked
  • confirmation if incoming payments had beneficiary name match or mis-match
  • confirmation of any systems triggers or alerts
  • confirmation of notifications of fraud – time and dates these arrived
  • call recordings of any conversations with the customer about the account activity
  • if applicable, share what the accountholder provided as evidence of source of funds/entitlement
  • confirm what happened when fraud was reported – did account holder respond? If so what did they say about the account activity

  Complaints about notification of fraud (response)

  We would expect to see:

  • confirmation of time and date notification received
  • account statements showing what funds were remaining in the account at the time
  • evidence to show that these were returned to sending bank

• Complaints about transactions not covered by the Contingent Reimbursement Model (CRM) code

  Complaints about Authorised Push Payment (APP) scam

  We would expect to see:

  • explanation why you are holding the consumer liable
  • assessment of consumer vulnerabilities
  • evidence of any warnings provided to the consumer during the payment journey (screenshot)
  • evidence of such warnings in the audit trail
  • evidence of the payment purpose selected
  • evidence of how long the customer was on the screen for
  • evidence of any confirmation of payee (CoP) checks and results
  • evidence of the CoP check and result displayed to the customer (screenshot)
  • how long the customer was on the screen for
  • evidence of any intervention (call recordings, SMS, branch staff notes)
  • statements from six months prior to the scam
  • terms and conditions applicable at the time
  • audit trail of the payment in dispute (for example online banking, audit trail) and any supporting key code
  • a summary of the effort to try and recover the funds when the scam was reported
  • a clear timeline including accurate details of when you were made aware of the scam and when you were contacted
  • fraud case correspondence sent to the consumer
    

  For branch transactions, we would expect to see:

  • the branch processes for the transactions, for example any scripts/checklists read or completed
  • the branch staff version of events and electronic slip/audit trail for the transactions
  • the procedures for vulnerable consumers and identifying fraud and scams (if applicable)

  Complaints about the bank who received the funds

  Complaints about account opening

  We would expect to see the following information if the account was opened on or after 31 January 2019:

  • evidence of the PSP’s account opening process
  • copy of the identification verification documents obtained
  • copy of the address verification documents obtained
  • confirmation of checks completed (electronic or manual).
  • completed application form
  • information gathered at account opening about intended and expected use of the account

  Complaints about ongoing monitoring (detection)

  We would expect to see:

  • unredacted account statements from 31 January 2019 (or opening if later) till disputed payments spent and/or account blocked
  • confirmation if incoming payments had beneficiary name match or mis-match
  • confirmation of any systems triggers or alerts
  • confirmation of notifications of fraud – time and dates these arrived
  • call recordings of any conversations with the customer about the account activity
  • if applicable, share what the accountholder provided as evidence of source of funds/entitlement
  • confirm what happened when fraud was reported – did account holder respond? If so what did they say about the account activity

  Complaints about notification of fraud (response)

  We would expect to see:

  • confirmation of time and date notification received
  • account statements showing what funds were remaining in the account at the time
  • evidence to show that these were returned to sending bank

• Card payments to investment scams

  For complaints where the customer was tricked into making a payment with their credit or debit card to an investment scam, we would need to see:

  • details of why the bank declined to refund the customer
  • evidence to show if any of the disputed payments were flagged on your fraud prevention system 
  • evidence of any interventions (for example phone calls or texts) and why they were carried out
  • statements covering the disputed period and 12 months prior to the first payment to the scam, making clear what payments are disputed
  • any information provided to report the scam including any call recordings, please make sure they are dated 
  • evidence, dates and times of the attempts to recover the loss for example, when the contact was made or the outcome of a chargeback claim
  • if the customer got anything back from the merchant and what the MCC Code was
  • if the payment was to a UK or international account
  • if the payment was to the customer’s own account or the fraudster’s account
  • if this is a merchant/payee that you’ve banned payments
  • details of why the payment has not been refunded if it is a banned payee and the payments before the ban
  • any consideration under Section 75  if the complaint involves a credit card account
  • how the loss was funded for example, if the money was in the customer’s account at the time, or in a savings account or borrowed from a loan or family/friends
  • if funded by a loan, we need to see the paperwork for the account and details about the loan such as who it was with and what the reason of the loan was
  • the type of account the payment was from, for example a sole or joint account, a current account, credit card 
  • details of any known vulnerabilities about the customer
  • any supporting information the customer provided about the scam
  • warnings provided to the customer during the payment journey and any options they selected
  • evidence/supporting information if this is considered to be a civil dispute or anything other than a scam

• Complaints involving plastic-card transactions

  For complaints that involve unauthorised payments or withdrawals taken from customer account, you will need to provide us with:

  • statements from the period of the disputed transactions and six months leading up to the transactions
  • terms and conditions of the account
  • electronic records (an audit trail) to show how the disputed transactions were authenticated. For example, chip read, PIN entered, card not present, contactless
  • If 3D Secure was used. Any biometrics used such as the customer’s fingerprint
    electronic record key so we can understand the report
  • online/mobile banking records covering the same time period as the disputed transactions
  • all relevant call recordings including the call when the disputed transactions were reported if applicable
  • card/PIN history
  • CCTV (where available) or an explanation why it is not available if applicable
  • for distance contracts (card not present transactions), all information obtained from the merchants in question. Or, if this wasn’t requested, please explain why

  For complaints where the customer lost money by depositing money or withdrawing money from their account at an ATM, you will need to provide us with:

  • evidence of the ATM balanced before and after the disputed withdrawal
  • information about any notes located in the purge boxes after the withdrawal was attempted, why this hasn’t been linked to the disputed withdrawal and if this hasn’t been obtained, please explain why
  • CCTV of the ATM at the time of the disputed withdrawal. If unavailable, please explain why

  For complaints where the customer lost money by depositing money or withdrawing money from their account at the bank’s branch, you will need to provide us with:

  • evidence of the balancing sheets at the end of the day
  • a statement from the member of staff who served the customer to understand their recollection of the event
  • if there have been other reports of withdrawal discrepancies within that branch around the same time
  • CCTV from within the branch at the time of the withdrawal. If unavailable, please explain why

• Complaints involving fraud-prevention agencies

  For complaints about fraud prevention agencies (CIFAS), you will need to provide us with:

  • explanation why the customer’s details have been reported to CIFAS, including the category it was reported under and the date
  • explanation why the customer’s details have been reported to CIFAS, including the category it was reported under and the date
  • the evidence as to why the customer was reported needs to be rigorous. This should include any fraud reports received from other banks and why the bank thinks the consumer was involved, rather than just being an innocent party
  • call recordings from when the bank questioned the customer about any fraud report, or any activity on the account that led to the CIFAS reporting
  • statements from the period of the disputed transactions and six months leading up to the transactions
  • terms and conditions of the account
  • electronic records (an audit trail) to show how the disputed transactions were authenticated. For example, chip read, PIN entered, card not present, contactless, if 3D Secure was used. Any biometrics used such as the customer’s fingerprint 
  • electronic record key so we can understand the report
  • online/mobile banking records covering the same time period as any disputed transactions
  • card/PIN history
  • CCTV (where relevant) or an explanation why it is not available if applicable
  • for distance contracts (card not present transactions), all information obtained from the merchants in question. Or, if this wasn't requested, an explanation why
  • records of any other fraud markers (Hunter, CIRA etc)

• Identity theft complaints

  For complaints where the customer said a loan or other form of credit taken out in their name without their knowledge, you will need to provide us with

  • full details of the loan application and how it was processed (online, phone, in person)
  • all details provided on the application (email address, contact number, address)
  • evidence of checks conducted to confirm identity, CRA searches, existing connection
  • evidence of correspondence/information/welcome pack including where and how it was sent
  • full statements for account including details of any payments and account from where any direct debit was set up
  • full contact history from the customer, to include when the ID Theft was first reported, contact number/email address used for that contact
  • full investigation notes with explanation for how you reached the outcome 
  • details of any contact between the lender and any other firm (such as the bank that received the funds)
  • if a scam is involved, any information the customer has shared
  • if the complaint includes an allegation of irresponsible lending – full details of how the lending decision was assessed and made

• Sharing information with third-party

  For complaints where the customer has shared confidential information with a third party, you will need to provide us with:

  • statements from the period of the disputed transactions and six months leading up to the transactions
  • terms and conditions of the account
  • electronic records (an audit trail) to show how the disputed transactions were authenticated. For example, chip read, PIN entered, card not present, contactless, if 3D Secure was used, any biometrics used such as the customer’s fingerprint
  • where and how someone else other than the customer has been able to carry out the transactions, for example was it a change of IP address
  • electronic record key so we can understand the report
  • online and mobile banking records covering the same time period as the disputed transactions
  • all relevant call recordings including the call when the disputed transactions were reported if applicable
  • card and PIN history
  • for distance contracts (card not present transactions), all information obtained from the merchants in question or details why it wasn’t requested if applicable

• Complaints involving plastic-card transactions

  Plastic-card fraud involves any kind of spending on a plastic card that wasn’t authorised by the cardholder. It happens in a variety of places, including shops, bars and restaurants, and also with goods or services bought online or over the phone.

  Typically, the customer notices the transaction on their account and complains they didn’t make or authorise it. The transaction may have been made with a debit or credit card and by presenting the card in person or remotely.

  In many of these cases we may never know for certain what happened. Our role will be to establish what we think is most likely to have happened. To help us understand this, we’ll ask for information from the customer and you, including:

  • where the customer was at the time of the disputed transaction
  • how the transaction was made – whether in person, by phone or over the internet
  • the nature of the transaction, including when and where it was made, and what it was used to pay for
  • the outlet where the transaction was made
  • how the transaction was verified by the system, for example, by personal identification number (PIN) or password
  • the electronic audit trail for the transaction
  • the customer’s previous use of the plastic card

  If we decide the customer didn’t make or authorise the disputed transaction, we’ll then assess whether they have any liability for it – and, if so, how much.

  In making that assessment, we’ll take into account:

  • the account terms and conditions
  • the law, such as the Payment Services Regulations
  • industry codes of practice
  • sections 83 and 84 of the Customer Credit Act 1974, if the withdrawal was made using a credit facility

• Scams complaints – transactions unauthorised by the customer

  Many of the complaints we see are from customers who tell us they were tricked into handing over confidential information that enabled fraudsters to access their money. For example, the customer may have:

  • received an official-looking email or text message they believed to be from their bank or another trusted organisation, with a link to a fake website – where the customer then entered confidential banking details
  • got a phone call claiming to be from their bank or another organisation they believed to be genuine, and were tricked into handing over confidential information about their account

  Generally, when a customer has not authorised a transaction, they’re not liable for the loss – unless they’ve failed with intent or “gross negligence” to keep their payment and security information safe. Often, then, the dispute will centre on whether the customer acted in a “grossly negligent” way. We consider the bar for gross negligence to be very high.

  If we’re satisfied the customer didn’t authorise the transaction and was the victim of a scam, we’ll want to understand how the customer was manipulated into sharing sensitive information. For instance, if the customer received a fraudulent email or text message, we’ll want to see it.

  A common feature of many scams is that the fraudster will often create an environment which plays on the emotions of the consumer – for example fear of losing all their money. We’ll take into account the environment created by the fraudster as part of our considerations.

• Scams complaints – transactions authorised by the customer

  One of the fastest-growing types of fraud is “authorised push payment” (APP) fraud – where people unwittingly act on fraudsters’ instructions and carry out the transactions themselves. Fraudsters use a wide variety of methods to carry out APP fraud. The following 2 scenarios are typical of the complaints we see.

  • The customer is expecting to make a payment for goods or services, but is tricked into making the payment to an account controlled by the fraudster. Typically this happens after the customer responds to an invoice attached to a fake or intercepted email claiming to be from the person or organisation the customer was expecting to pay.
  • The customer receives a phone call from “their bank”, telling them their account is at risk and they need to temporarily move their money to another account to keep it safe. The fraudster will use information they’ve researched about the customer in advance to sound convincing. They can even make the bank’s official phone number display in the caller ID screen on the customer’s phone (often referred to as “spoofing”).

  Our approach to APP fraud complaints

  Investigating complaints involving APP fraud can be a complex process. The starting position at law – based on current regulations – is that liability rests with the customer if they consented to the transaction. But this isn’t the end of the story.

  So, as well as wanting to understand how the scam unfolded, and how the customer was deceived, we’ll want to consider the bank’s behaviour, too. Businesses, for example, are more likely to have greater knowledge of the range of frauds that exist today than the average customer and are sometimes in a better position to identify a potential fraud.

  This means we’ll ask you a range of questions to understand how you handled the transaction – for example:

  • what security checks did you carry out?
  • were there any triggers that should have made you question the customer about the transaction? (For example, was it a large or unusual transaction? Did the transaction seem out of character? Was it to a new payee?)
  • if you’d asked more or different questions, is that likely to have made a difference to the outcome?

  We’ll also consider relevant industry guidance and codes of practice in place at the time of the scam, including:

  • UK Finance best-practice standards for responding to APP scam claims
  • the Banking Protocol
  • BSI PAS 17271:2017 – ‘Protecting customers from financial harm as a result of fraud or financial abuse – code of practice’

  And if the transaction involves a vulnerable customer, we’ll consider the best-practice principles set out in ‘BBA – improving outcomes for customers in vulnerable circumstances.’

  Example decisions

  We publish all final decisions made by our ombudsmen in our database. Below are a selection of final decisions made on cases involving APP fraud.

  Examples of cases we upheld:

  • Mr R's complaint about Lloyds Bank Plc. Final decision on 21 November 2019.
  • Mrs H's complaint about Santander UK Plc. Final decision on 1 November 2019.
  • Mr and Mrs S's complaint about National Westminster Bank Plc. Final decision on 14 November 2019.
  • Mrs S's complaint about Santander UK Plc. Final decision on 1 November 2019. 

  Examples of cases which were not upheld:

  • Mr and Mrs G's complaint about Lloyds Bank Plc. Final decision on 28 November 2019.
  • Mrs T's complaint about Bank of Scotland Plc. Final decision on 3 December 2019. 

• Identity theft complaints

  ID theft happens when a fraudster uses someone else’s identity to obtain goods and services. The most common example we see is where a customer tells us a fraudster has applied for a loan (usually from a payday loan company) in their name, and then withdrawn the loaned money from their current account. Often the complaint centres on who should bear the loss, and to what extent.

  In cases like this, where the consumer did not make the loan application, it’s usually appropriate for the lender to put things right. So we’d take the view that the complaint should be directed against the loan company in the first instance.

  When we investigate this type of complaint, key things we’ll want to establish are:

  • did the customer play any part in the loan application?
  • did the customer play any part in the withdrawal of the proceeds from their account?

  To help us decide, we’ll ask for a range of information from the customer, the bank and the lender – along with evidence to back up what they tell us.

  Questions we’ll ask the customer might include:

  • how did they become aware of the problem?
  • have any important documents, such as passports or driving licences, gone missing?
  • if so, did they report the loss in order to get a replacement, and can they show us evidence to prove this?

  We’ll ask the lender to explain the reasons why they believe the customer is responsible for the loan. We’ll also ask the lender to give us:

  • a copy of the loan application documents (including any ID documents provided)
  • a copy of their investigation and customer notes
  • details of any technical information such as the IP address from which the application was made, if it was made online
  • details of their customer ID processes

  We’ll ask the bank to give us:

  • an audit trail showing the transactions in question
  • statements for the period in question
  • the customer’s address history
  • the card and PIN history (where a card was used)
  • details of the customer reporting the card as lost or stolen (where a card was used)
  • the online/mobile banking security credential issue history
  • the online/mobile banking access history
  • a copy of their customer and investigation notes

  After we’ve looked at the evidence, we may decide the customer didn’t take out the loan, but did withdraw or use the proceeds of the loan. We’ll consider carefully what happened and whether it’s appropriate or not to ask the loan company to write off the debt in all the circumstances.

• Complaints involving fraud-prevention agencies

  Fraud-prevention agencies hold information about people who’ve committed fraud in the financial services sector. They also hold information about people who’ve been the victim of fraud or identity theft. The largest cross-sector fraud-prevention agency in the UK is CIFAS.

  We can’t look at complaints against fraud prevention agencies themselves. But we can look at complaints about financial businesses that have passed information to a fraud prevention agency.

  Fraud-prevention markers (on customer files) are a valuable tool in the fight against fraud but can have serious consequences for consumers if not applied fairly. Things we typically hear from customers facing problems as a result of a fraud-prevention marker applied by their bank are:

  • “I haven’t been able to open a bank account”
  • “My bank closed my account and I can’t open another one”
  • “I applied for a mortgage but it was rejected – the lender said there was adverse information about me, but I can’t find anything on my credit file”
  • “I was scammed but the business recorded information about me with a fraud prevention agency – I want it removed as it wasn’t my fault”
  • “I did a subject access request to a fraud prevention agency and found out my bank recorded information with it – I want the bank to remove it”

  The questions we might have to consider when deciding what’s fair and reasonable include:

  • Was it fair and reasonable for the business to report information to a fraud-prevention agency in all the circumstances? When deciding this, one thing we’ll think about is whether the business can demonstrate it met the test for recording fraud markers set by the fraud prevention agencies – typically that it had reasonable grounds to believe that fraud or a financial crime has been committed or attempted; and the evidence of it is clear, relevant and rigorous, such that the conduct could confidently be reported to the police.
  • Did the financial business make a mistake when it recorded information about a customer with a fraud-prevention agency? We’ll review the information about the customer on the database and check whether it’s accurate.