We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.

Coronavirus Read our latest advice

Co-operative Bank adopts new rules to protect and refund fraud victims

Has your bank signed up to protect you?

Co-operative Bank adopts new rules to protect and refund fraud victims

The Co-operative Bank has become the ninth bank to sign up to a code to protect customers from bank transfer scams and reimburse victims. But as many as 10 banks are still dragging their heels.

The Contingent Reimbursement Model (CRM) Code was introduced in May 2019 and sets out standards to detect and prevent bank transfer fraud – also known as authorised push payment (APP) fraud.

APP scams involve a victim being tricked into authorising a payment to an account that they believe belongs to a person or company they know and trust, but is in fact held by a scammer. In the first half of 2019, 57,549 victims lost £208m as a result of this type of fraud.

Crucially, as well as preventative measures, banks that sign up to the code have to commit to reimbursing those who lose money through no fault of their own.

Here, Which? explains how the code works and identifies the banks that have yet to sign up.


How do new bank transfer fraud rules work?

The code sets out standards for banks and building societies to follow to make sure they are protecting customers from the risk of bank transfer fraud.

This includes detecting payments at high-risk of resulting from a scam, providing warnings to customers about the risks of sending money via a bank transfer and identifying customers who might be vulnerable to scams.

Under the rules, victims who have lost money via a bank transfer through no fault of their own will get their money back.

Compensation will be paid either by their own bank, or the bank that received the money if either bank failed to meet the standards set out in the code. If the banks did everything right, victims will be reimbursed from a fund contributed to by major banks, although this is only guaranteed until the end of March.

However, to be reimbursed, you’ll need to have followed a set of standards. Your bank could refuse to compensate you if:

  • You ignored warnings about scams when setting up and amending payees, or before making a payment
  • You did not take care to establish that the person you were sending money to was legitimate
  • You were ‘grossly negligent’ – although this is not defined in the code
  • You’re a small business or charity and did not follow internal procedures for making payments
  • You acted dishonestly when you reported the scam

Which banks have and have not signed up to the code?

Currently, 10 major current account providers have yet to sign up to the code including:

  • Bank of Ireland
  • Citibank
  • Clydesdale Bank
  • Danske Bank
  • First Trust Bank
  • Monzo
  • N26
  • Tesco Bank
  • Virgin Money
  • Yorkshire Bank

You can use the table below to find out if your bank is signed up and if not when it plans to.

The last time we contacted Monzo it told us the code would be implemented ‘by the end of July’, although this had not happened as of 17 December.

A further three – Danske Bank, First Trust Bank and N26 – told us they were still assessing what becoming a signatory involves.

TSB, meanwhile, has gone beyond the requirements of the code by committing to compensate any blameless customer that is a victim to a scam.

‘Protection should be mandatory’

Which? is urging all banks and building societies to sign up to the voluntary code, but ultimately we believe this level of protection should be made mandatory.

Gareth Shaw, head of money at Which?, said: This is an important step from the Co-operative Bank and its customers should now be better protected against devastating transfer fraud.

‘However, many other current account providers are still not signed up to these vital protections, exposing their customers to a greater risk of losing life-changing sums of money.

‘A voluntary approach to protecting scam victims is not enough. The code should be made mandatory and the government must work together with regulators and the industry to put in place long-term plans to ensure no blameless victims are left out of pocket.’

What to do if you’re the victim of a bank transfer scam

If you’ve sent money to a scammer, contact your bank immediately. It should try to get your money back from the bank you sent it to.

If your bank has signed up to the CRM code, and the scam happened after 28 May 2019, you should be told whether you’ll be reimbursed within 15 business days (or 35 days if it needs to investigate).

If your bank hasn’t signed up, and it can’t retrieve the funds, compensation may depend on whether your bank believes you authorised the transaction, and whether you were ‘grossly negligent’.

Whether a signatory or not, if your bank unfairly refuses a refund, you can make a complaint to the Financial Ombudsman Service.

You can also report any scams to Action Fraud, the national fraud and cyber crime reporting centre.

Back to top
Back to top