The Co-operative Bank has become the ninth bank to sign up to a code to protect customers from bank transfer scams and reimburse victims. But as many as 10 banks are still dragging their heels.
The Contingent Reimbursement Model (CRM) Code was introduced in May 2019 and sets out standards to detect and prevent bank transfer fraud – also known as authorised push payment (APP) fraud.
APP scams involve a victim being tricked into authorising a payment to an account that they believe belongs to a person or company they know and trust, but is in fact held by a scammer. In the first half of 2019, 57,549 victims lost £208m as a result of this type of fraud.
Crucially, as well as preventative measures, banks that sign up to the code have to commit to reimbursing those who lose money through no fault of their own.
Here, Which? explains how the code works and identifies the banks that have yet to sign up.
How do new bank transfer fraud rules work?
The code sets out standards for banks and building societies to follow to make sure they are protecting customers from the risk of bank transfer fraud.
This includes detecting payments at high-risk of resulting from a scam, providing warnings to customers about the risks of sending money via a bank transfer and identifying customers who might be vulnerable to scams.
Under the rules, victims who have lost money via a bank transfer through no fault of their own will get their money back.
Compensation will be paid either by their own bank, or the bank that received the money if either bank failed to meet the standards set out in the code. If the banks did everything right, victims will be reimbursed from a fund contributed to by major banks, although this is only guaranteed until the end of March.
However, to be reimbursed, you’ll need to have followed a set of standards. Your bank could refuse to compensate you if:
- You ignored warnings about scams when setting up and amending payees, or before making a payment
- You did not take care to establish that the person you were sending money to was legitimate
- You were ‘grossly negligent’ – although this is not defined in the code
- You’re a small business or charity and did not follow internal procedures for making payments
- You acted dishonestly when you reported the scam
Which banks have and have not signed up to the code?
Currently, 10 major current account providers have yet to sign up to the code including:
- Bank of Ireland
- Clydesdale Bank
- Danske Bank
- First Trust Bank
- Tesco Bank
- Virgin Money
- Yorkshire Bank
You can use the table below to find out if your bank is signed up and if not when it plans to.
The last time we contacted Monzo it told us the code would be implemented ‘by the end of July’, although this had not happened as of 17 December.
A further three – Danske Bank, First Trust Bank and N26 – told us they were still assessing what becoming a signatory involves.
TSB, meanwhile, has gone beyond the requirements of the code by committing to compensate any blameless customer that is a victim to a scam.
- Find out more: best and worst banks for dealing with card fraud
‘Protection should be mandatory’
Which? is urging all banks and building societies to sign up to the voluntary code, but ultimately we believe this level of protection should be made mandatory.
Gareth Shaw, head of money at Which?, said: ‘This is an important step from the Co-operative Bank and its customers should now be better protected against devastating transfer fraud.
‘However, many other current account providers are still not signed up to these vital protections, exposing their customers to a greater risk of losing life-changing sums of money.
‘A voluntary approach to protecting scam victims is not enough. The code should be made mandatory and the government must work together with regulators and the industry to put in place long-term plans to ensure no blameless victims are left out of pocket.’
- Which? has been campaigning for better protect people from fraudsters. If you want to support our campaign sign our petition: Stamp Out Scams.
What to do if you’re the victim of a bank transfer scam
If you’ve sent money to a scammer, contact your bank immediately. It should try to get your money back from the bank you sent it to.
If your bank has signed up to the CRM code, and the scam happened after 28 May 2019, you should be told whether you’ll be reimbursed within 15 business days (or 35 days if it needs to investigate).
If your bank hasn’t signed up, and it can’t retrieve the funds, compensation may depend on whether your bank believes you authorised the transaction, and whether you were ‘grossly negligent’.
Whether a signatory or not, if your bank unfairly refuses a refund, you can make a complaint to the Financial Ombudsman Service.
You can also report any scams to Action Fraud, the national fraud and cyber crime reporting centre.
- Find out more: what to do if you’re the victim of a bank transfer scam