Banks are failing to properly implement a code designed to protect customers who fall victim to bank transfer scams, a banking watchdog has found.
The Lending Standards Board (LSB), which oversees the code, has written to banks after its latest review found they failed to act on recommendations it made more than a year ago.
Here, we explain how bank transfer fraud works and what more banks can do to protect their customers.
One of the most common methods scammers use is to call you and pose as a member of your bank's fraud team, warning you that you need to move your money to a safe account.
In May 2019, some of the UK's biggest banks signed up to a voluntary code, based on the principle that blameless victims should be reimbursed their losses.
But more than two years on, banks are still reluctant to say how many customers they've refunded.
In a damning new report, the LSB has raised a host of concerns about how banks are implementing the code.
It says it found 'systemic failings' in how banks are applying the guidance, and has written to firms demanding that they take action.
The LSB's review also concluded that banks have failed to fully address a series of recommendations it raised in its previous report in April 2020.
Emma Lovell, chief executive of the LSB, says: 'Firms must act immediately to implement the recommendations that were issued to them in the original review and those now raised in the follow up.
'Timebound action plans are in place and firms are clear on our expectations as governor of the code.'
Which? is concerned that banks are only reimbursing scam victims in a small number of cases, and as reimbursement data is anonymous, there is no way of knowing which banks offer the best support to victims, and which need to do better.
In May, we wrote to all major banks signed up to the code urging them to commit to regularly publishing data, but Barclays was the only respondent to agree to do so 'periodically'.
Which? has asked the Payment Services Regulator (PSR) to order firms to publish this information. In response, it said it would consult on next steps in the coming months.
The voluntary code designed to protect blameless fraud victims was launched in 2019, but not all banks have signed up.
Which? has long campaigned for the code to be made mandatory, to offer consumers a greater level of protection and ensure a level paying field.
We believe that a voluntary approach to protecting scam victims isn't enough, and that banks who fail to sign up to offer protections are exposing their customers to a greater risk of losing life-changing sums of money.
The LSB has expressed concerns about how quickly banks are dealing with complaints from customers who fall victim to APP fraud.
The code states that banks should let you know within 15 business days (or 35 days in 'exceptional circumstances') whether you're entitled to get your money back under the code.
Some banks are failing to meet this requirement. The LSB also says it has seen 'little evidence' of banks providing updates to customers who face delays to their claims, prolonging uncertainty and stress.
The LSB says banks are placing disproportionate responsibility on their customers.
When looking at decisions published by the Financial Ombudsman (FOS), we can see that some banks are interpreting the code in a way that allows them to avoid reimbursing victims.
In one instance, HSBC refused to refund a customer on the basis they should have checked whether a company was registered at Companies House before sending money.
The FOS described this as 'a step many reasonable customers would not take', and ruled that the bank should reimburse the customer in full.
The LSB found that many banks are providing incorrect information about timescales and giving poor explanations of how reimbursements work.
In addition, it says there is a 'clear indication' that some employees require further training about the code.
It says documentation of the rationale for refusing to reimburse customers was 'non-existent' in some cases, and customers were not given an opportunity to address the reasons why they were held liable.
The review found that the identification of customers' vulnerability and susceptibility to scams was 'not very well developed'.
It says customers faced close questioning when they reported scams, making it difficult to identify any vulnerability.
In a small number of cases, banks did not use evidence of vulnerability when considering reimbursement.
Finally, the government is considering a proposal from banks to use money from criminals' frozen bank accounts to refund scam victims.
A YouGov survey of 1,700 people found that such a method could be popular, with three quarters of respondents in favour.
There are, however, significant concerns about whether the amount frozen in such accounts would be sufficient to reimburse victims.
If you think you've been scammed, it's important to contact your bank immediately.
Time is of the essence, as your bank may be able to stop the transaction from going through or recover the money.
You should also contact the bank the money was sent to and provide it with the account number the fraudster gave you.
If your bank is signed up to the code, it should reimburse you the money, as long as you can show you've paid attention to warnings it provided before making the transfer, had a reasonable basis for believing that the person you were paying was genuine, or are considered vulnerable.
If your bank isn't signed up to the code, you should make a formal complaint after reporting the scam.