Which? is calling on the regulator to ensure banks do more to protect fraud victims and provide them with fair reimbursement.
Here, we unpick the unpredictable and unrealistic expectations of the banks that are meant to protect customers from APP scams.
Despite the worthy intentions of the code, losses to APP fraud remain high () while reimbursement rates are shockingly low. Banks found victims at least partly responsible for their losses in 77% of cases assessed in the first 14 months of the code. Two banks found the customer fully liable in more than nine in 10 decisions.
Financial Ombudsman Service (FOS) data indicates that banks are getting most of these decisions wrong: 73% of complaints about APP fraud were upheld in favour of consumers in 2020-21.
When refusing to reimburse scam losses, banks typically tell customers they failed to make 'sufficient checks' before making a payment.
But the code states that victims should be reimbursed unless the firm can establish that their customer didn't have a 'reasonable basis' for believing the person or organisation they are sending money to is genuine.
Despite this, First Direct told pensioner John, 78, from Cambridge, that it wouldn't fully reimburse his £180,000 loss to an investment scam as he didn't check online reviews of Grandefex - the trading platform he invested with.
First Direct told us: 'He could have carried out greater checks before making the payment. For example, reviews on TrustPilot and Google gave a clear red-flag warning.'
We think this is unfair. In November 2020, shortly after John was scammed, Grandefex had nearly as many excellent TrustPilot ratings (43%) as bad (47%).
Google is a hotbed of and online reviews can easily be faked by scammers or their accomplices. Grandefex is now subject to a Financial Conduct Authority (FCA) scam warning, but this came long after John invested.
To make matters worse, First Direct took more than 35 days to reach a decision (banks should respond to reimbursement claims within 15 working days or 35 in 'exceptional cases') and failed to warn John that he was at risk of identity fraud because the scammers had copies of his passport and recent bills.
We advised John to take his case to the FOS.
Other cases lay bare a lack of consistency in how banks are applying the code.
Kevin, 69, from Cornwall, lost £400 to a WhatsApp scam and has been told by his bank, Lloyds, that he won't be reimbursed. A message sent to the family WhatsApp group appeared to come from his daughter. It began 'Hi Mumu2026' and explained that she was using a temporary number while she was waiting for her number to switch to a new provider.
'We had no reason to believe that this wasn't from our daughter,' says Kevin. 'About 30 minutes later, another message said she needed help to pay a bill because she couldn't use the temporary phone number with her online banking. We agreed to make the payment on her behalf and settle up later. Our [real] daughter texted in the afternoon and we realised our error.'
Kevin reported the scam to Lloyds that same evening. However, only £16 was recovered. The bank refused to refund the rest because it said that Kevin didn't act on the warnings given and failed to confirm that the person was who they said they were. This is in spite of a recent victim of an identical WhatsApp scam being given a full refund from Bank of Scotland, also part of Lloyds Banking Group.
Lloyds Bank said: 'We carefully review the individual details of each case reported to us and consider a number of factors, including whether the bank could have taken any additional steps to help prevent the scam taking place, if the customer took reasonable care when making payments and also a customer's personal circumstances.'
The Payment Systems Regulator (PSR) is due to make an announcement imminently on how to improve consumer protections against APP fraud - and Which? is calling for strong and urgent action from the regulator to ensure that banks do more to protect consumers, and treat victims fairly and consistently.
Instead of continuing to pursue another version of a code, we believe the right option to address the serious shortcomings of bank transfer scam protections is for the PSR to introduce mandatory consumer protections across all payment providers, including a reimbursement obligation.
Which? is urging the PSR to outline publicly the powers it wants from the government to enable this to be possible.
Properly enforced, this would help tackle the current reimbursement lottery that leaves many victims facing an uphill struggle to recover their money.
Most banks are signed up to the APP scam code, but there are exceptions, including Bank of Ireland, Dankse Bank, Monzo and Tesco Bank (TSB offers its own fraud refund guarantee). The code doesn't cover bank transfers to foreign accounts.
Being with a bank that hasn't signed up can make it harder to get your money back, but don't let this stop you from making a formal complaint asking to be refunded.
The Banking Protocol adds another level of protection. This is a rapid response scheme where bank staff are trained to detect the signs of a scam and make an emergency call to the police. It has recently been as well as branch payments.
Even if your bank refuses to reimburse you, . It will look at what happened and decide if the bank was right to reject your complaint. This is a free and impartial service, but many cases are taking more than a year to be assessed due to the volume and backlog of scam complaints.
Magazine subscribers also get access to tailored one-to-one guidance from the Which? Money Helpline.