We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies. You can understand more and change your cookies preferences here.


When you click on a retailer link on our site, we may earn affiliate commission to help fund our not-for-profit mission.Find out more.

15 Sep 2021

Which? calls for an end to banks blaming fraud victims

Urgent action is needed to ensure more fraud victims get their money back

Which? is calling on the regulator to ensure banks do more to protect fraud victims and provide them with fair reimbursement.

Despite the introduction of a voluntary industry code in May 2019, most victims of authorised push payment (APP) scams are still being let down by their banks.

Previous Which? investigations have found that banks are too quick to blame victims who ignore warnings and that they often fail to assess their vulnerability properly.

A recent review by the Lending Standards Board (LSB), which is responsible for the code, issued an alert in June 2021. It identified new areas of concern, including disproportionate responsibility put on customers.

Here, we unpick the unpredictable and unrealistic expectations of the banks that are meant to protect customers from APP scams.

Be more money savvy

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy

Low fraud reimbursement rates

Despite the worthy intentions of the code, losses to APP fraud remain high (£479m in 2020) while reimbursement rates are shockingly low. Banks found victims at least partly responsible for their losses in 77% of cases assessed in the first 14 months of the code. Two banks found the customer fully liable in more than nine in 10 decisions.

Financial Ombudsman Service (FOS) data indicates that banks are getting most of these decisions wrong: 73% of complaints about APP fraud were upheld in favour of consumers in 2020-21.

Banks expecting too much of customers

When refusing to reimburse scam losses, banks typically tell customers they failed to make 'sufficient checks' before making a payment.

But the code states that victims should be reimbursed unless the firm can establish that their customer didn't have a 'reasonable basis' for believing the person or organisation they are sending money to is genuine.

Despite this, First Direct told pensioner John, 78, from Cambridge, that it wouldn't fully reimburse his £180,000 loss to an investment scam as he didn't check online reviews of Grandefex - the trading platform he invested with.

First Direct told us: 'He could have carried out greater checks before making the payment. For example, reviews on TrustPilot and Google gave a clear red-flag warning.'

We think this is unfair. In November 2020, shortly after John was scammed, Grandefex had nearly as many excellent TrustPilot ratings (43%) as bad (47%).

Google is a hotbed of scam investment adverts and online reviews can easily be faked by scammers or their accomplices. Grandefex is now subject to a Financial Conduct Authority (FCA) scam warning, but this came long after John invested.

To make matters worse, First Direct took more than 35 days to reach a decision (banks should respond to reimbursement claims within 15 working days or 35 in 'exceptional cases') and failed to warn John that he was at risk of identity fraud because the scammers had copies of his passport and recent bills.

We advised John to take his case to the FOS.

Find out more: behavioural experts say fraud warnings often come too late to help victims

Erratic reimbursement decisions

Other cases lay bare a lack of consistency in how banks are applying the code.

Kevin, 69, from Cornwall, lost £400 to a WhatsApp scam and has been told by his bank, Lloyds, that he won't be reimbursed. A message sent to the family WhatsApp group appeared to come from his daughter. It began 'Hi Mumu2026' and explained that she was using a temporary number while she was waiting for her number to switch to a new provider.

'We had no reason to believe that this wasn't from our daughter,' says Kevin. 'About 30 minutes later, another message said she needed help to pay a bill because she couldn't use the temporary phone number with her online banking. We agreed to make the payment on her behalf and settle up later. Our [real] daughter texted in the afternoon and we realised our error.'

Kevin reported the scam to Lloyds that same evening. However, only £16 was recovered. The bank refused to refund the rest because it said that Kevin didn't act on the warnings given and failed to confirm that the person was who they said they were. This is in spite of a recent victim of an identical WhatsApp scam being given a full refund from Bank of Scotland, also part of Lloyds Banking Group.

Lloyds Bank said: 'We carefully review the individual details of each case reported to us and consider a number of factors, including whether the bank could have taken any additional steps to help prevent the scam taking place, if the customer took reasonable care when making payments and also a customer's personal circumstances.'

Scam alert: watch out for this WhatsApp verification scam

What needs to change

The Payment Systems Regulator (PSR) is due to make an announcement imminently on how to improve consumer protections against APP fraud - and Which? is calling for strong and urgent action from the regulator to ensure that banks do more to protect consumers, and treat victims fairly and consistently.

Instead of continuing to pursue another version of a code, we believe the right option to address the serious shortcomings of bank transfer scam protections is for the PSR to introduce mandatory consumer protections across all payment providers, including a reimbursement obligation.

Which? is urging the PSR to outline publicly the powers it wants from the government to enable this to be possible.

Properly enforced, this would help tackle the current reimbursement lottery that leaves many victims facing an uphill struggle to recover their money.

What if your bank isn't signed up to the code?

Most banks are signed up to the APP scam code, but there are exceptions, including Bank of Ireland, Dankse Bank, Monzo and Tesco Bank (TSB offers its own fraud refund guarantee). The code doesn't cover bank transfers to foreign accounts.

Being with a bank that hasn't signed up can make it harder to get your money back, but don't let this stop you from making a formal complaint asking to be refunded.

The Banking Protocol adds another level of protection. This is a rapid response scheme where bank staff are trained to detect the signs of a scam and make an emergency call to the police. It has recently been extended to cover online and phone transfersas well as branch payments.

Even if your bank refuses to reimburse you, escalate your complaint to the FOS. It will look at what happened and decide if the bank was right to reject your complaint. This is a free and impartial service, but many cases are taking more than a year to be assessed due to the volume and backlog of scam complaints.

First featured in October's Which? Money magazine

Each month we publish investigations, news and advice features covering all areas of money.

Magazine subscribers also get access to tailored one-to-one guidance from the Which? Money Helpline.

Join Which? Money today and take control of your finances.