By clicking a retailer link you consent to third-party cookies that track your onward journey. This enables W? to receive an affiliate commission if you make a purchase, which supports our mission to be the UK's consumer champion.

Which? calls for an end to banks blaming fraud victims

Urgent action is needed to ensure more fraud victims get their money back
Chiara CavaglieriSenior researcher & writer

Which? is calling on the regulator to ensure banks do more to protect fraud victims and provide them with fair reimbursement.

Despite the introduction of a voluntary industry code in May 2019, most victims of authorised push payment (APP) scams are still being let down by their banks.

Previous Which? investigations have found that banks are too quick to blame victims who ignore warnings and that they often fail to assess their vulnerability properly.

A recent review by the Lending Standards Board (LSB), which is responsible for the code, issued an alert in June 2021. It identified new areas of concern, including disproportionate responsibility put on customers.

Here, we unpick the unpredictable and unrealistic expectations of the banks that are meant to protect customers from APP scams.

Be more money savvy

free newsletter

Get a firmer grip on your finances with the expert tips in our Money newsletter – it's free weekly.

This newsletter delivers free money-related content, along with other information about Which? Group products and services. Unsubscribe whenever you want. Your data will be processed in accordance with our Privacy policy

Low fraud reimbursement rates

Despite the worthy intentions of the code, losses to APP fraud remain high (£479m in 2020) while reimbursement rates are shockingly low. Banks found victims at least partly responsible for their losses in 77% of cases assessed in the first 14 months of the code. Two banks found the customer fully liable in more than nine in 10 decisions.

Financial Ombudsman Service (FOS) data indicates that banks are getting most of these decisions wrong: 73% of complaints about APP fraud were upheld in favour of consumers in 2020-21.

Banks expecting too much of customers

When refusing to reimburse scam losses, banks typically tell customers they failed to make 'sufficient checks' before making a payment.

But the code states that victims should be reimbursed unless the firm can establish that their customer didn't have a 'reasonable basis' for believing the person or organisation they are sending money to is genuine.

Despite this, First Direct told pensioner John, 78, from Cambridge, that it wouldn't fully reimburse his £180,000 loss to an investment scam as he didn't check online reviews of Grandefex - the trading platform he invested with.

First Direct told us: 'He could have carried out greater checks before making the payment. For example, reviews on TrustPilot and Google gave a clear red-flag warning.'

We think this is unfair. In November 2020, shortly after John was scammed, Grandefex had nearly as many excellent TrustPilot ratings (43%) as bad (47%).

Google is a hotbed of scam investment adverts and online reviews can easily be faked by scammers or their accomplices. Grandefex is now subject to a Financial Conduct Authority (FCA) scam warning, but this came long after John invested.

To make matters worse, First Direct took more than 35 days to reach a decision (banks should respond to reimbursement claims within 15 working days or 35 in 'exceptional cases') and failed to warn John that he was at risk of identity fraud because the scammers had copies of his passport and recent bills.

We advised John to take his case to the FOS.

Find out more: behavioural experts say fraud warnings often come too late to help victims

Erratic reimbursement decisions

Other cases lay bare a lack of consistency in how banks are applying the code.

Kevin, 69, from Cornwall, lost £400 to a WhatsApp scam and has been told by his bank, Lloyds, that he won't be reimbursed. A message sent to the family WhatsApp group appeared to come from his daughter. It began 'Hi Mum' and explained that she was using a temporary number while she was waiting for her number to switch to a new provider.

'We had no reason to believe that this wasn't from our daughter,' says Kevin. 'About 30 minutes later, another message said she needed help to pay a bill because she couldn't use the temporary phone number with her online banking. We agreed to make the payment on her behalf and settle up later. Our [real] daughter texted in the afternoon and we realised our error.'

Kevin reported the scam to Lloyds that same evening. However, only £16 was recovered. The bank refused to refund the rest because it said that Kevin didn't act on the warnings given and failed to confirm that the person was who they said they were. This is in spite of a recent victim of an identical WhatsApp scam being given a full refund from Bank of Scotland, also part of Lloyds Banking Group.

Lloyds Bank said: 'We carefully review the individual details of each case reported to us and consider a number of factors, including whether the bank could have taken any additional steps to help prevent the scam taking place, if the customer took reasonable care when making payments and also a customer's personal circumstances.'

Scam alert: watch out for this WhatsApp verification scam

What needs to change

The Payment Systems Regulator (PSR) is due to make an announcement imminently on how to improve consumer protections against APP fraud - and Which? is calling for strong and urgent action from the regulator to ensure that banks do more to protect consumers, and treat victims fairly and consistently.

Instead of continuing to pursue another version of a code, we believe the right option to address the serious shortcomings of bank transfer scam protections is for the PSR to introduce mandatory consumer protections across all payment providers, including a reimbursement obligation.

Which? is urging the PSR to outline publicly the powers it wants from the government to enable this to be possible.

Properly enforced, this would help tackle the current reimbursement lottery that leaves many victims facing an uphill struggle to recover their money.

What if your bank isn't signed up to the code?

Most banks are signed up to the APP scam code, but there are exceptions, including Bank of Ireland, Dankse Bank, Monzo and Tesco Bank (TSB offers its own fraud refund guarantee). The code doesn't cover bank transfers to foreign accounts.

Being with a bank that hasn't signed up can make it harder to get your money back, but don't let this stop you from making a formal complaint asking to be refunded.

The Banking Protocol adds another level of protection. This is a rapid response scheme where bank staff are trained to detect the signs of a scam and make an emergency call to the police. It has recently been extended to cover online and phone transfers as well as branch payments.

Even if your bank refuses to reimburse you, escalate your complaint to the FOS. It will look at what happened and decide if the bank was right to reject your complaint. This is a free and impartial service, but many cases are taking more than a year to be assessed due to the volume and backlog of scam complaints.

First featured in October's Which? Money magazine

Each month we publish investigations, news and advice features covering all areas of money.

Magazine subscribers also get access to tailored one-to-one guidance from the Which? Money Helpline.

Join Which? Money today and take control of your finances.

More on this

Related articles

About Us

Which? Limited is registered in England and Wales to 2 Marylebone Road, London NW1 4DF, company number 00677665  and is an Introducer Appointed Representative (FRN 610689) of the following:


1. Inspop.com Ltd for the introduction of non-investment motor, home, travel and pet insurance, who are authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635). Inspop.com Ltd is authorised and regulated by the Financial Conduct Authority (FCA) to provide advice and arrange non-investment motor, home, travel and pet insurance products (FRN310635) and is registered in England and Wales to Greyfriars House, Greyfriars Road, Cardiff, South Wales, CF10 3AL, company number 03857130. Confused.com is a trading name of Inspop.com Ltd. 


2. LifeSearch Partners Limited (FRN656479), for the introduction of Pure Protection Contracts and Private Health Insurance, who are authorised and regulated by the FCA to provide advice and arrange Pure Protection Contracts and Private Health Insurance Contracts.  LifeSearch Partners Ltd is registered in England and Wales to 3000a Parkway, Whiteley, Hampshire, PO15 7FX, company number 03412386.


3. HUB Financial Solutions, for the introduction of equity release advice and an annuity comparison service, who are authorised and regulated by the Financial Conduct Authority (‘FCA’) to provide advice and guidance on financial products for those who have retired or are approaching retirement (FCA Firm Reference Number: 455713). HUB Financial Solutions is registered in England and Wales to Enterprise House, Bancroft Road, Reigate, Surrey RH12 7RP, company number 05125701.


4. Alan Boswell Insurance Brokers Ltd (FRN 301), for the introduction of non-investment landlord insurances, who are authorised and regulated by the Financial Conduct Authority to provide advice and arrange insurance contracts. Alan Boswell insurance brokers Ltd is registered in England at Prospect House, Rouen Rd, Norwich NR1 1RE, company number 02591252.


Other financial services:

Mortgage service provided by London & Country Mortgages (L&C), Unit 26 (2.06), Newark Works, 2 Foundry Lane, Bath BA2 3GZ. London & Country are authorised and regulated by the Financial Conduct Authority (registered number: 143002). The FCA does not regulate most Buy to Let mortgages. Your home or property may be repossessed if you do not keep up repayments on your mortgage.


We do not make, nor do we seek to make, any recommendations or personalised advice on financial products or services that are regulated by the FCA, as we’re not regulated or authorised by the FCA to advise you in this way. In some cases, however, we have included links to regulated brands or providers with whom we have a commercial relationship and, if you choose to, you can buy a product from our commercial partners. 


If you go ahead and buy a product using our link, we will receive a commission to help fund our not-for-profit mission and our campaigns work as a champion for the UK consumer. Please note that a link alone does not constitute an endorsement by Which?.