RBS has been criticised for so far failing to commit to a date for bringing in technology designed to prevent one of the most common types of fraud.
It comes as consumer organisation Which? is calling for vital fraud protections to be made mandatory, as the consumer champion reveals more than £1 billion is estimated to have been lost to bank transfer scams in just three years.
During that period, the sums lost to this type of scam, also known as authorised push payment (APP) fraud, have risen rapidly, while the payments regulator and banks have been slow to introduce much-needed protections for consumers.
The consumer organisation named and shame RBS and HSBC for being unable to confirm a specific date for when they would introduce an new scambusting checking system called Confirmation of Payee (CoP).
It will make it harder for customers to be duped or make errors by alerting them if the name of the person they want to pay does not match that on the recipient's account.
According to Which?’s projections, £97 million could have already have been lost in the first three months of this year alone.
Alarmingly, analysis suggests that almost a third of the total losses since 2017, equating to £320 million, could have been prevented if a simple system of checking names on bank transfers had been in place during that period.
CoP ensures that a check is made on whether or not the name a customer enters when making a payment matches the account details it is being sent to. It helps to stop fraudsters from posing as trusted organisations such as a bank or solicitor and tricking people into making payments to them.
The Payment Systems Regulator (PSR) has only directed the six biggest banking groups to sign up by March 31, but Which? believes all banks must join the scheme in order for it to be effective.
The consumer champion asked all banks when they planned to introduce Confirmation of Payee. Of the banks that have been directed to sign up, RBS Group (including Royal Bank of Scotland, NatWest and Ulster Bank) and HSBC (including First Direct) were unable to confirm a specific date when asked if they would be ready by the regulator’s deadline.
On the other hand, Lloyds Banking Group is ahead of the pack, implementing CoP from 2 March 2020 for Bank of Scotland customers, before rolling it out to Halifax and Lloyds customers throughout the rest of this month.
Of the banks that haven’t been directed to sign up by the regulator, several have said that they plan to deliver the system by the end of the year.
An RBS spokeman indicated it hope to introduce PSR in the coming weeks.
“We believe Confirmation of Payee is an important part in protecting our customers from scams, fraudsters and from entering account numbers incorrectly. It is therefore an area of focus for us and we are working with other banks and the industry to ensure we introduce this..."
At the moment when you make an online bank transfer, you are asked for the name of the person you are paying. but the information is not checked. This loophole allows fraudsters to convince victims to send money to supposed trusted institutions such as HMRC by getting them to use this as the name of the account. Scammers also convince victims they are sending money to "safe" accounts set up in the victim's name. In both instances the accounts are held by different people.
The deadline for introducing CoP was pushed back from July last year after the PSR consulted banks. The PSR told them last August that they must be ready to respond to other banks' identity checks from last month and to perform their own checks from March 31.
Metro Bank has said it has no current plans to implement CoP at all - despite this being a requirement of the voluntary industry code on APP scams launched in May 2019, which Metro Bank signed up to.
Which? said it did not elaborate on why it is does not intend to introduce CoP, but says the voluntary code gives customers significantly increased protection against authorised push payment scams.
Amid concerning reports of banks failing to follow the code’s rules around reimbursing blameless APP scam victims, Which? said it was concerned that a voluntary approach to ensuring victims are treated fairly is no longer viable.
The next set of UK Finance figures on bank transfer scams is due for release in the coming days.
It should show an increase in the amount of money being reimbursed to victims of bank transfer fraud, as banks signed up to the code begin implementing the greater protections it offers.
Which? says it believes the code and CoP should be made mandatory and that the government must consider directing the PSR to ensure all banks are signed up. The consumer champion is also encouraging all consumers to put pressure on their bank to sign up to both the code and CoP.
Gareth Shaw, head of money at Which?, said: “The UK has been in the grip of a fraud crisis for years, but new security measures offered by the banking industry should finally give people better protection against increasingly sophisticated fraudsters.
“At the end of this month, we should get a true sense of how well the industry is tackling the issue. It is vital for all banks to commit to basic name-check security, and the whole industry should sign up and follow through on the protections offered by the scams code.
“If the banks fall short of making these commitments themselves, these initiatives must be made mandatory by the government."
Pay UK, the retail payments authority, claims that only one in 20,000 transactions unintentionally ends up in the wrong bank account every year.
Data from the banking trade body UK Finance shows that in the first half of 2019 customers lost more than £207.5 million from payments they made to fraudsters, up from £148.2 million in the first half of 2018.
Based on analysis by the PSR, Which? estimates that approximately £320 million of losses to customers could have been prevented if CoP had been introduced at the beginning of 2017.
The PSR estimates that 70 per cent of misdirection fraud will be prevented in its first year, and 75 per cent each year afterwards.
Metro Bank said: “We take our customers’ security extremely seriously and have a range of safeguards in place to help defend them against fraud, which we constantly review and update in light of increasingly sophisticated tactics from fraudsters. We have no plans to implement Confirmation of Payee currently, but can reassure our customers that they will continue to be protected. Metro Bank is a voluntary signatory of the Contingent Reimbursement Model Code, giving customers significantly increased protection against authorised push payment scams.”
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules hereLast Updated:
Report this comment Cancel