Written evidence submitted by Transparency Task Force Ltd

 

1                        Introduction

1.1                 About the Transparency Task Force (TTF)

1.1.1                                                                                                              TTF’s mission is to promote ongoing reform of the financial sector, so that it serves society better. Our vision is to build a large, influential and highly respected international institution that helps to ensure consumers are treated fairly by the financial sector. The primary beneficiaries of our work will be consumers; but the sector itself will also benefit through improved market conduct and increased trust in the services it provides. 

1.1.2                                                                                                              Much of our focus is on rebuilding trustworthiness and confidence in financial services through a framework for finance reform which we describe as a “whole system solution for a whole-system problem”. (http://www.transparencytaskforce.org)

 

1.2                 About the Author

1.2.1                                                                                                              Richard Emery is an Independent Forensic Fraud Investigator, with an extensive background serving as an Expert Witness in both Civil and Criminal matters covering Retail Theft & Fraud, Credit/Debit Card Fraud and On-line Bank Fraud.  He now focuses on assisting individuals, small businesses and charities (hereinafter: individuals) who have been the victims of bank fraud to challenge the banks and take complaints to the Financial Ombudsman Service. (https://www.4keys.co.uk)

1.2.2                                                                                                              He also challenges the Regulators and FOS on their approach to the various Regulations and Codes of Practice.

1.2.3                                                                                                              He is an Ambassador for TTF, supporting their work with the APPG on Personal Banking and Fairer Financial Services as a member of its Secretariat Committee.

 

1.3                 About this submission

1.3.1                                                                                                              This submission focusses on developments in respect of five matters that were covered in the Treasury Committee, Economic Crime: Consumer View Report, published on 1 November (ref: HC 246) [the Report].  It also introduces a number of new topics that the Committee may wish to consider.

1.3.2                                                                                                              The structure of this submission is as follows:

 

Section 1              Introduces the Transparency Task Force and the Author (1 page)

Section 2              Executive Summary (446 words)

Sections 3-7              The five core issues (3,053 words)

Section 8              Future developments by the banks (835 words)

Appendix A              The case for the banks having been grossly negligent (2 pages)

Appendix B              Summary of the APPF section of the UK Finance report (2 pages)


2                        Executive Summary

2.1.1                                                                                                              Authorised Push Payment Fraud (APPF) has almost doubled between 2017 and 2019.  Figures released by UK Finance show that there were 122,437 victims of APPF in 2019, with losses of £455.8m. (section 3 on page 5)

2.1.2                                                                                                              The CRM Code of Practice ‘went live’ on 28th May 2019 with Barclays, HSBC, Lloyds, Metro, NatWest/RBS, Nationwide, Santander and Starling.  Co-operative Bank signed-up on 17th December 2019. (section 5 on page 9)

      The first seven months (June-Dec 2019) were disappointing in terms of the level of reimbursement, and the latest figures from UK Finance (for Jan-June 2020) show that only 37.5% of cases (by value) of APP fraud were reimbursed by the banks.
      There is a serious lack of transparency in respect of “Who is reimbursing what?”. Two of the banks reported that they had not reimbursed in 96% of cases, representing 94% and 87% by value, during the first seven months, but who are they?
      There is also no transparency on “Why are cases not being reimbursed?”

2.1.3    Confirmation of Payee (CoP) was eventually implemented on 30 June 2020 by the six ‘directed’ banking groups (Barclays, HSBC, Lloyds, Nationwide, NatWest/RBS and Santander). Starling Bank joined on a voluntary basis. (see section 4 on page 6).  There is no agreed timeline for the delivery of phase two. Whilst recognising that it is too early to tell how effective it will be in reducing APPF, there are a number of issues to be considered, including:

      Inadequate Customer Education
      Ineffective and Inconsistent Warnings
      A Lack of Visual Impact
      I’m ‘Known As’

2.1.4                                                                                                              The possibility of establishing an Historic Reimbursement Scheme has been met with ‘silence’ from the Government, the PSR, the FCA and Pay.UK in their responses to the previous Report. (section 6 on page 11)

2.1.5                                                                                                              There is no visible progress towards Delaying Faster Payments, with respondents preferring to wait-and-see the impact of CoP. (section 7 on page 12)

2.1.6                                                                                                              There are a number of important developments that the banks should be undertaking that would either reduce the risk of APPF or benefit victims in recovering from such fraud. (section 8 on page 12)

2.1.7                                                                                                              Appendix A sets out the basis for asserting that the banks have been Grossly Negligent since the start of 2014 in that they have, amongst other things, failed to develop and deliver systems to allow customers to confirm the account name on the payee’s account (until now).

2.1.8    Appendix B summarises the UK Finance figures for APPF in 2019.  These show that 62% of cases were purchase scams and represented just 6% of the value; investment fraud accounted for 28% (by value) with average losses of £13,400; and impersonation of trusted parties constituted 34% of losses (by value).

3                        Authorised Push Payment Fraud (or Scam)

3.1                 What is APPF?

3.1.1                                                                                                              APPF happens when either the bank’s customer (aka: the Payer) is deceived into authorising a payment to the wrong person, or they pay the intended payee, but that person turns out to be a fraudster or scammer.  See Appendix B for brief details of the types and losses of APPFs.

3.1.2    APPF is sometimes referred to as APP Scams, and some banks have even sought to differentiate between ‘a fraud’ and ‘a scam’.  The difference is essentially esoteric; they are two sides of the same coin.  The ‘scam’ can be seen as the presentation of false information to draw in the victim and the ‘fraud’ seen as the misappropriation of the money when the payment is authorised.

 

3.2                 The Scale of APPF

3.2.1                                                                                                              The figures that have been reported by UK Finance show that APP Fraud has grown from £236m in 2017, to £354m in 2018 and £455m in 2019.  These figures include “non-personal” losses which account for 6% of cases and 30% by value.

3.2.2                                                                                                              During the six years 2014 - 2019 there were an estimated 300,000 cases of APPF, with losses totalling c.£1.3bn.

3.2.3                                                                                                              The average loss of just over £4,000 will be significant for some people but cannot really be described as ‘life-changing’.  The picture is, however, somewhat different if you apply the Pareto (80/20) principle.  If you draw the line at a loss of £2,000 then I estimate that 255,000 cases involved losses averaging c.£1,000 whilst the remaining 45,000 cases had losses averaging c.£22,000. 

3.2.4                                                                                                              The 62 individuals whose cases are on my desk have lost an average of over £60,000 each, totalling over £4m.

 

3.3                 Types of APPF

3.3.1                                                                                                              UK Finance categorise APPF into eight ‘scam types’:

      Purchase Scams
      Investment
      Romance
      Advance Fee
      Invoice
      CEO
      Impersonation - Police/Bank
      Impersonation - Other

3.3.2                                                                                                              A brief description of each scam type, together with details of the number and value of scams in each type, is given in Appendix B.

 

4                        Confirmation of Payee (CoP)

Paragraphs 39-43 / Recommendations 5-8 of the Report may be summarised as:

Identifying “that banks were not previously confirming payees”, asserting that this was “a serious failure to protect customers from harm.” 

We therefore recommend that Confirmation of Payee should be introduced as a matter of urgency. Every delay leaves more people vulnerable to falling victim to economic crime.

It highlighted the importance of “the implementation date of March 2020” [for the major banks] and “by the end of 2020” for all relevant firms.

 

4.1                 What is CoP?

4.1.1                                                                                                              CoP was designed to minimise the risk of people being deceived into authorising a payment to the wrong person by being able to confirm that the actual name on the payee account to which they intend to make a payment is what they expect it to be.

4.1.2                                                                                                              Examples of when CoP would be expected to prevent the APPF from happening include:

      An email from a solicitor to the house purchaser is intercepted by a fraudster and replaced with a new email giving the fraudster’s account details.
      An investor is seeking to pay money to a well-known investment organisation but is given the fraudster’s account details instead.
      A person is persuaded, by someone who they believe is calling from their bank, that their account is ‘under attack’ and that they need to move their money to a new ‘safe’ account - which should be in their name; but is not.

 

4.2                 How Does It Work?

4.2.1                                                                                                              CoP works when an account holder (the payer) is making their first payment to a new payee.  It does not apply to subsequent payments to an existing payee.

4.2.2                                                                                                              CoP only works when both the payer’s bank (aka: the sending bank) and the payee’s bank (aka: the receiving bank) have implemented CoP. (see paragraph 4.3.3).

4.2.3                                                                                                              The account holder enters the account name, sort code and account number of the intended payee and their bank sends a message to the payee’s bank asking them to confirm that the name on the account is what the payer expects.  If the payee’s bank has implemented CoP, they will respond with one of three messages:

      Perfect Match
      Close Match
      NO Match

4.2.4                                                                                                              If the response is ‘Close Match’ the payer’s bank will display the actual name so that the payer can decide if this is who they intend to pay.

4.2.5    If the response is ‘NO Match’ the payer’s bank should display “a clear negative CoP result” which should result in the payer taking appropriate actions before making the payment.

 

4.3                 Delayed Implementation

4.3.1    When the Payment Systems Regulator (PSR) started consulting on CoP in November 2018 they “proposed giving a direction mandating that all PSPs [Payment Service Providers] be capable of receiving and responding to CoP requests by 1 April 2019 and that they send CoP requests by 1 July 2019”. (my underlining)

4.3.2    The responses that they received raised “some important issues concerning the scope and design of the proposed direction”, including: “difficulties meeting the proposed implementation deadlines, the impacts on different types of PSP, and the perceived lack of stability of Pay.UK’s standards and guidance on CoP”.

4.3.3                                                                                                              The revised direction was that the first phase of implementation would be limited to six banking groups (Barclays, HSBC, Lloyds, Nationwide, NatWest/RBS and Santander) with full implementation by 31 March 2020, and “The timeline for the delivery of phase two is yet to be determined”.  Starling Bank joined on a voluntary basis.

4.3.4                                                                                                              Then, on 20 March 2020, PSR issued a statement giving the banks a further three months, i.e. until 30 June 2020, “in light of the Covid-19 pandemic”.

4.3.5                                                                                                              This extension was conditional, and I have a number of letters and emails that indicate that some of the banks have not fully complied with the conditions that were imposed by PSR.

 

4.4                 Inadequate Customer Education

4.4.1    Despite having well over a year to prepare for the implementation of CoP there was a collective failure by the banks, PSR and Pay.UK to educate everyone about CoP.  This failure was so widespread that when I contacted several banks in December 2019 and January 2020 some of their frontline staff did not even know what CoP was, let alone when it was going to be implemented.  In one case I was told that the banks had always verified the account name, so they didn’t know what was meant to be changing.

4.4.2                                                                                                              The absence of a wide-spread, effective education programme meant that some people became victims of APPF after CoP was implemented because they had no idea of how it was meant to work.

 

4.5                 Ineffective and Inconsistent Warnings

4.5.1                                                                                                              This situation was compounded by ineffective and inconsistent warnings in ‘NO Match’ situations.

4.5.2                                                                                                              A vitally important aspect of CoP is that in the event of a ‘NO Match’ the payer should see “a clear negative CoP result” which should result in them taking appropriate actions before making the payment.  It should prevent the APPF from happening.

4.5.3                                                                                                              The warning message should, as a minimum, be Understandable, Clear, Impactful, Timely and Specific.

4.5.4                                                                                                              I have recently reviewed the NO Match warning messages given by all seven banks who have implemented CoP.  They are all different and they generally lack verbal impact.  For example: “Different from” may mean either close match or NO Match.

4.5.5    PSR and Pay.UK should, in my view, have prescribed the ‘NO Match’ wording for all banks to read something like: “NO MATCH.  The name you have given does NOT MATCH the name on the payee account.  It is COMPLETELY DIFFERENT.  You are at SERIOUS RISK OF FRAUD if you authorise a payment without checking that the sort code and account number are correct.  You must confirm this using a different method from how you were given the details.”

 

4.6                 Lack of Visual Impact

4.6.1                                                                                                              In addition to the lack of ‘verbal impact’ a number of the messages lack ‘visual impact’.  A ‘NO Match’ message should be unmissable.

4.6.2                                                                                                              Over-riding a ‘NO Match’ warning, and continuing to make the payment, should require a clear and conscious act on the part of the payer which, in my view, should require the payer to:

      Press a specific ‘button’ that is different from the button for a ‘perfect match’.
      Acknowledge a second fraud message that uses words that are more impactful than “you may not get your money back”.

 

4.7                 I’m ‘Known As’

4.7.1                                                                                                              One aspect of the design of CoP that was not, in my view, properly considered was the issue of ‘known as’.

4.7.2                                                                                                              The CoP process for personal accounts is based on ‘first name’ and ‘surname’, but a significant proportion of people do not use their given first name in everyday life.  They may use a shortened version, or a ‘nick name’ or, in many cases, their ‘middle’ name.  This has a particular relevance to Muslim men who have Mohamed (or one of the several spelling variants) as their first name but always use their ‘middle’ name.  When I raised this point with someone in a bank, they responded by saying that they didn’t know anyone who didn’t use their first name.  I asked: “How would you know?”

4.7.3                                                                                                              The CoP process for businesses and charities is based on their official account name but many companies are known by a ‘trading identity’.  This has caused difficulties for some companies but, more importantly, it has also created an opportunity for fraudsters to say that the account name will not match because the bank is having difficulty matching their company name.

4.7.4                                                                                                              As part of the education and implementation programme, which didn’t happen, the banks should have notified every account holder of their official account name and given them a ‘once only’ opportunity to create a ‘known as’ name.
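
The three-way response described in paragraphs 4.2.3 to 4.2.5, and the effect of the ‘known as’ name proposed in paragraph 4.7.4, can be sketched as follows. This is an added example, not code from this submission, Pay.UK or any bank: the 0.8 similarity threshold, the title list, the `known_as` field and all names and account details are assumptions constructed for illustration, and the real CoP matching rules are not set out here.

```python
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

PERFECT, CLOSE, NO_MATCH = "Perfect Match", "Close Match", "NO Match"
RANK = {NO_MATCH: 0, CLOSE: 1, PERFECT: 2}
CLOSE_THRESHOLD = 0.8                      # assumption, not a Pay.UK figure
TITLES = {"mr", "mrs", "ms", "miss", "dr"}  # assumption


@dataclass
class PayeeAccount:
    sort_code: str
    account_number: str
    official_name: str
    known_as: list = field(default_factory=list)  # hypothetical 'known as' names


def first_and_surname(name):
    """Reduce a personal name to (first name, surname), ignoring case,
    punctuation, titles and any middle names."""
    cleaned = re.sub(r"[^\w\s]", "", name.casefold())
    tokens = [t for t in cleaned.split() if t not in TITLES]
    return (tokens[0], tokens[-1]) if tokens else ("", "")


def similarity(a, b):
    return SequenceMatcher(None, a, b).ratio()


def compare(entered, held):
    """Classify the payer's entry against one name held by the payee's bank."""
    e_first, e_sur = first_and_surname(entered)
    h_first, h_sur = first_and_surname(held)
    if not e_sur or not h_sur:
        return NO_MATCH
    if (e_first, e_sur) == (h_first, h_sur):
        return PERFECT
    if min(similarity(e_first, h_first), similarity(e_sur, h_sur)) >= CLOSE_THRESHOLD:
        return CLOSE
    return NO_MATCH


def respond(account, entered_name):
    """Payee bank's answer to a CoP request: (outcome, name to display).
    The official name is disclosed only on a Close Match (paragraph 4.2.4)."""
    names = [account.official_name, *account.known_as]
    outcome = max((compare(entered_name, n) for n in names), key=RANK.get)
    shown = account.official_name if outcome == CLOSE else None
    return outcome, shown


def demo():
    # Constructed accounts: a genuine payee who uses his middle name,
    # the same payee after registering a 'known as' name, and a fraudster's account.
    genuine = PayeeAccount("00-00-00", "00000001", "Mr Mohamed Tariq Hussain")
    with_alias = PayeeAccount("00-00-00", "00000001", "Mr Mohamed Tariq Hussain",
                              known_as=["Tariq Hussain"])
    fraudster = PayeeAccount("00-00-00", "00000002", "Alex Example")
    return {
        "spelling variant": respond(genuine, "Mohammed Hussain"),
        "middle name, no alias": respond(genuine, "Tariq Hussain"),
        "middle name, alias held": respond(with_alias, "Tariq Hussain"),
        "redirected payment": respond(fraudster, "Tariq Hussain"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26} -> {result}")
```

Without the alias, the genuine payee and the fraudster’s account both return ‘NO Match’ for the same entry, which is the ambiguity paragraph 4.7.3 says fraudsters exploit.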

 

4.8                 The Role of Pay.UK and Payment Systems Regulator (PSR)

4.8.1                                                                                                              Pay.UK and PSR both had the opportunity to exercise their powers to give much clearer direction to the banks on how CoP should be implemented.  They should have directed the banks to develop an education programme for both their staff and the public in advance of implementing CoP, and they should have prescribed both the wording and visual impact of the key messages.

4.8.2                                                                                                              All other PSPs should be implementing CoP during 2021.  This gives Pay.UK and PSR an opportunity to address all these matters in phase two.

 

 

5                        Contingent Reimbursement Model Code of Practice

Paragraph 114 / Recommendation 26 of The Report reads:

“We remain unpersuaded that the [CRM] Code [of Practice] should be voluntary and strongly urge any relevant parties who have not yet signed up to the Code to do so. As the first year review of the Code approaches, the Code should now be made compulsory through legislation.”

 

5.1                 What is CRM?

5.1.1                                                                                                              The CRM Code of Practice is a voluntary code that was developed by the APP Scams Steering Group (under the PSR) in response to the recognition of the growing threat of APP Fraud and Scams.  It is presented in three major sections covering the Sending Firm, the Receiving Firm and the Customer.

5.1.2                                                                                                              The Code was designed to give customers increased protections against APP Frauds and Scams, and assure full reimbursement for victims of APP Scams who have met certain requirements.

5.1.3                                                                                                              The Code ‘went live’ on 28th May 2019 with: Barclays, HSBC, Lloyds, Metro, NatWest/RBS, Nationwide, Santander and Starling.  Co-operative Bank signed-up on 17th December 2019.

 

5.2                 Is CRM working as expected?

5.2.1                                                                                                              The first seven months of CRM (June-Dec 2019) were disappointing in terms of the level of reimbursement.  It could be argued that the low levels of reimbursement can be explained as being due to the banks going through a learning curve, but it is still disappointing.

5.2.2    The latest figures from UK Finance (for Jan-June 2020) show that only 37.5% of cases (by value) of APP fraud were reimbursed by the banks.  Firms that have signed up to CRM have reviewed cases worth £125.6m but only reimbursed £47.2m, leaving many victims without reimbursement.

5.2.3                                                                                                              But, it is not just the low level of reimbursement that gives cause for concern.  The banks are not being transparent about what is happening.

 

5.3                 Who is reimbursing what?

5.3.1    On 30 March 2020 the PSR held a conference call covering 25 banks and other relevant bodies.  During this call two charts were shared showing “Reimbursement by Cases” and “Reimbursement by Value” for the first seven months.  Two of the eight banks reported that they had not reimbursed in 96% of cases, representing 94% and 87% by value.

5.3.2                                                                                                              We do not know which banks these were because the charts did not name the banks.  There needs to be transparency.

 

5.4                 Why are cases not being reimbursed?

5.4.1                                                                                                              In addition to not knowing which banks are not reimbursing there is also no transparency on why they are not reimbursing.  If customers and consumer groups do not know why the banks are not reimbursing them, then:

      Customer behavior will not be changed, and frauds will not be prevented.
      The banks cannot be held to account for their decisions.

 

5.5                 “Effective Warnings”

5.5.1                                                                                                              An important element of the Code is the requirement for customers to “take appropriate action in response an Effective Warning”.

5.5.2                                                                                                              The Code states that Effective Warnings should:

      be risk based
      enable the Customer to understand what actions they need to take to address the risk ….. and the consequences of not doing so.

5.5.3                                                                                                              It further states that the warning should, as a minimum, be Understandable, Clear, Impactful, Timely and Specific.  I have reviewed a number of cases where the bank has declined to reimburse but, in my view, the warnings did not meet these criteria.

5.5.4                                                                                                              The banks should be required to disclose both the exact wording of every warning and the circumstances in which that warning was given if they decline to reimburse on the basis that the customer ignored the warnings.

 

5.6                 “A reasonable basis for believing”

5.6.1                                                                                                              Another important element of the Code is the question of whether or not the customer has a “reasonable basis” for believing that the payment was for genuine goods or services and/or the person or business was legitimate.

5.6.2                                                                                                              Here again, the banks are not explaining why they have decided that the customer failed to meet this test.

 

5.6.3                                                                                                              The FOS presented an update to the PSR for the 30 March conference which included the following statement:

“Some firms are inappropriately declining reimbursement on the basis that the consumer did not have a reasonable basis for believing the transaction or recipient was genuine”.

 

5.7                 Alignment with FOS limits

5.7.1                                                                                                              There is an unhelpful difference between businesses that are covered by CRM and those that can take a complaint to FOS.

5.7.2    The CRM limit is a “Micro-enterprise”.  This has been defined by reference to Regulation 2(1) of the PSR 2017, which in turn refers to a European definition dating from 2003, which reads: “a microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million”.

5.7.3                                                                                                              The FOS limit has been increased in recent years and they now recognise a Small Business limit of £6.5m.

 

 

6                        Historic Reimbursement Scheme (HRS)

Paragraph 119 / Recommendation 28 of The Report reads:

“We strongly encourage firms to consider whether refusing to retrospectively reimburse customers who relied on the payee name is fair and just. We especially encourage this where the customer would now fall into the Code’s definition of vulnerability.”

 

6.1                 Silence

6.1.1    Following the publication of the 2019 report it was circulated to the Government, the PSR, the FCA and Pay.UK so that they could respond to it.

6.1.2                                                                                                              Their response to this Recommendation was one of silence.  I have not been able to identify any comment on this Recommendation in any of the four responses.

6.1.3    I remain firmly of the view that the banks have been ‘Grossly Negligent’ since at least January 2014 through “indifference to the obvious risk” of relying on unverifiable sort codes and account numbers, and that they should be required to develop an Historic Reimbursement Scheme.

6.1.4                                                                                                              Whilst not wishing to exclude any victims of APPF from the possibility of claiming reimbursement I believe that the focus of HRS should be those individuals who have lost at least £2,000.  I estimate that this would cover the top 45,000 cases (15%) where victims lost an average of £22,000.

6.1.5                                                                                                              A more detailed explanation of this point is given in Appendix A.

7                        Delaying Faster Payments

Paragraph 50 / Recommendation 10 of the Report says:

We recommend a mandatory 24-hour delay on all initial or first-time payments, during which time a consumer about to be defrauded could remove themselves from the high-pressure environment in which they are being manipulated. All future payments to that same account could flow at normal speed to minimise inconvenience to customers. If a situation arose whereby an initial payment was needed instantly, a customer could ring their bank and additional checks could be carried out for the funds to be released.

 

7.1                 Response to this Recommendation

7.1.1                                                                                                              The responses from the Government, the PSR, the FCA and Pay.UK might best be described as “luke-warm”.  There is recognition that there might be benefits of doing this, but it is felt that it should be reviewed after CoP has been implemented.

 

7.2                 “Not allowed under the Regulations”

7.2.1                                                                                                              Concern has been expressed that it would not be allowed under PSR 2017, although nobody has ever specifically articulated the precise Regulations that say this.

7.2.2    PSR 2017 Regulation 86 and the FCA Approach paragraph 8.273 state that: “The default rule is that payments have to be credited to the payee’s PSP’s account by close of business on the business day following the day when the payment order was received.”  Does this allow for a clear 24-hour delay between the payment order and the payment being made?

7.2.3                                                                                                              There is, however, another way of looking at it.  Almost all banks allow customers to ‘forward date’ Faster Payments, and they then make the payment on the ‘forward date’.  So, if I tell my bank to delay any high value initial or first-time payment for 24-hours after the payee is created, then this is my instruction and the bank should make the payment after 24-hours.

 

 

8                        Future Developments

There are a number of developments that I believe would either reduce the risk of APPF or benefit victims in recovering from such fraud.  These are outlined below.

 

8.1                 Bank Identification

8.1.1                                                                                                              When the customer phones the bank, or the bank phones the customer, the entire ‘security protocol’ is in respect of the bank being satisfied that they are speaking with their customer.  Nothing is done to assure the customer that they are speaking with their bank.

8.1.2                                                                                                              This serious flaw in security is regularly exploited by fraudsters who socially engineer the victim into believing that they are talking to their bank before executing the fraud.

8.1.3                                                                                                              UK Finance reported that “Impersonation of the police or the bank” accounted for 18% (by value) of APPF in the first six months of 2020.  In 2019 it accounted for 23% (by value) of ‘personal’ losses.

8.1.4                                                                                                              In my experience losses from impersonation of the bank are amongst the most emotionally stressful.

 

8.2                 Account Opening

8.2.1                                                                                                              The CRM Code states that: “Firms must take reasonable steps to prevent accounts being opened for criminal purposes”, but are all banks fulfilling their legal and regulatory requirements on Customer Due Diligence (CDD)?

8.2.2                                                                                                              One possible cause for concern is that the easements that were announced by Companies House in April 2020, that were designed to complement the national response to the coronavirus (COVID-19) pandemic, may have resulted in an increase in the registration of companies being formed for fraudulent purposes.  There were 221,020 new incorporations between July and September 2020, an increase of 51,269 (30.2%) compared with the same quarter of the previous year.

8.2.3                                                                                                              From a fraudster’s perspective, the benefit of a business bank account is that it is less likely to attract the same level of scrutiny in respect of high value transactional activity, giving them great opportunity to process fraudulent receipts.

 

8.3                 Active Account Monitoring

8.3.1                                                                                                              Banks need to consider account activity not only in respect of payments from accounts (outbound), but also receipts into accounts (inbound).  Some banks have developed effective account monitoring systems that are increasingly able to detect exceptional inbound transactions and freeze them before the account holder, who might be a fraudster, is able to transfer the money out of the account.

 

8.4                 Disclosure of Beneficiary Account Details

8.4.1                                                                                                              Where a victim of APPF has not been reimbursed by either their bank or the receiving bank, they may wish to consider taking legal action in the civil courts against the account holder of the receiving account, but they face a very serious obstacle - they do not have any details of the account holder.

8.4.2                                                                                                              Paragraphs 5(3)(a-c) of Part 1 of Schedule 2 of the DPA 2018 make specific provision for disclosure of personal data that: “is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), or is necessary for the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights”.  However, the banks have been consistently reluctant to disclose details of the beneficiary account holder in cases of APPF.  This matter has been raised with the FCA, PSR, FOS and ICO.

8.4.3                                                                                                              In a limited number of cases victims have obtained a Norwich Pharmacal Order (NPO).  An NPO is a court order that forces an (innocent) party, in this case the bank, to disclose information when legal proceedings for alleged wrongdoing cannot be brought because the identity of the wrongdoer (the fraudster) is not known.  Obtaining an NPO can cost as much as £5,000.

 

8.5                 Complaints About Beneficiary Banks

8.5.1                                                                                                              Recent changes in the scope of the FOS allow a limited degree of investigation into the actions of the beneficiary bank in cases of APPF but, in my view, this needs to be extended to allow the FOS greater rights of investigation.

 

8.6                 Repatriation of Stolen Money

8.6.1                                                                                                              Where beneficiary banks freeze funds in an account that is being used for fraud there is a process by which these funds can be repatriated to the victim.  This process can be infuriatingly slow and in one recent case it was nearly six months before the victim’s bank was able to confirm that they had not been able to recover any of the stolen funds.

 

8.7                 Regional Economic Crime Teams

8.7.1                                                                                                              It is perfectly clear that the Police have sufficient resources to investigate only a tiny proportion of APPF cases.  It is also important to recognise that Officers working in this area need both time and training to develop the appropriate skills, which means that there needs to be a long-term commitment to their appointment.

8.7.2                                                                                                              I understand that the banks are holding significant funds that have been frozen but which, for a variety of reasons, cannot be repatriated.  In my view these funds, together with some form of levy on the banks, should be used to develop highly focussed regional crime teams, that combine both Police and civilian staff, to fight APPF and other economic crimes.

 


9                        Appendix A - The Banks Have Been Grossly Negligent

9.1.1                                                                                                              Figures published by UK Finance record APPF losses of £455.8m (i.e. £1.25m/day) in 2019.  The headline figures for 2018 and 2017 were £354m and £236m.  It is, in my view, reasonable to extrapolate that the total value of APPF losses between 1st January 2014 and 31st December 2019 is in the order of £1.3bn.  A modest sum when we consider the financial impact of C-19, but a very significant sum for the individuals who have lost life-changing sums of money.

9.1.2                                                                                                              The question that I am asking is: Have the banks done all that they reasonably could have done to prevent, or at least mitigate, these losses; or have they been ‘Grossly Negligent’?

 

9.2                 The Risks of Faster Payment System (FPS) and CHAPS

9.2.1                                                                                                              Prior to the introduction of FPS we used cheques, and cheques relied on the Payee name.

9.2.2                                                                                                              When FPS was launched on 27 May 2008 it was based on the use of the Sort Code and Account Number (the Unique Identifier) to route the payment to the Payee’s account.  FPS made no reference to, or use of, the Account Name that the Payer had used to identify the intended Payee. 

9.2.3                                                                                                              CHAPS, which is designed for making high value payments, requires the Customer to provide a correct name for the intended recipient of the payment that matches the Account Name associated with the Unique Identifier (i.e. the Sort Code and Account Number), but the system does not validate it.

9.2.4                                                                                                              In my view a thorough and detailed analysis of the risks associated with the introduction of ‘instant payments based solely on an unverifiable sort code and account number’ should have resulted in the development of appropriate security protocols.  There were obvious risks.

9.2.5                                                                                                              Even if those risks were not properly identified at the time, then they should have been identified and responded to as they became increasingly obvious in the following years.

 

9.3                 Tidal Energy Ltd v Bank of Scotland

9.3.1                                                                                                              Even if the risk of fraud from the use of unverifiable sort codes and account numbers was not obvious in 2008, it became obvious in 2012 and 2013 with the case of Tidal Energy Ltd v Bank of Scotland (EWHC 2780).  In January 2012 Tidal Energy attempted to make a payment of £217,781 but it went to the ‘wrong’ account.  The court ruled that Bank of Scotland did not have to reimburse Tidal Energy because it was not banking practice to check the Payee name.

9.3.2                                                                                                              The fact that it was not banking practice at that time to check the Payee name does not, in my view, mean that the banks could remain indifferent to what was now an obvious risk.

 

9.4                 Camerata Property Inc v Credit Suisse Securities (Europe)

9.4.1                                                                                                              In this case, together with those of Red Sea Tankers Ltd v Papachristidis (The "Ardent") and Winnetka Trading Corp v Julius Baer International Ltd & Anor, one of the issues that the judges had to consider was that of potential ‘Gross Negligence’.

9.4.2                                                                                                              The specific point that I focus on is the statement made by Mance J that: “the concept of Gross Negligence seems to me capable of embracing ….. indifference to an obvious risk”.

 

9.5                 The Banks have been Grossly Negligent

9.5.1                                                                                                              Based on the principle that “indifference to an obvious risk” may constitute Gross Negligence, and that the Banks have been aware of the risk since at least 2013, they must, in my view, have been Grossly Negligent since the start of 2014, in that they have, amongst other things, failed to develop and deliver systems to allow Account Holders to confirm the account name on the Payee’s account.

 

 


10                    Appendix B - Types and Values of APPF

10.1            UK Finance ::  Fraud - The Facts 2020

10.1.1                                                                                                          The following information is taken from UK Finance “Fraud - The Facts 2020”.  The figures are for 2019 and are divided into “personal” and “non personal”.  The “% inc” is the increase since 2018:

              Personal                   Non-Personal               Total
              2019          % Inc        2019           % Inc       Total         % Inc
Volume        114,731       47%          7,706          20%         122,437       45%
Value         £317.1m       39%          £138.7m        10%         £455.8m       29%
Average       £2,763.86                  £17,998.96                 £3,722.73

 

10.1.2                                                                                                          The values below each description are for ‘personal’ cases and show:

      The Number of Cases and the Percentage of all Cases
      The Value (in £m) and the Percentage of the Total Value of all Cases
      The Average Loss of each Case

 

10.2            Purchase Scams

10.2.1                                                                                                          In a purchase scam, the victim pays in advance for goods or services that are never received. These scams usually involve the victim using an online platform such as an auction website or social media. Common scams include a criminal posing as the seller of a car or a technology product, such as a phone or computer, which they advertise at a low price to attract buyers.

Cases: 71,574 (62%)              Value: £51.1m (16%)              Average Loss: £714

 

10.3            Investment

10.3.1                                                                                                          In an investment scam, a criminal convinces their victim to move their money to a fictitious fund or to pay for a fake investment. The criminal will usually promise a high return in order to entice their victim into making the transfer. These scams include investment in items such as gold, property, carbon credits, cryptocurrencies, land banks and wine.

Cases: 6,679 (6%)              Value: £89.5m (28%)              Average Loss: £13,400

 

10.4            Romance

10.4.1                                                                                                          In a romance scam, the victim is persuaded to make a payment to a person they have met, often online through social media or dating websites, and with whom they believe they are in a relationship. Once they have established their victim’s trust, the criminal will then claim to be experiencing a problem, such as an issue with a visa, health issues or flight tickets and ask for money to help.

Cases: 2,137 (2%)              Value: £18.0m (6%)              Average Loss: £8,423

 

10.5            Advance Fee

10.5.1                                                                                                          In an advance fee scam, a criminal convinces their victim to pay a fee which they claim would result in the release of a much larger payment or high value goods. These scams include claims from the criminals that the victim has won an overseas lottery, that gold or jewellery is being held at customs or that an inheritance is due. The fraudster tells the victims that a fee must be paid to release the funds or goods. However, when the payment is made, the promised goods or money never materialise.

Cases: 10,508 (9%)              Value: £16.0m (5%)              Average Loss: £1,523

 

10.6            Invoice

10.6.1                                                                                                          In an invoice or mandate scam, the victim attempts to pay an invoice to a legitimate payee, but the criminal intervenes to convince the victim to redirect the payment to an account they control. It includes criminals targeting consumers posing as conveyancing solicitors, builders and other tradespeople, or targeting businesses posing as a supplier, and claiming that the bank account details have changed. This type of fraud often involves the criminal either intercepting emails or compromising an email account.

Cases: 4,732 (4%)              Value: £31.7m (10%)              Average Loss: £6,699

 

10.7            CEO

10.7.1                                                                                                          CEO fraud is where the scammer manages to impersonate the CEO or other high ranking official of the victim’s organisation to convince the victim to make an urgent payment to the scammer’s account. This type of fraud mostly affects businesses.

Cases: 80 (0%)              Value: £1.2m (0%)              Average Loss: £15,000

 

10.8            Impersonation - Police/Bank

10.8.1                                                                                                          In this scam, the criminal contacts the victim purporting to be from either the police or the victim’s bank and convinces the victim to make a payment to an account they control.

Cases: 10,835 (9%)              Value: £73.5m (23%)              Average Loss: £6,784

 

10.9            Impersonation - Other

10.9.1                                                                                                          In this scam, a criminal claims to represent an organisation such as a utility company, communications service provider or government department. Common scams include claims that the victim must settle a fictitious fine, pay overdue tax or return an erroneous refund. Sometimes the criminal requests remote access to the victim’s computer as part of the scam, claiming that they need to help ‘fix’ a problem.

Cases: 8,186 (7%)              Value: £36.2m (11%)              Average Loss: £4,422

 

November 2020

 

 

26 November 2020              Transparency Task Force Ltd