In March and April this year, I received calls on my mobile from fraudsters purporting to be members of my bank’s fraud investigation team. They told me that my account had been hacked and that, to flush out the perpetrators, I needed to transfer money in accordance with their instructions to facilitate their investigation and (more threateningly) so as not to frustrate a wider investigation. I ended up transferring almost £30,000 from my Santander account to accounts with Barclays and Cash Plus Bank, both of which disclaimed any responsibility for my loss.
I fell victim to “authorised push payment” (APP) scams. In these scams, fraudsters contact bank customers directly, representing themselves as the bank’s fraud investigators, the police, HMRC or similar and persuade customers to transfer money (typically using real-time payment systems, such as Faster Payments) from their own accounts to accounts with other banks. The money is then almost immediately removed from the recipient account, in many cases overseas, and is not recoverable.
Despite measures being taken to address the increasing levels of bank fraud, and APP fraud in particular, the scale of the problem has continued to increase to such an extent that UK Finance, the banking trade body, has described it as amounting to a national security crisis. It is estimated that bank fraud now costs the UK economy approximately £1bn a year, and APP fraud accounts for the greater part of it. I got my money back, with interest, only after involving the media. Prior to that, Santander had offered me only £4,300 by way of recompense for what had been stolen from me.
In these scams, it is easy to identify the initial recipient, since the victim will be instructed, persuaded or intimidated into transferring money into a named, numbered account with a bank identifiable from the sort code. These accounts—described by UK Finance as “money mules”—may or may not be set up in compliance with anti-money laundering and “know your client” regulations. There is evidence that many, if not most, recipient accounts are legitimate, either in the sense that the bank concerned has complied with the regulations and verified the account holder’s identity, without realising that the purpose of the account is to function as a conduit for stolen money; or, worse, in the sense that the account holder is entirely innocent and unaware of the fact that his or her account has itself been hacked to serve as a conduit.
Too often, the losses caused by APP fraud are left to lie, fully or partially, where they fall: with customers. Too often banks decline to reimburse customers on the basis that they have failed to heed warnings about how to protect themselves from scams. This ignores the fact that, legally, the duty of a bank is to act as an “ordinary, prudent banker” would act when placed on inquiry by unusual or suspicious activity on a customer’s account, even where the payment instruction appears to have been authorised by the customer. The ordinary, prudent banker does not automatically execute such an instruction without first satisfying itself that the instruction is genuine and not the consequence of fraudulent misrepresentations. Banks—not only the victim’s bank, but the “initial recipient” bank—have systems to detect and query suspicious transactions. Given the exponential growth in bank fraud, these systems are obviously not working effectively, and warnings about scams are clearly not cutting through. Although victims have a right to complain to the Financial Ombudsman Service in the event of a refusal by their bank to reimburse them, the process is extraordinarily time-consuming and compounds the distress caused to customers who may have suffered catastrophic losses. There is also no guarantee that a complaint will bring about a favourable outcome.
The question then arises: what is being done with all this stolen money which, after all, is not being recovered from the fraudsters even where a victim is successful in obtaining full or partial recompense? In effect, UK banks are allowing themselves to be used as vehicles not merely for theft but also for facilitating serious organised crime, such as drug or people trafficking and even terrorism. Perhaps this factor more than any other should compel banks and the appropriate agencies (including, for example, the National Crime Agency, the Financial Conduct Authority and HM Treasury) fully to recognise the urgency of this crisis, already so harmful to thousands of bank customers and the UK economy, and to start building a coherent strategy for fighting it.