Payment fraud doesn't have an easy answer – unless you want to blame the banks...
Sadly, this rather hyperbolic article offers few useful facts or insights into the ongoing prevalence of payment fraud and what protections exist.
Therefore, I hope to offer some:
1. It is relatively rarely that a bank will "fall for scams" as the headline suggests. If a bank makes a payment in the absence of authority from the customer, they would prima facie be making a payment in breach of the customer's mandate and be liable to restore the account;
2. Instead, payment fraud is typically perpetrated when (a) a customer is duped into handing over their sensitive account information; or (b) a payment the customer intended to make is misdirected into the fraudster's control (e.g. due to an intercepted/altered invoice or a scam phone call). The latter being an authorised push payment (APP) fraud. As the name suggests, this is where the customer has authorised a payment;
3. There is relatively strong legislative protection for consumer and micro-enterprises who are victims of payment fraud - pursuant to the Payment Services Regulations (PSRs) which, albeit amended, have been in force since 2009;
4. Further, protections have recently been enhanced by:
- The expansion of the FOS jurisdiction to consider complaints by small businesses;
- The expansion of the FOS jurisdiction to consider complaint against recipients banks (where the complainant is not the bank's customer); and
- The introduction of the APP CRM code – a voluntary code of conduct – which obliges signatory banks to offer refunds in more circumstances and, in some cases, even when the customer is at fault;
5. It is the case that, on 27 August 2019, Pay.UK has received a change request from the participants of the CRM Code – in order to charge a levy (around 3p on transactions) to fund "no blame" fraud refunds. That is, to refund victims of fraud where neither the customer, nor the banks are "at fault". The call for information is due to close at 5pm on Tuesday 1 October 2019;
6. The development of ever faster payment processes referred to in the article (and retention of a customer's data to power them) have been responding to consumer and business demand. I don't think many people would happily return to a world where we cannot make contactless payments, book/pay Uber fares and transfer sums via our Apps;
7. It is the case that bank transfers operate on the primacy of account numbers and sort codes. This was held to be legitimate in the case of Tidal Energy Ltd v Bank of Scotland Plc [2014] EWCA Civ 1107 (in which my firm acted) and which remains the leading authority. This will remain the case until the forthcoming introduction of Confrimation of Payee (CoP), the protocol which will introduce a further check to ensure the customer has not entered incorrect recipient details;
8. Whilst there has been a delay to the introduction of CoP, the Payment Systems Regulator has mandated that the six largest banking groups must fully implement this by 31 March 2020; and
9. There are grounds for victims of fraud to criticise banks, particularly in the areas of the adequacy of fraud prevention systems and money laundering checks for mule accounts (used to channel funds away). However, this is very much a fact sensitive exercise in each case and one which can only be concerned with balancing any secondary culpability as between customer and bank - where the primary responsibility must lay with the fraudster.
Despite the article's assertions, if banks are "at fault" they are often very keen to ensure a customer does not lose out, even if the customer was wholly (or partly) to blame.
Unfortunately, this article and criticisms in the related piece appears to be an attempt to absolve victims from responsibility and use well-worn clichés to blame banks.