107.Consumers have always faced economic crime and fraudsters attempting to part them from their money. However, as we have seen, while economic crime is not new, the methods for committing frauds themselves are becoming increasing sophisticated, requiring fresh thinking on consumer protection. Susan Allen of Santander UK told us:
As the scammers and fraudsters become more sophisticated, it is quite right that we evolve our understanding of what is right and fair for customers to do to protect themselves.
In this chapter we consider the balance between consumers’ rights and responsibilities, including reimbursement, gross negligence and education.
108.As part of its efforts to tackle the growing rise of APP fraud, in April 2018 the Payment Systems Regulator (PSR) set up a steering group to set up a voluntary industry code to show when victims of APP Fraud should be reimbursed. This followed a super-complaint by Which? to the PSR in September 2016. The group produced the Contingent Reimbursement Model (CRM) Code, which came into effect on 28 May 2019.
109.The Code covers payments made via CHAPS, Faster Payments and internal book transfers. The Code set outs the circumstances under which the financial firms who have signed the Code should reimburse the money lost; the types of information financial firms should provide consumers so they can make informed decisions; and the responsibilities financial firms have if they are sending or receiving payments.
110.On 1 July 2019 the Lending Standards Board (LSB) took over responsibility for the governance and oversight of the Code. Ruth Evans, the Independent Chair of the Authorised Push Payments Scams Steering Group, told us that the LSB entered into a memorandum of understanding with the Steering Group which included specifying the mechanisms by which the code would be reviewed, both thematically and as a whole. She also confirmed that there would be a review within the first year, and subsequently rolling reviews every three years.
111.The Code is a voluntary undertaking by relevant financial firms. When we asked why a voluntary code had been chosen, rather than making changes to legislation or regulation, Ruth Evans of the Authorised Push Payments Scams Steering Group told the Committee that the “PSR felt this was the best way forward” and that the voluntary nature meant that changes could be made more quickly:
It could be done and introduced far more swiftly, and more responsively to consumer and industry needs. […] Introducing a voluntary code […], in essentially a year, is much faster than any statutory underpinning, which would require legislation.
112.The Code has been welcomed by banks. Barclays, for example, told us that the Code marked “a major improvement in consumers’ protection against the impact of scams.” However, Richard Piggin of Which? cautioned that the success [of the Code] would be judged on the impact it had on consumers.
113.The LSB has a list of all financial firms who have currently signed up to the Code on its website. Despite this not being all firms which offer banking facilities, Chris Hemsley of the PSR told us that he believes the principles put into the Code would become “industry best practice” and that the Financial Ombudsman Service would see the them as “standards that [would] need to be applied in any event.”
114.We welcome the Contingent Reimbursement Model Code—a frame work for financial institutions to use to determine when reimbursement should be provided to victims of APP Fraud—as a way to protect consumers. We remain unpersuaded that the Code should be voluntary and strongly urge any relevant parties who have not yet signed up to the Code to do so. As the first year review of the Code approaches, the Code should now be made compulsory through legislation.
115.While the introduction of the Contingent Reimbursement Model Code will cover future victims of fraud if their financial provider was a signatory to the Code, it does not provide any resolution to previous victims of such frauds. Victims and those who represent them told us they believed the Code should also be applied retrospectively. The reasons they gave included that it would be unjust to exclude victims prior to the Code’s implementation and the fact there are no legislative or regulatory changes which have led to the Code’s development.
116.As part of its consultation into the development of a Code, the PSR received evidence from individuals in favour of retrospective reimbursement, but also received submissions from financial services providers who disagreed with retrospection because the standards of the model could not be retroactively implemented. No explanations as to why it could not be retroactively implemented were provided in the consultation publication.
117.When asked why the original parameters of the Code set by the PSR did not cover retrospective reimbursement, Ruth Evans, Independent Chair of the Authorised Push Payments Scams Steering Group, told us that it was recognised that “Payment service providers [could not] retrospectively implement or adhere to the standards of the model.” The PSR explained that:
Applying the Code’s standards retrospectively means payment service providers (PSPs) would have to compensate customers based on standards that didn’t exist at the time of the fraud. Given the Code’s voluntary nature, this would have been a major barrier to getting PSPs to sign up, meaning customers would most likely not be enjoying the protections they have now.
That said, the PSR did not restrict any financial entity from continuing to “be able to offer goodwill payments” in retrospective circumstances
118.We accept that including retrospective reimbursement within the Code would have been a barrier to financial firms becoming signatories. However, financial firms have been warned since 2016, when Which? made a super complaint, that they have been failing in their duty to protect customers by not linking information on account names to payments. This is still an issue as Confirmation of Payee has not been implemented yet.
119.We strongly encourage firms to consider whether refusing to retrospectively reimburse customers who relied on the payee name is fair and just. We especially encourage this where the customer would now fall into the Code’s definition of vulnerability.
120.In order to ensure the Code is properly implemented, a Practitioner Guide for those financial institutions that sign up to the Code has been produced. Ruth Evans of the Authorised Push Payments Scams Steering Group told the Committee that content of the guide was being “overseen by both a consumer and a PSP, with input from everybody from the steering group as well.”
121.Richard Lloyd, who was an Advisor to the Authorised Push Payments Scams Steering Group explained the function of the Practitioner Guide to the Committee:
The practitioner guide gives a very clear set of examples of what kinds of activity the banks should be undertaking and what view they should take of different consumer approaches to the level of care. […] The practitioner guide is intended to give people on the frontline a clear sense of what is expected of them across the industry, what good looks like and what is unacceptable.
122.In addition to the Practitioners Guide there is a guide for consumers. This guide gives a high-level overview of the types of scams a consumer may face, general warnings as to what to look out for when making a payment, and what to do if a consumer falls victim to a scam. The Consumer Guide and the Practitioner Guide, as described by Richard Lloyd, appear to differ in that the Consumer Guide provides no specific examples.
123.Richard Lloyd told the Committee that the Practitioner Guide would not be made available to consumers as the steering group “obviously do not want it to become a guide for fraudsters.”
124.We accept that keeping the Practitioner Guide private avoids it becoming a guide to committing fraud. However, the current consumer guidance is so high level, it does not give consumers a clear sense of what is expected of them. Without sight of how the Code should work in practice, consumers may be left unable to effectively challenge their bank. This could lead to an increased number of cases being referred to the Financial Ombudsman Service and a delay in any potential reimbursement. We recommend that a more detailed consumers’ guide is produced, which includes practical examples.
125.Until January 2019, consumers who were the victim of authorised or unauthorised fraud could only claim against their own financial services provider, and not the provider that received the funds. The FCA have issued new rules, which came into force on 31 January 2019, permitting consumers to complain to the financial firm receiving the payment. These firms now have the same obligations as the firm sending the payment under the complaints handling procedures within the FCA Handbook. Megan Butler of the FCA told us that:
Victims now have a greater capacity to go to the FOS [Financial Ombudsman Service] to complain if their bank has not stepped up to the mark, or indeed if the payee bank has not stepped up to the standards that they are expected to meet.
126.Until recently, financial firms have only had access to information within their own firms. As such they could not see how payments moved across the entire banking system. The Mule Insights Tactical Solution (MITS), run by Vocalink, brings together data across the banking system to analyse transactions and see how laundered funds are moved. Mark Tingey of Metro Bank told us that the technology “is helping to proactively identify prospective mules based on activity from other accounts.” The technology is used to track suspicious payments “regardless of whether the payment amount is split between multiple accounts, or those accounts belong to the same or different financial institutions.”
127.Despite the existence of the MITS, it is still usually not possible for payments to be recovered when the receiving account has been identified. This is because recovery and payment of the funds out of the recipient account can currently only take place with direct authority of the account holder. Susan Allen of Santander UK, explained:
We are tracking where payments go. Even when we find that money has gone to an account, today you cannot get it back. Unless you have the authority of the account holder to remove that money, you cannot remove that money even if you have suspicion.
The receiving bank is only liable if they have neglected their responsibilities as set out in FCA Handbook.
128.Stephen Jones, Chief Executive of UK Finance, also highlighted the frustrations with the current legal framework:
Fundamentally, when we are talking about victims, if we can identify where the victim’s money has gone but cannot do anything about repatriating the money from the end account to the victim, something is wrong in the system. Unfortunately it is the law that prevents that at the moment.
129.We welcome the FCA’s recent rule changes requiring financial firms receiving payments to ensure that they are not inadvertently assisting economic crime. However, we are concerned by the lack of power financial institutions have to recover money sitting in bank accounts once it has been reported as stolen. Given the development of MITS technology, the Government should review the current legislation around recovery of stolen funds to ensure that victims can be reimbursed as quickly as possible, whilst protecting legitimate transactions.
130.Where a firm concludes that a loss from an unauthorised fraud was down to the consumer’s own ‘gross negligence’, reimbursement is unlikely. The Payment Services Regulations 2017 state that the consumer would be liable for all losses on an unauthorised payment if (amongst other criteria) they are deemed to be grossly negligent. Gross negligence can include not using the payment instrument (for example a debit or credit card) in the agreed manner with the service provider.
131.Whilst regulations use the concept of ‘gross negligence’, they did not provide a definition. Stephen Jones of UK Finance told the Committee this meant that:
The interpretation of gross negligence, to the extent that there is no statutory definition, becomes a matter of common law. When the FOS [Financial Ombudsman Service] look at the concept of gross negligence, they apply a judgment every time in terms of what they think is fair and reasonable. It is a matter of interpretation and practice.
132.This ambiguity in determining what amounted to gross negligence was echoed by Mark Tingey of Metro Bank, who told us that ‘Unfortunately, there is no definition and very little case law in terms of gross negligence.’
133.It is therefore down to individual financial firms to decide what constitutes ‘gross negligence’. The Financial Ombudsman notes that there is “an ever-changing state of play” with regards to the scams being faced by consumers. Firms may differ, therefore, in deciding what are “fair and reasonable” expectations for consumers. One solution could be for cases to be referred to the FOS, but under the current arrangements this would be at a consumers’ discretion, and it might take time for an accepted view to develop of what gross negligence meant in a certain case.
134.Caroline Wayman, Chief Ombudsman and Chief Executive of the FOS, stated that their policy was to set “gross negligence [at] a pretty high bar.” Examples the Committee were given by industry representatives for what might be considered to be negligent included giving someone the PIN for a bank card, or not storing the PIN safely; and not ensuring the loss of a bank card is reported promptly.
135.Despite the existence of the term ‘gross negligence’ in the regulatory framework, we were told that firms were reluctant to use it when corresponding with customers to avoid upsetting the customer. Susan Allen of Santander UK told the Committee “We have never automatically called a customer grossly negligent.” Mark Tingey of Metro Bank told us that its process was not to use the phrase as they felt explaining the rationale of the decision was more helpful than using the phrase.
136.However, Richard Emery, an independent fraud investigator, argued that as the rules state a consumer is only liable for all losses if they have been ‘grossly negligent’, unless the bank proves and states this, they should be reimbursing.
137.We were told that firms would take the vulnerability of a customer into account when determining whether a customer had acted negligently. During our inquiry into Consumer Access to Financial Services we were told about how Eleanor Southwood, Chair of the Royal National Institute of Blind People, needed to give her PIN to a taxi driver because the Chip and PIN device was not able to cater to those with partial sighting. When asked on this specific case, Chris Rhodes, of Nationwide, said “We have a vulnerability policy, and cases are assessed on a case-by-case basis. […] which we would always take into account.”
138.Vulnerability is not dependent on the protected characteristics listed in the Equality Act 2010. In our report Consumer’ access to financial services we took evidence on the FCA definition of vulnerability and how it could be applied in practice. As part of their response to our report, the FCA promised a consultation on ‘Guidance for firms on the fair treatment of vulnerable customers’ which was launched in July 2019. This consultation has now closed and we are awaiting the results. The consultation noted that vulnerability may stem from circumstances, for example bereavement, and as such a consumer could be vulnerable for a period of time, and not their whole life.
139.The existing Payment Services Regulations do not define what actions by a customer would be deemed as ‘gross negligence’. As a result, each individual firm can set its own bar of what customer behaviour it would deem to be grossly negligent. This could lead to a lack of consistency between how customers with the same circumstances are treated. We recommend that an accepted definition for gross negligence should be agreed by the regulators. The regulators should require financial firms to produce an easy to read lists of ‘dos and don’ts’ for customers, to show how the individual financial firms would define proper account usage in the majority of circumstances. Such lists would allow for variations between firms.
140.Financial firms must ensure that vulnerability is a key factor in determining if a consumer was grossly negligent. The FCA should ensure that the outputs from their recent consultation on the Guidance for Firms on the Fair Treatment of Vulnerable Customers covers any finding of gross negligence.
141.If firms do find individual consumers to have been grossly negligent, we recommend their customer responses quote the legislation the firms are relying upon to refuse making a reimbursement, alongside an explanation of how this conclusion was reached. Although it may cause distress, we believe that using the phrase ‘grossly negligent’ would provide a very clear explanation to the consumer why their claim is being refused, and on what grounds.
142.Despite the scale of economic crime, Detective Chief Superintendent Peter O’Doherty, Head of Crime and Cyber at the City of London Police, told us that the general public are largely unaware of economic crime unless they themselves have been a victim:
Cybercrime and economic crime is a big problem once you have been victimised but, up until that point, for an average person, it is a fairly invisible crime.
143.During our inquiry we gathered evidence on how best to educate consumers both on general advice around how to avoid being the victim of a scam, and on ensuring they were aware of specific scams. We heard evidence about the various educational pieces that regulators, trade bodies, the police and individual banks have undertaken.
144.We heard differing opinions on how effective the education push by the financial sector has been. Mark Tingey of Metro Bank said that “people are more aware today of the threats that are out there than they maybe were five years ago.” However Richard Piggin of Which? was more sceptical about whether increased education had lead to any reduction in fraud:
[The banks] response to date has focused very much on education and awareness-raising, […] and we are not convinced that there is enough evidence to show that education and awareness-raising has an impact on reducing the amount of fraud.
145.TSB provided evidence to us describing outreach sessions in areas where data was showing a higher likelihood of falling victim to fraud. As a result of these sessions the attendees reported “that they felt more confident in being able to spot fraud after attending.”
146.Education must reach as many consumers as possible in accessible ways in order to be effective. Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, explained to us that while a lot of education campaigns may seem to be “basic” information, it was important for messages to be repeated to people for it to be fully understood:
People often forget about [financial education] when they are being induced to make an investment by someone who turns out to be a fraudster or a scamster […]That kind of information needs to be repeated over and over again to really get it through to people, so that they understand that they are at risk of being scammed.
147.An example of such an education piece was the “Take Five” campaign run by the Home Office and Joint Fraud Taskforce partners on a national basis. This utilised different types of media to send a simple message to consumers around how to protect themselves from fraud. Karen Baxter the Police National Coordinator for Economic Crime, explained the key message within the campaign:
If it looks too good and feels too good, it is probably too good. It is about the power of getting people to take five minutes and to take a step back. That in itself will have prevented many crimes.
148.Education has an important role to play in the wider fight against economic crime. There is always merit in equipping consumers with skills to give them the confidence and knowledge to pause and think about whether or not the situation they have found themselves in could be a fraud.
149.We recommend that financial firms should undertake targeted education campaigns where trends have been identified and when new scams appear. These should include information at the point of opening an account about the consequences of being a money mule and information regarding emerging frauds so that consumers can stay vigilant.
150.It is important that financial education is not a ‘one time’ exercise. We recommend that reminders are sent out to consumers in different formats and at different times. This should include online marketing and social media to target messages to younger consumers. This will ensure that firms are not only meeting their obligations of the Contingent Reimbursement Model Code, but also will help prevent fraudsters from succeeding in the first place.
128 APP Scams Steering Group, , September 2018, para 3.13
129 Lending Standards Board, , 28 May 2019
133 Barclays ()
135 Lending Standards Board, , October 2019
137 Holly Richardson (), Barrie Cooper () and 4Keys International ()
138 Holly Richardson ()
139 Payment Systems Regulator, , February 2018
140 Payment Systems Regulator, , November 2017, p45, para 6.49
141 Payment Systems Regulator ()
142 Payment Systems Regulator, , November 2017, p45, para 6.49
145 Lending Standards Board, , May 2019
147 FCA, , December 2018
149 Faster Payments, , December 2018
151 Faster Payments, , December 2018
155 The Payment Services Regulations 2017, No.752, Part 7,
156 The Payment Services Regulations 2017, No.752, Part 7,
159 Financial Ombudsman Service, Ombudsman News - , August 2018
160 Financial Ombudsman Service, Ombudsman News - , August 2018
161 Treasury Committee, Oral evidence: Independent Review of the Financial Ombudsman Service, HC1400, 22 January 2019,
168 Treasury Committee, Oral evidence: Consumers’ access to financial services, HC1642, 14 November 2018,
171 FCA, , July 2019
172 FCA, , July 2019, para 2.3
180 TSB ()
Published: 1 November 2019