Authorised Push Payment Fraud

Stuart C McDonald Excerpts
Wednesday 1st March 2023

(1 year, 9 months ago)

Westminster Hall
Read Full debate Read Hansard Text Read Debate Ministerial Extracts

Westminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.

Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.

This information is provided by Parallel Parliament and does not comprise part of the offical record

Kirsten Oswald Portrait Kirsten Oswald
- Hansard - - - Excerpts

I share the hon. Gentleman’s concerns. In 2021, losses to this type of fraud totalled £583.2 million. That represents a 38% increase on the previous year. It is worth noting that a lot of cases of authorised push payment fraud go unreported, so those figures are likely to underestimate the true amount lost to these scams. As he suggested, the impact of fraud can be devastating. Victims can lose substantial sums of money. The impact on their health and wellbeing cannot be over-stated. Research from Which? showed that 71% of fraud victims felt that their experience had a detrimental impact on their stress levels; 63% said it was harmful to their mental health, and 39% said it affected their physical health.

Stuart C McDonald Portrait Stuart C. McDonald (Cumbernauld, Kilsyth and Kirkintilloch East) (SNP)
- Hansard - -

I too am very grateful to my hon. Friend for bringing this subject before the House. She is right to mention the huge damage this fraud can cause to individuals and families, including in my constituency. I have two constituents who were caught up in the episode that she described. Does she agree that progress in making compulsory both full reimbursement and the code has been slower than we would like? It is crucial that we make fast progress on ensuring that full reimbursement and full compliance with the code are in place by the end of this year.

Kirsten Oswald Portrait Kirsten Oswald
- Hansard - - - Excerpts

I am grateful to my hon. Friend. He is absolutely right, both about the people we are discussing who are directly affected, and about the framework generally. Progress is needed now. I will come back to both those points.

My constituent owns a successful business. Despite proper security controls, its email server was unfortunately infiltrated by sophisticated fraudsters, who then sent emails to business clients. The emails sent by the scammers looked just like genuine emails that would be sent from the business. That allowed the fraudsters to cloak their identity. I have heard of other cases of this, too. It is worth stressing that the emails were sent to clients who were due to make payments, which made the fraudulent emails seem entirely credible. This type of fraud is highly sophisticated. In fact, it is a huge and growing industry, which should be of deep concern to us all. I hope to hear the Government’s reaction to it from the Minister. Little wonder that many people unknowingly end up transferring funds to fraudsters when the scams are so sophisticated and complex.

My constituent’s case was only one type of APP scam, namely that of impersonation. There are other types. For example, there are purchase scams, in which a victim is tricked into buying goods or services that are never received. They are regularly found on Facebook and Instagram, and victims are lured in by the promise of cut-price goods. Quite commonly, it will be something like a reduced-price games console, which the victim pays for online but does not receive. Another type of APP fraud is the investment scam: victims are tricked into handing over money for bogus investment schemes that never materialise. Romance scams are obviously less common, but are deeply distressing; people are persuaded to make a payment to a person online with whom they believe they are in a relationship, but who they have never met.

The need to prevent all those types of fraud is paramount. An individual can take steps, particularly in cases such as the one I outlined, to ensure that their money is transferred to the correct bank account. For instance, a straightforward step is to never hesitate to question a payment request robustly. Ideally, an individual should make contact via means other than the ones through which the payment request was made. They should not just reply to an email or click a link, but find another way of contacting the business. We are essentially asking consumers to be responsible for working out where a sophisticated and complex crime is being committed. We need to strike the right balance, and recognise that those actually responsible for this terrible crime are the criminals.

A client of my constituent’s business was asked by their own bank to confirm with the business that it had requested a payment before the bank proceeded with the transfer. At that point, the business became aware that there had been an intrusion into its systems, and it took proactive steps to prevent customers from making any further payments. I welcome the way the business has dealt with the issue throughout.

I welcome the efforts made by several banks to introduce confirmation of payee services. They check the account name and details to ensure that the payment arrives at the correct destination, providing an additional layer of security. However, only some banks have set up such services. TSB Bank believes that all payment service providers should be required to introduce confirmation of payee services, because it seems that organised criminal gangs have shifted to using banks that do not have those checks enabled. It is noticeable, certainly to me, that there is not a unified view in the banking sector on how best to prevent this kind of scam, or on the issue of mandatory reimbursement. The UK Government could do more to take the lead on bringing the banking and payment sectors together to solve these issues. I would welcome the Minister’s thoughts on that.

I thank Lloyds Banking Group, which took the time to meet me this week, ahead of the debate, to discuss these issues and some of the cases I am raising. I hope that a satisfactory conclusion can be reached. My hon. Friend the Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald) very clearly laid out the distress caused to the people who are caught up in these situations. I encourage Lloyds to look further at this particular case, but I am grateful for its positive discussions with me about fraud prevention.

In total, four clients of my constituent’s business were targeted by fraudsters. As my hon. Friend the Member for Cumbernauld, Kilsyth and Kirkintilloch East suggested, the first case involved a couple unknowingly transferring £40,000 to an HSBC-held bank account. They have been reimbursed over £19,000 by their bank, which is the Bank of Scotland. The second case involved an individual who, again unknowingly, sent £12,500 to an HSBC-held bank account. In the third and fourth cases, clients received emails asking them to transfer money to fraudulent HSBC-held accounts, but thankfully they did not do so.

The contingent reimbursement model is a voluntary code that 10 firms covering 21 banking brands have signed up for. That code aims to reduce the occurrence and the impact of authorised push payment scams. It was designed to give people confidence that if they fell victim to that kind of scam, they would be reimbursed if they had acted properly. The responsibility for reimbursement, according to the contingent reimbursement model code, lies solely with the sending bank.

With that in mind, I return to the case that I outlined, where only half the funds have been returned. I wonder how that can be. The couple has been reimbursed £19,555 by the Bank of Scotland—the sending bank, if you like. Now, the Bank of Scotland has signed up to the contingent reimbursement mechanism, so I would have expected it to reimburse its client to the tune of the full £40,000. However, it did not do that and instead suggested that HSBC should refund the other half of the £40,000 because it was the bank with whom the fraudulent account was held. The individual who mistakenly sent £12,500 to an HSBC-held account has in fact received no reimbursement at all.

Both those cases are now with the Financial Ombudsman Service. I hope—although I am not sure this will be borne out in reality—that there will be a sensible resolution to the situation, because none of these people deserves to be impacted in the way that they have been. It is important to stress that terms such as “blame” and “fault” are used too often in these conversations, in a way that is both unhelpful and unfair, given the sophistication of these scams. The only people to blame for authorised push payment scams are the criminals who create these fraudulent ventures, not the people who fall victim to what are designed to be highly convincing criminal efforts to part them from their money.

With that in mind, I would like to make several points to the Minister. First, the banking sector must improve its internal mechanisms for identifying accounts engaged in fraudulent activity. During my correspondence with HSBC regarding the situation I have set out it stated:

“HSBC undertakes robust due diligence as part of our account opening process, and has payment screening in place to identify fraud.”

I have no doubt that HSBC has internal mechanisms to detect potential fraudsters, and I do not seek to suggest otherwise, but my constituent’s clients were targeted by fraudsters with four different accounts, all of which were held by HSBC. We should remember that this particular case of fraud was stopped at an early stage, so I cannot say how many potential frauds the fraudsters may have wanted to carry out or how those would have related to particular banks. However, all the cases I am aware of involved HSBC, so HSBC—and every other bank—can and must do more to identify and shut down accounts engaged in fraud.

Secondly, I welcome the move towards making the contingent reimbursement model a mandatory code covering all banking firms. I note that clause 62 of the Financial Services and Markets Bill, which is currently in Committee in the other place, enhances protections for victims of authorised push payment scams by putting a duty on the Payment Systems Regulator to take regulatory action on APP scam reimbursement, ultimately giving it the power to make reimbursement mandatory across the faster payments service.

The introduction of a voluntary contingent reimburse-ment model code has resulted in the rate of victim reimbursement rising from 19% in the first half of 2019 to 41% in 2020. With a mandatory CRM, I am sure that that number will rise further, meaning that more and more victims of this type of fraud should receive reimbursement. Some banks, such as TSB, offer an authorised push payment scam refund guarantee, fully reimbursing all authorised push payment scam victims up to £1 million, unless the customer has been grossly negligent. Some 97% of fraud claims with TSB have been refunded since the refund guarantee was introduced, which is well above the industry average and should give food for thought to others.

Last November, the Payment Systems Regulator consulted on a package of measures to combat authorised push payment scams, including mandating reimbursement for victims. The regulator is now consulting on specific proposals that would put that mandatory reimbursement in place for all online and mobile payments. In line with protections for other payments and financial services, reimbursement would be on all payments over £100, and a time limit of no less than 13 months would be set for claims. A mandatory reimbursement code would ensure that, regardless of what bank or building society individuals choose as their provider, they would be protected from massive financial loss due to these scams.

To come back to the situation I am dealing with, two clients of my constituent’s business have lost £20,000 and £12,500 each. These are significant sums of money. Who could possibly afford to lose them? I welcome all legislative changes that will help to bring about a mandatory reimbursement code, but what steps will the UK Government take to ensure that people who have been affected before the code comes into place are reimbursed, particularly where their payment service provider signed up to the voluntary code but failed to carry through on its commitment, as the sending bank, to reimburse?

I would also like to hear the Minister’s views on social media firms and tech giants taking fraud more seriously and on what action they can take to stop fraudsters using their platforms to target people. It is also incumbent on them to take steps to clamp down on bad actors but, at the moment, they have no financial incentive to remove fraudsters from their platforms, because banks are ultimately held responsible for refunding lost money. That is a conversation that needs to take place with Government.

I welcome some of the progress that has been made and the action by banks, Government and other organisations but, although mandatory reimbursement is desirable, some are still concerned about how it will be enforced. The Treasury Committee recently published a report entitled “Scam reimbursement: pushing for a better solution”, which highlighted some of these concerns. That report supported the principle of mandatory reimbursement but noted concerns about how the plans would be implemented. The Payment Systems Regulator proposes that Pay.UK will make, maintain and enforce reimbursement rules. That is problematic for several reasons set out in the report. Pay.UK is not independent; it is an industry body and guaranteed by the very banks and other service providers it would be asking to reimburse fraud victims. More worryingly, it is not a regulator and lacks the powers necessary to enforce its rules, so there could be foot-dragging and other challenges.

Stuart C McDonald Portrait Stuart C. McDonald
- Hansard - -

The other reason the Treasury Committee gave for not liking that solution was the potential for further delay and kicking the can down the road. Given the earlier point that this has been ongoing for a few years, the last thing we need is more delay.

Kirsten Oswald Portrait Kirsten Oswald
- Hansard - - - Excerpts

It is almost as if my hon. Friend had read the end of my speech. He is absolutely right; that is it in a nutshell. We want to prevent fraud, punish fraudsters and ensure that victims are reimbursed. That is the way to reduce the harm that these scams cause. Surely, we should all support those principles. I ask the Minister to give serious consideration to the credibility of the Payment Systems Regulator’s current suggestions, to look closely at how social media interacts with these systems and to commit to listening to victims such as those I have talked about today.

To conclude, I ask that the banks involved in the cases I have outlined give serious consideration to their part in the challenges that people are facing through no fault of their own. They should look to ensure both that people are reimbursed and that they clamp down on fraudsters using their services.