Authorised Push Payment Fraud – Don’t Be A Victim

Following recent developments and many well-publicised examples of scams against bank customers making the headlines, Adrienne Brigden and Taryn Heath explore recent changes in the way banks are to deal with so called Authorised Push Payment Scams.

What is an Authorised Push Payment scam?

An authorised push payment scam is the fraudulent method of convincing someone to send their money, often large sums held by way of savings, to another person who is unknown to them under the pretence that such a payment is made to protect such money.

The criminal to which they have sent their money can also freeze the victims’ account and withdraw the cash for their own benefit, effectively wiping out a bank account of its funds. The Banks cannot trace this method as the criminal will more often than not use the name of a trusted source, whether that be a bank, solicitor or trusted advisor causing their victims to believe in a ‘trusted relationship.’

The prominent methods of an authorised push payment scam are either carried out by way of a phone call or email sent from what will be perceived as a trusted source. In short, the mechanics of such a scam operate with the criminal often contacting their victim, pretending to be from their bank where the fraudster will ask a series of ‘security questions’ such as, the victims name, first line of their address and bank details. They will then express concerns about fraudulent activity on the account with the money in such an account being at risk of a possible fraud. In order to prevent this, the victim is advised by the criminal to send their money to another account for ‘safekeeping’. When the funds are sent to a safe account, unless the bank is quick to act, it is extremely hard to trace the funds. The criminal will transfer small amounts of the funds to various accounts and repeat this until the fraudulent activity is nearly untraceable.

The same process can be completed through email; however, this method is often used on smaller businesses who may not be aware of such issues or have the structures in place to prevent such activity. It is estimated that in the first half of 2018, consumers lost £145.4m to authorised push payment scams and only £31m was returned and a staggering £1.2 billion was lost in 2018.

The position prior to the new Code of Conduct

Historically, victims of such fraud have been blamed by their banks for consenting to the transfer of their money, due to the fact there were no safety precautions put in place to protect customer transactions. The victim was therefore deemed liable and responsible for consenting to this action, despite being unwittingly defrauded and be subject to such tactics by experienced fraudsters.

When research was conducted in 2017, it proved that more precautions needed to be put into place. It was found that 43,875 Bank customers lost an average of £2,782 each to Authorised Push Payment scams and only a quarter of this money was replaced by the Banks. This caused controversy over who was responsible for the protection of the victim in such circumstances, with organisations such as the Financial Services Certified Professional (FSCP) stating banks had a duty of care to protect its customers and should not place the blame immediately on the victim.

Further protection was provided to the consumer as of 31 January 2019, which also placed a duty on the receiving bank of the fraudulent funds to act reasonably and work with the victims’ Bank to try and recover the funds. However, this still provided little protection for consumers as it did not prevent Banks blaming the victims for being negligent.

Due to this controversy the New Code of Conduct issued by the Financial Conduct Authority will hopefully improve the behaviour towards the victims of the so-called authorised push payment scams.

What is the new code of conduct?

The New Voluntary Code of Conduct issued by the Financial Conduct Authority and Payment Systems Regulator aims first, to put more precautions in place to protect consumers and most importantly, provide a better ‘aftercare’ for those who have fallen foul of such fraud. This ‘aftercare’ includes the Bank repaying what the victims have lost, arising from their general duty of care and responsibility to their customers to ensure a safe banking facility. The banks have agreed to put this measure in place until final long-term funding arrangements come in at January 2020.

The burden of proof previously applied, related to the consumer being careless and consenting to such a transaction. The responsibility under the Code now rests with the banks proving that the consumer was “grossly negligent”, rather than the victims being left to defend themselves. This is a significant improvement as those who are targeted by criminals, are often the more vulnerable members of society, and thus historically have not just been victims of fraud, but also suffered due to the sensitivity of their situation.

This new code of conduct has been accepted by eight banks in total: Barclays, HSBC, Metro Bank, Nationwide, NatWest, Santander, Royal Bank of Scotland and Lloyds Banking Group. It is important to stress that only those Banks named above have accepted this new code of conduct and taken further safety precautions.

Despite the New Code of Conduct being set into place, this does not mean people who have been victims in the past will be reimbursed their money, instead the new Code of Conduct put into place from 28 May 2019, with its aim to improve future circumstances and issues which may arise rather than deal with past actions. The new Code also does not apply to the victims who have given fraudsters access to their online banking, who then subsequently empty the account. Although these may be disappointing for previous and current victims of Authorised Push Payment Scams, it certainly opens doors to new interpretation and better treatment of bank customers in such circumstances.

How to protect yourself

When you receive a phone call from the bank, it is important to ensure that you are speaking to an actual representative of the bank and not a fraudster. A legitimate representative would require the answers to your security questions, whereas, a fraudster would ask for your personal details, such as the below. If you are asked any questions like the below, it should flag up that you are not speaking to a legitimate representative. No authorised body, nor bank will require the following from you:

  • PIN or banking password
  • To purchase item(s) or to provide them with the bank card
  • Withdraw or transfer money for safekeeping

If you are asked any of the above on a phone call, be sure to: take your time and use your initiative, say no and end the phone call, and also contact the fraud department at your Bank immediately.

For those who have suffered such scams prior to the implementation of the Code of Conduct, RDP has successfully acted for clients in pursuing such action and recovered significant sums for clients. Contact us if you have suffered such losses and we would be happy to discuss such matters and how we could hopefully recover such sums for you. Our contact details are 01633 603178 or email for a no obligation, confidential discussion on your matter.