Community

Agree Ed. In our son’s case his cash ended up in a non-CoP UK bank, so a UK mandating would at least help to close the door. In terms of consumer education (for account holders) …. it would help that effort if these scams could be referred to with something the general public can actually understand and that better describes the problem. Such as Identity Fraud Scams, for instance …. and not ‘APP fraud’ which appears in every media headline but is so tenuous even bankers struggle with it (despite it being essentially derived from bankers’ speak).

Thanks Jackie. When your bank’s app is in your phone, you are carrying their software (SaaS). Essentially you’re carrying a miniaturised branch around in your pocket and we need to be maximising the advantage of this … Applying modern use of in-app messaging or message-based-chat would make the phone line - where you have to be “taken through security” and are more often than not subjected to ‘hello 1989’ IVR before you are permitted to even talk to a human - largely redundant. It would be trivial instead to ping an app (push) notification and then serve up the ‘last three transactions’ …. “did you spend £15.22 at Aldi in Jesmond yesterday?” or whatever, in the App with a Y/N? field. No phone call required, utlising SCA (instead of the first two characters of your mother’s maiden name etc) and strong assurance for the account holder that they’re communicating directly with their actual provider.

APP fraud is identity fraud and banks should implement Secure Provider Authentication (SPA).

To protect their customers from the indignity, the anxiety and the shame of being scammed, Banks need to focus energies on SHUTTING THE STABLE DOOR to prevent more of this from happening in the first place.

Some people will always get scammed but right now that door is way too ajar.

Big banks are just too easily impersonated and their comms channels to customers vulnerable and too easily compromised by their own behaviours.

Last month our son at Uni fell victim to an APP scam and they emptied his account. Sufficiently sophisticated to fool a young adult with just a few yrs of banking familiarity.

First a bogus txt from ‘Royal Mail’ about parcel redelivery: enough to elicit an address and bank name. Next an 0800 inbound call from ‘Santander’s fraud team’ alerting to suspicious activity. And so, driven by a fear of losing all his money … he lost all his money.

Banks say “we will never contact you by…“ and “we will never ask you to ….” but the uncomfortable truth is they do and they have (less now than in the past) - and it’s those behaviours the scammers are exploiting.

In the follow up with Santander’s real fraud team they’d called him on three different 0800 numbers, none of which he had any means to validate as real. At the start of each call he was “taken through security checks” but they gave him NO means to authenticate THEIR identity.

Why? They could have sent an OTC to their App on his phone and recite it once he’d opened the App to view it using SCA. They’re leaving account holders vulnerable because it’s secure comms ONE WAY but NOT the other.

Hardly a surprise that APP fraud on FPS now outstrips fraud on the card networks (which for so long held top billing). Significant for the customer tho as fraud on the former is far harder to recoup than the latter are your article points out.

PSD2 gave banks no choice but to spend on SCA to ensure the account holder is verified by two factors when opening their App.

Implementing 2FA to provide equivalence in the other direction ~ for the account holder ~ is non mandatory. So whilst it's technically trivial to enable, it’s a chunky £upgrade which needs to be signed off internally.

Cost being commensurate with size / age: the CMA9 are the natural laggards and loom large on this heat-map.

When the CRM payouts (mandated or otherwise) exceed the internal cost to upgrade I guess the decision becomes easier.