UK Finance proposes payments tax to compensate fraud victims

Interesting - this infers that we all need to pay for the frauds that need to be stopped rather than funded. Why don't we start by following and recovering the money?

I don't get it. So if "a victim of an APP scam has met their requisite level of care, and so should be reimbursed, but no bank or other Payment Service Provider involved in the payment journey has breached their own level of care", how does the fraud occur? Something must have failed somewhere. Perhaps it's the bank of the fraudser in which the account was created and which accepted the payments and which then allowed the fraudster to abscond with the funds that should be held liable - for failing to do adequate KYC checks.

Absolutely how it shoudl happen: it is rather starange that no-one seems to realise this though and to be addressing this issue.

I agree with you both. Perhaps it's just too problematic to obtain the fraud funds back from an overseas bank!

Many of these frauds occur because the fraudster has been able to open a UK bank account with forged or stolen documents. They then receive money and immediately remove the funds. Please tell me why banks should be absolved from responsibility for allowing the fraudulant account to be opened and also tell me why they are not picking up the immediate removal of the funds received. I do not agree that the general public and businesses should pay for this.

The increase of succeeded fraudes with large amounts that cannot be retrieved after the crime has taken place ,has much to do with the endeavour to persuade all banks to introduce the faster (real) time payments , for which the banks seem not to have found out what applications and services they may connect to this faster payments (see next finextra mail). Fraudsters and money laundriers found out the comfort of this innovation of real time payments as soon as it was introduced. So we can expect more and more it is the duty of banks to resolve this, unfortunaltely we will all have to pay our share either as customers, share holder and perhaps tax payers.

My personal view is that the cost of any fraud should be borne by the weakest link - otherwise no one has any real incentive to address it! Sharing the cost of fraud doesn't address the underlying problem.

This suggests some kind of credit card like chargeback mechanism to be put in place for A2A payments. But chargeback works in credit card because the Beneficiary is a Merchant, who not only has an ongoing relationship with the Acquirer Bank but is also pre-vetted by Acquirer Bank for issue of Merchant Account. In the A2A context, all that the Bene's bank does is KYC. KYC is neither a character certificate nor a background check, so a guy who proves to be a fraudster after-the-fact will pass KYC as easily as a genuine Beneficiary. OTOH, Merchant Account issuance process involves a certain degree of vetting the Beneficiary's business and nobody can question the Acquirer Bank if it denies Merchant Account to someone. There's no way the Bene bank can retrieve money from Fraudster, who can always claim he delivered whatever he committed to the Customer - it becomes a "he said, she said" kind of situation. Again, while many Merchants do consider credit card chargeback unfair, they live with it because that's the cost of popularizing credit card among Payers. Not sure whether the same will be possible in A2A.

Dear Kethamaran, the "he said, she said" situation should lead to a slow down or freezing of payment usually people go to the police if they get frauded. At the moment it is free play for crimials who can get their money intstantaneously while the victim is helpless. In the Netherlands there are now many cases where private bank accounts were ripped for several ten thousands of Euros each(by so called Microsoftscams) . In some case the money first was transferred to english accounts and than dissolved through fast payments. The bank feels sorry but places the full risk on the victirms that never asked for fast payments procedures espacially not with these high amounts to fraudsters. 

As both a private individual and a business owner, I was never asked whether I wanted faster payments, nor was it made clear to me when faster payments were introduced, that the risks would be transferred to me rather than my bankers.

The problem here is that the bank customer is defrauded by a third party to hand over login credentials by being asked to log into their account on a bogus website via the screen scraping technology or by a man in the middle attack. Please note that the sponsors on open banking (TPP:s and authorities) have advocated for not legally banning screen scraping making it harder for customer to look out for fraudulent requests. Sometimes consumers are also asked to send monies to cousin Jeff who is in trouble... via social engineering. The bank security system works as intended and the customer does the strong two factor login and allows monies to be sent to somebody, normally a mule account, a brit who lends his account to fraudsters to receive fraud funds. The banking secerecy requirement does not allow the receiving bank to communicate the recepient bank account holder identity to the payer! The funds then bounce on to other accounts via faster payments and end up being taken out as cash or prepaid cards or other easy to dispose tokens, or on accounts in far away countries where controls may be less. Anyway the monies are rapidly transferred several times and then disappear. Legally the transactions are backed by the finality of a payment requirement and cannot be taken back without the consent of the fraudster or his mule! In Sweden the consumer complaints board recently ruled that the bank of the defrauded party should compensate its customer unless the customer showed major neglect. If so one is not compensated for the first 1 000 Euros but anything above that. The careful customer pays a 50 Euro deductible, all this according to the brand new EU payment services directive no 2. The Swedish defrauded customer takes the 100% blow only if  he/she was in wilful neglect or deliberately acted to allow a known fraud scam. I guess that UK banks are worried that the "swedish syndrome" will spread to the UK and they end up footing the bill and like to transfer it to customers throgh a credit transfer sur-charge. The real problem lies with politicians and legislators setting rules that help fraudsters.

I agree with the second poster - there must be blame somewhere, and in my experience, it's usually a lack of vigilance on the part of the victim.  Until we start following the money (even if offshore), this problem will only get worse.

By trying to create a pot of money to pay people back, not only do you disincentivise vigilance, but you also create a new scam where pairs of criminals can rip each other off and claim it back!  The pot would be empty in minutes...

Is this really a probem for the banks?  If the victims were defrauded out of cash in thier wallets - by scams of a similar nature - it would not fall to the banks to refund.  Indeed it would not be seen as a banking problem at all.  

So, if this is not a direct banking problem, the problem lies in the gulibility and therefore the vulnerability of bank customers, but the problem is exaserbated by the speed at which bank balances can be expropriated and transferred.

The development of real-time banking services has fueled the development of fraud vectors focussed on social engineering mechanisms.  

A victims fund finaced by a payment tax is not the answer.  The answer must lie in modifications to the ecosystem to reduce and limit the opportunities for fraud, but this has a cost.  There are solutions but fraud prevention has never been a headline grabber.     

WP: Agree with David.  Also, if we start charging for bank transfers, we'll be back to cash and cheques in no time....

@Victor Van Rij: 

At the point of making the payment, Payor knows or does not know that Payee is Fraudster. If former, Payor would / should not go ahead with the payment. If latter, I imagine the realization that Payee is Fraudster comes after the payment is made and goods / services are found defective or whatever i.e. ex post facto. In this case, how would the Payor's Bank slow down or freeze the payment while it is being made? Let's also not forget that Banks are governed by strict SLAs on payment roundtrip duration and, unlike PayPal et al, can't get away by freezing a payment / account for suspected fraud. As for the rest of your comment, your use of the passive voice obfuscates the reality that (a) Nobody forced the Payor to use Faster Payments (b) Payor transferred the money to whoever out of their own free will and volition. Therefore, Payor must take responsibility for their actions. 

BTW, it's "Ketharaman":)

@Melvin Haskins:

At least two UK banks and three Indian banks I bank with warn customers that, if they use FPS or NEFT or IMPS or any A2A payment method, (a) they must ensure that they're directing the payment to the intended beneficiary's account number (b) Bank is not responsible for any misdirected payment. At other places, I've argued that Banks are stunting the adoption of A2A payment methods by using such scary language. But if the intrepid Payor still goes ahead and uses them, shouldn't they know that, by default, they're taking the risk of fraudulent payments? Especially since, AFAIK, Banks have never accepted the risk of fraudulent payments for any mode of payment. (Credit card is the sole exception, but, even there, I don't know a single Bank that advertises this fact.)

Bank merely facilitates the payment. There are many other actors in the transaction: Customer, ISP, Fraudulent Supplier, Platform that connects Customer and Fraudulent Supplier (e.g. Craigslist). Just as Craiglist or the ISP won't accept the risk of fraud in the transaction despite their role in putting through the transaction, I don't see why Bank should. The Customer's Decision to buy from Fraudulent Supplier is the most culpable party for the fraud. If the entire cost of fraud can't be slapped on that party for political or whatever reason, the only other fair option I see is to hold all parties collectively culpable and slap the cost of fraud on all of them. If there's a practical method of recovering the cost from all of them, well and good. Otherwise, I'm afraid, a payments tax might the only way out.

Re. Anon's comment, A2A payments already attract a charge in India, and, yes, many customers have gone back to cash and cheque. In response, some banks have already started levying charges for usage of cash and cheques beyond a certain free number per month and other banks are seriously considering such a move.

WP: Yes, well we definitely don't want to go there!

@Anon: 

Agreed but I don't see any other choice eventually. Banks incur cost for cheques. Government incurs cost for cash. As of now, this cost is not explicitly passed on to Payors. OTOH, Banks / PSPs and Merchants incur cost for digital payments, which they try to pass on to Payors. Payors will keep protesting the cost of digital payments unless they're also made to foot the bill for cash and cheque.

PS: What does "WP" mean?

WP are my initials. I post anonymously because I'm not representing my company.

Dear Ketharaman ,You remarked " (a) Nobody forced the Payor to use Faster Payments (b) Payor transferred the money to whoever out of their own free will and volition." This is not true with the regular internet scams that take place. It is known that scammers ask for small payments on (copied and real) screens of the banks (which indeed sometimes are made voluntarily, but also under threat of destroying your pc) and  that the scammers seem to have possibilities to change the amount and the accountnumber where the money goes to. So it is not regular fraude but fraude using the sytem for payment created by the bank. Moreover the cammers also use the codes that they steal for small paymenst not just to higher one payment but also to rip saving accounts connected to the payment account and also the security settings that client put in. This is because many banks use the same safety procedure for normal payments as well as for the change of safety settings (also almost real time). This is a systemic fault of the bannks , which tenfolds the damage in ordinary scams that already take place for 15 or 16 years and has everything to do with the attempts of the banks to create the real time tranfers world,without asking clienst if they want this.

Dear David, I hope you understand that the scams we  are talking about, are not comparabe with normal scams where people talk money out of your wallet. Wallets which in most cases will not contain all of your money. I think we should all look at the Swedish model because it gives the right incentives to the banks to look how they can make their system more resilient also in an age of social engineered real time payments and scams. Scams that use the weak spots of the banking systems and the way clienst use these systems. This is not only about better encryption but about an eye for the interaction of social engineering and the client system interface  plus brainstorming on the potential steps of cybercriminals to break into this. The beauty of the Swedish systems is that it places the largest burden on the banks who have the best opportunity to make their own systems more safe but also assumes some responsibilty of the clients(own risk) and also fights any fraudulant actions of customers with ill will.

@Victor Van Rij:

This article and my comments pertain to the specific instance of "Authorized Push Payment" Fraud and not to any random "regular internet fraud".

While people who fall victim to APP fraud are deceived, that deception is caused by the Payee. There's no reason why a bank should be culpable of it. It's not a secret that, by design, A2A payments are irrevocable and non repudiatable. For years, many people including me have been shouting from the rooftop that Payors should be extremely careful before making an A2A payment and that they should do a sub-dollar pipecleaning payment, verify that the intended beneficiary has received it, before going ahead with the full payment. People who don't follow such basic best practices should use credit card and raise a chargeback request if they are deceived into paying the wrong person. There's no reason why a bank should be culpable for such instances. 

Dear Kethamaran,  I may agree when the fraud would be a simple fraud where you make a payment and dont get delivered , but the article is not covering the features behind the APP , which ususally go beyond a not delivered good or service. That is the practice that , criminals use the features of the banking payment system either to break into the payment (to change its outcome) or  to create falsified payment environments to steal the codes of clients  that can be used to rip off the accounts of these clients. In this area the reponsibility of banks is far greater. I hope you agree

@Victor Van Rij:

Since APP is a PUSH type of A2A payment, it means Payor has the prior itch to make the said payment to the said Beneficiary and that, unlike a PULL payment, Bank has no role in creating or conveying the said itch. PUSH further means that Payor logs into their Internet / Mobile Banking account of their own free will and volition and, unlike PULL, according to their own schedule to "scratch their itch". Under this circumstance, there's absolutely no culpability of the bank if Payor ends up being defrauded by the Beneficiary. 

What you seem to be suggesting looks like plain, simple hacking of the bank's system. AFAIK, that does not come under the purview of APP Fraud.     

PS: Once again, it's "Ketharaman":(