/security

News and resources on cyber and physical threats to banks and fintechs worldwide.

Three-in-four APP fraud cases rejected by banks overturned by Financial Ombudsman

Consumer complaints outfit Which? has accused banks of treating authorised fraud victims unfairly, with some firms getting decisions over scams and reimbursement wrong in nearly nine in 10 cases.

  0 6 comments

Three-in-four APP fraud cases rejected by banks overturned by Financial Ombudsman

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

Up to three quarters of APP fraud cases referred to the Banking Ombudsman found in favour of the customer after the banks involved initially rejected applications for reimbursement.

Figures obtained by Which? show that NatWest and The Royal Bank of Scotland (RBS) - part of the same banking group - are getting it wrong in nearly nine in 10 (86%) cases, with Santander (82%) and Bank of Scotland (81%) following closely behind. While challenger bank Starling (80%) also had a high complaint uphold rate, this was based on a much smaller number of closed cases than other firms.

Fraud complaints against Lloyds Bank (78%), Revolut (77%) and Nationwide (74%) are also being upheld in favour of the victim.

Which? has called for much greater transparency about firms’ behaviour and approach to reimbursement - which would require the Payment Systems Regulator (PSR) to make banks regularly publish data, including their reimbursement rates for all of the APP fraud cases they handle each year. It is also calling on the Government to introduce mandatory APP fraud reimbursement obligations on all firms using Faster Payments, with a robust regime of regulatory oversight and enforcement.

Jenny Ross, Which? Money Editor, says: "It’s shocking that so many banks are failing to handle cases correctly, often wrongly and unfairly denying victims reimbursement. It’s clear banks can’t be trusted to make the right decision when it comes to reimbursing their customers who’ve fallen victim to APP scams."

Sponsored New Report – The Future of AI in Financial Services 2025

Comments: (6)

A Finextra member 

Why is my bank responsible for me telling them to send money to a fraudster? I don't get it. Surely the compensation should come from the payee bank, since they know who the fraudstrer is.

Jackie Barwell

Jackie Barwell Director at ACI Worldwide

Banks have the ability to monitor incoming funds as much as they can monitor outgoing - so they should do so.  If a recipient bank account accumulates a 'dodgy' reputation over time, then surely that recipient bank should decline future incoming transactions to the 'dodgy' account as soon as its risk score reaches a pre-determined 'reject' threshold.  If banks do that, then they have a better case to answer if they choose to reject a claim.  By not doing this, they're not doing all they can to protect account holders.  

Jeremy Light

Jeremy Light Co-founder at Fourdotzero

@Dave Birch - I fully agree. Also, I continue to be amazed that press comment and regulatory actions centre around reimbursing APP victims rather than tackling the route cause of the fraud which is fraudster-controlled accounts at the payee bank.

Talking to people in the open banking world it is clear that bank KYC efficacy varies significantly across banks and that those banks with weaker KYC controls are clearly identifiable. On-us APP fraud is <1% (see PSR APP consultation) whereas on-us payments are around 10% - this may indicate fraudulent accounts are disproportionately in the smaller banks.

Reimbursing innocent victims is obviously very important but as you say it should be the payee bank who reimburses rather than the victim's bank. It is also beyond me why regulators fail to hold all banks accountable to meet the same KYC efficacy - making payee banks liable would jolt into action those with weaker KYC. 

Perhaps regulators worry about burdening smaller banks while finding it easier to bash the big banks who bear the brunt of APP fraud.

A Finextra member 

"Perhaps regulators worry about burdening smaller banks"

Good points all, Jeremy, and yet another argument for some sort of federated bank-led digital identity with a proper interchange and liability scheme in place.

Andy Hunter

Andy Hunter CEO at Perficiam Ltd

The banks need to get their arms around this before liability escalates. COP is patchy and it is unreasonable to give identity risk to the consumer. In the cheques world, this risk rests with the banks who are far better placed to accept it and the system works well. If the same princinciple was applied here it would be much easier to defend those more difficult claims that transactions should have been blocked because they were not in the remitter's best interests.

A Finextra member 

My expectation is PSR intervention (again) by January - the leakage is unsustainable and although I applaud the new bandaid trial of phoning a hotline to check the payment is OK to send, it's not exactly scalable. Trust is everything if we aren't going to regress to bags of cash, meeting on the side of the street to conduct transactions.

[Webinar] Operational Resilience in the age of DORAFinextra Promoted[Webinar] Operational Resilience in the age of DORA