Bank Fraud! Santander!!!

Archi_Bald

TurnUpForTheBooks wrote: »

Why on earth are we condoning for even a moment the action of a bank directly against one of their customers who has suffered loss through card fraud?

Why are we even bothering to try to analyse the systems ? Let's get this problem the right way round, please.

Because we (well, at least some of us) know there are always at least 2 sides to every story. We have only heard 1 side on this one so far. Of course, we aren't likely to hear the bank's side but that doesn't mean we are in a position to judge what actually happened. That's a fact.

No amount of ranting on your part changes anything on that fact.

al25

reclusive46 wrote: »

A lot of ATMS will still accept a cloned magnetic stripe card (Even if the magnetic stripe says it should be a chip card) as the ATM and bank just assume the chip is dirty or broken (fallback). So all they need is magnetic stripe data and PIN.

To test this theory you can tape your chip and try the ATM. It will not work.
and Grumbler is right, we don't have the old ATM's no more.

TurnUpForTheBooks_2

Oh dear oh dear - that "r" word for someone "going off on one" is actually a piece of corporate vocabulary, isn't it? Goes along with handy words like "aggressive" and "rude" when the company wishes to dis someone they've upset rather than deal with the real cause of the upset.

I appreciate the general need for balance for the sake of healthy debate and argument on most consumer matters, but why do we have to endure apologists for banks on the MSE forum? The point is that when things are seen to go wrong, banks notoriously only disclose what they know when it becomes more painful corporately to continue to obfuscate than it does to communicate and act civily.

MPH80 wrote:

TurnUpForTheBooks wrote:

The bank is 100% liable for these losses the moment the customer signs a form confirming that did not make the transactions or directly cause them to be made.

No - they aren't in all cases.

Just so there is no misunderstanding arising from ambiguity, I think you meant to type "No - they aren't in some cases." ?

Then I think you've gone on to allude rather vaguely to some exceptions, none of which can be investigated in the mere 24 hours it seems it took Santander to deny liability to the OP in this case.

For the benefit of those of us who are wondering if a worsened culture not an improved one has been cascaded down within banks recently, what please are the T&Cs you refer to but don't detail that are specifically relevant to card fraud incidents and give the bank authority to deny liability as in this case within 24 hours?

MPH80

TurnUpForTheBooks wrote: »

For the benefit of those of us who are wondering if a worsened culture not an improved one has been cascaded down within banks recently, what please are the T&Cs you refer to but don't detail that are specifically relevant to card fraud incidents and give the bank authority to deny liability as in this case within 24 hours?

Santander don't outline the extent of liability in their T&Cs - they rely on the payment services regulations that government brought in. As I'm sure you're aware - the government bill that brought in the PSR 2009 would override any lower level T&Cs the banks put in. The PSR 2009 work in conjunction with the CCA 1974 to help define the limits and liabilities of card holders in the event of fraud. The bank's can add specific clauses if they like, but not ones which override those acts.

http://www.legislation.gov.uk/uksi/2009/209/pdfs/uksi_20090209_en.pdf

Payment Service Regulations 2009:

Payer’s liability for unauthorised payment transaction
62.—(1) Subject to paragraphs (2) and (3), the payer is liable up to a maximum of £50 for any
losses incurred in respect of unauthorised payment transactions arising—
(a) from the use of a lost or stolen payment instrument; or
(b) where the payer has failed to keep the personalised security features of the payment
instrument safe, from the misappropriation of the payment instrument. 39
(2) The payer is liable for all losses incurred in respect of an unauthorised payment transaction
where the payer—
(a) has acted fraudulently; or
(b) has with intent or gross negligence failed to comply with regulation 57.
(3) Except where the payer has acted fraudulently, the payer is not liable for any losses incurred
in respect of an unauthorised payment transaction—
(a) arising after notification under regulation 57(1)(b);
(b) where the payment service provider has failed at any time to provide, in accordance with
regulation 58(1)(c), appropriate means for notification; or
(c) where the payment instrument has been used in connection with a distance contract (other
than an excepted contract).
(4) In paragraph (3)(c) “distance contract” and “excepted contract” have the meanings given in
the Consumer Protection (Distance Selling) Regulations 2000(a).

However, it's also worth noting this clause in this government bill:

Evidence on authentication and execution of payment transactions
60.—(1) Where a payment service user—
(a) denies having authorised an executed payment transaction; or
(b) claims that a payment transaction has not been correctly executed,
it is for the payment service provider to prove that the payment transaction was authenticated,
accurately recorded, entered in the payment service provider’s accounts and not affected by a
technical breakdown or some other deficiency.
(2) In paragraph (1) “authenticated” means the use of any procedure by which a payment service
provider is able to verify the use of a specific payment instrument, including its personalised
security features.
(3) Where a payment service user denies having authorised an executed payment transaction, the
use of a payment instrument recorded by the payment service provider is not in itself necessarily
sufficient to prove either that—
(a) the payment transaction was authorised by the payer; or
(b) the payer acted fraudulently or failed with intent or gross negligence to comply with
regulation 57.

So them saying that the use of the payment instrument isn't necessarily sufficient to prove that the individual authorised the transaction. However, the definition of payment instrument in the regulations could, reasonably, be interpreted to be just the card, not the PIN. As such, the use of the correct PIN would indicate authorisation. Thus, providing records showed that the correct card (e.g. fully chip read) and the correct PIN were used on the transactions - and the card is in the possession of the card holder - and no additional cards have been issued - then the card holder made the transactions.

Would you mind now showing me the regulations that make the bank fully liable - which is what you've originally stated. Because the link I've posted shows that you're always liable for up to £50 for unauthorised transactions. This is confirmed by both the PSR 2009 and the CCA 1974 (as appropriately amended).

M.

MPH80

but why do we have to endure apologists for banks on the MSE forum? The point is that when things are seen to go wrong, banks notoriously only disclose what they know when it becomes more painful corporately to continue to obfuscate than it does to communicate and act civily.

No organisation is going to be fully transparent at any time.

The NHS has had a series of cover ups. The banks covered up a variety of problems. Did any of the organisations currently on trial for bribery in the far east jump to it and admit in advance?

The simple fact of the matter is that this is the corporate world in which we live. No amount of !!!!!ing, moaning and complaining is going to change that. Regulations will be brought in to force transparency, and then revoked a few years later as 'red tape'.

None of us here are apologists - we simply understand the regulations and rules both the banks and the people who have signed contracts with the banks are operating under and thus what rules the OP is going to have to work with.

We can help the OP understand that and work within that framework to get the right outcome.

Understanding the deep ins and outs of regulations, hierarchy of T&Cs will enable consumers to appropriately get what they deserve. This is most effectively demonstrated with the bank charges a few years back. Understanding of law and regulation allowed people to challenge them. Unfortunately for them, the charges were, in the end, declared lawful. But that knowledge helped thousands.

Jumping up and down about how evil and out of control banks are doesn't help anyone.

M.

TurnUpForTheBooks_2

MPH80 wrote: »

Santander don't outline the extent of liability in their T&Cs - they rely on the payment services regulations that government brought in. As I'm sure you're aware - the government bill that brought in the PSR 2009 would override any lower level T&Cs the banks put in. The PSR 2009 work in conjunction with the CCA 1974 to help define the limits and liabilities of card holders in the event of fraud. The bank's can add specific clauses if they like, but not ones which override those acts.

http://www.legislation.gov.uk/uksi/2009/209/pdfs/uksi_20090209_en.pdf

Payment Service Regulations 2009:

Payer’s liability for unauthorised payment transaction
62.—(1) Subject to paragraphs (2) and (3), the payer is liable up to a maximum of £50 for any
losses incurred in respect of unauthorised payment transactions arising—
(a) from the use of a lost or stolen payment instrument; or
(b) where the payer has failed to keep the personalised security features of the payment
instrument safe, from the misappropriation of the payment instrument. 39
(2) The payer is liable for all losses incurred in respect of an unauthorised payment transaction
where the payer—
(a) has acted fraudulently; or
(b) has with intent or gross negligence failed to comply with regulation 57.
(3) Except where the payer has acted fraudulently, the payer is not liable for any losses incurred
in respect of an unauthorised payment transaction—
(a) arising after notification under regulation 57(1)(b);
(b) where the payment service provider has failed at any time to provide, in accordance with
regulation 58(1)(c), appropriate means for notification; or
(c) where the payment instrument has been used in connection with a distance contract (other
than an excepted contract).
(4) In paragraph (3)(c) “distance contract” and “excepted contract” have the meanings given in
the Consumer Protection (Distance Selling) Regulations 2000(a).

However, it's also worth noting this clause in this government bill:

Evidence on authentication and execution of payment transactions
60.—(1) Where a payment service user—
(a) denies having authorised an executed payment transaction; or
(b) claims that a payment transaction has not been correctly executed,
it is for the payment service provider to prove that the payment transaction was authenticated,
accurately recorded, entered in the payment service provider’s accounts and not affected by a
technical breakdown or some other deficiency.
(2) In paragraph (1) “authenticated” means the use of any procedure by which a payment service
provider is able to verify the use of a specific payment instrument, including its personalised
security features.
(3) Where a payment service user denies having authorised an executed payment transaction, the
use of a payment instrument recorded by the payment service provider is not in itself necessarily
sufficient to prove either that—
(a) the payment transaction was authorised by the payer; or
(b) the payer acted fraudulently or failed with intent or gross negligence to comply with
regulation 57.

So them saying that the use of the payment instrument isn't necessarily sufficient to prove that the individual authorised the transaction. However, the definition of payment instrument in the regulations could, reasonably, be interpreted to be just the card, not the PIN. As such, the use of the correct PIN would indicate authorisation. Thus, providing records showed that the correct card (e.g. fully chip read) and the correct PIN were used on the transactions - and the card is in the possession of the card holder - and no additional cards have been issued - then the card holder made the transactions.

Total bamboozling bank barrister ballcocks if you don't mind me saying, MPH80?

Would you mind now showing me the regulations that make the bank fully liable - which is what you've originally stated. Because the link I've posted shows that you're always liable for up to £50 for unauthorised transactions. This is confirmed by both the PSR 2009 and the CCA 1974 (as appropriately amended).

No it isn't. In both cases it is a maximum limit of the customer's liability ALL ELSE CONSIDERED, not an insurance excess, and it does not absolve the bank of the liability in the first place.

Why are you arguing this from the point of view that these regulations transfer risk and liability from the bank to the customer? That was never the intention of these regulations.

You are dancing on the head of a pin, M.:dance:

MPH80

TurnUpForTheBooks wrote: »

Total bamboozling bank barrister ballcocks if you don't mind me saying, MPH80?

Ok - reasonable debate has gone out of the window.

OP - I've done all I can - enjoy.

M.

Uxb

TurnUpForTheBooks wrote: »

And they have plenty of helpers in these forums willing to line up and bamboozle the customer further.

I sometimes despair at the defining characteristics of typical posters on MSE on anything to do with UK business culture within which we are invited to imagine they take a full part.

Once you have spent some time on these forums as a 'lurker' or as a member you will start to find that not all posters with a problem are as they
seem to be.
There are the trolls who start totally ficticous threads about a 'problem' with the sole aim of wasting people's time. Ususally they are reasonably easy to catchout in subsequent postings or even looking at their previous postings page which is a very useful MSE feature to see where their current story does not match previous statements about themselves.

There are the genuine ones with a genuine fraud problem on their account.

There are the ones who are using MSE's forums to try and discover banks and others security systems for criminal intent. Some of them quite blatant. In the techie forum one asked about how to remotely install a keylogger on another PC from afar.

There are the ones who hotly deny it could have been them or any member of their family....when actually it was. I remember where the bank showed that the disputed online purchase was carried out from the same IP address as used in other accepted transactions prior and post the disupted one. Not suprisingly when the significance of this was explained to the OP, they when suddenly very quiet and nothing more was heard.

Sad to say much fraud is carried out by persons close to the victim who have access to the data and the like to be able to impersonate them either on the phone or on a computer via ID/password use. The banks etc will not generally regard this as 'fraud' unless the victim is willing for the police to prosecute the person which will require them making a sworn statement against the person.

I case you will say I'm yet another banker, no I'm a professional engineer. I can assure you that we get problems with corporate customers mishandling our equipment and then claiming it was all our fault and nothing to do with them. We too are responding by having to put in remote data gathering and monitoring facilities to stop the customer lies.

Apologies for the long post

TurnUpForTheBooks_2

No need to apologise for any long post, Uxb - least of all when I am around - one of the world's worst long posters!

I do take your point but this is a consumer money saving website. It is surely not right for anyone to try to justify a bank's actions against an innocent customer using a barrow load of technical or legal mumbo jumbo which in fact does no such thing.

Those of us with experience of many banks and many systems and many life experiences in the consumer world sail a consistent course through frequent attempts by certain industry groups to recalibrate the compass in their favour, to make waves or sometimes to change the course of the river altogether.

The overriding principle in the relationship between a bank and its customers is that the customer shall deposit his or her money with the bank and in return will receive an absolute guarantee of deposit security. The subordinate service provided by the bank in consideration of the money deposited is a recognised easy payments service that does not require the customer to withdraw deposits and make the payments in person.

Let us not confuse the one with the other which is what the banks are very much trying to do and it seems they have turned it full circle with their treatment of ATM withdrawals as "payments".

We are very aware that the banks pressure their customers into standard payment services which many of their older customers particularly do not like. It is with good reason that many older people do not like CHIP & PIN or cards full stop. Can you wonder at it when you see links in threads like this to university research papers/technical specs/bits of statutes/unknown T&Cs? These things are for no common customer to worry about. The customer is entitled to argue that a bank is what it has always been from first principles.

If money goes missing from the bank, then it has been robbed or embezzled. It is not the customer who has been robbed or embezzled. When a customer reports an anomaly in their account which indicates the bank has been robbed or embezzled then they should be treated with the greatest of care and respect, not treated like they or their family or friends or work colleagues are criminals.

On the subject of work colleagues with criminal dispositions, when you take a look at the ordinary people that work in bank branches why is it that we are encouraged to assume that they are not the problem with flakey security ?

These are the people that flogged PPI against any conscience they might have had nagging them. Many are young and spend more than they earn yet they supposedly advise customers on sensible budgeting. There is high turnover as banks get continually merged or demerged or move continually in and out of investment business at the branches. There is easy access to enormous amounts of personal data. There are hushed up examples of criminal groups forming inside banks.

All this, and the same banks dare to let computers tell them what a pattern of suspicious customer activity looks like. Pity it doesn't tell them what a dodgy bank worker looks like. Unfortunately, in the past at least, many of the dodgy ones are more likely to have been labelled as best-sellers :mad:

So if you as a customer who has just reported anomalous transactions in your account happen to fall outside the bell curve of their half-baked statistics you get the bums rush from the bank - just as has happened to the OP.

And then the consensus of opinion here from those that should know better in many cases (not suggesting that's you Uxb) is that the bank unquestionably has good reason but if you must question it then here's a bunch of small print to chew on as you go, and do mind the way out. (Appeal if you want to, but not here). :mad:

meer53

I have a lot of life experience. And a lot of bank experience too. I've worked for banks (just 2) for the last 30 years. The majority of this time in a fraud department so i've dealt with cases like the OP's lots of times.

I can see 100% why Santander are saying they won't refund at the moment (no i don't work for Santander, and never have)

They will have investigated the withdrawals and checked whether the PIN was read by the ATM. Bank systems will show this. If the PIN has been read, then the original card and PIN have been used. So far, fraudsters have been unable to make a counterfeit card with a chip. It isn't a usual fraud pattern either, no fraudster would make several withdrawals over several days, the account would be emptied as quickly as possible. Why would they risk the OP noticing the withdrawals and stopping the card ?

You can all spout techincal specifications and refer to regulations but if i were investigating this case, i wouldn't be refunding either. My view is that the card is being used and replaced, i'd be asking the OP where their card is kept during the times the withdrawals were made. I've known cases where cards were taken from purses by work colleagues and replaced, it's not impossible.

In nearly 30 years of bank employment, i've never known any "dodgy" bank staff.