Bank APP scam rejection and possible lax security measures

connor0811

naedanger said:

The important point is to follow the complaint process to the end. In other words follow the bank's process until they say that their response is final. At that point you can, and should, take your complaint to FOS. 

Some reading:
https://www.financial-ombudsman.org.uk/consumers/complaints-can-help/fraud-scams

https://www.thisismoney.co.uk/money/beatthescammers/article-8384311/Thousands-fraud-victims-complained-Financial-Ombudsman-year.html
From the second link "According to its figures, 11,383 complaints were resolved in 2019-20, 58 per cent of which were upheld in favour of consumers, [my emphasis] suggesting nearly three in five are wrongly being turned away for refunds."

Yes it said in the letter it was their final decision, but said if anything new pops up to contact them. I was thinking the data breach would of been one, but might just go straight to the ombudsman with this now as I did warn my relative it wasn’t likely he’d get a full refund. But this potential data breach is unacceptable. 

connor0811

eskbanker said:

connor0811 said:

He got a text message from the bank which told him to contact them if he didn’t make this payment, but on his online banking it was shown as paying to an account in his name. I know you can put different names in on online banking and a warning may come up about it not matching the actual name on the account, it may of I’ll get clarification from him of this, but on the online banking once the payment had gone through it still shown as his name, wether this is relevant or not I don’t know. They also said it was an immediate payment, but the banking app says it was the day after.

The fact that it's shown that way only signifies that he entered that as the payee name (or maybe a nickname or reference, depending on the bank's online platform), but doesn't reflect the actual name on the account at the other end.

It will be relevant to get to the bottom of this - if the target account really was in his name then serious questions need to be asked of the bank's security processes (although names obviously aren't unique) but he wouldn't have had a CoP warning and so shouldn't be held responsible for paying to the wrong account.  On the other hand, if the target account wasn't in his name, then he'd have received a CoP warning and presumably ignored it, which thereby gives the bank the opportunity to decline his claim.

connor0811 said:

I’m shocked that the fraud measures didn’t pick up such a large amount being sent to an account elsewhere, as when I made an irregular but legitimate transaction in the past, the bank (I’m with the same one funnily enough) got in touch to make sure it was me making the transaction and it wasn’t some form of scam if it was me, I presume they held it in pending or something until I confirmed and it was no where near the sum we’re talking about here.

Many who've been scammed express the same view, but the bank aren't actually responsible for stopping all such transactions and so can't be relied on to act as a safety net.


On a wider point, does the fact that you're dealing with this for him signify that he's vulnerable in some way?  If so, then the bank should be able to impose stronger checks if they're advised of this....

Yes I did explain all this too him, I said there’s no harm in trying though. What’s changed my stance on it though on thinking it is unfair is that someone (the other letter he got) who has made a complaint, for the same scam has been fully refunded, we would of probably let it lie if this wasn’t the case. I know circumstances can be slightly different and that can make all the difference, but the detail of the situation he’s got in the other complainants are pretty identical to his just a different outcome. 

And you could argue he’s vulnerable, OCD and Anxiety disorder (until you see it first hand you can’t begin to imagine how hard it must be), to be honest he was victim of fraud before a few years back where someone was using his details to pay parking tickets somewhere else in the country, this was sorted quickly and was nothing to do with anything he had or hadn’t done but I think this was playing in the back of his mind when all this started and he thought the person from the ‘bank’ was genuine and acting with his best interests at heart. I did touch on this in my letter but didn’t want to use him as a sympathy case and use it as a basis for the whole complaint, as I don’t think it’s a correct way to do things. 

eskbanker

connor0811 said:
But this potential data breach is unacceptable. 

Personal data breaches are more of an ICO issue than a FOS one but unless I misread your post, it was someone else's data being breached, not your relative's (or at least there's no evidence of his data being breached)?  That doesn't make their conduct any better of course, but it means that your relative isn't directly impacted by the breach, so there's not much mileage in going after the bank for it, even if you might feel that it epitomises poor security practices....

connor0811

eskbanker said:

connor0811 said:
But this potential data breach is unacceptable. 

Personal data breaches are more of an ICO issue than a FOS one but unless I misread your post, it was someone else's data being breached, not your relative's (or at least there's no evidence of his data being breached)?  That doesn't make their conduct any better of course, but it means that your relative isn't directly impacted by the breach, so there's not much mileage in going after the bank for it, even if you might feel that it epitomises poor security practices....

I think they’ll of both received both letters as the reference number is the same on both. But we obviously don’t have proof the other person did so that’s true.

naedanger

connor0811 said:

naedanger said:

The important point is to follow the complaint process to the end. In other words follow the bank's process until they say that their response is final. At that point you can, and should, take your complaint to FOS. 

Some reading:
https://www.financial-ombudsman.org.uk/consumers/complaints-can-help/fraud-scams

https://www.thisismoney.co.uk/money/beatthescammers/article-8384311/Thousands-fraud-victims-complained-Financial-Ombudsman-year.html
From the second link "According to its figures, 11,383 complaints were resolved in 2019-20, 58 per cent of which were upheld in favour of consumers, [my emphasis] suggesting nearly three in five are wrongly being turned away for refunds."

Yes it said in the letter it was their final decision, but said if anything new pops up to contact them. I was thinking the data breach would of been one, but might just go straight to the ombudsman with this now as I did warn my relative it wasn’t likely he’d get a full refund. But this potential data breach is unacceptable. 

I suppose there is no harm asking the bank why your complaint is being treated differently to the other similar one other than it may slow things down slightly. If nothing else it will be embarassing for them when your complaint to FOS shows their lapse in customer data security. (However that data lapse isn't really directly connected to your complaint, and I suspect they will say they cannot comment on other cases on the grounds of data protection - despite their initial failing.) 

Assuming you do need to take the matter to FOS, then I think it is worth putting some effort into clearly composing your complaint to them. (Obviously if you have either a very strong, or a very weak case it probably won't make any difference. But if the complaint is within a grey area then setting it out clearly could make the difference.)

I suggest you read some similar complaints to get an idea of how FOS judge them.
Complaints upheld:
https://www.financial-ombudsman.org.uk/decisions-case-studies/ombudsman-decisions/SearchDecisions?Keyword=Authorised+Push+Payment+scam&BusinessName=&Business=&IndustrySectorID%5B1%5D=1&DateFrom=&DateTo=&IsUpheld%5B1%5D=1&Sort=relevance&SecurityID=5a4269dd0310f216cac32f667a61eda5f5002be3&Captcha=&Captcha_Timestamp=1612020817

Complaints not upheld:
https://www.financial-ombudsman.org.uk/decisions-case-studies/ombudsman-decisions/SearchDecisions?Keyword=Authorised+Push+Payment+scam&BusinessName=&Business=&IndustrySectorID%5B1%5D=1&DateFrom=&DateTo=&IsUpheld%5B0%5D=0&Sort=relevance&SecurityID=5a4269dd0310f216cac32f667a61eda5f5002be3&Captcha=&Captcha_Timestamp=1612020831

I have not read any of them. Also just do some googling to see if you can find any further information.

EDIT - I notice the above links seem to have time expired.
To reproduce go to the following lin:
https://www.financial-ombudsman.org.uk/decisions-case-studies/ombudsman-decisions
and use keyword entries Authorised Push Payment scam 
then select upheld and not upheld as required.

connor0811

naedanger said:

connor0811 said:

naedanger said:

The important point is to follow the complaint process to the end. In other words follow the bank's process until they say that their response is final. At that point you can, and should, take your complaint to FOS. 

Some reading:
https://www.financial-ombudsman.org.uk/consumers/complaints-can-help/fraud-scams

https://www.thisismoney.co.uk/money/beatthescammers/article-8384311/Thousands-fraud-victims-complained-Financial-Ombudsman-year.html
From the second link "According to its figures, 11,383 complaints were resolved in 2019-20, 58 per cent of which were upheld in favour of consumers, [my emphasis] suggesting nearly three in five are wrongly being turned away for refunds."

Yes it said in the letter it was their final decision, but said if anything new pops up to contact them. I was thinking the data breach would of been one, but might just go straight to the ombudsman with this now as I did warn my relative it wasn’t likely he’d get a full refund. But this potential data breach is unacceptable. 

I suppose there is no harm asking the bank why your complaint is being treated differently to the other similar one other than it may slow things down slightly. If nothing else it will be embarassing for them when your complaint to FOS shows their lapse in customer data security. (However that data lapse isn't really directly connected to your complaint, and I suspect they will say they cannot comment on other cases on the grounds of data protection - despite their initial failing.) 

Assuming you do need to take the matter to FOS, then I think it is worth putting some effort into clearly composing your complaint to them. (Obviously if you have either a very strong, or a very weak case it probably won't make any difference. But if the complaint is within a grey area then setting it out clearly could make the difference.)

I suggest you read some similar complaints to get an idea of how FOS judge them.
Complaints upheld:
https://www.financial-ombudsman.org.uk/decisions-case-studies/ombudsman-decisions/SearchDecisions?Keyword=Authorised+Push+Payment+scam&BusinessName=&Business=&IndustrySectorID%5B1%5D=1&DateFrom=&DateTo=&IsUpheld%5B1%5D=1&Sort=relevance&SecurityID=5a4269dd0310f216cac32f667a61eda5f5002be3&Captcha=&Captcha_Timestamp=1612020817

Complaints not upheld:
https://www.financial-ombudsman.org.uk/decisions-case-studies/ombudsman-decisions/SearchDecisions?Keyword=Authorised+Push+Payment+scam&BusinessName=&Business=&IndustrySectorID%5B1%5D=1&DateFrom=&DateTo=&IsUpheld%5B0%5D=0&Sort=relevance&SecurityID=5a4269dd0310f216cac32f667a61eda5f5002be3&Captcha=&Captcha_Timestamp=1612020831

I have not read any of them. Also just do some googling to see if you can find any further information.

Thank you so much, I know you said you hadn’t read them but reading those is making me even more optimistic for him, I haven’t gone into great detail on here for obvious reasons, but there’s one there that really stands out. Cheers.

naedanger

connor0811 said:

naedanger said:

connor0811 said:

naedanger said:

The important point is to follow the complaint process to the end. In other words follow the bank's process until they say that their response is final. At that point you can, and should, take your complaint to FOS. 

Some reading:
https://www.financial-ombudsman.org.uk/consumers/complaints-can-help/fraud-scams

https://www.thisismoney.co.uk/money/beatthescammers/article-8384311/Thousands-fraud-victims-complained-Financial-Ombudsman-year.html
From the second link "According to its figures, 11,383 complaints were resolved in 2019-20, 58 per cent of which were upheld in favour of consumers, [my emphasis] suggesting nearly three in five are wrongly being turned away for refunds."

Yes it said in the letter it was their final decision, but said if anything new pops up to contact them. I was thinking the data breach would of been one, but might just go straight to the ombudsman with this now as I did warn my relative it wasn’t likely he’d get a full refund. But this potential data breach is unacceptable. 

I suppose there is no harm asking the bank why your complaint is being treated differently to the other similar one other than it may slow things down slightly. If nothing else it will be embarassing for them when your complaint to FOS shows their lapse in customer data security. (However that data lapse isn't really directly connected to your complaint, and I suspect they will say they cannot comment on other cases on the grounds of data protection - despite their initial failing.) 

Assuming you do need to take the matter to FOS, then I think it is worth putting some effort into clearly composing your complaint to them. (Obviously if you have either a very strong, or a very weak case it probably won't make any difference. But if the complaint is within a grey area then setting it out clearly could make the difference.)

I suggest you read some similar complaints to get an idea of how FOS judge them.
Complaints upheld:
https://www.financial-ombudsman.org.uk/decisions-case-studies/ombudsman-decisions/SearchDecisions?Keyword=Authorised+Push+Payment+scam&BusinessName=&Business=&IndustrySectorID%5B1%5D=1&DateFrom=&DateTo=&IsUpheld%5B1%5D=1&Sort=relevance&SecurityID=5a4269dd0310f216cac32f667a61eda5f5002be3&Captcha=&Captcha_Timestamp=1612020817

Complaints not upheld:
https://www.financial-ombudsman.org.uk/decisions-case-studies/ombudsman-decisions/SearchDecisions?Keyword=Authorised+Push+Payment+scam&BusinessName=&Business=&IndustrySectorID%5B1%5D=1&DateFrom=&DateTo=&IsUpheld%5B0%5D=0&Sort=relevance&SecurityID=5a4269dd0310f216cac32f667a61eda5f5002be3&Captcha=&Captcha_Timestamp=1612020831

I have not read any of them. Also just do some googling to see if you can find any further information.

Thank you so much, I know you said you hadn’t read them but reading those is making me even more optimistic for him, I haven’t gone into great detail on here for obvious reasons, but there’s one there that really stands out. Cheers.

FOS work by having an adjudicator look at the case first. If both parties are happy with the adjudicator's decision then that is the final decision.

If either party objects it goes to an Ombudsman.

I believe there is no harm in referring to a particular complaint - they all have a DRN reference numbers. What I don't have a view on is when you would be best referring to any previous FOS decisions that support your case. You could do it as the last step in the bank's process - so go back to them mentioning the case reference that you believe is the same as your case, and possibly also mentioning their own case that they inadvertently sent you which they seem to have treated better than your case. (However redact any personal information from their case if sending it anywhere via post or email so that you are behaving responsibly.) Alternatively save mentioning the supportive FOS cases for when your complaint to FOS. And again should you mention it initially or wait to use it if the complaint goes to the FOS Ombudsman stage. (It seems a tactical decision. But I would certainly quote any supportive FOS cases at some point in the process.)

Lastly FOS are not bound by any previous case decisions, they can just say every case is different, but logically they should at least consider previous decisions. 

eskbanker

Perhaps worth bearing in mind when referring to other FOS cases that Confirmation of Payee is a complete game-changer for how such scams will be assessed - before this was in place the banks largely had to accept responsibility under the APP code (albeit that itself was only introduced in 2019) but now that they're effectively warning customers of this scam in real time via CoP this effectively reverses that responsibility.  I haven't reviewed the decisions but would expect that few, if any, will relate to scams under CoP because of the lengthy lead time in going through bank and FOS complaint processes, so check for references to that in very recent cases rather than citing any from pre-CoP times....

naedanger

eskbanker said:

Perhaps worth bearing in mind when referring to other FOS cases that Confirmation of Payee is a complete game-changer for how such scams will be assessed - before this was in place the banks largely had to accept responsibility under the APP code (albeit that itself was only introduced in 2019) but now that they're effectively warning customers of this scam in real time via CoP this effectively reverses that responsibility.  I haven't reviewed the decisions but would expect that few, if any, will relate to scams under CoP because of the lengthy lead time in going through bank and FOS complaint processes, so check for references to that in very recent cases rather than citing any from pre-CoP times....

I suspect the sums involved and whether they are out of character may play a part.

I have recently been moving large (for me) sums around (as an executor) and have had a great deal of questioning when moving money even when the names match the account numbers at the receiving banks (and in one case when moving money from one account to another in the same branch and accessed via the same online account). Questioning has included being interviewed by two staff members in the branch, being asked many detailed questions e.g. "is someone listening to our discussion via your phone or other device" etc, and made to watch a video, and I don't think I come across as the least bit vulnerable. I have no objection to this so long as they take similar precautions for those that actually need them. 

Armorica

Complain. Go to FOS.
Vulnerability is a factor- was that in the original complaint to the bank?
But so is whether someone has fallen for scams before - are the bank aware of this?