My son fell for an Authorised Push Payment scam via Revolut

born_again

1957DfurdPensionist said:

Having worked for a global bank myself in the dim distant, I appreciate it is hard for those brought up with old ideas to take on board nuances of the very varied payment services now developing further in previously unthought of (or thought impossible) ways every day.  In the same way fraud is developing ahead of the new services.

But back to basics, if I have understood everything correctly, the first post described how money in an RBS current account was "pushed" by fraudsters as a payment to Revolut (no doubts so far?) almost certainly as a Faster Payment.  It was authorised and conducted in the normal way by the victim and no direct access to RBS was given to the fraudsters.

Stage 2 of the fraud was to "push" the same money from Revolut back to RBS but to the "safety" of a savings account.  In that case card no. and CVV were given to the fraudsters in exactly the same way one might ordinarily give such detail to RBS to credit an RBS credit card account perhaps?  So nothing stupid about the OP's son doing that when he thought he was talking to RBS.  That was another authorised push payment, but some contributing forumites have used all their energy on arguing Stage 1 as disbarred from regulatory scope, and even describing the OP as "conceding" something thereby seemingly taking sides with or even seemingly making representative statements on behalf of the not so empathetic UK banking industry.  Are we agreed so far?

So, take a deep breath and chill a bit ... is there any APP we might suggest can be reimbursed under the seemingly flakey October 2024 regulations and implementations here?  Can anyone tell us why Stage 1 cannot be dealt with by RBS fraud department as bog-standard APP?  Afterall, it was an RBS customer who kept all his money with RBS who was being targeted and the fraudsters were impersonating RBS throughout in order to get their greedy mits on it all one way or another.  Agreed?

OP.
The fraudsters convinced him to transfer £600 and £400 from his RBS current account to his Revolut account i.e. all the money he had. From his Revolut account, £750 was sent to Coinbase and £300 to Transak, 

2nd OP
I got a few more details. They convinced him the money transferred to Revolut needed to be transferred to his RBS savings account so that RBS could "track the money and it was insured" and they would arrange that. He gave them his Revolut card number and 3 digit CVV number and accepted the notifications. So I guess they used his card details to make purchases on Coinbase and Transak which he then unwittingly approved. That might explain why there was no obvious warnings.

No money was sent to RBS savings acc. They got the OP's card details & used these to purchase on Coinbase & Transak.

eskbanker

1957DfurdPensionist said:

Having worked for a global bank myself in the dim distant, I appreciate it is hard for those brought up with old ideas to take on board nuances of the very varied payment services now developing further in previously unthought of (or thought impossible) ways every day.  In the same way fraud is developing ahead of the new services.

But back to basics, if I have understood everything correctly, the first post described how money in an RBS current account was "pushed" by fraudsters as a payment to Revolut (no doubts so far?) almost certainly as a Faster Payment.  It was authorised and conducted in the normal way by the victim and no direct access to RBS was given to the fraudsters.

As you go on to recognise, it wasn't pushed by the fraudsters as such, but by OP's son at their behest.

Stage 2 of the fraud was to "push" the same money from Revolut back to RBS but to the "safety" of a savings account.  In that case card no. and CVV were given to the fraudsters in exactly the same way one might ordinarily give such detail to RBS to credit an RBS credit card account perhaps?  So nothing stupid about the OP's son doing that when he thought he was talking to RBS.  That was another authorised push payment, but some contributing forumites have used all their energy on arguing Stage 1 as disbarred from regulatory scope, and even describing the OP as "conceding" something thereby seemingly taking sides with or even seemingly making representative statements on behalf of the not so empathetic UK banking industry.  Are we agreed so far?

I'm certainly not speaking on behalf of anyone but myself and the reference to 'conceding' was in relation to OP clarifying that it wasn't an authorised push payment as defined in the regulations but a payment transaction of a different type.  It's nothing to do with 'empathy' or 'taking sides', it's easy to empathise with victims in such situations, but it remains important to advise them of the facts about what recourse, if any, they have.

So, take a deep breath and chill a bit ... is there any APP we might suggest can be reimbursed under the seemingly flakey October 2024 regulations and implementations here?  Can anyone tell us why Stage 1 cannot be dealt with by RBS fraud department as bog-standard APP?  Afterall, it was an RBS customer who kept all his money with RBS who was being targeted and the fraudsters were impersonating RBS throughout in order to get their greedy mits on it all one way or another.  Agreed?

There's nothing to be lost by trying a claim against RBS, but they'll simply argue (correctly) that OP's son was moving funds from one of his accounts to another within his control.  One of the exclusions in the regulations, as posted above, is "It’s a payment you have made to another account that you control."

Although you're trying to argue a broad and literal interpretation of what 'APP' means, the regulations are quite specific about what they cover, and neither of these stages qualifies.  However, as above, OP's son might be able to try a chargeback claim via Revolut for the debit card transactions.

Comments inline above....

1957DfurdPensionist

Sadly, forumites seem to be dancing on that pin again.  APP fraud is getting much much worse, not better.  You've perhaps in the last 12 months or so heard about extensive new-built slave camp call centres in remote Chinese border areas of Myanmar run by Chinese gangsters? Young educated adults kidnapped off the streets in surrounding provinces or even further flung places and forced an tortured into making the scam calls.  Many never heard from again by their families should they be overhead talking about their fate?

However, the changes to Payment Service Regulations are, whichever way you hold the page, an horrendous muddle unintelligible to most readers' attempts.  The more recent legislation contains more words about making fraud "investigation" easier, and giving extra time to conduct it and respond to victims, than it does clear words about what the subject fraud type actually is.  So for the financial institutions that ultimately have to fund the reimbursements, the words to make it clear what the lawmaker's original intentions are, just aren't up front, only limits of their liability and reimbursement deadline adjustment opportunities.  Just one example - the original planned limit of reimbursement was £415,000.  It was suddenly reduced to £85,000 in the months before implementation.

Yet the PSR website is pretty clear right up front on original intention - far too much "impersonation" scamming.  Yes quite right - that's the crux of it.  Then some bright spark must've said oh but what about that poor clothes shop owner who lost her life savings to the cad who hides in Spain and prison and keeps popping up on Sky News perennially?  So romance scam got added in, and I think eyes were seemingly taken off the ball in so many other ways thereafter.

Yes it is good that the cost of fraud that does qualify for reimbursement is now shouldered by both the payment sending organisation, and the payment receiving organisation, although I am still not sure if devices like Revolut Pay involve use of the Faster Payments System somewhere on route through associated Third Party middleman payment service providers like Stripe.  Elon Musk was a founder of PayPal was he not, and I remember the early days when they had a customer service unit in Richmond, south west London which was rather tough to get moving on "disputes".  Mr Musk was an original investor in Stripe too I believe.  And wasn't there suggestion he was going to use Twitter/X to introduce some kind of token or crypto currency?  I digress.

These burgeoning fintech companies are however big business, that all see the cost of dealing with live customers as a drag.  Revolut only let you complain or report fraud via their App (not APP)!  Do they get involved with sharing APP reimbursements as middlemen, or have they escaped the microscope on their exact activities with possible fraudsters?

I admit that until I did some more reading overnight, I understood the "Push" in "Authorised Push Payment" to mean the manipulation of the victim into making the payment.  Indeed that does also make sense from the overall intention in guidance and legal commentary who use the manipulation word to describe what the fraudsters do of course.

But no, reading on, we begin to see what eskbanker and others are getting at when they remind that the new APP protection is not for card payments, not even debit card payments, and not in fact for anything much, beyond "bank transfers" by Faster Payments or CHAPS.  Bank transfers are PUSH transactions in payment service terms.  Card payments are PULL transactions.  OK, but we were never trying to stop either.  FRAUD is what we were supposed to be stopping, especially IMPERSONATION fraud.

Again by eskbanker above, I am gently criticised for conceding that the victim in the case discussed in this thread "pushed" his own transaction. I don't blame eskbanker for pointing it out because no doubt eskbanker knew more about PUSH and PULL transactions than I had remembered up to that point, and thus was not signing up for my interpretation of what the Push in APP was really about.

But seriously, now we are so bogged down with the semantics and recognisably so, do we agree that the Payment Service Regulations are in urgent need of a complete overall and not just further tinkering by financial services lobbyists who have always shied from the mounting costs of fraud, leaving far too many consumers way out of pocket over the years?

And more to the point of this thread, how do we get back to the newbie, @rgb68 who posted about their son's misfortune three whole months ago now and hasn't posted since, to advise that it might be still worth talking to RBS?

[Deleted User]

I still have no clue why anybody thought it was a good idea to refund anybody anything unless the bank's systems were a contributory factor in misleading the customer. The irony is, some idiot sends a big chunk of money to a scammer for whatever reason (naivety, narcissism, greed, take your pick) and they get their money refunded overnight. But someone who, say, makes a considered payment to a builder who does a runner and leaves them with no roof, gets no help and is left to fight it out with the courts to get their money back, and they never will. Sometimes I think this country is run by abject lunatics.

Nasqueron

1957DfurdPensionist said:

Sadly, forumites seem to be dancing on that pin again.  APP fraud is getting much much worse, not better.  You've perhaps in the last 12 months or so heard about extensive new-built slave camp call centres in remote Chinese border areas of Myanmar run by Chinese gangsters? Young educated adults kidnapped off the streets in surrounding provinces or even further flung places and forced an tortured into making the scam calls.  Many never heard from again by their families should they be overhead talking about their fate?

However, the changes to Payment Service Regulations are, whichever way you hold the page, an horrendous muddle unintelligible to most readers' attempts.  The more recent legislation contains more words about making fraud "investigation" easier, and giving extra time to conduct it and respond to victims, than it does clear words about what the subject fraud type actually is.  So for the financial institutions that ultimately have to fund the reimbursements, the words to make it clear what the lawmaker's original intentions are, just aren't up front, only limits of their liability and reimbursement deadline adjustment opportunities.  Just one example - the original planned limit of reimbursement was £415,000.  It was suddenly reduced to £85,000 in the months before implementation.

Yet the PSR website is pretty clear right up front on original intention - far too much "impersonation" scamming.  Yes quite right - that's the crux of it.  Then some bright spark must've said oh but what about that poor clothes shop owner who lost her life savings to the cad who hides in Spain and prison and keeps popping up on Sky News perennially?  So romance scam got added in, and I think eyes were seemingly taken off the ball in so many other ways thereafter.

Yes it is good that the cost of fraud that does qualify for reimbursement is now shouldered by both the payment sending organisation, and the payment receiving organisation, although I am still not sure if devices like Revolut Pay involve use of the Faster Payments System somewhere on route through associated Third Party middleman payment service providers like Stripe.  Elon Musk was a founder of PayPal was he not, and I remember the early days when they had a customer service unit in Richmond, south west London which was rather tough to get moving on "disputes".  Mr Musk was an original investor in Stripe too I believe.  And wasn't there suggestion he was going to use Twitter/X to introduce some kind of token or crypto currency?  I digress.

These burgeoning fintech companies are however big business, that all see the cost of dealing with live customers as a drag.  Revolut only let you complain or report fraud via their App (not APP)!  Do they get involved with sharing APP reimbursements as middlemen, or have they escaped the microscope on their exact activities with possible fraudsters?

I admit that until I did some more reading overnight, I understood the "Push" in "Authorised Push Payment" to mean the manipulation of the victim into making the payment.  Indeed that does also make sense from the overall intention in guidance and legal commentary who use the manipulation word to describe what the fraudsters do of course.

But no, reading on, we begin to see what eskbanker and others are getting at when they remind that the new APP protection is not for card payments, not even debit card payments, and not in fact for anything much, beyond "bank transfers" by Faster Payments or CHAPS.  Bank transfers are PUSH transactions in payment service terms.  Card payments are PULL transactions.  OK, but we were never trying to stop either.  FRAUD is what we were supposed to be stopping, especially IMPERSONATION fraud.

Again by eskbanker above, I am gently criticised for conceding that the victim in the case discussed in this thread "pushed" his own transaction. I don't blame eskbanker for pointing it out because no doubt eskbanker knew more about PUSH and PULL transactions than I had remembered up to that point, and thus was not signing up for my interpretation of what the Push in APP was really about.

But seriously, now we are so bogged down with the semantics and recognisably so, do we agree that the Payment Service Regulations are in urgent need of a complete overall and not just further tinkering by financial services lobbyists who have always shied from the mounting costs of fraud, leaving far too many consumers way out of pocket over the years?

And more to the point of this thread, how do we get back to the newbie, @rgb68 who posted about their son's misfortune three whole months ago now and hasn't posted since, to advise that it might be still worth talking to RBS?

There are enough checks and warnings in place now that make normal banking frustrating, we don't need more. If someone is willing to ignore repeat warnings from the bank, MSE, the government et al because they're determined to invest in an obviously fake crypto scam or similar; or believe a major high street bank would ask you to move your money to another bank for safe keeping; there is little we can do to help them. All bank customers lose out because of the cost of refunding those who keep giving their money away to something that is beyond obvious that it's a scam

eskbanker

1957DfurdPensionist said:

Sadly, forumites seem to be dancing on that pin again.  APP fraud is getting much much worse, not better.

Not true, at least under the accepted definition of authorised push payments!

The most recent published UK Finance figures show the H1 2024 APP scams to be 16% down on H1 2023, and reimbursement rates continue to improve: "62% of all APP losses returned to victims in 2023, up from 59% in 2022 or 45% in 2020".

1957DfurdPensionist said:

And more to the point of this thread, how do we get back to the newbie, @rgb68 who posted about their son's misfortune three whole months ago now and hasn't posted since, to advise that it might be still worth talking to RBS?

If you feel the need to intervene, you could always send them a private message, but they haven't even visited the forum this year.  However, as above, there'd be no point in building up their hopes that there'd be any value in contacting RBS?

born_again

1957DfurdPensionist said:

But seriously, now we are so bogged down with the semantics and recognisably so, do we agree that the Payment Service Regulations are in urgent need of a complete overall and not just further tinkering by financial services lobbyists who have always shied from the mounting costs of fraud, leaving far too many consumers way out of pocket over the years

What do you propose?

Banks are already having to refund people for failing to heed warnings given.

No offence to OP, but how many times to banks & media have to say Banks will never ask you to transfer funds to another account?
Yet people do & banks are in it for up to £85K

Someone has to fund this, & it is you & me that are doing it.