“NHS: We have identified that you are eligible to apply for your vaccine: for more information, and to apply, follow here: uk-application-form.com.”
We all long for an end to the coronavirus pandemic, so being tempted to click on the link in that text message, disseminated widely in Britain over Christmas and New Year, is understandable enough. But it could also be very costly. “Proving your identity” on the linked website, by entering your bank details, could result in your account being emptied of funds.
It is just the kind of online scam that has spiralled in recent times: losses from these so-called push-payment frauds are costing more than £400m, on an annualised basis, in the UK.
Fraud has existed for as long as there has been money. But it has accelerated as a mass-market phenomenon amid the digitalisation of the economy. Britain’s widespread use of digital payment apps, as well as its early adoption of faster-payments technology, to enable instant money transfers, have helped make the country a global hotspot.
Instant payments sound like a great thing for everyone. But, for consumers, there are three downsides.
First, the way they were introduced in the UK left a gaping hole for criminals, because there was no longer a requirement to use payee names. This made errors — from accidental mistakes to malicious fraud — more likely.
Second, the instant nature of such transfers, even for large transactions such as house purchases, left no scope to rectify a mistake — even if it was discovered a few minutes later.
Third, liability shifted away from banks, which had borne it under more primitive systems because they held on to cash for several days.
For a time, many banks were unwilling to foot the bill for what they saw as their customers’ mistakes. But the jump in fraudulent transactions, the growing sophistication of fraudsters and banks’ concern about the reputational damage of not helping out persuaded them otherwise. Three years ago, the banks established a code of conduct that set standards for compensation and preventive advice.
That is the good news. The bad news is that the implementation of the code has been farcical. Of the eight banks party to the code, the best only granted full compensation in 59 per cent of cases, according to anonymised data. And the worst compensated just 1 per cent of defrauded customers in full. TSB, which has been on a charm offensive with customers since an embarrassing IT failure three years ago, is not subject to the code, but is by far the most generous, compensating 99.6 per cent of its defrauded customers.
But, however decent an institution is about compensation, the system is unjust — because addressing the problem should not be down to banks alone.
Why do mobile phone companies bear no responsibility, even though their systems enable fraudsters to assume a bank customer’s identity simply by obtaining a replacement Sim card? Why do tech companies that host online scams typically go unpunished? And why aren’t consumer-facing companies that lose customers’ data not drawn into the solution, either? The Information Commissioner’s Office, which polices data privacy, raised more than £40m from fines last year but the money goes to the Treasury rather than victim compensation.
Tension among the banks over their sole responsibility for compensation came to the boil late last year. The expiring code of conduct was extended, but only for a further six months.
Finding a longer-term resolution will be complicated. Police are doing a better job of catching cybercriminals but there is still vast room for improvement. Overhauling the compensation system would require financial regulators to collaborate with Ofcom, which governs the telecoms sector, and the Information Commissioner’s Office. And for the government to orchestrate that would require the collaboration of at least three departments.
Given all the other issues that prime minister Boris Johnson faces at the moment, it would be tempting to do nothing. Banks are still in redemption phase after the financial crisis of 2008, and there is little political capital in making life easier for them. But many other consumer brands with partial responsibility for push-payment fraud deserve bad reputations, too. They could start salving them by picking up their share of the bill. That in turn would help Britain’s banks become more engines of national revival, and less national whipping boys.