The majority of funds transfer scams no longer rely upon breaching the IT systems of a bank, retailer or law firm but are approaches directly to the client.
There are an endless number of variations, but the three basic forms are:
- Ring the customer and impersonate the institution, often with an “urgent warning” that an account is compromised and funds need to be moved elsewhere. The caller asks for passwords and one-time codes that allow them to take over the account or provides details of a “safe” account to move the money to.
- Convince the customer to log into the account then hand over remote control of their computer.
- Send the customer an email that looks like it came from the provider. Include fake destination account numbers for an upcoming transaction.
While there are overall technologies a bank can adopt to reduce the likelihood of some variants succeeding, in each of the above scenarios the institution has not been compromised and the decisions were taken by the customer. Smaller businesses that must take the transaction frameworks as they find them have even less opportunity to ensure customers are not defrauded.
Insisting that a bank make reimbursement without negligence or breach of contract on its part is a significant departure from well-established legal principles.
To a large extent Australian financial institutions have brought this latest wave of regulation on themselves. Refusal to deploy Confirmation of Payee systems for large transfers and a decline in the efficiency and urgency of funds tracing once a customer is defrauded has led to a lot of legitimately critical coverage. The basic thrust of the current reforms is to ensure that banks and other large e-commerce players have some skin in the game and can no longer simply pass the problem off to customers. If the pendulum swings a little too far in favour of the mums and dads who just lost their life savings it is unlikely that many tears will be shed.
However, it would be extremely easy for these reimbursement principles to expand to other sectors of the economy if the basic premise underlying them – a customer should be fully compensated for loss unless their own negligence was egregious – becomes normalised.
Protecting people from themselves requires significant intrusion into everybody’s lives. To identify an anomalous transaction the institution must conduct real time surveillance of every customer’s financial dealings. Once a transaction is flagged, the institution must have the power to prevent an adult customer dealing with their own money until they justify the transaction to the satisfaction of a bank teller.
Consumer advocates and journalists covering scams rarely acknowledge these realities. The story usually focuses on the impact on the customer and takes the position that as the loss is not their fault the nearest set of deep pockets should reimburse them. The bank pointing out that it is not their fault either is treated as “blaming the victim”. Traumatised Customer1 vs Big Bad Bank is only ever going to spin one way.
While the proposed Australian Scam Prevention Framework is currently only aimed at banks and tech companies, law firms cannot be complacent. There are many attempts to directly target clients in conveyancing transactions and very few measures a firm can take to protect them. There may be as few tears shed over solicitors bearing strict liability as there is for banks.
Compensation without negligence – everyone pays.
If there are no reasonable steps the institution can take to prevent the loss, a forced reimbursement model simply becomes compulsory funds transfer insurance paid for by increased costs on each consumer. Adjudication schemes such as the Australian Financial Complaints Authority or the UK’s Financial Ombudsman Service usually pay lip service to the concept individual responsibility and the need to find negligence on the part of the institution, but the reality of how they operate inevitably drifts away from these principles.
By way of one (among many) examples, in a recent UK decision2 a complainant, “Mr. C”, was reimbursed after using funds from his bank account (drawn over a series of transactions) to purchase cryptocurrency. He then “invested” the crypto by handing it over from his crypto-wallet to a scammer. The bank had issued an automated warning when the customer first tried to transfer funds to purchase the cryptocurrency. Further warnings were issued to the customer via the bank’s message system that crypto scams were common and he should seek advice before proceeding. Despite all these warnings the customer went ahead, losing his money.
The UK ombudsman said the bank should reimburse Mr. C the entire amount after the ninth withdrawal in the sequence.3 The FOS stated that the bank’s regulatory obligation to “ensure good outcomes” required a teller to refuse the customer access to his account and then analyse the specific investment structure before permitting him to go ahead4.
This outcome is a direct contradiction of the UK Supreme Court’s 2023 ruling5 that where a customer has authorised a payment the bank is not entitled to substitute their own judgment or to refuse to act on the transfer instruction, even if they view the transaction as suspicious. The ruling in Mr. C’s favour is not unusual, either. In fact, the decision was so generic that the Ombudsman issued it with at least three cut and paste errors in which Mr. C’s identifier had not been replaced by the names of prior claimants who were also the lucky recipients of the Ombudsman’s largesse.
While cases in Australia are not yet this extreme there are many voices calling for introduction of a UK-style system. Caution should be exercised before heeding those calls.
[Correction noted: This article has been amended to better summarise the sequence of events and findings in the FOS decision noted above. The author thanks Martin Churchill of Vocare Law for identifying these errors.]
Footnotes
1 This trauma is real. Loss of life savings and financial security profoundly affects a person’s wellbeing.
2 United Kingdom Financial Ombudsman Service, DRN-5089865 (Decision, 17 October 2024).
3 There were a series of transactions. The customer recovered all payments after a certain point in the series with no reduction for contributory negligence, although the Ombudsman does seem to have altered the point at which the bank’s responsibility commenced to reflect the customer’s choices.
4 The Ombudsman suggested that this process – interrogating the customer of the proposed use of the funds, identify the precise nature of the scam then issue tailored advice – could have been “automated”. No reference to evidence that such automation was possible in 2023 was supplied.
5 Phillipp v Barclays Bank UK Plc [2023] UKSC 25. The facts in that case were remarkably similar to “Mr.C’s” except that the amount stolen exceeded the Financial Ombudsman’s monetary jurisdiction. While the decision is noted in the FOS ruling, it was considered that the bank’s “Consumer Duty” to “ensure good outcomes” became an implied term of the contract and over-rode the Phillipp principles.
Share this article