APP fraud losses hit £456 million in 2019

With authorised push payment (APP) fraud soaring, UK Finance is calling for cross-sector cooperation on a problem that still results in most victims not being reimbursed by banks, despite a recently introduced voluntary code of conduct.

In 2019, there were 122,437 APP fraud cases in the UK, with losses hitting £456 million, up from £354 million in 2018. Financial providers returned about a quarter of losses - £116 million - to victims.

To help tackle the APP crisis, industry body UK Finance is calling for fraud to be included in the new Online harms regulatory framework being proposed by government.

In the meantime, UK Finance says that things are improving, with more money being reimbursed to victims under the voluntary Contingent Reimbursement Model code, in place since May 2019, which commits signatory banks to reimburse victims who were not at fault.

Under the code, cases involving £101.1 million in losses were assessed, with £41.3 million (41%) reimbursed.

Katy Worobec, MD, economic crime, UK Finance, says: "The introduction of the voluntary Code last May has meant more victims of authorised push payment fraud are receiving compensation, particularly in cases involving higher value losses and more sophisticated scams."

While some progress is being made on reimbursements, the industry has come under fire over its efforts to stop the fraud before it happens.

Yesterday, consumer watchdog Which? accused banks of lagging in implementing anti-fraud measures. Confirmation of Payee (CoP) is set to be introduced by the UK's six major banks by 31 March; under the scheme, before a payment is sent, the name the customer enters for the payee is checked against the name registered on the receiving account, and the customer is warned if it does not match.

So far, however, only Bank of Scotland has gone live with the programme. Bank of Scotland parent Lloyds Banking Group and Halifax will follow, while Barclays has informed customers that it will be implementing the scheme at the end of the month.

Upon questioning, Which? says that RBS Group (including Royal Bank of Scotland, NatWest and Ulster Bank) and HSBC (including First Direct) were unable to confirm a specific date when asked if they would be ready by the regulator's deadline. Metro Bank told Which? that it has no current plans to implement CoP at all.

Which? believes the code and CoP should be made mandatory and that the government must consider directing the Payment Systems Regulator (PSR) to ensure all banks are signed up.
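The Confirmation of Payee check described above is a name-match lookup performed before a push payment leaves the sending bank. The following is an added example, not code from Which?, UK Finance, Pay.UK or any bank's CoP implementation: the account directory, sort codes and account numbers are constructed for the demonstration, and the normalisation rules, the three outcomes (match, close match, no match) and the similarity threshold are assumptions chosen to illustrate the trade-off rather than the scheme's actual rules.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample directory for the demo: (sort code, account number) -> registered holder.
# These identifiers are made up and do not correspond to real accounts.
ACCOUNT_DIRECTORY = {
    ("12-34-56", "12345678"): "Mrs Jane Doe",
    ("12-34-56", "87654321"): "Acme Plumbing Ltd",
}

# Tokens that carry no identifying information and are dropped before comparison (assumption).
TITLES = {"mr", "mrs", "ms", "miss", "dr", "mx"}
CORP_SUFFIXES = {"ltd", "limited", "plc", "llp"}


def normalise(name):
    """Lower-case, strip accents and punctuation, and drop titles and company suffixes,
    so that 'Acme Plumbing Limited' and 'ACME PLUMBING LTD' compare equal."""
    ascii_text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_text.lower())
    return " ".join(t for t in tokens if t not in TITLES and t not in CORP_SUFFIXES)


def confirm_payee(sort_code, account_number, entered_name, close_threshold=0.75):
    """Compare the payer-entered name with the name registered on the receiving account.

    Returns a dict with 'result' in {'match', 'close_match', 'no_match', 'account_not_found'}.
    Design assumption for this illustration: the registered name is revealed to the payer
    only on a close match (as a hint to correct a typo); on no match nothing is revealed,
    so the lookup cannot be used to enumerate account holders.
    """
    registered = ACCOUNT_DIRECTORY.get((sort_code, account_number))
    if registered is None:
        return {"result": "account_not_found"}
    entered, held = normalise(entered_name), normalise(registered)
    if entered == held:
        return {"result": "match"}
    similarity = SequenceMatcher(None, entered, held).ratio()
    if similarity >= close_threshold:
        return {"result": "close_match", "registered_name": registered}
    return {"result": "no_match"}


def redirected_invoice():
    """Constructed invoice-redirection scenario: the payer believes they are paying
    Acme Plumbing, but the account details on the doctored invoice belong to someone else.
    The name check exposes the mismatch before the money is sent."""
    return confirm_payee("12-34-56", "12345678", "Acme Plumbing Ltd")
```

The threshold is the practitioner's tuning point: set it too high and a payer who types "Mrs J Doe" for "Mrs Jane Doe" gets a needless no-match warning, which trains people to ignore the warning; set it too low and a mule account registered under a name similar to the intended payee's slips through as a close match.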

Meanwhile, UK Finance is telling the public to expect an uptick in APP scams, as crooks use the publicity surrounding Covid-19 to pose as genuine organisations such as the WHO through email, phone calls, texts and social media posts.

Comments: (7)

Marite Ferrero - Lumiere LTD - London 19 March, 2020, 10:32

A family member experienced this. She received a call from what showed on her mobile phone as coming from HSBC. Naturally, this made her think that HSBC was calling her. The person on the other side told her that they were contacting her because they wanted to verify a suspicious transaction, a bank transfer. They told her that they had flagged a £750.00 transfer as suspicious. She then panicked and said that of course she had not made this bank transfer. They then told her that they needed her to generate two codes: one to confirm that she was the real account holder they were talking to, and a second code to allow them to cancel that £750.00 transfer. Again, since the phone call showed as coming from HSBC, she generated those two single-use codes and gave each one to them. The fraudster then used the first code to log in to her account, then triggered a bank transfer with the second code.

APP Fraud is usually done combined with another fraud. In her case, it's called number spoofing.

Surely, it wouldn't be so complicated for the banks to add code so as to store their customers' known device-ids. In addition to processing the single-use code, the bank's system can also check if it's coming from one of the customer's device-ids. If it shows as being triggered from a new device-id then they should stop (not allow) the transaction; notify the customer via text and request customer to confirm that the bank transfer coming from a new device id.

Storing a customer's device ids and checking against the bank of customer's device ids is not a new technique. American Express does this. Amex actually 'whitelists' customer's confirmed device ids.
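The device-binding check proposed in the comment above, as an added example that is not code from Amex, HSBC or any bank: a valid single-use code is treated as necessary but not sufficient, and a transfer requested from a device the customer has never confirmed is held and pushed to the customer out of band. The OTP is a standard RFC 4226 HOTP; the shared secret, device identifiers, customer record and message wording are constructed for the demonstration.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


class Customer:
    """Bank-side record: OTP secret and counters, plus the set of device ids the customer
    has previously confirmed (the 'whitelist' the comment describes)."""

    def __init__(self, name, secret, known_devices):
        self.name = name
        self.secret = secret
        self.issue_counter = 0       # advanced when the customer's token shows a new code
        self.verified_counter = 0    # highest counter already accepted; prevents code replay
        self.known_devices = set(known_devices)
        self.held = {}               # transfer_id -> details awaiting out-of-band confirmation
        self.notifications = []      # messages the bank would send the customer (e.g. SMS)
        self._next_id = 1

    def generate_code(self):
        """What the customer's registered token or app displays for one use."""
        self.issue_counter += 1
        return hotp(self.secret, self.issue_counter)

    def verify_code(self, code, window=5):
        """Accept each code at most once, within a small look-ahead past the last accepted counter."""
        for c in range(self.verified_counter + 1, self.verified_counter + 1 + window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.verified_counter = c
                return True
        return False


def authorise_transfer(customer, device_id, code, amount, payee):
    """The proposed check: correct code AND known device, otherwise hold and notify."""
    if not customer.verify_code(code):
        return {"status": "rejected", "reason": "bad or reused code"}
    if device_id not in customer.known_devices:
        tid = customer._next_id
        customer._next_id += 1
        customer.held[tid] = {"device_id": device_id, "amount": amount, "payee": payee}
        customer.notifications.append(
            f"Transfer of {amount:.2f} to {payee} requested from a NEW device ({device_id}). "
            f"Reply YES {tid} to approve or NO {tid} to cancel.")
        return {"status": "held", "transfer_id": tid}
    return {"status": "approved"}


def resolve_held(customer, transfer_id, customer_approves):
    """The customer's out-of-band answer. Approval also enrols the new device."""
    details = customer.held.pop(transfer_id)
    if customer_approves:
        customer.known_devices.add(details["device_id"])
        return {"status": "approved"}
    return {"status": "cancelled"}


def number_spoofing_scenario():
    """Constructed replay of the case in the comment: the victim reads two codes from her own
    device to the caller; the caller uses them from a device the bank has never seen."""
    victim = Customer("victim", b"constructed-demo-secret", known_devices={"phone-victim"})
    login_code, transfer_code = victim.generate_code(), victim.generate_code()
    victim.verify_code(login_code)   # first code spent on the fraudster's login
    # second code is genuine, but the request originates from the fraudster's device
    return authorise_transfer(victim, "browser-fraudster", transfer_code, 750.00, "mule account")
```

In the scenario the transfer is held rather than approved, and the customer receives a message naming the unfamiliar device, which is the moment the story told on the call stops matching what the bank actually sees. A device id is a signal, not a proof: a fraudster who has taken over the victim's handset, or a customer who approves the "new device" prompt on the caller's instruction, still gets through, so the prompt text has to say plainly that the bank will never ask the customer to approve a transfer over the phone.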

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 20 March, 2020, 12:55

Only £456M? A couple of days ago, Finextra reported that APP fraud loss was £1B. 

On a side note, there's no end to the amount of security measures that can be implemented by banks. But, they all come at the cost of increasing friction, creating the risk of failed payments, and reducing adoption, as we've seen in India. Banks here have taken a lot of steps but UPI Fraud, which is the Indian version of APP fraud, is rampant. I wish there was a better way of saying it, but, end of the day, as the old adage goes, a fool and his money are easily parted, and there's no point to designing a system for the <1% suckers. In my experience, such people will anyway not be able to handle the extra friction caused by increased security measures and will end up giving their phones to somebody else to fulfill their transaction, which opens up the field for an entirely new fraud threat vector. IMO, the solution to this problem is not to throw the baby out with the bathwater. Instead, the <1% consumers who get defrauded should be reimbursed by banks for the first fraud, receive training on how to use these apps, and be told in no uncertain terms that they won't be reimbursed if they fall for APP fraud another time.   

Paul Penrose - Finextra - London 20 March, 2020, 13:35

The report from a couple of days ago recording £1.1 billion lost to APP fraud was referring specifically to losses incurred over the past three years, including the 2019 figure of £456 million.

Dinesh Katyal - Financial Data Exchange - San Francisco Bay Area 20 March, 2020, 14:38

If a system makes it too easy to impersonate, then consumers can't be blamed. If an institution chooses a low friction / higher risk system, they should also bear the burden. Cost/ benefit tradeoff.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 20 March, 2020, 15:07

@Paul Penrose: TY for the clarification. 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 20 March, 2020, 15:17

@Dinesh Katyal:

I did say bank should reimburse for the first time. But, beyond that, forget it, consumers must take responsibility for their actions. Out-of-band authentication has been a best practice for this kind of workflow for ages.

Of course, if you prefer, there's the alternative where the bank blocks access to the app to all users who were defrauded and compensated once. 

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 20 March, 2020, 16:27

I must hasten to add that "first time fraud reimbursement" is itself fraught with huge moral hazard and can be a big source of "first party fraud". When someone knows he can claim APP fraud and get his money back, there's nothing stopping the fraudster from sending money to an accomplice and getting it reimbursed by the bank.

Still, I recommend it, in the largest interest, but with an upper limit or only when fraud happens the first time the app is used.