Banks understand the regulatory imperative to tackle fraud and protect their customers; they have had no choice but to dedicate more resources to compliance as regulation has increased. But are they overlooking the potential reputational damage they could suffer in areas where they may be compliant, but where customers and others feel let down?
That question is prompted by an investigation launched by journalists at The Times, who asked the UK’s Payment Services Regulator (PSR) for data on the impact on fraud of the new confirmation of payee system, both at banks that have adopted it and those that have yet to sign up.
Under this system, customers of participating banks who make payments through digital banking services get confirmation of the name of the recipient of the cash before they confirm the transfer. This flagship initiative is aimed at reducing bank fraud, by making it easier for customers to spot when they are being asked to transfer cash to someone other than the individual or company they thought they were dealing with.
Data disclosed by the PSR suggests the initiative is working. The value of fraudulent funds sent to banks that are using the confirmation of payee system fell from £38m to £33m between the third and fourth quarter of last year. Meanwhile, such frauds at banks that haven’t adopted the system rose from £13m to £23m over the same period. That rather suggests fraudsters are focusing on banks that have chosen not to adopt conformation of payee for one reason or another.
Now, rather bizarrely, the PSR refused give The Times details of which these banks accounts for the largest share of frauds; to do so, the regulator explained, might damage their commercial interests.
There are plenty of people for whom that decision sits uncomfortably. Surely, they argue, customers have a right to know which banks are performing better or worse on fraud. And might the threat of naming and shaming prompt banks yet to adopt confirmation of payee to move more swiftly, which is presumably what the regulator wants?
Still, while the banks in question here may have had something of a reprieve, this episode should be a wake-up call for the whole sector. Its performance on fraud and related financial crimes is under scrutiny – and not only from the regulatory authorities, but also from the media, from customers, and from other stakeholders. And regulatory compliance is the bare minimum all those groups will expect.
Banks that discharge their regulatory responsibilities to the letter of the law are very quickly going to discover this isn’t enough for many customers. The banks that have chosen not to join confirmation of payee are not breaking any rules – it is not a regulatory requirement for all banks – but customers will be unimpressed to find out they are more at risk of fraud because of their bank’s decision.
Moreover, while the PSR’s terms of reference did not allow it to name these banks on this occasion, the direction of travel on transparency is clear. Many regulatory authorities increasingly see publicity as a tool they can use to encourage banks and other financial services firms to do more – including going beyond the basic compliance requirements.
Indeed, the PSR itself has just announced plans to require banks to publish much more data on authorised push payment scams, the leading bank fraud risk in the UK today; APS losses totalled £355m in the first half of 2021 alone. It is now proposing that the 12 largest banking groups in the UK should have to publish data on their performance in relation to APP scams and on levels of reimbursement for customers, as well as which banks’ and building societies’ accounts are being used by fraudsters in these cases.
That will ramp up the pressure on the banking sector. It is entirely possible that leading banks will find themselves publicly castigated for their performance and behaviours on APP fraud, despite having policies and processes that do not fall foul of regulation in this area.
Retail banking customers are already beginning to make their voices heard. The Financial Ombudsman Service received 36% more complaints about how banks dealt with fraud in 2020 than in 2019. Most of these complaints were not about banks failing to comply with regulation; rather, customers felt let down because their bank had not spotted the fraud, or not dealt with it properly.
Reputational risk is dangerous. The renowned investor Warren Buffett, who knows a thing or two about financial services businesses, once said: “It takes 20 years to build a reputation and five minutes to ruin it – if you think about that, you’ll do things different.”
Bank fraud threatens to be another example of that lesson. For those banks regarded as not prepared to go above and beyond the call of duty on fraud, the risk is that the damage they incur will far outweigh the kind of fines and penalties we’ve seen from regulators for outright breaches of the rules.