New rules mean banks will have to take more responsibility for fraud protection. But is it enough?
Last month, the police reporting service Action Fraud tweeted: “2019 will not be a happy year for fraudsters.”
It was referring to a new initiative where banks will check the name of the payee before transferring money to a sort code and account number.
Many people think banks do that already – after all, we cannot make a transfer without entering the name of the person or business where the money is going. But, no. They have finally been forced to do so by a pincer movement from the Payment Systems Regulator and pay.uk, the new name for the body that moves £6trn a year of faster payments, Bacs and cheques.
The new system will not start before 1 July next year. So despite Action Fraud’s hopes, the first half of 2019 will be a happy time for thieves who still have months to carry on as normal. The initiative, called “confirmation of payee”, has been discussed for years. Until recently, I was told it was impossible or even against EU law.
The thefts it will frustrate are called “authorised push payment” frauds. In the first six months of 2018, thieves used that method to steal £145.4m from 34,128 individuals. That appeared to be a 44 per cent increase in the money stolen and a 77 per cent rise in victims over the same period last year. But the banks’ trade body UK Finance says the numbers are not comparable, admitting only to an increase which it could not quantify.
In all cases, the victim had authorised the transfer themselves after the thieves tricked them into thinking it was a good idea.
In some cases, thieves pretended to be from the victim’s bank or a trusted firm like Microsoft or BT, and warned their security was compromised and they should move money to a “safe” account. In others, thieves intercepted emails and sent a revised account number as the victim was about to pay a large bill, perhaps for building work or a property purchase.
These crimes should be stopped by confirmation of payee. The victim will be warned the account name does not fully match the one they had entered and told to check before authorising the payment.
Unlike other frauds, the banks have taken no liability for an APP loss. They say the customer authorised it and must take the hit. However, in a parallel move, other new rules from the PSR will mean that, if banks do not use confirmation of payee and other available technologies to detect or prevent fraud, compensation will be paid – though banks are still arguing whether it is them or a state-run fund that should pay it.
What puzzles many people is how thieves open the bank accounts they need to receive the proceeds of this crime. Meet Nilesh Sheth. Over three years, this Barclays personal banking manager opened 400 accounts at his own bank using fake IDs and sold the details to a gang of thieves.
When arrested, £16,000 in cash was found at his Essex home, and he was recently ordered by the court to disgorge another £62,000 or have a year added to his four-year sentence. That total of £78,000 amounts to less than £200 for each of the accounts he opened which the gang of four men used to launder £16m. They were jailed for between three and 10 years each.
Barclays said it was “a rare occasion where an individual deliberately exploited our systems”. Banks typically underplay the number of accounts they allow to be opened with fake IDs. But an ex-fraudster called Tony Sales told me on Money Box it was easy enough to do. “To buy a fake passport, if I’m a fraudster, will cost me £700. To buy a fake utility bill is going to cost me £50.” Banks say most frauds use what are called “mules”. These are young people or students with a legitimate account who are paid by thieves to allow them to use it to launder money.
Fraud prevention agency Cifas reported earlier this year that the incidence of young people aged 14 to 24 involved with a mule account was up 36 per cent.
Cifas members identified more than 32,000 mule accounts in 2017. Lloyds Bank told me it had closed 13,000 such accounts since it launched a special unit to identify them at the end of 2017.
However, it does not always act as fast as it might. It identified one account belonging to a 19-year-old woman which was not blocked until 14 payments totalling £100,000 had passed through it.
The final step of the laundry cycle is moving the money out of the receiving account into others.
The Sheth trial revealed how thieves obscure the trail. The gang used the 400 accounts to receive money from many frauds, mixed it up and sent it on.
The proceeds of one fraud were not kept intact and traceable. They were split into smaller amounts, added to other money, split again, moved through numerous accounts in various amounts, until finally this thoroughly mixed and untraceable money was transferred to eastern Europe, where it disappeared.
Confirmation of payee is an important step and may save some people from losing their life savings. But banks will still allow thieves to open or take over accounts, still fail to spot money moved in unexpected quantities and still be too slow to follow it.
In other words, they will still be involved in every step of money laundering but fail to reimburse most of the customers who fall victim to this industrial-scale crime.
Paul Lewis is a freelance journalist and presenter of BBC Radio 4’s Money Box programme. You can follow him on Twitter @paullewismoney