Authorised Push Payment Fraud

So I know that many banks have signed up to a voluntary code to refund customers who get scammed into making payments under false pretences, but having just seen this screenshot from my Lloyds Bank account, I can only say their approach to determining fault (or perhaps UX design) is ridiculous!

This is before any sort of Payee Name verification (that comes later), but having the “continue at your own risk” button here implies that Lloyds will use this as a get out of jail free card if I were to ever fall victim. All the customer is doing is setting up a new payee.

I would understand if this came after the name verification failed etc., but this is insane!

Does Monzo subscribe to that voluntary code? I have to say, it would be better if the App also explicitly told you that the payee name does match, instead of only when it doesn’t.

Does appear to be trying to shift responsibility…

‘Yes I’m sure this is a real invoice’ would be much better wording.

We were told in May 2019 they were signing up to the voluntary code; as of last year it hadn’t happened. Maybe it now has finally, I’m not sure.

Edit: if this is the up-to-date list, which I think it is but am not certain of, then the answer would be no, they still haven’t signed up.

1 Like

That runs into the whole not giving away information issue… Name matching is inherently broken, as there are an almost infinite number of variations… but they can’t tell you the real name due to privacy regulations so it ends up turning into a crazy guessing game.

Some banks do tell you when it matches very clearly.

Lloyds banking group is one example that comes to mind.

If you put “Joe Bloggs” as the payee name and it checks that, it just comes back with a tick to say that Joe Bloggs is right if that’s considered an acceptable name. It doesn’t “give away”, for example, that the real account name was “Mr Joe Adam Bloggs”.

I have tried playing around with this with Monzo and some of my other accounts and actually Monzo does reveal the full name registered on the account if it’s considered to be a close match. That’s more like if you’ve typed in “Jan Doe” but the name is actually “Jane Doe”. You get warned that the account belongs to Jane Doe and asked if you want to proceed.

However, I agree with the general thrust of the initial question about this in that Monzo doesn’t make it sufficiently clear that the check has passed correctly - it simply moves to the next stage of the payment process like nothing has happened. It would be much more reassuring to the user if there was an additional step making it clear that the name matches, and it wouldn’t be giving anything more away than what a near-match already reveals.

I think this is another case of hiding behind the reasoning of “can’t do it because of privacy” when that actually isn’t a logical argument. Especially when the user already has the name correct. It’s a labelling and user interface design issue more than anything.

I think Monzo (wrongly in my view) assume that the user is “supposed to know” that CoP checks are happening and they will get warned if they fail. But many users do not realise this, and this logic misses the point that some accounts are either opted-out of CoP or don’t support it. Therefore to assume that nothing=pass would be wrong. It would be much clearer to provide positive feedback of a successful match as well as negative feedback for when there isn’t a match.

2 Likes

I think I remember reading that Monzo agreed with the principles of the code and said that they would be adopting them as part of their business practices but, confusingly, they refused to actually sign up to the code itself.

I believe the reason why was that the way the contributions for the “no fault” reimbursement fund were calculated was a system based on market share, which Monzo said penalised banks which might have better fraud controls than others and provided no incentive for banks to reduce overall levels of fraud (therefore, perversely, ending up rewarding fraudsters; meaning that fraud was likely to increase over time). It would also have meant other banks “subsidising” the cost of poor fraud controls at rival banks.

They were pushing for some kind of performance-based contributions instead, which other banks rejected as too complicated, so they failed to sign up to the code.

I’m very willing to be corrected if I’m wrong but that’s my recollection of the reasoning.

1 Like

Indeed, you definitely remembered it correctly, which was what the commenter who replied with a forum comment from a Monzo customer, so not actually anything useful🙄, very helpfully linked to.

What it comes down to though is you’re either in, or you’re out. Attempting to follow the spirit of something doesn’t give me a guarantee as a customer that the scheme will be followed. It’s not worth the paper it’s written on. You’re in and I’m covered, or you’re not and I’ve no idea where I stand. Like the DD guarantee or the CASS scheme, it gives you some amount of certainty that members of the scheme will be held to account if they don’t follow it.

2 Likes

Oops, that will teach me to read the thread properly next time; I missed that!

I agree with you on the principle of being in or out, though, and I think it’s important not to sit on the fence.

It’s difficult to say that when I can certainly understand where Monzo is coming from and their logic does even make sense, but if they were totally serious about that logic they would have to refuse to refund victims of APP fraud and cite FCA guidelines saying customers must not be grossly negligent. Generally, with CoP now in place, I would imagine that APP fraud now comes down to extensive social engineering efforts to convince customers to ignore bank warnings. Except in the case of vulnerable customers, I think there is an argument that you’re basically being stupid/negligent if you still make the payment when there are obvious red flags.

We still need CoP to fully roll out at all banks, though, and we also need better education of customers from banks before it’s fair to blame customers in my view. I know all about this sort of stuff due to being interested in banking, so would already be on red alert making a big transfer anyway, but the average person isn’t like that and shouldn’t have to be.

2 Likes