Banks need to pay up for financial scams

New Zealand banking regulations are not keeping up with international trends to provide better protection for customers involved in financial scams or fraud.

It’s time for urgent change and more onus on financial institutions to repay stolen money. Banks are hiding behind the buyer-beware excuse and not taking responsibility for their own failures: under-investment in technology and commercial risk-taking, which we are forced to accept.

Recent reporting has unveiled heart-breaking cases of Kiwis being taken to the cleaners for large amounts of money, when they think they’re investing in genuine financial products with genuine banks or money managers.

The social engineering and trickery involved in these cases is highly sophisticated. Everything has been faked, from websites to financial documents, online logins, staff with profiles on LinkedIn and money laundering checks that mirror those carried out on a real investment.

We have fraudsters with posh accents, a New Zealand-based phone number and New Zealand bank accounts to accept funds. In two recently publicised cases of fake Citibank investments, people lost six-figure sums of money.

It is our banks and counterparty banks who process these fraudulent transactions. They know the real account name and authenticity of the recipient of the money. It’s a surprise to most customers to find the account name you type in for an online payment is not cross-checked against the official name on the account. Type “Citibank” and the real account could be in the name of Mickey Mouse. No warning is triggered.

In the latest scam, what’s the likelihood the ASB account used to accept the deposit was in the name of Citibank? It’s far more likely to be a Smurf (money mule) who claims to have no idea their account was being used to swiftly transfer funds offshore.

In the UK, names have been cross-checked with online payments since mid-2020 to counter fraud. This week I made a payment and didn’t type the business name correctly. Barclays online banking flashed up “the name on this account is [company name Limited], do you still wish to proceed?”.

New Zealand banks have failed to implement this and continually delay. We are now a target for international crime rings. Banks point the finger, “it’s your fault”, then scurry behind the banking ombudsman who is obliged to apply outdated laws.

Customers are responsible for authorising a payment, when banks can’t tell us if the name matches. The Code of Banking Practice doesn’t protect us. It condones under-investment in security.

Without forcing liability back on banks, there will be no change. The risk to customers has become unacceptably high. Systems have failed to keep pace with fraud innovation.

Banks should also be checking their own customers’ activity to identify cases where money mules are being used to funnel amounts offshore. An improvement to fraud algorithms and human intervention is needed to monitor local and international inter-bank transfers as well as internal account activity.

We need retrospective action from regulators, where account-name checking would have flagged a fraud warning. The ombudsman should demand the power to override the current Code of Practice, as a signal for banks to take action.

Phishing and smishing

Payment fraud is also rampant, with criminals pretending to represent a bank. An attempt to extract information by phone is known as “phishing” and via text message, “smishing” (named after the SMS). Some employ bots with electronic voices that feel like a big-company automated fraud check.

Many UK banks are part of a voluntary scheme to repay stolen money where customers are phished. It will soon be the law and applied to all banks. In the meantime, the ombudsman can demand repayment if the customer was careless, but not negligent. This concept of carelessness is important. It’s a non-intentional action.

With credit card fraud it may be careless if the zip on my handbag is open, allowing a pickpocket to divert my attention and trick me into my card being stolen. But I wasn’t negligent. The credit card companies pay up for losses.

Banks place us in the position of having open handbags, by setting up technology that isn’t gold-standard, or taking known commercial risks to save money. When they send a code by text message, they are exposing customers to fraud by malware and fraud by phishing. When codes were first used, banks overseas sent out plastic calculators. You slotted your card in and produced a random code. Barclays had a PINsentry machine and I’ve still got one in my office desk.

Now we have delivery of two-factor codes via text. Why? Because it’s cheaper and frictionless, attracts customers to set up new payment methods and raises profit levels. Technology experts openly admit banks are not using gold-standard methods. So why are we as customers being held liable for fraudsters targeting these?

Banks set risk levels based on commerciality, but the law in New Zealand isn’t recognising this. Their profit levels are riding high, but responsibility slinks low, because the Banking Code of Practice is too soft.
