Banks are taking advantage of a legal loophole to ‘fleece’ fraud victims, MPs will be told.
Under guidelines devised by the ombudsman and seized upon by banking groups, Brits who use their card in a hacked machine have ‘consented’ to the fraudulent transaction.
This means the regulator will likely rule that customers who get stung will not be entitled to a refund, even if they lost tens of thousands of pounds, campaigners say.
The Financial Ombudsman Service (FOS) also says transactions made under duress from abusive partners are consented to, as are payments made while drunk or under the influence of drugs.
Banks are legally required to refund transactions that customers did not consent to.
One leading expert estimated that the full extent of the loophole could have cost Brits ‘billions’ over the years.
FOS training documents, seen by MailOnline, set out what investigators should consider ‘when deciding whether a consumer authorised a disputed transaction’.
The guidance states: ‘When a consumer gives a payment order the underlying relationship between them and whoever they’re paying is irrelevant to whether the payment is authorised.
‘This means that if a payee has been coerced into making a payment or deceived about the purpose or amount of a payment, that doesn’t usually make the payment transaction unauthorised.’
In its examples of ‘things that don’t invalidate consent’, the FOS lists:
- Where a consumer says the merchant’s payment terminal was tampered with, or obscured e.g. ‘I’ve been charged £120 but I thought I was paying £12 because that’s what was shown on the terminal’;
- Where a consumer says they were drunk or drugged so couldn’t appreciate what was happening when they entered their PIN;
- Being pressured or coerced into giving consent to a payment. Please see guidance on domestic and economic abuse.
The FOS settles disputes between all UK-based financial companies, including high street banks, and customers. It has the legal power to adjudicate.
With regards to tampered terminals, experts say attacks like these are only possible because of digital security flaws in the chip-and-pin network.
This is despite banks insisting the system is impenetrable.
Andy Agathangelou, secretary of the All Party Parliamentary Group (APPG) for investment fraud and fairer financial services, told MailOnline: ‘The fact that the regulations and/or how poorly they are being enforced, means that somebody who has been conned through a hacked and corrupted payment services terminal can be deemed to have given consent to what is clearly a fraudulent transaction initiated by the perpetrators with criminal intent in mind, just goes to show how far behind the curve we are.
‘The present loopholes mean the FOS, the Financial Conduct Authority and the regulations they operate through are a means by which they can fleece victims of premeditated, systematic tech-savvy fraud out of refunds, legally or otherwise.’
Mr Agathangelou, also founder of consumer campaign group Transparency Task Force, added: ‘As well as changes to regulations and the enforcement of them, we must also scrutinise what deficiencies there are in the banks’ security systems that are allowing payment services terminals to be hacked such that, for example, a consumer spending £40 results in £400 leaving their account when they actually only authorised £40.
‘Is it not obvious that trust and confidence will be corroded even further if these known flaws and weaknesses in the banks’ systems mean they can be hacked and manipulated by crooks in this way?
‘Surely it’s time for strong regulatory intervention to put an end to this?’

The FOS told Barclays to refund just half of the £20,000 stolen from Falklands war hero Henry Williams, 65, after his card was defrauded while on holiday in Rio de Janeiro.

Mr Williams at the Ipanema beach in Rio de Janeiro while on holiday in 2022
Professor Ross Anderson, a renowned digital security expert who unexpectedly died last year, said before his death that the FOS ‘uncritically backs the banks’.
He had previously said ‘the ombudsman was set up a generation ago to minimise litigation costs for the industry’ and that it routinely parrots false assertions from banks that the security of the chip and pin system is unbreakable.
As well as obscuring the true payment fees, fraudsters have developed ways of queuing up multiple high-value transactions for customers who correctly enter their PIN once.
A spokesperson for the FOS – an offshoot of the FCA that is funded through annual levies slapped on banks – said it ‘strongly refutes these allegations’.
The Payment Services Regulations (PSR) 2017 state that banks should refund customers for payments they did not consent to unless they were grossly negligent, they tried to defraud the bank, or if it can be proven they did authorise the payment.
If a consumer has been defrauded they should phone their bank to claim a refund.
If a customer disagrees with the bank’s decision, they can refer the case to the FOS, which first gets a ruling from an investigator. If their view is disputed, the case is escalated.
According to the FOS training, a customer’s consent to a transaction does not need to be ‘informed’.
A slide on an October 2022 training presentation titled ‘Intro To Disputed Transactions’ reads: ‘The consent referred to in the PSR is not like the “informed consent” requirement used in the field of healthcare.
‘The validity of a payer’s consent to a payment transaction does not depend on the payment transaction being fully explained to them.’
But the next slide, seen by MailOnline, quotes guidance from the FCA, which says: ‘For consent to be valid it must be clear, specific and informed.’
Rupert Brown, founder of Evidology Systems which builds systems to ensure digital compliance, said: ‘It is clear to me that “consent” has been redefined – but to what extent it is c**k up vs conspiracy is not wholly clear.’
He said that given the shifts to online and contactless payments and rising levels of fraud, the FCA should ‘put in place additional consent safeguards for particular classes of transaction and amount thresholds’.
He added: ‘There are protections in place for credit card transactions and problems with faulty goods, so perhaps they should be extended by some form of levy for debit transactions.
‘There needs to be multiple and varying layers of trust and control above the basic technical mechanism – no consumer should be permitted to “consent” solely to a technology-based system that is implicitly flawed.’
Mr Brown said that banks need to work on their security systems by utilising two-factor authentication and ‘more rigorous licensing and multiple tiers of payment limits as well as deeper scrutiny of payment merchant supply chains’.
When asked for comment, a FOS spokesperson said: ‘We strongly refute these allegations.
‘A range of methods and sources are used to build investigators’ understanding of fraud and scam complaints, the legislative background and the agreements drawn up between consumers and their financial providers.
‘Whilst we consider the specific terms and conditions the consumer has agreed to, it is the relevant law and regulations – to which the banks must adhere – that provide the basis for our decision making.
‘When deciding what is fair and reasonable we not only take these regulations into account, but also the case’s unique circumstances and other factors such as a consumer’s vulnerability.
‘Our independence is paramount and each week we investigate hundreds of fraud and scam cases, providing a free alternative to the courts.’
UK Finance, the trade body for British banks, has been contacted for comment.