Who compensates the scammed?
For regulators with the remit of protecting consumers, compensation is a thorny question. New Zealanders are used to banks refunding fraudulent payments if their credit card is hacked. But to what extent should banks be responsible for compensating the victims of scams? Especially if victims have ignored bank and government warnings, and authorised payments where there were clear signs that indicated a potential scam. Examples have emerged of customers falling victim to the same dating website scam three times in short succession. The New Zealand Police estimate that tens of millions of dollars are lost each year to romance scammers.⁴
The UK has been active in addressing this issue, in particular for authorised push payments (APPs), where losses were up 39% year on year in 2021 to GBP 583.2m.⁵ An APP, where a customer has given instructions to their bank to make a payment, is different from an unauthorised payment where an account is used without the customer’s knowledge.
The UK’s regulatory stance is that if a customer hasn’t authorised a payment, the bank should refund the money, provided the customer had not acted fraudulently or negligently. The voluntary code in the UK has also resulted in a heavy (and likely increasing) burden on banks to reimburse scammed customers in almost all circumstances. This is despite the legal position that the bank is not liable for the customer’s loss, even in circumstances where the customer might be tricked by a plausible scam; for example, where a fraudster is posing as a genuine payee.
This situation evolved from a recognition in the banking industry that there are circumstances where banks should have identified that a payment, despite being authorised, may relate to a scam. In these circumstances, the reasoning goes, it is within the bank’s power to intervene.
From this logic came the voluntary UK code offering consumers greater protection through a contingent reimbursement model. The model will reimburse scam victims in circumstances where banks (and other payment service providers) are deemed to have been able to identify the fraudulent nature of the transaction and failed to intervene.
A recently proposed update to this voluntary code (which includes a voluntary compensation model) will place the burden further onto banks, with reimbursement to customers for APP fraud to be provided by banks in all but exceptional cases and executed within 48 hours. Based on reported scam losses in 2021, achieving the payout rate targeted by the Payments System Regulator (“PSR”) (95%+) would cost the UK banking industry an additional GBP286m (NZD553m) minimum in annual customer payouts.⁶
In another example of victims receiving refunds, New Zealanders who were defrauded by an illegal sweepstake and prize promotion scheme will have accessed refunds from The Federal Trade Commission, a US public agency responsible for protecting consumers from fraud. The FTC sued the operators of Next-Gen Sweepstakes in 2019, and in 2022 FTC returned almost $25m to consumers worldwide.⁷