What a year of Banking Ombudsman decisions on scam complaints taught us

Thursday, 4 January 2024

Horrific details emerged in late 2023 of Indian men trafficked to Myanmar by Chinese criminal gangs who use them as tech slaves to scam people in wealthy countries like New Zealand.

ANALYSIS: A year of Banking Ombudsman decisions shows how hard it is for scam victims caught by ever-more sophisticated international criminal networks to get compensation.

American news network CNN reported in December how Chinese criminal gangs had trafficked thousands of Indian workers to walled compounds built in Myanmar on the Thai border to force them to work as modern-day slaves in scam call centres to rip-off people in rich countries like the US and New Zealand.

Often, people who fall victim to scammers feel let down by their banks, which they feel could have done more to protect them.

But complaints handled in 2023 by the Banking Ombudsman show it recognises no “general duty” on banks to monitor their customers’ transactions for indications they are being scammed, although they are doing it and are promising to do better.

On December 20, the Banking Association said work on an anti-scam centre was progressing, and banks were now focusing on sharing additional information to help identify and reduce fraudulent payments to mule accounts.

Banks are also building systems to check bank account names and numbers match so when people make payments, they can be alerted to potential scams.

Scam texts with embedded links taking anyone who clicks on them to fake websites continue to arrive in people's phones. This is a scam text.

Individual banks, such as ANZ, are promising to deploy better anti-scam systems,and the industry has pledged to finally phase out the use of embedded web links in bank texts, something scammers are very good at imitating.

All banks must be members of the Banking Ombudsman scheme and, as it is costly and hard to sue banks through the courts, it’s often to the ombudsman people turn when they have lost money in a scam.

The ombudsman publishes short “case notes”.

Under the Consumer Guarantees Act companies, banks included, must deliver their services with reasonable care and skill. Services must be fit for the purpose for which they were supplied. Some scam victims argue banks’ payment services are no longer fit for purpose.

While they indicate some of the principles behind Banking Ombudsman decisions, they do not necessarily reflect what would happen if banks’ actions were tested in a court of law against existing laws like the Consumer Guarantees Act, which requires companies provide services which are “performed with reasonable care and skill” and “fit for the particular purpose they were supplied”.

Scam victims like Borja Ares lifted the lid on banks’ weak anti-fraud systems in 2023. It led to high-profile media coverage, and banks had no choice but to respond.

Banks have no general duty to warn: In December the ombudsman ruled a bank was not responsible for a woman’s $45,000 loss in a crypto-currency scam. She had “invested” using her debit card and internet banking. She believed the bank should have protected her. The ombudsman said the bank had no general duty to monitor a customer's transactions. The woman had authorised the transactions using her own banking credentials. The bank’s “primary obligation” was to follow her payment instructions. However, the ombudsman said a bank does have a duty to exercise reasonable care and skill and this could include making inquiries, if it saw signs of possible fraud. That had happened in the woman’s case, but she had not heeded the bank’s warning, the ombudsman said.

No duty to do a deep dive, even after a fraud alert: An October decision involved a man who complained his bank had not done enough to protect him from a scammer he met on WhatsApp who was flogging fake gold investments. The bank’s system had triggered a fraud alert, but the bank could not contact him. Two transactions went through, before the bank blocked, and then cancelled, his credit card. When he got a new card, he made more “investments” triggering a fresh scam alert. The bank rang the customer and identified the scam, but could not recover the $18,000 that he had lost. The ombudsman decided the first fraud alert was triggered out of concern the man might not have authorised the transaction, not that he might be trying to pay for a fake investment. “As a result, the bank did not have an obligation at that point to look into the transactions he had authorised,” the ombudsman decided.

Bank mystery compensation offer: A September case involved a woman tricked on the phone by a cold-caller claiming to be from her bank. The crook claimed the bank had spotted fraudulent transactions on her account and said she needed to help to reverse the transactions. She helped the scammer complete transactions by handing over her banking credentials and by telling the crooks two authorisation codes sent to her mobile phone. The scammer stole $15,236. Banks usually claim they are not obligated to reimburse a customer for fraud, if a customer authorised transactions. The woman claimed she had not authorised the transactions, and offered to reimburse half her losses, despite, the Code of Banking Practice, which is a voluntary code created by banks, claiming banks do not have to reimburse fraud losses if a customer was negligent, or did not comply with the bank's terms and conditions, or did not take reasonable steps to protect his or her banking credentials. The bank’s terms and conditions were explicit that customers should not disclose authentication codes sent to her mobile phone to anyone, including anyone claiming to be from the bank, the ombudsman said.

Sometimes banks are liable for losses: A woman got a text purportedly from her bank saying it had detected an unusual payment attempt on her new card, and asked her to click on a link in the text if it wasn't her. The woman had been trying to activate a new card that morning and was concerned her card had been compromised. She clicked on the link, which took her to what looked like the bank's log-in page where she entered her username and password. She then received another text and an email from the bank containing codes. The text and website were from crooks, who used them to harvest her banking details. Using those, the crooks set up the bank's mobile app on another device. They then accessed her account through the app to make transactions totalling $28,505. The bank recovered $4490, but the woman felt the bank should make up her losses. The bank accepted the woman did not know she had disclosed her banking details, and only thought she was dealing with the bank. “We did not consider Joyce had acted negligently or breached the terms and conditions of her account when she entered her details and the codes into what she thought was the bank’s website,” the ombudsman said. The bank agreed to compensate her. In another similar case from June, the ombudsman ordered the bank of a man who was scammed out of $60,000 in a similar scam involving a fake Inland Revenue text message, to reimburse his losses.

Drawing the line on customer negligence: Sucked in by a fake Waka Kotahi text claiming he was overdue on his rego, a man clicked on a link in the text, which took him to what appeared to be the organisation’s website. He entered his credit card details, and then entered in three payment authentication codes sent by his bank to his mobile phone. The crooks used these to steal $5720. The messages to his mobile with the codes showed the transactions were not in New Zealand dollars, and were for sums much larger than was needed to pay for a rego. The man’s bank agreed to pay him half the money he lost, which surprised the ombudsman. Not reading the texts meant the man had not taken reasonable steps to protect his banking, the ombudsman said. That breached his bank’s t’s and c’s, and meant the bank was not liable for his loss.

Once warned, a customer is on their own: A man made several online transactions to “invest” in a fake cryptocurrency scheme using his bank debit card. The bank contacted him to tell him it was probably a scam. He went ahead anyway, and lost $15,000. He felt the bank should have prevented him from making the payments. The ombudsman said the bank had done enough with its warning, and did not have to reimburse him for his losses.

Banks can, and do, decide to block payments without customers’ consent: A bank was so concerned about a repeat scam victim, it blocked his credit and debit cards, and would not allow him to make international money transfers. The man complained to the ombudsman that the bank had based its decision to restrict his banking services on “false information and hearsay”. The ombudsman ruled the bank’s t’s and c’s allowed it to act on a suspicion that fraud might be taking place, although it had to have a reasonable basis for forming this suspicion.

Reasonable care and skill: A victim of a romance scam lost $55,000 by sending it to her fake lover via an international money transfer through her bank. Luckily, the recipient bank returned the money, saying it was concerned about the possibility of fraud. To protect the woman, her bank disabled her ability to make international money transfers. A few months later, she became caught up in a second romance scam. As she could not make international money transfers, the scammer convinced her to transfer funds via a New Zealand-based cryptocurrency trader. She blamed the bank, saying it should have done more to protect her, but the ombudsman said customers were responsible for payments they have authorised, even if tricked by a scammer into making them. “A bank is liable for a loss only if it has failed to act with reasonable skill and care by, for example, failing to detect or respond appropriately to a red flag,” the ombudsman said. The bank’s systems for detecting fraudulent payments were appropriate and reasonably effective, the ombudsman said. “The fact the bank’s systems did not detect the scam did not mean they had failed.” But the bank had failed to try to recall all the transactions, and offered the woman $2000 compensation.

Banking Association’s fraud tips:

Trust your instincts. If it feels wrong, it probably is. Urgency is a red flag. Scammers try to rush you.
Your bank will never ask you for passwords, log-in details, or two factor authentication codes, nor will they send you an email or text message asking you to log in.
Your bank will never tell you to move your money to a “safe” account, or ask you to use your money to help catch a scammer.
Think carefully before entering your credit card details online.
Be cautious with unsolicited texts, emails, or calls. Don’t give out details that could be used to impersonate you.
Don’t click on links or open attachments from people you don’t know, or seem out of character for someone you do know. Hover over links to reveal the actual site.
Don’t respond to instructions to download unknown software. It could be malware to access your accounts.
Be careful of deals or investments that sound too good to be true. Contact investment firms or businesses via their official New Zealand-based websites, and never via online contacts, emails, links, or phone numbers sent to you directly or from other websites on the internet.
Use strong, unique passwords and PINs for your banking. Don’t write them down or record them.
If you think you’ve been scammed report it to your bank immediately.