The TSB and Lloyds Bank APP fraud saga and the rise of CoP


The issue of Authorized Push Payment (APP) fraud, where customers are manipulated into sending money to a fraudster, has been a persistent and costly challenge for the financial sector. However, the crisis reached a new level of public and regulatory scrutiny in 2018, primarily due to events at TSB Bank and their fallout across the wider UK banking landscape.


The TSB Catalyst

The catalyst for this saga was a catastrophic IT migration at TSB in April 2018. The bank, in an effort to move customer accounts to a new platform, suffered a series of technical failures that left millions of customers without access to their accounts for weeks. This period of widespread chaos and confusion created a perfect storm for fraudsters. Scammers exploited the situation with sophisticated social engineering attacks, impersonating the bank and convincing panicked customers to “transfer” their funds to a “safe” account, which was, in reality, controlled by the criminals. This incident alone led to significant financial losses for customers and placed TSB under intense pressure from regulators and the public.

Bob’s Take on The Operational Resilience Gap

“The TSB and Lloyds fraud saga is a huge lesson for everyone in fintech. When TSB’s IT system crashed, it wasn’t a cyberattack, but it created a massive mess that fraudsters jumped all over. They used the chaos to trick people into sending them money. The main takeaway is that you can’t just focus on one thing. Cybersecurity and operational stability are two sides of the same coin. An IT failure can be just as dangerous as a direct cyberattack because it creates the perfect opportunity for criminals. The lesson is clear: a financial institution’s resilience must be holistic, encompassing technology, people, and processes, and not just focus on traditional threat vectors.”

The Lloyds Bank Connection and Industry-Wide Impact

While the TSB case was an extreme example, APP fraud was not unique to one bank. Lloyds Bank and others were also facing a rising tide of similar incidents. The public and regulatory pressure mounted, leading to the collective recognition that the existing payment system wasn’t adequately protecting consumers. The simplicity and irreversibility of the UK’s Faster Payments system, designed for convenience, were being exploited at scale. This realization prompted an industry-wide response, driven by the regulator.

The Industry’s Response

The financial services industry, in collaboration with regulators, developed a two-pronged strategy to combat APP fraud:

  1. The Contingent Reimbursement Model (CRM) Code: Introduced in May 2019, this voluntary code shifted the burden of responsibility. Participating banks agreed to reimburse victims of APP fraud under certain conditions, such as when a customer had taken reasonable care to protect themselves. This was a crucial step towards rebuilding customer trust and incentivizing banks to improve their fraud prevention measures.
  2. Confirmation of Payee (CoP): The introduction of CoP was arguably the most significant technological response. This service, now widely adopted across the UK, requires the payer’s bank to check if the name on the recipient’s account matches the one provided by the payer. A mismatch generates an alert, giving the payer an opportunity to halt the transaction. CoP directly addresses the social engineering tactics used in APP fraud by making it more difficult for fraudsters to trick people into sending money to a falsely named account.
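The name check described in item 2, as an added example that is not the page’s code nor any bank’s actual CoP implementation: the payee’s bank looks up the account, normalises both names and returns a match result, and the payer’s bank turns that result into the warning shown to the customer. The account directory, the names, the 0.8 similarity threshold and the MATCH / CLOSE_MATCH / NO_MATCH result shape are this example’s assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for the recipient bank's account records:
# (sort code, account number) -> registered account holder name.
PAYEE_DIRECTORY = {
    ("12-34-56", "12345678"): "Mr John A Smith",
    ("12-34-56", "87654321"): "Acme Trading Ltd",
}

HONORIFICS = {"mr", "mrs", "ms", "miss", "dr"}
CLOSE_MATCH_THRESHOLD = 0.8  # assumption for this example, not a scheme rule


def normalise(name: str) -> str:
    """Lower-case, strip punctuation and honorifics, collapse whitespace."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in HONORIFICS)


def confirm_payee(sort_code: str, account_number: str, claimed_name: str) -> str:
    """Payee bank side: compare the name the payer typed with the registered name.

    Returns ACCOUNT_NOT_FOUND, MATCH, CLOSE_MATCH or NO_MATCH. A fraudster who
    gives the victim a mule account cannot make its registered name match the
    name the victim expects, so the outcome exposes the 'safe account' story.
    """
    registered = PAYEE_DIRECTORY.get((sort_code, account_number))
    if registered is None:
        return "ACCOUNT_NOT_FOUND"
    claimed, actual = normalise(claimed_name), normalise(registered)
    if claimed == actual:
        return "MATCH"
    ratio = SequenceMatcher(None, claimed, actual).ratio()
    return "CLOSE_MATCH" if ratio >= CLOSE_MATCH_THRESHOLD else "NO_MATCH"


def payer_bank_decision(result: str) -> tuple[bool, str]:
    """Payer bank side: may the payment proceed without a warning, and what to show."""
    if result == "MATCH":
        return True, "Name matches the account holder."
    if result == "CLOSE_MATCH":
        return False, "Name is similar but not identical; confirm the details with the payee."
    return False, "Name does not match this account; stop and verify through a trusted channel."
```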

Bob’s Take on The Power of Collaboration and Regulatory Influence

“The industry’s response with the Contingent Reimbursement Model (CRM) Code and Confirmation of Payee (CoP) showed that when things go wrong, everyone has to work together to fix the system, not just point fingers. CoP, in particular, is a great example of a simple technological fix that makes it much harder for fraudsters to succeed. It’s a key reminder that sometimes the best solutions are simple and collaborative. The CRM code and CoP are perfect examples of how regulatory pressure can drive positive change. It proves that embracing new technology and working with regulators isn’t just about compliance; it’s about building a better and safer financial system for everyone.”

