My 82 year old mother found out that fraudsters had emptied her HSBC_UK account (twitter.com/aamortazavi)
86 points by fortran77 7 months ago | 83 comments



Back in June 2022 there was a landmark decision in the Swedish supreme court (https://www.domstol.se/hogsta-domstolen/avgoranden/2022/1155...) that made the banks responsible in most of these kinds of cases. The same thing needs to happen in other countries.

I love the British comedian David Mitchell's long time campaign against this kind of bank behavior:

https://www.theguardian.com/commentisfree/2018/nov/25/identi... ('’Identity theft’? It’s daylight robbery by the banks' - 2018)

https://www.youtube.com/watch?v=CS9ptA3Ya9E (Mitchell & Webb - Identity Theft, 2007)


The Payment Services Regulations (2009 & 2017) already encode this liability in UK law. They outline a very clear set of standards that need to be met for payments to be “authorised”, and make it clear that banks are 100% liable for any unauthorised payments.

Banks of course will do everything in their power to shirk their responsibilities. But reading the legislation, and writing a well worded letter, plus a follow up with the Financial Ombudsman (FOS) is pretty much sure fire way to get your money back.

The FCA sets clear rules around how banks must deal with complaints, and the FOS makes it easy to escalate complaints when banks refuse to acknowledge their responsibilities, and is extremely consumer friendly (I say this as someone who’s dealt with the FOS from the banks' perspective).


Since you seem to have a grasp on those regulations; which are those very clear standards that need be met for payments to be "authorised"? A brief overview would be much appreciated. Please include a link to the actual law text if you're able to.


Legislation is online and written in some pretty clear English, knock yourself out[0].

But broadly the bank is completely responsible for any transaction the account owner claims is “unauthorised” unless the bank can demonstrate the account owner was “grossly negligent” with their payment credentials, or can demonstrate the account owner is making a fraudulent claim. The standard of “grossly negligent” is something you need to look to case law to understand, but it’s generally very hard to prove gross negligence, and the account owner's personal situation must be considered.

A relevant example of non-gross negligence was an older individual who entrusted their debit card and PIN to their carer so they could buy them groceries. The carer used the card and PIN to steal money from the account holder, and the bank claimed that sharing their PIN with a carer was gross negligence, but the FOS and courts disagreed on the grounds that the individual needed to provide their card and PIN because their personal situation made buying groceries themselves effectively impossible.

But the TL;DR is that the law places the burden on banks to prove that any transaction a customer claims is “unauthorised” was actually “authorised” by the customer, that the customer isn’t acting fraudulently, and that they weren't grossly negligent. There is no assumption of fault on the customer's part.

[0] https://www.legislation.gov.uk/uksi/2017/752/part/7/crosshea...


If you give your card and your PIN to somebody and that somebody steals from you, how can this be the bank's fault?


Banks have an obligation to ensure that people can access and use their funds. This isn’t email, being unable to spend your own money has very serious consequences for people. It’s their duty to provide security measures that both ensure transactions are authorised correctly, and allow people reasonable access to their money.

If you’re house bound, entirely dependent on a trusted third party's help for your day-to-day living, and your bank only provides a debit card and PIN facility to authorise your transactions, then what choice do you have but to share those credentials with that trusted third party so they can buy food for you?

The bank chooses the authentication mechanism, their customers don’t get a choice. If that mechanism doesn’t work as intended when faced with common and entirely reasonable living situations, that’s the bank's failure, not the customer's.


It's easy to pick on banks, but I really don't see what the bank should do here.


This is basically: it's the bank's fault for having chosen the cheapest mechanism and not having changed anything. In the end, the bank could have provided a digital one-off PIN with a fixed amount for the debit card. From a tech perspective this seems easy to implement and could have solved the case; the bank just does not provide it.


In most places a large number of aberrant transactions that don't match the historic spending patterns of an account would be enough to trip a security review, and a call to the account holder, temporary freeze, etc are low impact to false positives and highly effective at stopping fraud.

So yes, because we afford massive protections and rights to banks in exchange for the necessary but largely low-risk activity (holding cash then returning it in exchange for a fee) - laws holding them responsible for failing to prevent theft do exist.


Presumably because the bank thinks that card and pin possession is sufficient to authorise all transactions regardless of personal circumstance.

As this case shows, this isn't always true.


It feels akin to giving someone a blank cheque you’ve signed. Crazy.


Thanks!

In the Swedish supreme court case I quoted above:

Background information:

- Sweden has a public personal identification number for every citizen (except for like 10k people with protected identities)

- The four main banks in Sweden have collaborated to create something called "Bank Id". It's often used as a secure authentication tool combined with the personal identification number (something you have - the cert in the mobile app, something you know - PIN or face id).

Someone convinced an elderly person over the phone to authorize the creation of a new Bank Id on the attacker's phone. This was fairly complicated and required the old person to use their physical RSA SecurID token. The court found that the elderly person had behaved reasonably well and that the attacker was very competent.

Still, the supreme court felt that the bank should have been more careful about letting strangers steal their money.


In the UK, authorised push payment fraud, where customers are tricked into authorising payments to fraudster accounts, has a similar smell to the Swedish case you mention. Rulings by the regulators and courts have reached basically identical conclusions to the Swedish courts. If the customers acted in a reasonable manner, then it’s the bank's failure; customers aren’t expected to become security and fraud experts just to access their bank accounts.


I don't understand how the liability could lie elsewhere. I understand why the bank might want to tell a customer "someone else took your money. It sucks to be you", but it seems pretty clear cut that it's no different than the bank somehow misplacing funds for any other reason (at least as far as the customer is concerned. The bank's insurer presumably cares about the particulars of how they're misplacing money).


Not to mention they seem to have no problem treating it as "their" money while lending it out to other people, but as soon as someone tricks them into sending it to the wrong place, suddenly it was "your" money.

It reminds me of when I was a kid, my sister and I got two identical fish and couldn't disambiguate which was mine and which was hers. But when one of them died, she made sure to let me know that was my fish.


It is their money. You lent it to them when you made the deposit. All you now own is an admission from the bank that they owe you $x. The whole point of getting hacked is that the bank doesn't know it's not you, so of course they'll try to get out of refunding you.

There are some asterisks to this statement due to the large amount of regulation around bank accounts.


That would imply that if the bank loans me money, and then I deposit it into a fake/scam bank I can claim that I didn't know it's not them and get out of repaying the loan. But it doesn't work that way because I'm expected to do my due diligence. So should the bank.

Not knowing it's me just means they have to find a way to guarantee that knowledge. Because the failure to properly identify a client is the bank's not the client's.


>so of course they'll try to get out of refunding you.

Yes, in the same way that companies will often try to avoid honoring their warranties. That it's in their financial interest to do so doesn't mean they can just ignore their contract with you.


I always took the bank's sudden intense interest in my security as serving their concerns, not mine. Not only did it smell insincere and fishy, but it didn't make sense either. Why should I care so much for _their_ service? If they get scammed into giving all my money to someone else, that sounds very much like a _them_ problem, and not a me problem.


Even if it's caused by their incompetence, you'll have to sort it out if it happens, and they won't really care all that much.


At least here, their care isn't really optional. It's their responsibility, since it's their service. I think they have to prove it was through my own fault in order to brush it off, and that's difficult. Difficult enough that when I had to get my money back (lost due to fraud), they didn't ask more than a nominal set of questions.


> So we’ll do the whole @financialombuds thing and fill in a million faceless forms. But I bet that not a single person will ever turn up at her home, sit down with her and just talk to her. Shame on you @HSBC_UK

Such a weird place to look for care and comfort.

Let's grant that an elderly person needs assistance and compassion in this time, and as a community we should provide it. Would we want the bank to provide it? Hell no! There's an enormous conflict of interest there. In this situation I wouldn't want somebody from the bank cozying up to my mom and earning her trust. In fact, I'd go ballistic if they tried. Their financial incentives are to use that trust to persuade her not to exercise her full rights, to avoid her becoming aware of all the avenues of recourse available to her, to make her feel that everything will be okay if she lets the matter drop.

What we really want for someone in her situation, besides emotional support, is a savvy legal advocate who will let the bank know that she is aware of her rights and the bank's obligations, and that she has legal resources at her disposal.


That's great in theory, but you missed the part where the fraudsters stole all her money. There is no Legal Aid for cases like these. Charities or (in this case) relatives are the best hope for her.


> There is no Legal Aid for cases like these. Charities or (in this case) relatives

That's the part that could be fixed. If we manage to provide legal assistance to every criminal defendant who can't afford it, we could provide a consumer advocate for people in her situation, backed up with a lawyer when necessary. They wouldn't have to do much; their attention and their ability to bring legal resources to bear would motivate the bank to do what they are obligated to do.


Thankfully the Financial Ombudsman is a pretty good arbiter (for consumers), and when cases like this land on their desks they love to make examples of banks. It might take a couple of months, but expect this lady to get 100% of her money back, an apology, and a considerable amount of compensation back from HSBC.


Lot of passive voice everywhere for some odd reason


or maybe banks, and more specifically people who work at banks, should not be incentivized to screw their clients at every opportunity. which is to say, we should not have a legal, fiscal, and political regime which encourages or excuses this behavior. and, as people, we should not tolerate or accept it

you are, on the one hand, calling for "community" to provide for assistance and compassion and to respect basic human dignity. then, on the other, you accept and normalize this notion that all human interaction is explicitly transactional, and even adversarial. these are orthogonal goals.


There's a Nobel Peace Prize waiting for you if you can solve the problem at that level.


Not really. The notion that all human interaction is transactional and adversarial is relatively new, and the idea that this is actually good and should be encouraged is even newer. It only seems like an iron law of human nature because individualistic thinking is so prevalent in the West and especially the US and the UK, while models of human behavior that even remotely orient around collective goals, behavior, and action, are discouraged and often regarded as something like extremism.

The hardness of the problem is borne of powerful actors making it such: there is nothing inherently difficult about it.


Why? Why shouldn't we obligate businesses to deal with the HUMAN results of the suffering they cause by not properly vetting people claiming to be you?

The very concept of a business exists at the whims of society. We can make them do better if we want.


Businesses aren't human beings, and there's no meaningful way to confront them with emotional consequences. Whatever obligations they have should be satisfied in a way that gives them the least possible influence over the process and the least possible way of taking credit for it. I.e., through taxes and fines that fund aid for the victims.


You make it sound like a business is some fundamental force of nature. Humans invented them. We can change the way they work.


I don't think it's feasible to expect a global bank with literally hundreds of millions, if not over a billion, customers to be dispatching someone to do a household visit.


Bet they manage to get someone out to your house if you stop paying your mortgage or car payments, though.


If they don’t have the means or resources to do business, let them stop doing business. Someone else will take their place, and with proper regulations the successor will take this sort of thing more seriously.

I really don’t understand all these “business will become too onerous and they’ll lose money” arguments. Society does not owe them success. If a business plan does not work, then let the company die. (It won’t be the case here, British retail customers are a blip on HSBC’s balance sheets).


Why not? Why is it expected that massive companies cut corners on all aspects of customer support and it be okay?


if they can't do business at that scale in a way that is acceptable to most people they do business with, then why should they be allowed to do business at that scale at all?


Most people wouldn't consider a personal concierge service, to the level that banking staff come to your actual house, an 'acceptable level of service'.


Bank should have insurance for that and should have paid all the money back to the accounts.

If it turns out that there was no fraud, they could look at clawing them back.


At least with a bank there are some actual human beings that you can rant at and maybe, finally, persuade to take some action.

That is getting less and less common these days. Take companies like Google and Meta who pride themselves on not having a single human support person.

I even paid for Google support to try and get back into my Google account lol. Here's their reply:

  "My name is Christopher, and I’ll be taking up your case here today. I understand you are trying to get back into a different Google account but are not able to. I understand how important this is to you to get back into your account. We'll work together to see if we can get you back into the account.

  You've said you have access to your email address, password and recovery email but you lost your phone number in a fire.

  Based on that, we currently don't have any other account recovery suggestions for you."


I'm just going to repeat something I've just remembered that I heard recently which might be useful to someone.

I read somewhere in a HN comment that someone was able to restore access to a Google account which they were locked out of because they already had all email forwarding from the locked account to another account. One of the options Google offered for unlocking access to an account was having access to email from that same account, which seems ludicrous to me, but in this case worked for that person.

As well as setting recovery email addresses, it might be worth turning on forwarding to that recovery email, and a rule in the recovery account to automatically send those emails to trash.


I have forwarding already set up from before it was locked. I get all the email that comes into the account. I can't get them to do anything with this, though :(

I had exactly the same though -- if they could just send me a link or something to verify!


This is an incredible reply to receive! I suppose good current security practice is to assume that most of us will also be in a similar situation one day.

There are services that I still have difficulty giving up, which are provided by companies I don't trust to not lock me out forever or to provide customer service. I feel stupid as I type this - are other people in a similar situation? Is the only option to vote with our wallets and choose better/paid providers?

I like to think that there's a solution out there which returns us to a time when it didn't feel like account access involved the sword of Damocles:

- coming up with the perfect combination of 2FA/Advanced Protection/removing mobile phone number which prevents these arbitrary lockouts,

- a popular name and shame website collating these ridiculous examples


You'll own nothing, and be happy.

-some algorithm



thank you

I got banned from Twitter ages ago and never bothered to create another account. I used to not have trouble reading threads like this but among other things with "X" the UI has become absolutely impossible to use lately. I'm not even sure if I'm allowed to read the rest of this thread on Twitter itself but, if I am, how to do it is not at all obvious.


FYI all you need to do (for now) is plain substitute the twitter.com with nitter.net. The links in comments are convenient, but it's trivial to DIY when faced with some twitter thread you want to read without a login.


you can make a firefox bookmark with location set to:

    javascript: (location.hostname="nitter.net")


Since Xitter decided to play the 'log in to read this' game, Nitter Redirect extension has saved me a lot of annoyance

https://addons.mozilla.org/en-US/firefox/addon/nitter-redire...


Thanks, works on android


If you install the LibRedirect plugin, your browser will automatically rewrite twitter links to nitter.net, which is much more convenient.


It's intensely frustrating that most big banks' branch staff are now there just to say "computer says no". They're not empowered to do anything whatsoever.

I'm exceedingly glad to have switched to a local credit union.


I switched to a local credit union years ago and I can't imagine going back. Service can be slow-moving, but it is always humane. When a fraudster emptied my checking account several years ago, I simply walked into the branch, told them what had happened, identified the fraudulent transactions, and they sorted it out - practically on the spot. I walked away with some cash and a new debit card; the rest of the money was returned later that week. A brief chat with an investigator several weeks later concluded the matter (they had identified the culprit).



Thank you! Never knew where this came from.


There was another story a few years ago, which I can't find right now, but I'm fairly certain I remember the details correctly:

Someone bought a new house to retire with their life savings. Everything was arranged properly, and she transferred the money to the bank account the estate agents told them.

But they never received the money.

What had happened was that someone had hacked into the real estate agent's email and had sent a fraudulent email, so she transferred the tens of thousands of pounds to the wrong account. This was discovered a few days later.

Bank said there's nothing they can do; "your life is destroyed but not our problem kthxfucketybye". Of course the real estate agents took no responsibility either (after all, we all know that the primary function of most people involved in the housing industry is to make everyone as miserable as possible).

(I don't recall if things did end up being resolved after a few years; I'd appreciate it if someone remembers the article; IIRC it was in The Guardian).


> What had happened was that someone had hacked in to the real estate agent email and had sent a fraudulent email, so she transferred the tens of thousands of pounds to the wrong account. This was discovered a few days later.

That's why I always "warm" bank accounts. I first do a little transfer, then confirm with the person, on the phone, that the money was received. If that's not possible (for example for fully automated system which expect the exact amount), I make 100% sure the account is correct.

Invoice from my car dealership asking me to wire 3 K EUR? I call them and ask the secretary to read me the bank account number out loud.

Note that what you mention is a famous scam in the cryptocurrency world: replacing Bitcoin deposit addresses (say a Bitcoin deposit address belonging to an exchange like Kraken or Coinbase) with the attacker's address. There is even malware that modifies the clipboard when it detects that a Bitcoin address is in the clipboard. Even "better": there is malware that does this while making sure the last four digits are the same as those on the legit address (so people only checking the last four digits and thinking they're good are owned).

It's very hard to not get scammed in this mediocre world full of shitty insecure, constantly owned, OSes, phones, websites, etc.: nothing that appears on these shitty devices can be trusted.

The problem is so bad people are using 2FA devices and are still getting scammed.


Wire fraud is quite a common problem. It's pretty standard practice at least where I am to require written wire instructions from the settlement agent, and then the bank will call them to verify that is indeed correct before sending funds.

But if an email looks official and came from an official address, I can't imagine the settlement agent wouldn't be liable for the loss. (And often they now have cyber insurance to cover such losses.)

I know some title companies are moving away from wiring funds out and only issuing checks to prevent having this problem themselves.


I'm all for giving people agency over their finances for their entire life... but come on... there's got to be some way of asking "did this person really intend to empty their bank account" to that person or a loved one before actually allowing the transaction to succeed. A fraud filter at the bank should see the owners age and know that something is off. Better to be wrong and be an annoying bank instead of mindless like HSBC and allowing this to happen.


It's the wrong question. What matters is only identity verification, including using all information available as you suggest.

But once this has been satisfactorily verified what the person does with their money is none of the bank's concern.


> Organisations, political parties, etc talk a good game when it comes to “support” or “mental health” or “community” but when the shit hits the fan, they’re all faceless organisations. Morally bankrupt and full of equality adverts and slogans.

Yup, that's the UK. Nothing in this country works anymore. People think it does until they have a problem and then they find everything is just a facade.

Need to call an ambulance? Emergency services will tell you to take an Uber. Been the victim of a crime? Police will do their best to make you go away. Victim of a fraud? It was your fault, go away. And so on.

and you pay for all of it: the highest taxes in living memory.

Sorry for the rant. Elections can't come soon enough.


> Sorry for the rant. Elections can't come soon enough.

I am sorry but British history says that regardless of how Labour polls today, on election day you’ll still end up with Tories. Or, alternatively, new new Labour for a couple of years and then Tories. That’s pretty much British politics for as long as there has been a UK.


And that explains where British politics and civilization is headed: regulatory capture, chaos, and dysfunction moving towards a conservative utopia because of a feckless left.


The sad thing is that you are correct.


That's not true; my understanding is that the UK police are the best in the world at making sure you are tracked down and punished if you say something unflattering about someone on the internet, or if you happen to be walking around with a chisel, or god forbid a pocket knife.

And then from what I've heard the NHS is the best run health care system in the world[1].

1. Best run according to this documentary https://www.youtube.com/watch?v=x-5zEb1oS9A


Yes Minister is more accurate than quite a lot of documentaries…


Fundamentally, there's a major conflict of interest here--what incentive do they have to actually investigate? Finding the truth means they're out the money. Letting it sit means they're not.

This will persist until we change the laws to make misbehavior more expensive than proper behavior.


Fraud is absolutely rampant[1] and the police / "In-"ActionFraud will do absolutely nothing about it. Combine this with the banks having reduced costs and outsourced everything, and the outcome is cases like this one.

[1] https://www.ons.gov.uk/peoplepopulationandcommunity/crimeand...


Support is bad because everything is outsourced, and the outsourcing companies are under huge pressure to cut costs and especially human costs. Everything is measured, and extra time responding to complaints is a huge red flag, so it's made as hard as possible to interact with humans. Time for empathy is out of the question, and it's probably a security risk.

In less than 5 years, all of this will be replaced by LLMs, and we will have the luxury of talking to a warm but completely fake human who will provide us even less help than before.


> and the outsourcing companies are under huge pressure to maximise profits and it's easiest to achieve at a human cost.


Feel bad for mum but this guy is annoying. When I have a business relationship with a bank, I don't expect them to show up at my house or be all up in a concern about my mental state. I don't show up at the branch to check in on the mortgage department's mental well being every time the rates go up, I don't send my condolences when the stock price tanks or they have a layoff, etc. It's not the nature of the relationship!

The main question is: did the bank fuck up and, if so, will they fix their fuckup? The TLDR of this thread seems to be that (1) yes, they fucked up and admitted it and (2) the author seems to believe it will be resolved. So that sounds fine. The expectation that the bank will toss mom a few quid outside of their remediation process seems preposterous.


I switched banks semi-recently. The biggest reason I chose this bank is because they have a policy that a human always answers the phone.

I tested them on this before I switched, multiple times. Most of the time, it was one ring. It was never more than two.

I wish I could tell you all to switch to my bank, but it's a local one, and I'd rather keep that information under wraps.


"@HSBC_UK allowed fraudsters to transfer all her savings for a period of 6/7 weeks comprised of c.150 transactions to one external account"

This doesn't sound right, and the Twitter thread is devoid of much detail as to the root cause here. Last I checked, HSBC had a physical code generator that had to be involved in approving transfers, so how were these transfers (150 of them!) actually made?

So, was this actually APP fraud? (in which case - let's not beat around the bush here - it's almost certainly the account holder's fault, but obviously things are less black and white when the account holder is vulnerable). Or was there actually a flaw in HSBC's account security which allowed criminals to gain access to the account?

None of these facts excuse the poor customer service, but there's generally good reasoning that these cases are dealt with by a dedicated fraud team and not by random staff in branches. There needs to be more regulation to ensure that they're staffed appropriately and victims aren't left in the lurch, though.


what makes it 'clearly not right' and why is it 'obviously the account holders fault'? Victim blame much?


> what makes it 'clearly not right'

It doesn't add up with my experience of how banks (incl. HSBC) deal with transfers.

> Victim blame much?

If we can't have a rational conversation about the actual factors leading to these sorts of events (i.e. exactly how the transfers were authorised, where the weakest link in the security chain was), how are we supposed to prevent future occurrences?

We can have all of the technical measures in the world in place, but if a customer explicitly consents to someone else logging in, or making these transfers - we should be discussing non-technical solutions instead.

Equally, if it turns out that the UI design of the existing security measures was poor and that led to this case, then that's something that industry can and should improve upon (or be forced to, via regulation).


HSBC UK is pretty serious about fraud, actually.

Their fraud department calls me several times a year to enquire about any transactions out of the ordinary to the point I am very careful when I travel abroad because I know they are bound to flag the activity.


> HSBC UK is pretty serious about fraud

And to play devil's advocate - from their perspective, _this_ claim could very well be fraudulent. Not accusing anybody of anything, but in theory it's not a bad scam - get your son to drain your bank account, move the money where it can't be found, claim you were hacked, get all your money back. I doubt that's what happened here, but the bank has to consider it.


Santander did the same. Including blocking my debit card after I’d been in Arizona for a week. That was a bit of fun, calling them from the middle of the desert with the time difference.

The problem is their profiling is out of whack. They should not treat foreign transactions from a frequent traveler with the same urgency (or more) as a vulnerable elderly person emptying their bank account over the course of weeks. They have all the data they need to do their job properly and then some. They are not afraid to use this data when it’s to sell you plans and mortgages.


Clearly they're phoning the wrong people then


You sure it is the bank and not fraudsters?


This is a serious problem. I had a fraudulent charge today that my credit card company caught. I got both a text and a phone call; the phone call bounced me from person to person, one asking for last four digits, the other asking for name, and when I couldn't immediately find the card to get the CVV the third offered to send me a two-factor code via text to confirm my identity... which said "we will not call and ask for code" in the text message.

Still not 100% sure it was the bank, so I asked for a reference number (which they couldn't provide) and said I would call back the number on my card instead.


HSBC publishes their relevant phone numbers so usually I just call them back.

Recently they also have started sending texts instead. They text that "your card ending with xxxx has been used for a transaction of x money at y company, did you make this transaction?" and you just reply Y/N. If you don't reply they start calling.


Yes, fraudsters don't have Indian accents ;)



