The measures being introduced by banks to enhance their monitoring capabilities with regard to financial crime are “bearing a fruitful outcome” before the Arbiter for Financial Services, which has acknowledged these efforts in several decisions that have absolved financial institutions of most blame when their clients fall victim to scams.
The Arbiter’s decisions 33 and 39 of 2024 found Bank of Valletta (BOV) only responsible for 20 per cent of the complaints, which saw its clients lose thousands of euro.
In one case (ASF-33-2024), the victim received a text message, from the same number used by BOV, directing him to a spoof website, with instructions to input details that allowed the fraudsters to make off with just under €2,400.
A spokesperson for BOV tells WhosWho.mt that, unfortunately, the bank has no control over criminals spoofing its brand identity. “All we can do is communicate with customers to raise awareness, which we do on an ongoing basis.”
The spokesperson explained that such spoofs trick the customer into signing off on the transaction, effectively ordering the bank to make the payment.
“That is why it is so important to always keep in mind that bank employees never ask customers to divulge information to conduct financial transactions over the phone, even if the phone number from which calls are received seems to be legitimate.”
He pointed out that BOV has been undertaking various initiatives to mitigate the incidence of fraud.
“The Bank has increased awareness through communication in local media, social media, as well as through direct communication with customers. We advise to be vigilant and cautious, not to trust unofficial sites, not to give out bank account or card numbers in full, card CVV details, card PINs, internet or mobile banking passwords, codes, signatures, one-time passwords, or multi-factor authentication.”
When contacted for comment, the Arbiter for Financial Services agreed that “the client has an obligation to protect their access credential with diligence from fraudsters’ attempts for their procurement.”
But what of that 20 per cent of responsibility that was attributed to the bank?
In the case of ASF-33-2024, a mistake in the BIC code necessitated the manual intervention of a bank employee to fix the issue and clear the transaction for processing. The Arbiter argued that the nature of the transaction was suspicious enough to warrant flagging at that stage, when a human was actually looking at it.
The transaction of a significant amount being sent to a foreign account on a same-day priority basis, with the accompanying text “Please make sure that help goes towards mother,” presented features that, the Arbiter found, “are not conclusive [evidence of fraud] but were similar to other fraudulent payments that the bank had seen,” arguing that they should have made the bank realise [xegħlu bozza] that the payment should be referred back to the complainant.
The Arbiter uses a model framework when making its considerations as to whether a complainant deserves compensation. It takes several considerations into account, including banks’ obligation related to transaction monitoring systems, with the perceived lapse in BOV’s system leading the Arbiter to assign it 20 per cent of the blame for the successful scam.
“As the spread and creativity of fraudsters continue to evolve, banks are expected to strengthen their payment monitoring systems to protect their clients against fraud,” says the Arbiter.
Commenting on the Arbiter’s decision, the BOV spokesperson says the bank is “being pro-active and evolving and making improvements to our tools and processes to improve vigilance, including any instances of manual intervention that would have been carried out by the bank to comply with customer instructions.”
He added that the bank is “enhancing its monitoring capabilities to enable it to detect transactions suspected of financial crime, including that of money laundering and fraud, while flagging unusual or suspicious activity for further investigation.”
These measures, says BOV, “are bearing a fruitful outcome since, in the majority of cases where the bank appeared before the Arbiter for Financial Services in similar cases, the Arbiter acknowledged that the bank continues to implement effective measures to ensure that customers are protected in line with the applicable legislation when approving payments.
“This has influenced the outcome of the Arbiter’s awards, along with the fact that consumers should never willingly divulge their financial information or give instructions to authorise payments.”
The Arbiter for Financial Services also notes that its decisions are having an impact on banks’ behaviour, even allowing certain cases to be cleared at mediation stage without the need for a formal complaint.
“Following a number of decisions issued by the Arbiter, we have observed several instances where banks applied the model to complaints at the mediation stage and the parties reached settlement at mediation without the need for the complaint to be referred to the Arbiter.”
Nonetheless, “we are seeing too many cases relating to scams and fraud,” says the Arbiter. “These cases cause victims and their families not just financial ruin but also emotional and psychological stress.”
Tips to stay safe
The Arbiter for Financial Services has shared 10 important lessons that emerged from real experiences it has faced in the complaints referred to it.
- Be super cautious about clicking on links in SMSes or e-mails claiming to be from your bank, even if they look genuine. Banks don't send links this way!
- Keep your login details and security credentials strictly confidential. Don't share them with anyone, even if they claim to be from your bank. Safeguard your login details and never share them with anyone, no matter how convincing they seem.
- Be extra cautious when making unusual transactions, especially while travelling.
- Always double-check payment details before confirming. If something seems off, contact your bank directly through official channels.
- Report any suspicious activity to your bank immediately. Quick action can sometimes help recover funds.
- Be wary of requests to "re-authenticate" or "validate" your account, especially if they come unexpectedly. Banks will never send you links asking you to validate your account or re-authenticate. Always double-check directly with your bank if unsure.
- Stay informed about common scams. Pay attention to fraud warnings from your bank, especially direct communications. It's not enough to rely on your bank's general media warnings about scams.
- Trust your instincts. If a transaction or request feels unusual, take a moment to verify before proceeding.
- Familiarise yourself with your bank's security measures and proper online banking procedures.
- Remember, your bank will never ask you to transfer money to a "safe account" or share your full PIN or password.