
The Banking Protocol and financial harm

In 2017, the British Standards Institution (“BSI”) launched a code of practice for financial institutions (including banks) that sought to give recommendations to organisations for protecting vulnerable customers from financial harm. Whilst a breach of the protocol may not mean immediate reimbursement by an organisation, it is certainly a helpful indicator of what standards they are expected to meet and a weapon in your arsenal if you can show breaches.


  • There are numerous protocols, codes and agreements that seek to protect victims of fraud.
  • One of these is “BSI: PAS 17271: 2017 Protecting customers from financial harm as a result of fraud or financial abuse”.
  • This protocol is a code of practice for financial institutions which seeks to give recommendations for protecting vulnerable customers from fraud and financial abuse.
  • Amongst other things it encourages banks to take a proactive approach to minimising risk and provides examples of potentially suspicious activities on customers’ accounts.
  • Reliance on the “BSI: PAS 17271: 2017 Protecting customers from financial harm as a result of fraud or financial abuse” may not necessarily be a ‘golden bullet’, but it could add weight to either a bank or Financial Ombudsman complaint.

Standards in the financial services industry

Unfortunately, more and more people are finding themselves a victim of fraud, especially in the current climate when reliance on the cyber world is ever more prevalent. There are many sophisticated scams that can catch out even the most savvy of us and those who are vulnerable may find themselves at an even higher risk.

Many people find themselves having to complain to their own bank after having been a victim of fraud, and due to the plethora of protocols and obligations, this can be a minefield.

There are two key regulators in the UK. The Prudential Regulation Authority (“PRA”) is responsible for the financial safety and soundness of banks. The Financial Conduct Authority (“FCA”) is responsible for how banks treat their clients and behave in financial markets.

Under FCA principles, banks have a duty to exercise reasonable skill and care, pay due regard to the interests of their customers, follow good industry practice and take steps to keep their customers’ accounts safe, as well as other obligations.

Often these principles are bolstered by codes of practice, and one such code of practice is “BSI: PAS 17271: 2017 Protecting customers from financial harm as a result of fraud or financial abuse” (“the Code”). In November 2017, the BSI launched this code of practice to protect customers from fraud and financial abuse.

The BSI is the national standards body of the UK. It produces technical standards on a wide range of products and services and also supplies certification and standards-related services to businesses.

What is fraud/financial harm?

Fraud is a criminal act involving deception intended to result in financial gain. Financial abuse is slightly different in that it is defined as the criminal act of controlling a person’s property (e.g. money) intended to result in the financial or personal gain of the abuser.  It is typically carried out by people in a position of trust.

What is the Code?

It is an initiative between the police, banking institutions and Trading Standards. Its aim is to encourage bank staff to be proactive in spotting scams before money is handed over. The Code also enables branch staff in certain situations to alert local police to suspected fraud.

The Code gives recommendations to organisations on how to identify customers who might be at risk of financial harm that might occur as a result of fraud or financial abuse, how to assess the potential risks to the individual and how to take the necessary actions to prevent or minimise financial harm.

What is the objective of the Code?

The underlying premise of the measures is that how an organisation treats its customers can contribute to levels of financial harm. For instance, if there are inadequate systems in place that fail to identify, inform, protect and support customers, vulnerable customers are more likely to be susceptible to harm. The objective therefore is to help organisations protect customers from financial harm by identifying good practice in systems and procedures to prevent and detect fraud and financial abuse, recognising customers that might be susceptible to risk and advising on the best way to respond to certain situations.

Identifying vulnerable customers

It can sometimes be hard to identify vulnerable customers as vulnerability is dynamic in nature. It can be temporary or permanent and can be caused by a variety of factors.  Banks should consider whether the customer is able to communicate effectively, make decisions or take actions that are in their best interests.  However, the Code provides recommendations, guidance and a checklist for organisations to help them navigate this potentially tricky area.

What does the Code recommend?

It establishes that, as a general principle, the organisation should deliver a service that:

“3.1(b) takes a proactive approach to minimising risks, impact and incidences of financial harm”

It sets out systems and tools for the prevention and detection of fraud and financial abuse. As a general point, it says organisations should ensure that all systems are developed using technologies and methodologies that are effective in the prevention of fraud and financial abuse, through authorised and non-authorised payments, thereby minimising the risk of financial harm to customers.

As regards the detection of fraud and financial abuse, it says the organisation:

“5.3.1 should have measures in place across all payment channels and products to detect suspicious transactions or activities that might indicate fraud or financial abuse”. It then lists the following examples of suspicious activity on customer accounts:

  1. multiple chequebooks;
  2. sudden increased spending;
  3. transfers to other accounts;
  4. multiple password attempts;
  5. logins from new devices, multiple geographical locations;
  6. sudden changes to the regular operation of the account;
  7. a withdrawal or payment for a large amount;
  8. a payment or series of payments to a new payee;
  9. financial activity that matches a known method of fraud or financial abuse.

And it goes on to say any suspicious transactions should be flagged on the system and the appropriate member of staff notified.
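
Four of the indicators listed above (4, 5, 7 and 8) expressed as rules over account events, as an added example that is not taken from the Code or from any bank's system. The event fields, the thresholds and the sample data are assumptions; the Code names the indicators but sets no numeric values.

```python
from datetime import datetime, timedelta

# Assumed thresholds: the Code lists the indicators but gives no numeric values.
LARGE_AMOUNT = 5000                       # GBP, single payment
FAILED_LOGIN_LIMIT = 3                    # failed logins inside LOGIN_WINDOW
LOGIN_WINDOW = timedelta(minutes=10)
NEW_PAYEE_SERIES = 3                      # payments to new payees inside SERIES_WINDOW
SERIES_WINDOW = timedelta(hours=24)       # how long a payee counts as "new"

# Constructed sample events for one account (not real data).
SAMPLE = [
    {"ts": "2021-01-04T09:00:00", "type": "login_failed"},
    {"ts": "2021-01-04T09:01:00", "type": "login_failed"},
    {"ts": "2021-01-04T09:02:00", "type": "login_failed"},
    {"ts": "2021-01-04T09:05:00", "type": "login_ok", "device": "dev-new"},
    {"ts": "2021-01-04T09:10:00", "type": "payment", "payee": "P-NEW", "amount": 4000},
    {"ts": "2021-01-04T10:00:00", "type": "payment", "payee": "P-NEW", "amount": 4500},
    {"ts": "2021-01-04T11:30:00", "type": "payment", "payee": "P-NEW", "amount": 6500},
    {"ts": "2021-01-04T12:00:00", "type": "payment", "payee": "P-RENT", "amount": 800},
]

def flag_events(events, known_payees, known_devices):
    """Return (event_index, indicator) pairs to put in front of staff."""
    flags, failures, recent = [], [], []
    devices, first_paid = set(known_devices), {}
    for i, ev in enumerate(events):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login_failed":
            failures = [t for t in failures if ts - t <= LOGIN_WINDOW] + [ts]
            if len(failures) >= FAILED_LOGIN_LIMIT:
                flags.append((i, "multiple password attempts"))
        elif ev["type"] == "login_ok" and ev["device"] not in devices:
            devices.add(ev["device"])
            flags.append((i, "login from new device"))
        elif ev["type"] == "payment":
            if ev["amount"] >= LARGE_AMOUNT:
                flags.append((i, "payment for a large amount"))
            if ev["payee"] in known_payees:
                continue
            # A payee stays "new" for SERIES_WINDOW after its first payment.
            if ts - first_paid.setdefault(ev["payee"], ts) <= SERIES_WINDOW:
                recent = [t for t in recent if ts - t <= SERIES_WINDOW] + [ts]
                flags.append((i, "payment to a new payee"))
                if len(recent) >= NEW_PAYEE_SERIES:
                    flags.append((i, "series of payments to a new payee"))
    return flags

if __name__ == "__main__":
    for index, indicator in flag_events(SAMPLE, {"P-RENT"}, {"dev-home"}):
        print(index, SAMPLE[index]["ts"], indicator)
```

No single payment before the last one crosses the assumed large-amount threshold, so it is the new-payee and series rules that surface the pattern early.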


The Financial Ombudsman relies on a combination of the relevant law, rules, regulations, guidance and good practice when considering a complaint from a customer. It has been known to rely on the Code when considering whether to request a bank repays a customer’s money. One such example can be found through this link. In brief, the customer was persuaded to part with £15,000 through numerous different transactions. It was found by the Financial Ombudsman that the type of activity on the account was the type of activity that the Code warned against and that the bank should have done more to intervene. If they had, then the fraud could have been averted.

If you have been a victim of fraud or financial abuse, then reliance on this Code could help you apply pressure to the bank to reimburse the payment(s) made.  By no means is this a magic bullet but it is certainly helpful.

If you are a bank, these obligations should not be overlooked.

We advise on the obligations on banks relating to monitoring fraud risk to customers.  If you need assistance on navigating these areas, we can help.  If you need guidance, then do not hesitate to get in touch at

Published on January 12, 2021


Copyright © Tenet Law. All Rights Reserved.

Tenet Compliance & Litigation Limited. Registered Office, Sterling House, 71 Francis Road, Edgbaston, Birmingham B16 8SP. Registered in England and Wales. Registered No: 09776405. Authorised and regulated by the Solicitors Regulation Authority. SRA Identification No. 626562.
