FIs Combating Romance Scams - The Good, the Bad and the Ugly

In October 2025, the UK’s Financial Conduct Authority (FCA) released a report on how banks and payment firms are dealing with romance scams.  This 10-page report is packed with information for any financial institution around the world to assess how they might perform in such an audit. 

The Financial Times highlighted that “The UK’s financial watchdog has warned that banks are failing to prevent a growing threat of romance scams, with cases rising by almost 10 per cent last year. The Financial Conduct Authority said on Friday that it had identified multiple instances where banks and payments companies had missed opportunities to identify suspicious transactions.”

The FT added more concern by saying Lloyds Bank recently “warned of a 52 per cent rise in romance scams over the past year for that age group (over age 55), compared with the previous year.”  This is the age group that losses the most amount of money in Authorized Push Payment scams.

The Report Methodology

• The FCA reviewed six bank and payment firms. Some were well established and some were new.

• The FCA reviewed 60 confirmed fraud cases. Cases where there was no scam loss were not included in this study.

• 85% of these cases originated from online platforms.

The Challenges the FCA Acknowledges

• The victims are well groomed (over weeks and months) in the romance scam before the victim ever starts the first financial transaction.

• The fraudsters have a high-level working knowledge of the banking sector and how to circumvent the fraud controls.

• There will be a number of romance scam cases the bank staff will not be effective in stopping the money transfers.

• Fraudsters may get the victims to start with low-value payments to ‘reinforce trust and avoid detection”.

• In nearly half of the cases reviewed, victims did not disclose the true purpose of the payment.  

• In some cases, the fraudster and the victim had met in person.

• In 15% of the cases, customers had previously been victims of fraud while banking with the same firm.

What the FCA Found

The FCA found that a number of firms were really doing a good job of detecting and blocking romance scam transactions.  This demonstrated “that meaningful, tailored care is not only achievable but can play a vital role in reducing harm.” 

Examples of good practices are:

• “Firms’ detection systems had adequately deferred high-risk payments for manual intervention, required customers to interact with a staff member before the payment instruction was confirmed.”

• “Use of various data points to improve their ability to detect suspicious transactions, such as previously being a victim of fraud, attempted payments to a high-risk beneficiary and funds being received from a loan provider and then promptly sent to money transfer services.”

• Information sharing between sending and receiving bank.

• Effective staff training on dealing with scams.

• Establishment of specialist scam teams to interact with customers/victims.

• Use of the Banking Protocol, where the bank staff can bring local police to the branch to talk with the customer.  This is a good control, but the FCA noted that firms reported “that the Protocol is not always effective when the customer remains under the fraudster’s influence and police intervention does not break it.”

• Compassionate aftercare.

• Meaningful efforts to help customers recognize and avoid fraud, using interactive education online, and using real life examples to highlight the risks of online relationships.

But, the FCA also found significant issues with a number of these firms.  This is an important finding because the UK has the strongest prevention regulations around consumer scams of any country in the world.  And if there are problems protecting consumers in the UK, then just think about how many financial institutions around the world might have deficiencies in detecting and preventing consumer financial scams.

This FCA report is just about romance scams, but think about investment scams/pig butchering (maybe larger than romance scams), impersonation scams and the other types of consumer scams.

So, what were the weaknesses the FCA detected?

• A firm failed to detect” 6 high-value payments totaling  over £131,000 sent to overseas jurisdictions.”  There was no prior history of such transactions.

• Over a one-year period, one “victim made 403 payments totaling £72,000.”

• Victims opened new accounts, transferred money from their existing account to the new accounts and immediately dispersed the funds.  The receiving bank failed to notice this activity.

• In some cases, investigators did not account for transactions made via methods other than Faster Payments, such as cash withdrawal, card transactions and gift card purchases.  This is key because the regulations focus on Faster Payments and not these other transaction methods.  Some of these firms appear focused on the regulations, not the problem.  Obviously, the fraudsters have figured out these gaps and move some of the victims to the non-monitored alternative transaction methods.  The FCA said: “Without capturing and analyzing the full spectrum of payment activity, they lacked a holistic view of romance fraud. This can limit the ability to detect emerging trends and shifts in fraudster tactics.”

• A victim told staff they wanted to send money via cryptocurrency payments to Iraq.  The staff saw screenshots of conversations and other clear indications of a romance scam but still approved the transactions.

• Many firms were not aware of customer vulnerabilities, but effective staff training can sometimes help staff identify these vulnerabilities.

Summary

The FCA gave credit to those institutions that are doing a good job in preventing romance scam losses.  But it also highlighted significant inconsistencies in how a number of firms deal with helping to stop romance scam losses.

This report highlights the importance of both detection and interdiction.  Even with the best anomaly detection, if the firm does not have excellent trained staff in the psychology of scams, the ability of the staff to convince the customer to cancel the transaction will be limited.

Michelle Hilscher, a PhD in psychology and a behavioral economist at the Deloitte Toronto office reminds us that staff training must be on-going as “finding the best approach for each customer interactions will take trial and error, just like how the scammer worked to master the best grooming pitch.”

The report also highlighted the need to address all payment transfer types—bank to bank, international, cash, crypto—when developing scam controls.

Another important point to bring up is the involvement of scam victims and their advocacy groups, such as AARP in the US and LoveSaid in the UK.  This can be an excellent way to help focus staff training on being effective in helping to convince the customer they are involved in a scam.

In a recent situation in the US, the apparent lack of victim advocacy involvement occurred.  The American Bankers Association put out a romance scam education ad that was panned by victim advocates.  So, money spent for education missed the mark.

To all FIs—take the time to read this FCA report in detail.  It is only 10 pages, but it is filled with a wealth of information.  Assess your firm and see how you think you might have scored in preventing romance scam losses.

About Ken Palla

Since 2005, Ken Palla has been in Online Security.  He was a Director at MUFG Union Bank, retiring in early 2019.  At MUFG Union Bank he managed the online security for both commercial and retail customers.  Ken was an advisor to the RSA eFraud Global Forum and a Program Committee member for the annual San Francisco RSA Conference. 

In 2019, he received the Legends of Fraud Award.  He has published many white papers—on the need to focus on online customer safety, on online authentication and on how to select a multi-factor authentication solution. 

Most recently, he has been writing about consumer financial scams and how around the world financial institutions are adding scam controls and sometimes providing reimbursement.  He is currently consulting to banks and to online security vendors and is a member of The Knoble Scam Committee.