A tale of a SIPP administrator, a complainant's fraudulently intercepted email account and a missing £20,000

12 December 2023. Published by Ben Simmonds, Associate and Rachael Healey, Partner

The Pension Ombudsman Service (POS) recently upheld a complaint and in doing so, found a SIPP administrator (the Administrator) at fault for the release of £20,000 from Mr N's (the Complainant's) SIPP to a fraudster. The determination is a helpful reminder of the responsibilities of professionals when it comes to payment transfer requests and verifying the recipient of payments, with the POS finding that given the "red flags" in the case, contact should have been made directly with the Complainant to verify the payment request or additional checks undertaken. The determination highlights the dangers of processing transfer requests via email and that in some circumstances further checks may be needed if a request looks "fishy".

Circumstances giving rise to the complaint

On 9 April 2019, the Complainant emailed the Administrator requesting that £20,000 be released from his SIPP and provided to the Administrator the required documentation to facilitate the release. On 18 April 2019, the Administrator confirmed to the Complainant that £20,000 less the relevant tax deduction would be paid from his SIPP into his nominated bank account by close of business on 29 April 2019.

Prior to the release of the monies, the Complainant's email account was hacked by a fraudster. The fraudster emailed the Administrator via the Complainant's email address, stating that there was an issue with his bank account receiving transfers and requesting that the funds be transferred into an alternative bank account. The Administrator unknowingly sent the forms required to facilitate the bank account change to the fraudster and, during the exchanges which followed, the fraudster requested that the monies be paid into an international bank account or a third party's bank account; the Administrator confirmed that neither of these options was possible.

Following further exchanges between the Administrator and the fraudster, the Administrator stated that the payment request was already on the banking run for April and so the recipient account could not be amended. The £20,000 payment was subsequently released to the Complainant's bank account on 29 April.

On the following day, the fraudster emailed the Administrator with completed forms requesting that a further £20,000 be released. The Administrator sent the forms to the Complainant's financial adviser (the Adviser), and on 13 May 2019, the Administrator confirmed that the further £20,000 would be released into the bank account nominated by the fraudster.

Following the release of the further £20,000, this time into the fraudster's bank account, the Complainant noticed that his SIPP account stated that he had withdrawn a total of £40,000. The Complainant asked the Adviser to confirm its records as he had only withdrawn £20,000, following which the Adviser contacted the Administrator to request that it confirm its records with the Complainant. The Administrator contacted the Complainant to confirm the payments; however, the email was intercepted by the fraudster, who confirmed that the payments were correct.

The Complainant maintained to the Adviser that he had only requested a single payment of £20,000. The Adviser asked the Administrator to review the payments and whilst the Administrator was carrying out the review, the Adviser contacted the Administrator to confirm that it appeared as though a fraudster had hacked the Complainant's email account, which had led to the further £20,000 being released to a bank account unconnected with the Complainant.

The complaint to POS

A complaint was subsequently made to POS about the Administrator. The Administrator rejected the complaint broadly on the basis that the fraudster had provided the required documents, and that the Administrator had verified the documents said to have been certified by an accountant who had been verified via a search on Companies House. The Administrator also stated that it expected the Adviser to carry out its own verification process before counter-signing the documents sent to it by the Administrator. Furthermore, the Administrator asserted that the Adviser failed to identify and react when it had every opportunity to do so.

POS Determination

In upholding the complaint against the Administrator, the Ombudsman found that the Administrator owed a duty to the Complainant in relation to the payment verification steps it had taken and had breached that duty.

The Ombudsman concluded that the Administrator should have undertaken additional checks following the request to change the receiving bank account details, noting a number of "red flags":

  • The fraudster requested that the money from the SIPP be transferred to an international bank account and shortly following the Administrator's refusal to do so, the fraudster requested the money be transferred to a third party bank account, which the Ombudsman described as unusual.

  • The bank statement submitted by the fraudster when making the request (which was falsely presented as having been certified by an accountant) should have raised suspicions. The branch address on the bank statement, the address of the accountant who purportedly certified the statement and the Complainant's address were all in different locations and of some distance from one another, and so it was unlikely that the bank statement was a truly certified copy.

    The bank statement was of low resolution and whilst the content of the statement was typical and uncontroversial, it was clear that the certified copy wording had been physically scanned at a low resolution, and then most likely copied and pasted as a separate image onto the copy statement (which was at a visibly higher resolution).

  • The fraudster's assertion on 23 April 2019 that there was a "little problem" with their UK bank account meaning that it could not accept deposits was unlikely, particularly given the successful genuine payment to the Complainant's bank account on 29 April 2019.

  • Whilst the email sent by the fraudster to the Administrator was not illegible, it evidenced a number of errors.

The Ombudsman stated that whilst some of these factors may not have been sufficient to prompt further checks in themselves, when taken together they should have been enough to cause suspicion and prompt the Administrator to carry out additional checks. The Ombudsman suggested that the Administrator could have sought to verify the certification by contacting the accountant directly, using the accountancy firm's contact details, to confirm that the accountant did indeed certify the document, or could have spoken to the Complainant.

The Administrator was directed by the Ombudsman to pay the Complainant a sum equal to that required to ensure that the Complainant held the same number of units had the fraud not happened, less any fees payable to the Administrator throughout the period since the fraud. The Administrator was also required to pay the Complainant £1,000 for the distress and inconvenience caused.

What can be learnt?

Whilst the Ombudsman has included what further checks the Administrator may have taken in this instance, the determination does not specifically set out what checks an administrator should carry out when dealing with a request from a customer to transfer funds. This reflects the reality that administrators will need to keep internal policies under consistent review and there must be flexibility to allow for the identification of increasingly complex fraud and arguably an amount of "detective work" if requests do not "stack up" which may lead to further checks being needed.

This case serves as a useful reminder to all administrators when receiving transfer requests, and especially when doing so via email, to remain vigilant at all times and to have the internal policies and procedures in place in order to be able to respond appropriately to potential fraud.
