In an era where fraudsters continually evolve their methods to exploit financial consumers, “pig butchering” scams have emerged as particularly insidious.In December 2023, the arbiter for financial services issued a model addressing the assignment of responsibility between a payment service provider (PSP) and a payment service user (PSU) for fraudulent payment schemes. 

Building on this precedent, the arbiter has recently issued a technical note to spread awareness on the nature of ‘pig butchering’ type scams, as well as highlight the factors that will influence future decisions taken by the arbiter. 

This article distils the essential elements of this technical note, offering payment service providers and victims alike insight on the legal considerations, recommendations and remedies at law. 

Understanding pig butchering scams

At its core, a pig butchering scam is a fraudulent scheme that unfolds over weeks or months, during which the scammer employs social engineering and psychological manipulation to build a relationship founded on trust with the victim. 

Contact with a scammer is initially established via social media, interaction with advertisements and dating apps, whereby the scammer would gradually persuade the victim to invest in what appears to be a profitable investment opportunity, usually involving cryptocurrencies. 

Victims are typically steered by the scammer to invest in cloned or fake trading platforms designed to mimic legitimate investment returns. 

The scam culminates in the scammer coercing the victim into transferring additional funds under false pretences, such as alleged service fees or taxes, simultaneously instilling a sense of urgency so that payments are settled quickly by the victim who cannot pause to think twice, ultimately leading to severe financial loss and emotional distress.

Unlike one-off scams, such as authorised push payment (APP) fraud that typically involve smaller amounts, pig butchering schemes consist in several transactions over the course of time, and generally result in larger, more devastating losses. 

As a result, victims are filing complaints with the arbiter for financial services claiming that their service provider, such as a bank, failed to reasonably detect the abnormal transactions in a timely manner to prevent the financial ruin suffered. 

Transaction monitoring obligations and necessary reform 

Licensed payment service providers such as banks, financial institutions and virtual financial assets service provi­ders, have distinct regulatory obligations regarding payment transaction monitoring. However, all are bound by overarching fiduciary duties under the Civil Code and their respective licence conditions. 

Despite these clear legal obligations, the arbiter is calling upon PSPs to enhance their transaction monitoring systems and implement more robust onboarding procedures to further safeguard consumers. 

Banks and credit institutions

These service providers are subject to rigorous monitoring obligations to ensure the protection of their customers, who generally would have long-standing relationships with their bank. As a result, banks have access to the everyday transactions effected by their clients and consequently are expected to detect unauthorised or abnormal transactions using effective monitoring systems. 

The legal basis for the implementation of these monitoring systems primarily originates from Commission Delegated Reg­u­­lation (EU) 2018/389 of November 27, 2017, which specifically stipulates in Article 2(1) that “payment service providers shall have transaction monitoring mechanisms in place that enable them to detect unauthorised or fraudulent payment transactions”. 

The same regulation also emphasises that the transaction monitoring mechanisms must necessarily take into consideration the amount of each transaction, as well as known fraud scenarios in the context of payment services.

Once there is a suspicion that a transaction is unauthorised or fraudulent, the bank or other service provider is also authorised by law to block payments.

Victims are typically steered by the scammer to invest in cloned or fake trading platforms

Given their unique position with long-standing customers, banks and credit institutions are being urged by the arbiter to upgrade their monitoring systems to be able to analyse typical payment patterns and effectively flag unusual transactions that may indicate fraudulent activity.

Interestingly, the arbiter also emphasises that banks should not rely on the fact that transactions were made to a customer’s own account with a third-party service provider and thus refrain from intervening. When confronted with transactions that are out of character, banks have a duty to promptly contact and warn customers.

Documentation of all interventions, including the timing and nature of communications with customers is critical.

In adjudicating complaints, the arbiter will consider:

• The timing of the bank’s intervention(s);

• The extent and nature of any actions taken to alert the customer;

• The customer’s subsequent behaviour following these interventions.

Failure to intervene appropriately may influence the arbiter’s determination of liability, particularly where the abnormal payment patterns clearly suggest an ongoing fraud scheme.

Financial institutions (licensed under the Financial Institutions Act)

Although these entities might not have the benefit of long-standing customer data, they are equally responsible for monitoring transactions under the same above-mentioned regulation. However, where the complainant is not a customer of the PSP, but rather a payment was effected by the complainant to a third-party account held with that institution, fault would be challenging to prove on the basis of a lack of transaction monitoring. 

While some institutions may argue that complaints should be dismissed on jurisdictional grounds (e.g. the complainant not qualifying as an “eligible customer” under the arbiter for Financial Services Act), this stance is unsustainable.

Future amendments are expected to broaden the definition of eligible customers, allowing the arbiter to examine the merits of the complaint.

Financial institutions are being urged by the arbiter to enhance due diligence in onboarding procedures, particularly for corporate customers involved in handling funds derived from retail.

Additionally, these institutions must ensure that their corporate customers possess proper onboarding systems with their own clients to prevent exploitation by fraudsters.

The arbiter also calls for an elevation of suspicion where payment orders only provide an IBAN number without clear beneficiary identification. Moreover, the obligation to investigate only increases with each subsequent transfer that deviates from established norms.

Virtual financial assets service providers (VASPs)

These types of service providers facilitate custodial wallet services and digital asset transactions, including fund transfers between hosted and external wallets. 

Fraudsters in these circumstances generally coerce their victims into opening digital wallets, transferring funds from their bank accounts to the wallet in order to purchase digital assets, which are subsequently moved to external wallets controlled by the fraudsters. 

While VASPs are not held to the same transaction monitoring standards as banks, they are still subject to fiduciary duties and, increasingly, to record-keeping requirements under Regulation (EU) 2023/1113.

VASPs must now maintain reliable records on external wallet owners, particularly as their operations often involve transferring digital assets through complex networks that obscure ultimate beneficiaries.

According to the arbiter, VASPs should implement more robust onboarding processes, particularly for retail clients, and clearly warn them of the risks associated with custodial wallets and potential fraudulent schemes. Past decisions by the arbiter have already highlighted the need for VASPs to enhance their fraud prevention mechanisms.

Remedies for complainants

Victims of pig butchering scams should be aware that each complaint is assessed on a case-by-case basis. The arbiter’s decision will reflect the unique circumstances, including the timing of the service provider’s interventions, the robustness of monitoring systems and the conduct of both the victim and the payment service provider.

Consumers are advised to maintain thorough records of communications and transactions. Such documentation is crucial in substantiating claims that a service provider failed in its duty to monitor or intervene appropriately.

While the arbiter’s adjudications aim to be fair and equitable, they also serve as a push for financial institutions to upgrade their systems. Therefore, victims should not hesitate to raise their concerns, especially where systemic shortcomings contributed to their losses.

Conclusion

The emergence of pig butchering scams represents a complex challenge for the financial sector. The arbiter’s technical note underscores that while regulatory frameworks provide a baseline, institutions must go beyond mere compliance. 

Banks, financial institutions, and VASPs are expected to proactively upgrade their monitoring systems, engage in timely customer communications, and implement robust onboarding procedures.

Ultimately, the arbiter’s forthcoming decisions on pig butchering cases will not only resolve individual complaints but will also serve as motivation for the industry to safeguard consumers against increasingly sophisticated fraud schemes. 

Consumers are also reminded that if an investment opportunity sounds too good to be true, it likely is − and caution should always be exercised in all dealings involving crypto-assets and similar ventures.

Petra Grima is an associate at Fenech & Fenech Advocates.

Sign up to our free newsletters

Get the best updates straight to your inbox:
Please select at least one mailing list.

You can unsubscribe at any time by clicking the link in the footer of our emails. We use Mailchimp as our marketing platform. By subscribing, you acknowledge that your information will be transferred to Mailchimp for processing.