Fraud Complaints to the Banking Ombud Have Nearly Doubled

The Citizen reports fraud complaints to the Ombudsman for Banking Services nearly doubled year on year as digital scams surge across South African retail banking.
The Ombudsman for Banking Services recorded a near-doubling of fraud complaints year on year, according to The Citizen's reporting on the OBSSA caseload. Phishing, SIM swap and authorised push payment scams are driving the curve, and the curve is steep.
That number is being read in most banks as a fraud-loss problem. It is also a conduct-risk problem, and the regulator is about to make that explicit.
The complaint is the canary
Every fraud complaint that lands at OBSSA started as an internal complaint that the bank could not resolve. The customer phoned, emailed, walked into a branch, raised a chat. Somewhere in that loop, the bank either failed to detect the typology, failed to reverse the loss, or failed to communicate why it would not. Only then did the customer escalate externally.
This matters because the FSCA Conduct Standard for Banks, in force since July 2020, treats internal complaint resolution as a regulated outcome, not a service nicety. Treating Customers Fairly outcome six is specific. Customers must not face unreasonable post-sale barriers when they want to complain, claim or switch. A doubled OBSSA caseload is, by definition, evidence that those barriers are getting higher, not lower.
The FSCA's new OMNI-Risk Return, the structured conduct-risk reporting mechanism flagged by ENSafrica earlier this year, will pull complaint data into a single supervisory view. Boards that cannot explain their complaint trend lines will be explaining them to the regulator instead.
Fraud typologies mutate faster than fraud rules
The reason fraud complaints are surging is not that banks have stopped investing in fraud controls. They have invested heavily. The reason is that authorised push payment scams, in particular, defeat rules-based controls by design. The customer authorises the payment. The mule account looks clean for the first ninety seconds of its life. The social-engineering script evolves weekly.
Rules engines catch what they were written to catch. They lag the typology by the time it takes a fraud analyst to notice a pattern in a loss report, draft a rule, test it and push it to production. That lag is now measured in weeks. The scammers iterate in days.
The earliest signal that a typology is mutating is not in the loss data. It is in the language customers use when they call the contact centre. The phrase a victim uses to describe how they were tricked, repeated across fifty calls in a week, is a leading indicator. The loss report is a lagging one.
Complaints as strategic signal
This is where the contact centre stops being a cost line and starts being a conduct-risk instrument. Voice and chat transcripts, run through sentiment and conversation analysis, surface the language of emerging scams before the fraud team has named them. Auto-QA flags the calls where the agent missed the cue. Root-cause analytics cluster the complaints by typology, channel and product, not by queue.
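The leading-indicator idea described above (a victim's phrase recurring across many calls in one week), as an added example that is not from the article or from CXG: it counts distinct calls per three-word phrase and flags phrases that are common this week but absent from earlier weeks. The transcripts, week labels, function names and the threshold of three calls are constructed for the sample.

```python
import re
from collections import defaultdict

# Constructed sample: (ISO week, call id, transcript excerpt). Not real calls.
CALLS = [
    ("2025-W14", "c01", "My card was declined at the till and I want to know why"),
    ("2025-W14", "c02", "I was charged twice for the same debit order"),
    ("2025-W15", "c03", "My card was declined again at the till"),
    ("2025-W16", "c04", "He said he was from the fraud team and told me to "
                        "move my money to a safe account"),
    ("2025-W16", "c05", "The caller told me to move my money to a safe account "
                        "while they fixed it"),
    ("2025-W16", "c06", "I was told to move everything to a safe account, "
                        "safe account, he kept saying safe account"),
    ("2025-W16", "c07", "My card was declined at the till"),
    ("2025-W16", "c08", "My card was declined online"),
    ("2025-W16", "c09", "Card was declined twice today"),
]


def ngrams(text, n=3):
    """Set of n-word phrases in a transcript (lower-cased, punctuation dropped)."""
    words = re.findall(r"[a-z']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def emerging_phrases(calls, current_week, min_calls=3, max_baseline=0, n=3):
    """Phrases heard in >= min_calls distinct calls in current_week and in
    <= max_baseline distinct calls in all earlier weeks."""
    current, baseline = defaultdict(set), defaultdict(set)
    for week, call_id, text in calls:
        if week > current_week:
            continue  # ignore anything after the week under review
        bucket = current if week == current_week else baseline
        for phrase in ngrams(text, n):
            # A set per phrase means one caller repeating it counts once.
            bucket[phrase].add(call_id)
    return {
        phrase: len(ids)
        for phrase, ids in current.items()
        if len(ids) >= min_calls and len(baseline.get(phrase, ())) <= max_baseline
    }


if __name__ == "__main__":
    for phrase, count in sorted(emerging_phrases(CALLS, "2025-W16").items()):
        print(f"{count} calls: {phrase!r}")
```

"card was declined" also reaches three calls in the sample week but is suppressed because it already appears in the baseline weeks; only the new narrative surfaces.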
At CXG, the complaints we handle for regulated clients feed a structured root-cause loop back into the bank's first line of defence. The point is not the tooling. The point is that complaint intelligence is treated as a board-level signal, governed under TCF, and reported with the same discipline as a loss number.
That is the shift the OBSSA figures demand.
What boards should ask this quarter
Three questions are worth putting on the agenda before the next OMNI-Risk submission.
First, what is the gap between our internal complaint volume on fraud and our OBSSA escalation rate, and is that gap widening or narrowing? A widening gap means the internal resolution loop is breaking.
Second, how quickly does a new scam narrative travel from a contact centre transcript to the fraud rules engine, named, classified and acted on? If the answer is measured in weeks, the bank is reacting, not detecting.
Third, who owns the complaint root-cause output at executive level, and does that owner sit close enough to product, fraud and conduct to change something? If complaint analytics report into operations alone, they will be read as service metrics. If they report into the conduct-risk committee, they will be read as what they are.
The OBSSA numbers are not a customer-service story. They are a conduct-risk story with a customer-service surface. Banks that read them the first way will keep losing the argument with the regulator and with their customers. Banks that read them the second way will hear the next typology before it shows up in the loss column.