Combating APP fraud: law and legislation and the banks
By Michael Barnett and Kieran Bailey
APP fraud costs over £1bn annually, with banks and lawmakers grappling to protect victims amidst evolving threats and complex legal challenges
Authorised Push Payment (APP) Fraud is on the rise and estimated to cost over £1bn annually. Fuelled by online scams, artificial intelligence, and highly organised ‘fraud factories,’ APP fraud occurs when an unwitting victim is hoodwinked into transferring their money to an account operated by fraudsters posing as a legitimate outfit.
Yet, despite its prominence, holding banks liable to victims has proven legally problematic. Attempts to assist victims via the so-called ‘Quincecare duty’ have failed, albeit it took the Supreme Court in Philipp v Barclays Bank [2023] UKSC 25 to provide a definitive answer. Nonetheless, the court left open some scope for certain, perhaps novel, claims against banks.
The Quincecare duty
The so-called Quincecare duty originated in Barclays Bank v Quincecare Ltd [1992] 4 All ER 363. Mr Justice Steyn held that a bank should not execute a payment instruction given by a customer’s agent where it has reasonable grounds to suspect the agent is defrauding the customer, without making further inquiries of the customer.
In Philipp v Barclays Bank [2022] EWCA 318, the Court of Appeal controversially extended the duty beyond instructions by an agent to cover APP Fraud. However, the Supreme Court has unanimously reversed that decision.
In Philipp, the Claimant, had been duped by fraudsters pretending to be from the Financial Conduct Authority into transferring large sums to UAE bank accounts. Mrs Philipp gave payment instructions in branch at Barclays Bank. The bank duly executed her instructions, and the money was gone.
Mrs Philipp claimed against Barclays for breach of its Quincecare duty and for failing to take adequate steps to recover the money after becoming aware of the fraud.
The Supreme Court rejected the argument that the bank should not have performed the transaction, basing its decision on the first principles of banking law. It is a bank’s basic and strict duty within the banker-customer contract to comply with a customer’s payment instructions, where their account is in credit. Bankers are not to query the wisdom of their customer’s transactions.
In concluding that the duty is grounded in the "principles of agency," Lord Leggatt rejected the reasoning in the original Quincecare case and subsequent authority, that there was a “tension” between a bank’s duty to execute its customer’s instruction and its duty to do so with reasonable care and skill. Rather, the Quincecare duty is an application of the bank’s general duty of care in interpreting, ascertaining, and acting in accordance with the customer’s instruction. Agents do not have authority to defraud customers. Thus, where a bank suspects this is occurring, the bank’s duty to protect the customer is engaged.
However, the Quincecare duty will not protect customers 'from themselves' where they intend to make the payment, even at the instigation of a fraudster.
A missed opportunity
While banking law purists may applaud this decision, it could be argued that the court missed an opportunity to update fundamental banking principles to deal with a pernicious modern threat. Big banks are better placed than customers to assess the risk of APP fraud and if a banker suspects a customer is being defrauded, surely they should make further inquiries before proceeding?
Nonetheless, the Supreme Court did identify two scenarios where a customer might be able to bring a claim successfully against their bank after falling prey to APP fraud.
First, where a banker has information to hand which, if the customer had it, would dissuade them from making the payment instruction. The court derived this duty from an Australian judgment, Ryan v Bank of New South Wales [1978] and left to future argument whether Ryan determined the correct legal test.
The court observed that in a hypothetical scenario where the police have told a bank that a customer’s instruction has been procured by fraud “it may be right” that the banker make further enquiries of the customer before proceeding.
The fact that it merely ‘may’ be right to delay payment shows that the application of this test may be very limited, yet the ambiguity surrounding the scope of the Ryan test may encourage speculative litigation by victims. .
Secondly, Philipp left open claims for breach of a bank’s ‘retrieval duty,’ giving the claimant an opportunity to pursue this claim at trial. Recently, in CCP Graduate School v National Westminster Bank Plc [2024] EWHC 581 (KB) the High Court considered a claim for failure to take adequate steps to recover monies dissipated to fraudsters.
The claim against NatWest was time-barred, but the court held the claimant could continue its claim against Santander as there was an arguable case that Santander, as the fraudster’s banker, owed NatWest’s customer a retrieval duty. Clearly, it remains to be seen how the courts will interpret the scope of the duty to retrieve lost funds.
The Supreme Court viewed tackling APP Fraud as a social question for Parliament. Steps are clearly being taken. The Payment Services Regulator has established a new compensation scheme for consumers, charities, and micro-enterprises which comes into force on 7 October 2024.
Under this scheme, payment service providers (PSPs) will compensate customers who are victims of APP fraud within five working days, up to the value of £415,000. The PSP can delay the compensation for 35 business days after the claim to gather further information. Typically, the sending PSP will be able to claim back 50 per cent of the cost of compensation from the receiving PSP. Customers will need to claim within 13 months of the fraud, although a PSP may extend this voluntarily. Customers (excluding vulnerable customers) must exercise a “standard of caution” based on four elements to qualify for compensation.
Looking ahead
The scheme clearly provides new protection for customers and may nudge PSPs to strengthen fraud prevention measures. However, it only deals with the consequences of APP Fraud after the crime has been carried out and it would not have fully reimbursed victims like the Philipps.
HM Treasury has proposed the Payment Services (Amendment) Regulations 2024. Under this, a PSP may delay outbound transactions by up to four business days if it suspects fraud, with reasonable grounds to be established by the next business day. This power can only be used to contact the customer or a third party to decide on the payment. PSPs must inform the customer of the delay, the reasoning, and any required actions or information, unless doing so would be unlawful, such as violating anti-money laundering regulations.
The new power may be welcomed by consumers but clearly raises several critical issues. First, there are risks that a bank’s statutory duty to inform a customer of the reasonable grounds it suspects APP Fraud may conflict with its duty to not tip-off customers under anti-money laundering legislation.
Secondly, companies will have the right to opt-out of the policy. In such cases, a bank may only delay a transaction by one day. If, however, a bank froze funds belonging to a company which had opted-out, on suspicion of financial crime, could the bank be sued for breach of the opt out? The bank may not be able to explain its reasons without letting the cat out of the bag, thus contravening its duties under the Proceeds of Crime Act 2002. Perhaps an extreme case, but would the bank have a defence?
Thirdly, PSPs will be liable for any interest or charges which customers incur because of a delay. However, how far will such liability extend? What happens if the customer faces substantial or long-term financial losses? Would the customer have strong grounds to bring a claim if they are not reimbursed promptly or in full?
Unless improvements are made to the legislation, banks will clearly have to chart a careful course when navigating such choppy waters, including drawing up and implementing clear policies, which may have to be accessible to customers.
The Supreme Court in Phillip has held the line on the foundational principles of banking law. The Quincecare duty cannot be invoked in cases of APP Fraud. However, banks will need to keep a close eye on the “retrieval duty” litigation and possible claims under the Ryan test. Finally, it remains to be seen whether the Government’s new measures will effectively combat APP Fraud, and whether the risks inherent in the proposed regulation, particularly in relation to scenarios where APP Fraud and money laundering are simultaneously suspected, will inadvertently create new problems for banks.