Navigating the complexities of APP fraud litigation

Authorised push payment (APP) fraud occurs when a victim, whether an individual or a business, is tricked into making a payment to an account which the victim believes is held by a legitimate person or company, but in fact belongs to a fraudster.

APP fraud accounts for a significant and increasing percentage of fraud losses – 40 percent in 2022 – causing significant issues for individuals and businesses. So where do the parties caught up in this situation stand? There have been key decisions in case law in this area, as well as legislative developments.

The case law

Back in the 1990s, the case of Barclays Bank v Quincecare [1992] 4All ER 363 established that a bank has a duty not to execute a payment instruction given by an agent of its customer, without making reasonable inquiries if the bank has reasonable grounds for believing that the agent is attempting to defraud the customer. This is known as the Quincecare duty.

There is a delicate balance to be struck between the obligations on a bank when performing its duties and the protection of the customer. There have been relatively few cases in which the Quincecare duty has been found to have been breached. However, there have been attempts to expand the scope of the duty.

For instance, the Court of Appeal in JP Morgan Chase Bank NA v Federal Republic of Nigeria found that the question of what a bank should do when put on inquiry is a matter on the facts of the case, but in most cases would require something more than simply deciding not to comply with a payment instruction, which had the effect of adding a positive element to a bank’s obligation.

There was significant interest in the case of Philipp v Barclays Bank UK PLC [2023] UKSC 25, which raised the question of whether the Quincecare duty applied when the payment instruction was not issued by an agent of the customer. It also considered whether the duty should be extended to include obligations in circumstances of APP fraud. This had the potential to significantly expand the scope of the Quincecare duty.

In this case, Mrs Philipp was deceived into instructing her bank to transfer £700,000 into two offshore accounts. Upon discovering the fraud, attempts to recover the payments were unsuccessful.

The bank sought to summarily dismiss the claim, an application which was ultimately allowed by the Supreme Court. The Supreme Court decided that the Quincecare duty does not arise in circumstances wherein the customer has “unequivocally authorised and instructed the bank to make a payment,” such as in the case of an APP fraud payment. However, the Supreme Court refused to grant summary judgment regarding Mrs Philipp’s alternative case that the bank had breached its duty by not acting swiftly enough to recover the funds paid out. The court determined that the relevant matters could not be resolved at the interim summary judgment stage because there were factual questions that needed to be addressed.

In this instance, the claimant can therefore continue with her claim on this alternative basis. This basis has since been put forward in another recent case before the High Court - CCP Graduate School Limited v National Westminster Bank PLC and another [2024] EWHC 581 (KB). In this case, following payments totalling over £415,000 made into a fraudster’s account, it is argued that there is a duty owed by the paying and receiving banks to the fraud victim to take reasonable steps to retrieve the sums paid as a result of an APP fraud – a possible ‘retrieval duty.’ This duty is said to arise in tort.

On an interim application by the banks to summarily dismiss the claims against them, the court dismissed the claim against the bank which sent the payment due to limitation. However, the court refused to dismiss the claim against the receiving bank, of which the claimant was not a customer.

While acknowledging points made by counsel for the receiving bank, the judge concluded that, “whether or not it could be described as a developing area of law, there is … some uncertainty as to whether any such duty lies on the bank of those who can be assumed to have perpetrated the fraud.”

The judge noted from the evidence produced in the application that there might be a possible workable system for retrieval and anticipated that more evidence would be forthcoming should the claimant be allowed to proceed to argue the issue to trial.

Accordingly, the question as to whether there could be a retrieval duty in an APP fraud scenario, both against the paying bank (in Philipps) and the receiving bank (in CCP), has been left to be determined by the courts.

In Philipps, the Supreme Court made it clear that the issues arising in APP fraud cases ultimately need to be addressed by parliament rather than the judiciary:

“The type of fraud which occurred here is a growing social problem and can undoubtedly cause great hardship to its victims, as the sad facts of this case make all too clear. Whether victims of such frauds should be left to bear the loss themselves or whether losses should be redistributed by requiring banks which have made or received the payments on behalf of customers to reimburse victims of such crimes is a question of social policy for regulators, government and ultimately for parliament to consider.”

The legislation

The relationship between a bank and a customer is a contractual one but is also subject to a significant amount of legislation and regulation.

In response to the influx of APP fraud, the Contingent Reimbursement Model (CRM) Code was introduced in 2019, which aimed to reduce instances of the fraud and provided for the reimbursement of victims in certain circumstances. However, this Code is voluntary and has not been widely adopted.

However, on 7 October 2024, a mandatory reimbursement scheme will come into effect, pursuant to the Financial Services and Markets Act 2023. Although this is a step in the right direction, there are limitations to this scheme which does not have retrospective application.

For example, larger businesses are not protected, there is a maximum reimbursement limit of £415,000 per scam and the scheme applies to payments made within the UK Faster Payments Service only (which effectively excludes payments made overseas). Furthermore, the scheme is not a ‘sword’ for customers, in that there is not a provision within the scheme whereby a customer can enforce reimbursement by the banks.

Accordingly, given that a lot of affected parties will fall outside the mandatory reimbursement scheme, claims by victims affected by APP fraud are likely to continue to arise in the English courts, particularly if case law on the possible ‘retrieval duty’ develops in the fraud victims’ favour.