News and Publications

Authorised Push Payment fraud: should the alarm bells be ringing?

Posted: 22/12/2021

According to UK Finance, consumers lost a whopping £355.3 million to Authorised Push Payment (APP) fraud in the first half of 2021, an increase of 71% compared to the same period last year. The vast majority of the funds lost due to APP fraud are never recovered, sadly leaving consumers and businesses out of pocket.

What is APP fraud?

APP fraud is where an individual or business is tricked into authorising a payment from their bank account to a fraudster posing as a genuine recipient. The most common types of APP fraud include impersonation fraud, purchase scams, invoice scams or romance scams. Because the payments appear to be properly authorised by the account holder, the frauds can be particularly difficult for the paying bank to detect, and this is why there is currently no automatic reimbursement scheme for the victims. 

What is being done about APP fraud?

In July 2021 the Financial Conduct Authority (FCA) announced its Business Plan for 2021/22, and at the heart of this was a commitment to increasing the level of protection to consumers. There were indications that there would be more onerous duties on banks in this regard. As part of its consultation on a new consumer duty, the FCA indicated the possibility of a private right of action for breaches of the FCA Principles for Business. If implemented, this would give certain victims a right to sue firms where they had breached the FCA principles. The principles are broad, and there would be considerable scope for allegations that a principle - for example, the third principle, requiring that a firm take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems - had been breached by a firm in the context of authorised push payments. This would be wider than the current right for consumers to bring a private action for breach of the FCA rules under section 138D of the Financial Services and Markets Act 2000. Unfortunately, the FCA’s further consultation paper now suggests that, while they will keep matters under review, they no longer intend to attach a private right of action against any aspects of the new consumer duty at this time. This consultation is open until February 2022.

Similarly, the Payment Systems Regulator (PSR) announced proposals in November 2021, including the requirement for banks to publish their fraud data, such as their performance in relation to APP scams, reimbursement to the victim, and details of which bank and building society accounts are being used to receive the fraudulent funds. There was also a focus on intelligence sharing that will enhance the detection and prevention of APP scams. This consultation is open until January 2022.

The recent decision in Philipp v Barclays UK plc [2021] EWHC 10, however, is a reminder that the courts remain reluctant to extend the bank’s ‘Quincecare’ duty to include fraudulent transactions that have been authorised by an individual customer. The Quincecare duty requires banks to exercise reasonable care and skill in carrying out a customer’s instructions. This duty arises once the bank has been ‘put on inquiry’, meaning that there are reasonable grounds for believing that the instructions may be an attempt to misappropriate the customer’s funds, and it requires the bank to refrain from executing the order. This duty does not require proof that there is an attempt to misappropriate the funds; the standard is lower as there only need to be reasonable grounds.

In Philipp, the claimant argued that the bank had a duty to query her instructions when she, acting on the instructions of a fraudster who had convinced her that she was assisting the FCA and National Crime Authority, requested that the money in her account be moved to a foreign bank account. The court struck out the claimant’s claim and approved the defendant’s application, ruling that the Quincecare duty of care did not extend to protecting the claimant from the consequences of her own genuine instructions. HHJ Russen QC, finding in favour of the bank, held that i) the bank’s primary duty is to act on a customer’s instructions; ii) it was not practical to extend the duty; and iii) the Quincecare duty applies only to corporate customers and unincorporated associations.

There is a tension between the sentiment behind the FCA and PSR consultations and the recent decision in Philipp. Add into the mix the voluntary CMR Code, under which signatory firms/banks commit to protect their customers with procedures to detect, prevent, and respond to APP fraud, and it will be interesting to see how the law and regulation in relation to APP fraud will develop in 2022, and whether it will give teeth to currently voluntary protections for consumers. Watch this space closely…

Return to news headlines

Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority.

Penningtons Manches Cooper LLP