Authorised Push Payment frauds – plenty of sympathy but few easy answers

In the COVID era of increased online frauds, this week’s judgment in Philipp v Barclays[1] provides useful guidance on the criteria applied by Courts when faced with “Authorised Push Payment” (APP) frauds. APP frauds involve a customer willingly transferring money away from their own account at the request of a fraudster. This article explores the law and regulation surrounding such issues and asks whether more should be done to help those impacted.

The Philipp claims and Authorised Push Payments

Mrs and Dr Philipp were duped by a man claiming to work for the Financial Conduct Authority (FCA) who stated that a fraud was being carried out by certain members of HSBC staff. Dr Philipp was told to transfer his monies into "safe accounts" in the United Arab Emirates protected by the FCA. He was told the investigation involved a “higher level” than the police, and he should not speak to them regarding the issue.

Despite receiving advance warnings by the police, the Philipps twice attended Barclays branches and, in accordance with the fraudster’s instruction, made two payments of £400,000 and £300,000 to the UAE accounts. The extent to which checks and queries were raised by Barclays was not agreed between the parties, although it was clear Mrs Philipp identified herself as the customer and was certain she wanted the payments to be made. A third intended payment of £250,000 was blocked by Barclays pending a review.

As any Google search will reveal, the Philipps are far from the only individuals impacted by APP frauds, with examples including:

  1. Payments intentionally made as a result of online relationships which later turn out to be fictional.
  2. Fraudsters intercepting and amending legitimate emails, often purporting to be from a customer’s conveyancer in the context of a house purchase, requesting urgent payment via updated bank details.
  3. Customers who are so convinced by a cold calling fraudster that their money is at risk that they repeatedly ignore their bank’s generic warnings designed to guard against fraud.

The law and regulations

The Court dismissed the Philipps’ claim at summary judgment stage. The judgment noted that “one cannot reasonably feel anything other than acute sympathy” for the Philipps but it would be wrong in the circumstances for the bank to be left with the bill.

It was common ground that a summary of the relevant test to be applied in such cases was:

"When executing the customer's instruction to make a funds transfer the bank acts as its customer's agent. Acting as agent the bank owes the customer a duty to observe reasonable care and skill in and about executing the customer's orders. The duty arises both at common law and under statute."

Barclays’ position was that this duty was restricted to using reasonable care and skill when executing the instruction (e.g. correctly transcribing the account details) and not to execute the instruction if an ordinary prudent banker would consider the instruction resulted from an attempt to misappropriate funds.

The Philipps claimed the duty extended to "a duty to refrain from executing an order of Mrs Philipp if and for so long as it was put on inquiry, by having reasonable grounds for believing that the order was an attempt to misappropriate funds from Mrs Philipp”. The Philipps had outlined several examples of what, on their case, the bank should have done in this respect, including an analysis of analytics to spot fraud, identification of customers susceptible to fraud and increased staff training.

In a lengthy judgment, the Court held the duty did not extend in the manner suggested by the Philipps with key conclusions including:

“In other words, [Mrs Philipp] says that the Bank was under a duty to second guess her decision as to how she wished to spend her money. In my judgment, the existence of such a duty would involve the triumph of unduly onerous and commercially unrealistic policing obligations over the bank's basic obligation to act upon its customer's instructions.”

“There is in my judgment no proper basis for imposing liability upon a bank in respect of alleged omissions which, viewed from the perspective of the purpose behind the suggested duty to act, really relate to testing the genuineness of the recipient of the monies rather than the genuineness of the instruction to pay the monies (whatever the circumstances behind that instruction may be and whether or not the payor might have a compelling claim in deceit against the payee as a result of them).”

2019 Voluntary Code

Following public outcries at some of the shocking stories of APP frauds, and a super-complaint from the consumer body Which?, 2019 saw the introduction of a Voluntary Code to regulate treatment of victims of APP frauds.

As well as increasing the obligations on signatory banks to increase measures to prevent/detect fraud, the Code confirms the position as to when banks should reimburse the funds if the customer has done everything expected under the Code. It was heralded as a potential game changer, preventing banks from relying on generic statements in terms and conditions warning against fraud and creating an obligation to repay the funds unless there was clear evidence of fault on the customer’s part.[2]

It is, however, by no means a panacea for the defrauded customer. It still allows a bank to reject claims from customers who failed to heed warnings, acted “grossly negligently” or where business customers had not followed their own internal payment authorisation procedures.

Recent studies by the Payment Service Regulator suggest banks are relying on such exemptions, and frequently refusing to refund the sums despite the terms of the Code.[3] Some financial institutions are said to reject over 90% of fraud claims brought to their attention.

Commentary

Given the money will rarely be recovered from the fraudster, deciding whether the customer or bank should pay is a difficult and fact specific question. The bank would (as Barclays did in Philipp) argue that it would be unfair for them to become the insurer of last resort, effectively underwriting all losses when they had no reason to suspect this was not a genuine payment to the intended recipient. Additionally, banks who refuse to action customer requests for fear of them later being found to be fraudulent could be faced with criticism for refusal to process genuine payments.

The Voluntary Code remains in place until June 2021 and conversation has turned to what should be done in terms of a long-term solution to the problems of APP frauds. The impact of the Voluntary Code has, as above, been muted and recent press reports suggest that Nationwide is looking to move away from it, with several other financial institutions said to be lobbying to water down its impact. UK Finance, the Treasury Committee and Which? have argued that the consumer protections should be laid down in legislation rather than in optional reimbursement schemes.

Ultimately, whether abandoning or strengthening the Voluntary Code or by introducing legislation, there will always be arguments as to whether more could or should have been done by the customer or the bank. Much turns on the specific facts of the fraud, especially given the rapidly evolving sophistication by which these frauds are committed, and it becoming more difficult for the customer to have known the action to be fraudulent.

Part of the Voluntary Code involved the establishment of a “no blame” pot from which compensation could be paid in circumstances where both the customer and the bank have fulfilled their obligations under the Code. Even this compensatory pot, designed to cover grey areas where it seems all parties acted as they should have done, is unlikely to be the answer. It would not have helped the Philipps and there would still remain questions about whether the bank/customer had indeed complied with their Voluntary Code obligations, which is the precursor to accessing the fund.

There are also wider considerations at play – James Cohen, Money Editor at The Times, wrote a piece late last year arguing that a greater propensity to refund customers could help to combat fraud as it may make victims more likely to open up about the detailed facts of what happened. This would lead to higher levels of police referrals containing specifics of the fraud, in turn increasing the chances of actually catching the wrongdoers and, hopefully, decreasing long term fraud.

If there was consensus about the continuation or expansion of the no blame compensation reserve, banks have been keen to emphasise that others who innocently help facilitate frauds should also be required to contribute. An obvious example included the mobile phone industry, which is often used to facilitate APP frauds via suspect text messages which appear as if they were sent by a bank.

In summary, there are no easy answers to who should foot the bill for APP frauds and it is difficult to see arguments as to where the loss lies will go away soon. One thing is clear though – anyone faced with an initial rejection will be well advised to examine carefully the reasons for refusal along with the relevant provisions of the Voluntary Code and the relevant terms and conditions.

Footnotes

[1] [2021] EWHC 10 (Comm)

[2] This did not apply in the Philipps’ case as the Voluntary Code only applies to domestic payments post-dating its introduction in May 2019.

[3] Bucking that trend despite not being a signatory to the Voluntary Code is TSB – in 2019 they refunded 99.6% of submitted claims.