Authorised Push Payment Fraud – court rules on scope of banks’ obligations
In March 2018, Mrs Philipp transferred two payments to accounts in the UAE, totalling £700,000, representing her and her husband, Dr Philipp’s savings. In doing so, Mrs and Dr Philipp thought they were assisting an investigation by the FCA and National Crime Agency (“NCA”) into fraudulent activities. Unfortunately for the Philipp family, they were, in fact, the victims of that fraud, not helping to tackle it.
Dr Philipps authorised transfers to Mrs Philipps’ accounts from his own, and Mrs Philipps authorised the transfers to the two UAE-based bank accounts. They knew the destination of the funds, and meant for them to be sent. What they did not know was that the two accounts were controlled by fraudsters, who had tricked them into making the payments to “safe” accounts, as part of investigations into an alleged fraud.
This type of scam is known as authorised push payment (“APP”) fraud. The customer instructs their bank or other payment services provider to transfer money from their account and the transaction is carried out with their consent. As such it is authorised by the customer (even if the authorisation resulted from a fraud). APP fraud is a growing problem in the UK.
Whilst Mrs Philipp’s bank tried to get the funds back from the receiving bank on being made aware of the APP fraud, it was unable to do so. Mrs Philipp sued the Bank, on the basis that it was under a duty to do more to prevent Mrs Philipp failing victim to the scam. This blog analyses the judgment on a summary judgment application made by the Bank, which sought to have Mrs Philipp’s claim struck out.
The Bank’s duties
Banks and other payment services providers have a duty to exercise reasonable care and skill when executing customers’ orders. This boils down to two primary duties when processing customer transactions:
They need to comply with instructions given by the customer in accordance with their mandate, and make sure the right sums are transferred to the instructed accounts.
They are also under a Quincecare duty (named after the decision in Barclays Bank plc v Quincecare Ltd  4 All ER 363).
The second obligation is subordinate to the primary duty. Mrs Philipp’s case hinged on the extent of that secondary obligation.
The Quincecare duty
In Quincecare, the scope of the duty was found to be “that a banker must refrain from executing an order if and for so long as the banker is “put on inquiry” in the sense that he has reasonable grounds (although not necessarily proof) for believing that the order is an attempt to misappropriate funds of the company…And the external standard of the likely perception of the ordinary prudent banker is the governing one.”
Mrs Philipp argued that the Bank had a duty to protect her from making a payment like the payments she made, and so falling victim to this type of APP scam. She said the Bank should have in place policies to detect and prevent APP fraud, and to reclaim monies subject to a potential APP fraud. Mrs Philipp suggested that had the Bank done this, it would have led to the payments being stopped or delayed, giving Mrs Philipp a chance of recovering the money.
It is worth noting that Mrs Philipp was asked by the Bank when making the transactions whether she wished to proceed, and confirmed that she did. She also confirmed to the Bank (incorrectly, but as the fraudster had directed) that Dr Philipp had had prior dealings with one of the purported beneficiaries to whom the transactions were directed. Mrs and Dr Philipps also refused to engage with police enquiries, having been told by the fraudster that police involvement could jeopardise the FCA/NCA investigation.
In contrast, the Bank’s argued that the broader duty contended for by Mrs Philipp was not a recognised duty in law, and should not be recognised since it conflicts with a Bank’s duty to comply with its customer’s mandate. The Bank was not an “insurer of last resort” for fraud against their customers, and Quincecare did not impose a duty to protect Mrs Philipp from the consequences of her own actions, where her payment instructions were valid and the payment reflected her intention.
The Court agreed with the Bank that the scope of duty suggested by Mrs Philipp went beyond the boundaries of the Quincecare duty. The Quincecare duty is confined to cases of attempted misappropriation by an agent of the customer. The duty depends on an agent of the payor attempting to misappropriate funds, rather than any intention of the recipient of the funds. This significantly limits the circumstances in which banks can be said to have breached their Quincecare duty to an individual.
The Court found two fundamental problems with the broader duty suggested by Mrs Philipp:
It sought to elevate the Quincecare duty from being subordinate to the primary duty to act in accordance with the mandate, to the other way round. That would require the Bank to second-guess the commercial wisdom of the customer’s decisions and instructions.
There is no clear framework of rules which might provide the scope of the broader duty and indicate to banks when they should not act (or not act immediately) on the genuine instructions of its customer. The Court felt there needed to be a clearly recognised banking code to define the circumstances when further questions would be required.
The Court concluded:
“It is because the Bank cannot be expected to carry out such urgent detective work, or treated as a gatekeeper or guardian in relation to the commercial wisdom of the customer’s decision and the payment instructions which result, that the duty cannot in my judgment extend to the obligations alleged by Mrs Philipp. A duty which carried with it the need for the Bank to have had in place in March 2018 procedures aimed at potentially protecting its customer from her own decisions would involve the Bank being under just the type of unduly burdensome obligation eschewed by Steyn J in Quincecare.”
There was no proper basis for requiring banks and payment service providers to test that the proposed recipient of funds is genuine. They need only, under their Quincecare duty, ensure the genuineness of the instruction to pay.
The CRM Code
The transactions with which this case was concerned were made prior to the implementation of the Contingent Reimbursement Model Code for APP scams (the “CRM Code”). Introduced in May 2019, the CRM Code is a voluntary industry code for dealing with APP fraud. The CRM Code deals with steps firms should take to detect and prevent APP fraud, and how to respond to APP fraud once perpetrated. This includes, in certain APP fraud circumstances, paying and receiving banks repatriating or reimbursing the funds.
The Court noted the implementation of the CRM Code, but rejected the suggestion that it was a reliable indicator of how banks were required to act at the time of the transfers. Where payment service providers have signed up to the CRM Code though, they may be required to take further steps than the Bank in Mrs Philipp’s case.
APP fraud continues to be a major problem for payment services providers and their customers. As customers become more sophisticated in their understanding of fraud, and as firms put in place greater capabilities to prevent and detect fraud, fraudsters will continue to develop their methods. This decision is unlikely to be the last on the topic, particularly as Mrs Philipp has indicated a wish to appeal this decision. However, the Court’s unwillingness to impose broader obligations in this case should provide comfort to banks and other payment services providers that they are not underwriting the costs to their customers of APP fraud.