Authorised push payment fraud has increased dramatically in recent years. Historically, banks have avoided liability to their customers for facilitating payments on the basis that they were authorised to do so by those same customers. However, the recent decision in Philipp v Barclays Bank UK Plc  EWCA Civ 318 may represent a shifting of the tide in favour of the victim.
What is Push Payment Fraud?
Authorised Push Payment (APP) fraud is relatively unsophisticated. The fraud starts by the fraudster gaining access to the victim’s information, possibly by social engineering techniques (e.g. analysing publicly available data about the victim) or by hacking the victim’s electronic systems. Next, using that information the fraudster will present themselves as a trustworthy party, typically though not always a party with whom the victim is already doing business. Then, once the fraudster has developed the relationship, they will ask the victim for a payment to be made to a bank account that is supposedly held by the legitimate party they are pretending to be.
APP fraud can and does affect anyone, from individuals to multi-national corporates. Common instances of APP fraud can involve a fraudster disguising themselves as a contractor with whom the victim is conducting business and expecting to make payment. The fraudster will then direct the payment to their own account, often simply by amending bank details on an invoice. Because the victim is expecting to make a payment, often these directions can go unnoticed and unchallenged. By the time the fraud is uncovered, the fraudster has transferred the funds elsewhere.
Difficulties with Recovery
Recovery of funds in these circumstances is not impossible but can be challenging. The first step will often be to contact the bank responsible for the fraudster’s account, informing them of the fraud and encouraging them to lock the account. Banks will often, not unreasonably, request a court order before they do so, requiring the victim to apply for an injunction. The victim may also, at the same time, wish to seek a disclosure order against the bank requiring it to deliver up information about whether it still holds the funds or, if they have been transferred, the details of the onward account. Victims are then left to trace the funds, often through multiple banks and, sometimes, jurisdictions.
For obvious reasons this can be time-consuming and, depending on the amounts involved, not necessarily cost-effective. Victims may then wish to consider alternative sources of recovery, for instance their own bank for arguably facilitating the fraud.
The “Quincecare” Duty
The so-called Quincecare duty requires a bank to exercise reasonable skill and care when executing its customer’s instructions. This extends to not executing instructions if they know or are “put on inquiry” that the instructions are an attempt to misappropriate the customer’s funds.
Historically, the Quincecare duty has been found to apply only in circumstances where an agent of the customer (for example, a director) attempts to misappropriate assets by way of a fraudulent transfer. In such an event, the bank must refrain from executing the payment if it has reasonable grounds for believing the payment may be fraudulent.
On the face of it this duty would not extend to where the customer is defrauded into making the payment instruction themselves. Victims of APP fraud would therefore have no recourse to their bank, because they (howsoever mistakenly) authorised the transfer.
Philipp v Barclays Bank UK Plc – A Widening of the Duty?
Mrs Philipp, a music teacher, and her husband Dr Philipp, a retired consultant occupational and public health physician, were thoroughly deceived by a fraudster known as JW to transfer over £700,000 of their savings from Mrs Philipp’s account with Barclays Bank to separate bank accounts in the UAE. It was part of Mrs Philipp’s case that there were various features of the payments and of Mrs Philipp's situation which would have alerted an ordinary prudent bank to the problem. In those circumstances, she argued that a bank, acting with reasonable skill and care, would have delayed the transfers and asked questions to get to the bottom of what was going on.
On appeal, the Court of Appeal found that the duty of a bank to make inquiries and refrain from acting on a payment instruction applies to any case in which the bank is on notice that the instructions are an attempt to misappropriate funds. It can apply even where the customer itself is giving the instruction. This is an important distinction and may open the doors to customers to seek recourse against their bank where it could be said that the bank had reasonable grounds for believing that the instruction was potentially fraudulent and therefore under a duty not to complete an instruction without inquiry.
It was an interesting aspect of the case that the bank suggested such a duty would represent an onerous and unworkable burden on banks. Whilst making no determination on the point, the Court did suggest there was “ample evidence… to make it arguable that the duty of care contended for would be neither unworkable nor onerous in terms of banking practice”.
The decision in Philipp v Barclays was to overturn summary judgment granted against Mrs Philipp. It does not represent the final determination of Mrs Philipp’s case and, importantly, is limited only to finding that the Quincecare duty can apply to instructions from the customer. The Court did not determine whether such a duty did in fact apply; that is a fact-sensitive issue for trial.
However, for the victims of APP fraud it is nevertheless an important judgment, potentially widening the scope of customers to seek recovery from their banks where the bank had reasonable grounds for believing that the instruction was an attempt to misappropriate funds. Perhaps in recognising this, Lord Birss suggested that “the purpose of the duty…. is to protect the customer”.
There is undoubtedly a drive within the financial sector to reduce both the occurrence and impact of APP scams. This is to be welcomed, and financial institutions are increasingly putting in place measures to protect their customers. The Contingent Reimbursement Model Code for Authorised Push Payment Scams (the CRM Code) was introduced in May 2019 and sets a standard which banks should adhere to. Whilst the CRM Code remains voluntary, this decision should encourage banks to take ever more active steps to detect and prevent fraud.