
Philipp v Barclays Bank, FSMA 2023 and the future of claims following APP fraud


By Emma Bowden, Gareth Hall and Hannah Sinclair


Published 14 December 2023

Overview

In July this year, the Supreme Court handed down its long-awaited decision in Philipp v Barclays Bank UK Plc [2023] UKSC 25. In doing so, the Supreme Court departed from the Court of Appeal's decision and significantly refined the circumstances in which victims of authorised push payment fraud ("APP fraud") can successfully rely on the Quincecare duty of care to seek reimbursement of funds from their bank. The judgment will be unwelcome to victims of APP fraud but will come as a relief to financial institutions, who may have faced a number of Quincecare-style breach of duty claims.

In this piece, we assess the impact of the judgment in Philipp in the wider context of APP fraud as a growing issue in the UK. We also consider the framework anticipated by the new Financial Services and Markets Act 2023 and the extent to which it may counteract such growth.

APP fraud and the Quincecare duty pre and post-Philipp

Broadly, APP fraud occurs when a fraudster persuades the victim to instruct their bank to transfer funds into an account controlled by the fraudster. Pre-Philipp, the Quincecare duty imposed an obligation on bankers not to execute their customer's instructions if they had reason to suspect the customer was a victim of APP fraud. Therefore, Quincecare claims were typically brought by the bank's customer seeking to rely on establishing a breach of this duty to secure reimbursement of the misappropriated funds from the bank.

The Supreme Court's decision in Philipp clarifies that the Quincecare duty simply reflects a "general duty of care owed by a bank to interpret, ascertain and act in accordance with its customer’s Instructions" (at [97]) which is the bank's primary duty. The Supreme Court explained that all other duties, including the duty to exercise reasonable care and skill when executing instructions, are subordinate to this primary duty. If the customer’s payment instructions are unclear and/or the banker has reasonable grounds to believe that those instructions – if received from an agent – may be an attempt to defraud the customer, the banker should not execute them unless and until it has been verified that the instruction has been authorised by the customer. In the absence of such verification, the bank would be in breach of its duty to its customer.

Importantly though, provided those instructions are clear and given personally (i.e. by the customer themselves, as they were in Philipp) or by a third-party 'agent' with actual or apparent authority from the customer, the bank is under no obligation to make any further inquiries and any refusal to carry out the customer's instructions (whether received directly or via such an agent) may constitute a breach of the bank's duty.

The impact of APP fraud in the UK

APP fraud is one of the most common crimes reported in the UK. In the first half of 2023, criminals stole £580 million through unauthorised and authorised fraud, with banks preventing a further £651m of unauthorised fraud through their advanced security systems. Similarly, according to UK Finance’s Fraud Report 2022, losses due to APP fraud amounted to £485.2m in 2022, split between personal (c.£48m) and non-personal or business (c.£77m). As many cases go unreported, and these figures cover only a subset of payment firms, the real figures are likely to be significantly higher.

The underlying question of these unfortunate situations is, if the fraudster is untraceable, should the victims of APP fraud or the banks bear the losses? The Supreme Court in Philipp made it clear that it was "not the role of the courts to make rules of this kind" (at [6]) so ultimately, it appears to be a question for regulators, government and Parliament to decide.

In recent years, there has been an increased focus on the need to tackle APP fraud and to assist those who fall victim to such crimes, as explained below.

The Contingent Reimbursement Model

Between the first instance and the Supreme Court decision in Philipp, the Contingent Reimbursement Model ("CRM") was implemented as a result of joint work between Payment Service Providers and consumer groups. It provides interim funding to reimburse victims if both the bank and the customer had acted appropriately. In addition to the provision of interim funding, the measures contained within the CRM include:

  • Better education for consumers about current APP fraud scams;
  • Identification of higher risk payments and user groups at risk;
  • Providing warnings and slowing payments where a risk is identified;
  • Acting more quickly when a scam is reported; and
  • Taking further steps to stop fraudsters opening bank accounts to be used for APP fraud.

However, it can be very difficult for a victim of fraud to successfully claim reimbursement from the CRM and to date, only 10 firms which cover 21 UK banking brands between them, such as HSBC UK which includes HSBC, First Direct and M&S Bank, have signed up to the code.

In addition, the CRM does not cover international payments, so would have been of no assistance to Mrs Philipp as she was defrauded into sending £700,000 to an account held by a fraudster in the United Arab Emirates.

Therefore, one may reasonably question whether the CRM wholly reflects the realities and risks of an international payments market with an increasing number of bad actors who will seek to utilise the same to take misappropriated funds out of the UK swiftly.

The Financial Services and Markets Act 2023

The Financial Services and Markets Bill was initially introduced in July 2022 and was arguably the most significant piece of post-Brexit legislation, following the Financial Services Act 2021. The Financial Services and Markets Act 2023 (the "Act") received Royal Assent in June 2023 and will come into effect on 7 October 2024, as per the September 2023 Consultation Paper.

Section 72 of the Act imposes an obligation on the Payment Systems Regulator ("PSR") to draft and publish a mandatory reimbursement scheme, which the Act sets out in brief:

The Act states this scheme will apply to payments made within the Faster Payment system, where those payments were executed subsequent to fraud or dishonesty, and that the purposes of section 72 are to remove barriers and allow the PSR to direct firms to reimburse customers who fall victim to such frauds.

By way of reminder, the Faster Payments Service is a real time payment system which means that any funds that are sent are received in near real time. It was originally launched in May 2008 and allowed payers to transfer up to £100,000.00 via the internet and over the phone, which would then clear within a few hours. In recent years, the limit has been increased, so it is now possible to send individual payments of up to £250,000.00 in a single transaction. In addition, the clearing time has been significantly reduced, so that payments can be received within a few minutes of sending. In 2022, over 3.9 billion payments were processed over the Faster Payments system, according to pay.uk.

What is the mandatory reimbursement scheme as put forward by the PSR?

On 7 June 2023, the PSR published a policy statement creating a new reimbursement requirement for cases involving APP fraud. It will apply to instances of APP fraud, in which payment orders are executed over the Faster Payment System and are the subject of fraud or dishonesty.

This mandatory reimbursement scheme is due to come into effect in November 2024 and builds on the aims of consumer protection that has previously been established by the CRM. The mandatory reimbursement scheme will place greater onus on payment service providers to identify and attempt to prevent fraud. Pay.UK – which administers the UK's digital payments network – will oversee the scheme but the Act is designed to allow the PSR to enforce the provisions where necessary. Any potential APP fraud claim will therefore need to be evaluated in consideration of Philipp and the wider regulatory and legislative provisions.

Under the mandatory reimbursement scheme, payment service providers ("PSPs") who are "sending" the payment will be required to reimburse those who fall victim to APP fraud, subject to a number of exceptions discussed below. The PSP who is subsequently "receiving" the payment will have to pay 50% of the reimbursement to the "sending" PSP.

Both the "sending" and the "receiving" PSP will apply to have a claims excess. The PSR are currently consulting on this point, having identified three potential options:

  1. A fixed excess;
  2. A percentage excess; and
  3. A percentage excess with a cap.

At the time of writing, it is unclear which excess will apply to the mandatory reimbursement scheme, although it has been confirmed that the excess will not apply to vulnerable customers.

Who will the mandatory reimbursement scheme apply to?

In its current form, the following entities will be reimbursed under the mandatory reimbursement scheme:

  • Consumers (individuals who are acting for purposes other than a trade, business or profession);
  • Micro-enterprises (enterprises that employ fewer than 10 people and whose annual turnover and/or annual balance sheet total does not exceed £2m); and
  • Charities (as defined in the relevant legislation and with annual income of less than £1m).

There are exceptions, such as where the victims are involved in the fraud themselves or have acted with gross negligence.

For vulnerable consumers, additional protections will apply and they will be exempt from the proposed gross negligence exception.

The following circumstances will not be captured by the scheme:

  • Civil disputes (such as a customer paying a legitimate supplier for goods or services which may have been unsatisfactory);
  • Payments which take place across other payment systems (such as crypto exchanges);
  • International payments; and
  • Payments made for an unlawful purpose.

When fraud is reported, the "sending" PSP will be required to make the reimbursement within 5 working days. However, the "clock is stopped" in instances where the sending PSP is required to gather further information regarding the alleged fraud. This reflects the need for PSPs to gather additional information to verify the claim as well as regulatory obligations placed on such institutions to investigate and in some cases report fraud, including to the National Crime Agency where money laundering is known or suspected on reasonable grounds to have taken place.

Will the mandatory reimbursement scheme have the intended impact?

As explained above, the mandatory reimbursement scheme will apply to consumers, charities and 'micro-entities'. Currently, there is no plan to extend the scheme to larger businesses despite APP fraud causing losses of c.£77m to non-personal and business customers in 2022. Without the ability to rely on the mandatory reimbursement scheme, businesses of this size which fall victim to APP fraud will, in order to run a Quincecare claim, be dependent on establishing either that the instructions (which must have been provided by an agent, the definition of which includes employees) were insufficiently clear or, more likely, that the bank had reasonable grounds to suspect that the agent's instructions were undertaken to commit fraud (which the business may struggle to gauge pending disclosure). Failing that, they will be reliant on the ability of the police or enforcement agencies to recover funds from the fraudster or on alternative civil claims (such as unjust enrichment) to regain funds from receiving parties.

Another current limitation of the mandatory reimbursement scheme is that it will only apply to payments made over the Faster Payment Service. Whilst it is clear, in recent years, that Faster Payments have become a more popular form of payment method (and have, for the first time, overtaken the number of BACS payments made), the BACS Annual Processing Statistics 2022 show that c.4.7b BACS Direct Debit payments and c.2b BACS Direct Credits were processed in 2022 alone. This shows that there are a significant number of payments that are being made by other methods which will not be covered by the 50 / 50 reimbursement standard between "sending" and "receiving" PSPs.

Whilst the scheme will capture the vast majority of APP fraud cases, there will likely be outlier cases in which fraudsters may have used complex methods to misappropriate significant values (i.e. over £415,000 per claim) in which cases reimbursement may not be available to the customer. At the point of writing, the PSR has proposed that the maximum reimbursement level should be in line with the prevailing Financial Ombudsman Service limit of £415,000 per claim. The PSR, citing UK Finance research undertaken in 2022, notes that the £415,000 limit would capture around 99.98% of APP fraud cases. However, as Faster Payments of up to £1,000,000.00 can now be made almost instantly, there will be instances of sophisticated and particularly high value APP fraud which will fall outside the scheme.

Lastly, as with the CRM, the fact that the mandatory reimbursement scheme will not cover international payments may further limit its impact. In due course, the PSR and UK government may seek to extend the scheme to cover international transactions. Whilst this may require engagement from organisations in other jurisdictions, which could prove to be complex and difficult, there are signs of international appetite to create reimbursement schemes, even if only to operate domestically or regionally at present. For example, financial institutions in the United States currently only reimburse customers in cases of account takeover fraud or unauthorised transactions; however, seven US banks started to work on amending rules to compensate victims of APP fraud in November 2022. Additionally, in June 2023, the EU Commissioner put forward an updated package of rules with the aim of tackling fraud. Under the new rules, PSPs, which now includes electronic money institutions, will be required to reimburse misappropriated funds to customers in impersonation cases. Given the value of funds misappropriated by APP fraudsters and the recent actions of national and regional organisations, there may be multi-jurisdictional approaches to tackling and even reimbursing APP fraud on the horizon.

Outlook for firms

The PSR's mandatory scheme is of course in its infancy and remains in consultation form. It therefore remains to be seen what the final product will look like. However, in the context of increasing regulation and legislation in order to address corporate failure to prevent economic crimes, both the CRM and the mandatory scheme – when implemented – will undoubtedly add further layers to be addressed and navigated by internal compliance functions, including those charged with investigating cases of alleged fraud and / or managing customer claims.
