Onerous or essential? Duty expected from banks to tackle APP fraud

The UK's domestic payment process is undergoing a significant overhaul with varied technological developments leading to both operative and regulatory impediments. These expansions have often been motivated by the growth in competition in the provision of payment services. A significant driver for regulatory change is the upsurge in online payment fraud. One of the most common types of online fraud is Authorised Push Payment Fraud (APP).

An APP is where a payer, often an individual consumer, instructs their Payment Service Provider (PSP) to send money from their account to another account. These payments are typically executed via Clearing House Automated Payment System (CHAPS) or Faster Payments Scheme Ltd (FPS). This kind of fraud occurs when a payer is tricked into making an APP to an account controlled by someone other than the intended recipient.

This article will deal with the varied facets of APP fraud and the Quincecare duty owed by banks which are interlinked, especially in light of the judgment in Philipp v Barclays. We also suggest practical steps to tackle the issues.

APP fraud

Scope

The law governing authorised and unauthorised payment transactions is a mixture of statute, common law and equitable principles. APP fraud is a relatively unsophisticated deception, but it is extremely effective due to the way in which it is delivered. Fraudsters normally obtain access to an individual’s information, by hacking their email and then present themselves as a corporation with whom the hacked account owner is associated with. From there, they will contact the victim and ask for payments to be made via bank transfers ostensibly to the legitimate company they are pretending to be. Many will make the payment using real-time payment schemes and this allows the fraudster to walk away with cash. It can be difficult to obtain effective relief from APP fraud because the payments are authorised by the victim.

The growth of APP fraud

According to UK Finance Report 2021, in total there were 195,996 cases. Of this total, 188,964 cases were on personal accounts and 7,032 cases were on non-personal accounts. Despite the efforts of the financial services sector, criminals stole a total of £583.2 million in 2021. Additional security by banks helped prevent £1.4 billion of unauthorised fraud in 2021, equivalent to 65.3p in every £1 of attempted unauthorised fraud being stopped without a loss occurring.

Previously, fraud committed using payment cards was the largest type of fraud. However, the first half of 2021 saw 71 per cent increase in APP fraud and for the first time surpassed the sum total of money stolen through payment cards. Using strategies such as scam phone calls, text messages and emails, as well as fake websites and social media posts, criminals sought to trick people into handing over personal details and passwords along with transferring huge amount of savings to other bank accounts held in tax havens. This made tracing the money exceptionally difficult (as opposed to other transfers where money could be more easily traced and retrieved). There has been a significant increase in impersonation scams, as criminals posed as banks, government bodies and even health officials to trick people out of their money leading increasingly to life-changing sums being lost.

Another area of significant concern is Investment scams. This is where people are influenced to transfer or invest significant amount of their savings with promise of fictitious dividends or high returns only to realise that they are fictious. However, the common thread running through all these scams is the deployment of online platforms including fraudulent advertising through search engines, social media and fake websites.

UK Finance analysis found that 70 per cent of APP scams originated from an online platform. Disturbingly, there has also been an increase in online advertisements encouraging people to become money mules. This is where people unknowingly permit their bank account to be used to ‘cash out’ fraudulent funds. These are mainly aimed at the younger generation who may not realise the severity of what they are doing or even that it is a crime. It is not certain how much money has been passed through money mules as it is difficult to identify these transactions because they are passed through legitimate accounts.

The level of fraud in the UK has reached concerning heights and could be considered a national security threat. The finance sector cannot combat this issue alone and there needs to be a coordinated approach adopted across every sector. During the COVID-19 pandemic, various industries were approached to help step up the fight, including mobile telephone and network operators and online platforms. 

The government’s Online Safety Bill represents an important opportunity to ensure greater protection against financial fraud. It will require the government, regulators and other sectors to combine forces and fight against such fraud.

Contingent reimbursement model

In February 2018, the PSR and FCA published a joint statement on the outcome of the consultation on the development of a contingent reimbursement model. The Contingent Reimbursement Model for Authorised Push Payment Scams (the Code) was implemented on 28 May 2019. The main aim of the Code was to increase consumer protection standards to reduce the occurrence of APP scams and reduce the impact of these crimes on consumers, micro-enterprises and small charities. PSPs who signed up to the Code were committed to:

• Ensuring greater protection for vulnerable customers and implementing varied procedures to detect, prevent and respond to APP scams
• Greater transparency to detect and respond to accounts being used to launder proceeds of APP scams and receipt of funds from this fraud
• Reimbursing customers who fell victim to this fraud without any contributing fault (unless customers were grossly negligent or reckless).

There are three appropriate outcomes in the above circumstances where:

1. The victim and relevant PSPs have all met the standards of care expected of them under the code (the "no-blame" situation)
2. The victim and one or more of the relevant PSPs have all failed to meet the standards of care expected of them under the code (the "shared-blame" situation)
3. The victim has met the requisite the level of care and one or more of the relevant PSPs have failed to meet the standards of care expected of them (the "inter-PSP" blame situation).

There have been continuing discussions across the industry about how to fund the "no blame scenario" (i.e. when neither the bank or the customer is at fault) so that the protection afforded by the Code can be widened.

In 2018, the FOS published its policy statement confirming that:

1. Victims of APP scams had access to dispute resolution through the FOS for complaints against the PSP who received their payment on behalf of the fraudster (taking effect from 31 January 2019)
2. To meet the Payment Services Directive 2 (PSD2) requirements, the FOS' compulsory jurisdiction was also extended to include complaints by a payer about a payee's PSP’s co-operation with the payer's PSP to recover funds from a payment transaction where incorrect details had been provided (taking effect from publication on 14 December 2018 and applying to complaints deriving from 13 January 2018).

The leading standard board further considered that preventing, detecting and creating awareness should be given precedence over reimbursement when it came to protecting customers at every possible stage of the payment journey for banks, non-traditional lenders and PSPs.

Duty of reasonable skill and care

Quincecare duty

The Quincecare duty is increasingly in the limelight. Its relevance has expanded, particularly in anti-money laundering and fraud cases where banks are gradually becoming more expected by the regulator and the courts to play a significant role in preventing financial crime.

In Barclays Bank plc v Quincecare Ltd, the High Court held that banks owed a duty of care to their customers when they had reasonable grounds for believing that the instructions provided by the customers were an attempt to misappropriate the funds of its customer. To protect customers, banks were able to deny complying with the payment instruction as it was an aspect of the bank's duty of reasonable care and skill towards its customers.It is by virtue of an implied term of the contract or as a co-extensive duty in tort that gives rise to this duty between the bank and the customer.

Originally it was thought that the Quincecare duty was (exclusively) a negative duty not to execute the payment instruction, rather than a duty requiring the bank to take positive steps to verify its legitimacy. However, subsequent court decisions have left this a grey area suggesting that the court’s assessment of what a defendant bank should have done will turn on the facts of each case and that a bank may, in certain cases, be obligated to investigate whether the payment instruction is an attempt to defraud its customer.

Recent decisions dealing with the Quincecare duty

There have been only a few decisions relating to the Quincecare duty. It has been rare where the bank has been held liable. 

Singularis Holdings Ltd (In Official Liquidation) v Daiwa Capital Markets Europe Ltd

This case concerned payments made by Daiwa Capital Markets Europe Ltd from a client account held to the benefit of Singularis Holdings Ltd. Mr. Al Sanea the sole shareholder of Singularis had given fraudulent instructions for these payments. When Singularis went into liquidation, the liquidators claimed these monies from Daiwa.

The High Court held that the Quincecare duty of care was breached by Daiwa, in view of clear signs that the payments were fraudulent. The Judge held:

"The Quincecare duty…require[s] a bank to do something more than accept at face value whatever strange documents and implausible explanations are proffered by the officers of a company facing serious financial difficulties".

Daiwa breached that duty as:

"… any reasonable banker would have realised that there were many obvious, even glaring, signs that Mr Al Sanea was perpetrating a fraud on the company when he instructed the money to be paid to other parts of his business operations".

Daiwa appealed to the Supreme Court. It claimed that Mr Al Sanea's fraud should be attributed to Singularis as it was essentially a one-man company, with the consequence that its Quincecare claim against Daiwa would then be defeated.

The Supreme Court unanimously dismissed the appeal. It ordered that Singularis was not a one-man company. There were a number of directors in the company who had no knowledge of the fraud. Therefore, the fraud could not rightfully be attributed to the company. The purpose of the Quincecare duty was to protect a company against this very form of misappropriation of funds. It would effectively remove the duty's practical value in such cases where it was most needed if a fraud of a company's trusted agent were to be attributed to the company.

The Federal Republic of Nigeria v JP Morgan Chase Bank

On 21 February 2019, the Commercial Court ordered the dismissal of an application for a reverse summary judgment that considered the situations under which a bank owed a Quincecare duty of care. The Judge's conclusions include the following:

1. It is essential for a bank to understand when they are put 'on enquiry' i.e. when they assume there are some questionable grounds to believe that the claimant could potentially get defrauded if the payments are made. The bank would then immediately owe a Quincecare duty of care to the claimant. Pursuant to that the bank's foremost duty is to ensure protection to the claimant by not making payment unless and until it was "off inquiry" i.e. the circumstances for attempted fraud no longer existed.
2. The terms of the depository agreement did not in any manner exclude the Bank's implied duty (implied by law at common law or under statute (section 13 of the Supply of Goods and Services Act 1982 (SGSA)), or by the tort of negligence.
3. There was no further justifiable reason as to why that duty should only be confined to current accounts and not apply to depository accounts.
4. Only if the Quincecare duty is inconsistent with the express terms of the contract or it may have been excluded by an exemption clause, can there be an assumption that the duty does not arise at all. But given that the Quincecare duty of care is imposed for good policy reasons, only explicitly worded terms excluding such a duty would enable the court to conclude that that duty does not arise.

This decision is important as, Andrew Burrows J stated that this duty established not just a negative duty to refrain from executing a payment instruction where there are reasonable grounds to suspect fraud, but also a positive duty to investigate the bank’s suspicions. He went on to say:

“To recognise such a duty of enquiry would be in line with sound policy. In the fight to combat fraud, banks with the relevant reasonable grounds for belief should not sit back and do nothing.”

On appeal, the Court of Appeal refused the defendant bank's application for reverse summary judgment/strike out and upheld the decision of the Commercial Court for Federal Republic of Nigeria to pursue its claim against JP Morgan. The Court of Appeal further reiterated the Commercial Court 's view, that these negative and positive duties carry equal weight, and neither is separate or subsidiary or additional to the other. In the Commercial Court, the judge was more of the view that the positive duty was a duty of enquiry. However, the Court of Appeal’s formulation of the positive duty was not limited to one of enquiry or investigation and for that reason the complex question of whether or not the bank breached its Quincecera duty would be held in trial.

On 14 June 2022, the Commercial Court handed down their judgment in favour of the bank, stating that the Quincecare duty is “narrow and confined” and must be “carefully calibrated” due to the inherent conflict with the primary duty of a bank to honour a payment instruction. Cockerill J further stated that situations related to corruption, past financial crime or fraud would not trigger a bank's Quincecare duty. She emphasised that "the focus has to be on notice of the matter that has vitiated the instruction and not any different or wider potential concern."It is also important to note that even though the Court expressed the duty to be a narrow one it did accept the Court of Appeal's judgment in Philipp v Barclays that “the logic of the principles which establish the Quincecare duty indicate that it is applicable whenever a banker is on inquiry that the instruction is an attempt to misappropriate funds”. It will be interesting to see if and what the outcome would be if the case goes on appeal.

Stanford International Bank Ltd v HSBC Bank plc

In this case, SIB an Antiguan bank, since its inception was accused by liquidators to have been operating a Ponzi scheme fraud. The liquidators had brought proceedings against HSBC who operated various accounts for SIB. The liquidators had contended that monies had been paid out during a certain period until the accounts were actually frozen.

The Court's decision related to a new application initiated by HSBC to strike out or to seek reverse summary judgment in respect of the liquidators' Quincecare claim, on the fact that as SIB suffered no loss, it had no claim in damages. HSBC further argued that since SIB's net asset position remained the same during the relevant period because the payments made to the investors even though reduced SIB's assets, however it had equally exonerated SIB's liabilities to the investors by the equal amount.

The Court held that SIB would have had assets of £80 million, if HSBC had frozen the accounts on 1 August 2008. It would have had a very large number of creditors, but it would have also had that money in its accounts and available for the liquidators to pursue claims. Considering SIB was still insolvent, the Court could not give credit to SIB even though it had saved liabilities of £80 million with just a different mix of creditors. Even though the Court could not factually find justifiable reason to strike out the Quincecare claim or to award summary judgment, it did strike out the dishonest assistance claim.

On Appeal, the Court found in HSBC's favour. It stated that the High Court had made an error in its reasoning by confusing the company's position before and after the inception of an insolvency process. It further stated that the true distinction was between a company that was trading and a company in respect of which a winding up process had commenced, not between a solvent trading company and an insolvent trading company. A company could be heavily insolvent and have slightly lower liabilities which would be a corresponding benefit to its net asset position. In the eventual inception of its insolvency if the company had more cash flow for the liquidators to pursue claims and for distribution to creditors, it would be a benefit to creditors, but not so much to the company while it was trading.

The case has been further heard on appeal in the Supreme Court and is pending judgment. The trend of claims against financial institutions alleging breach of the so-called Quincecare duty is rapidly on the rise. The Court's decision provides a helpful addition to this body of case law, as financial institutions grapple with the emerging litigation risks associated with processing client payments.

Judgment Philipp v Barclays Bank

Facts of the case

In Philipp v Barclays Bank plc, a couple were defrauded by a number of individuals who influenced them to part with a significant amount of their personal savings via a sophisticated APP fraud. They moved over £700,000 of their savings into an account in Mrs Philipp’s name with the defendant (respondent) bank Barclays. Mrs Philipp then instructed Barclays to transfer that money, in two payments of £400,000 and £300,000, to separate bank accounts in the United Arab Emirates. The couple thought that what they were doing was transferring their money into safe accounts to protect it from fraud. They had been convinced in a series of calls starting in late February 2018 that they were cooperating with the Financial Conduct Authority and the National Crime Agency to bring fraudsters to justice. Part of the deception involved Mr Philipp telephoning what he thought was the Fraud Department within HSBC Bank Plc and being re-directed to the fraudsters. Mrs. Philipp was so heavily influenced that she did not even make the transfer from her regular branch and was suspicious of all the bank officials. Soon after the transfer, Mrs Philipp realised the fraud and without any prospect of recovery from the fraudsters, sued the bank claiming it had breached its Quincecare duty by not refraining from executing her order to transfer the funds.

Summary of judgment - Quincecare duty

The High Court at first instance granted summary judgment in favour of Barclays. It held that the duty was limited to situations where payment instructions were not properly authorised, i.e. they were made by a customer’s agent in an attempt to misappropriate funds.

However, the Court of Appeal overturned that decision and held that the Quincecare duty was not limited to circumstances where the bank was instructed by the customer's agent. The Court held that, the duty of care identified in Quincecare does not depend on whether the bank was instructed by an agent of the bank's customer. Lord Justice Birss further stated that as soon as a bank was on inquiry that the instruction was an attempt to misappropriate funds, the duty is capable of being applied. Therefore, even in the case of a customer instructing their bank to make a payment when that customer is the victim of APP fraud, in principle, a relevant duty of care could arise. He further contended that to decide whether such duty arises in this case was a matter for trial and that the summary judgment in the bank's favour was wrongly entered and should be set aside.

The Court of Appeal's view on the legal nature of the Quincecare duty can be understood by reference to the following propositions:

• The Court of Appeal followed the reasoning of Singularis stated that the fundamental test for the application of the Quincecare test was when a bank was put 'on inquiry'. Although in earlier judgments the duty was considered only in relation to instructions from a fraudulent agent acting for a company or firm, the principles supporting those authorities were not so limited. The Court considered it to be better to understand the Quincecareduty as an effective check on the bank’s duty to execute orders promptly. The effect of such a check would imply that the bank would "refrain from executing an order if and for so long as the circumstances would put an ordinary prudent banker on inquiry".
• The Court considered the possible link between the Quincecare duty and anti-money laundering (“AML”) obligations. The Court rejected the argument of the bank stating that the AML obligations by banks were owed to the regulator and not the customer. The Court considered that “[t]he fact that the bank can be in a situation in which it owes a duty to a regulator which it does not owe to a customer does not answer the question” and adopted a reasonable analysis of the scope of the Quincecare duty. The Court agreed that the bank's actions would need to be judged by reference to an examination of banking practice in 2018 and when it was essentially put on enquiry, when the relevant transactions were authorised in person by Mrs Philipp.
• The Court stressed that “[a] finding that the facts of Mrs Philipp’s case would, when considered alongside ordinary banking practice in March 2018, have put an ordinary prudent banker on inquiry about APP fraud, simply does not mean that the circumstances associated with any one of the many millions of low value BACS transfers would do so.”The Court further stated that considering that the distinction between duty and standard of care in this context was a thin one, the courts should not take an excessively strict approach to the pleadings.

The Court summarised its core reasons for allowing the appeal and stated:

The Quincecare duty “does not depend on the fact that the bank is instructed by an agent of the customer of the bank.” Considering “at least possible in principle that a relevant duty of care could arise in the case of a customer instructing their bank to make a payment when that customer is the victim of APP fraud.”

Therefore, the High Court erred in allowing the summary judgment in favour of Barclays and should have decided whether such a duty exists only in trial.

Permission has been sought to appeal the decision to the Supreme Court.

Practical issues

Banks could consider the following steps to mitigate the risks of being found liable for breach of the Quincecare duty:

Know your customer

The banks have the foremost duty to know their customer. It is important the banks are responsible for the customer where they see something out of the ordinary. They must be alerted as soon as the customer behaves differently to their usual course of actions. Ensuring that there is a personal banking manager for clients could help banks to better detect unusual client activity. It might also be beneficial to have a monitoring system in place to facilitate the study of unusual activities of the customers to help navigate the early onset of these activities leading up to the commission of APP fraud.

Escalation processes

There should be a two-step process, one being investigating red flags and second being training. Both having their own step-by-step protocols for escalating concerns to compliance personnel.

• Red flags investigation: it is important to have a set of rules listing out the most obvious red flags such as huge payments to tax havens, unusual high payment amount from a different branch etc. In having a working list for red flags, it will provide a better mechanism for investigating them. Investigating should entail identification of such red flags, raising it with a chosen official of the bank, enquiry on the said red flag and after reasonable investigation recording the reasons for either allowing or disallowing the transaction. This will help banks to carry out their duty in an efficient manner.
• Training: It is important to train the officials at the banks to undertake proper due diligence. If need be to interrogate further till the bank officials can under reasonable circumstances believe it to be justifiable to undertake the instructions from the customer. Thorough and regular checks must be undertaken by the senior managerial personnel to ensure each and every official are properly equipped to deal with the customers, train sales teams not to accept at face value, and to interrogate thoroughly, explanations and documents proffered by the account holder.

Retaining evidence and documenting decisions

When dealing with unusual activities, the banks are essentially put 'on enquiry'. During these situations the banks must record each and every decision and documents supplied by the customer. Unless and until customers produce the required documentation, the bank officials should not execute the payments. While on such enquiry, the bank may also consider whether for the purposes of its Quincecare duty, it would be necessary to file a suspicious activity report (SAR) under the Proceeds of Crime Act 2002 (POCA). Banks should be also be careful to avoid committing the tipping-off offence under POCA if they have filed a SAR.

Industry standards

The banks should be careful and ensure that their internal policies are in line with, upheld, industry standards. Under the Quincecare duty it would be beneficial for banks to show that their internal policies aligned with the banking industry standards and they followed all the essential policies.

It would also be beneficial for the banks to have a banking code of practice to ensure that all banks are equally committed to deal with the issue at hand. Having a forum to discuss the various issues faced by different banks may alert the other banks when faced with similar issues. As stated above one single bank or the banking sector alone cannot deal with this issue. It needs to be a community effort, however led by the banking sector.

Conclusion

The Court of Appeal's decision in Philipp will not be the last word on the wider subject; it is due to be argued in the Supreme Court in early 2023. In the meantime, the Supreme Court is due to give its judgment in Stanford International Bank Ltd v HSBC Bank plc, imminently. Furthermore, in JP Morgan Chase v Nigeria even though the Commercial Court gave judgment in favour of the bank (i.e. narrowing the duty), it did accept that Quincecare duty could potentially be extended beyond 'internal fraud' cases whenever a bank is put on notice of a possible fraud. As such, the boundaries of the Quincecare duty remains fast-evolving and therefore it needs to be a community effort to help overcome the proliferating cases of APP fraud. The Financial Services and Markets Bill recently presented before the Parliament also acknowledges and deals with the broad regulatory framework issue involving APP fraud.