Partner Michael Barnett and Paralegal Kieran Bailey explore recent developments in the context of APP Fraud in Solicitors Journal

May 23, 2024

With Authorised Push Payment (APP) Fraud costing victims over £1bn annually, Partner Michael Barnett and Paralegal Kieran Bailey discuss the impact of incoming banking regulation and legislation following recent fraud cases such as Philipp v Barclays Bank PLC.


Michael and Kieran’s article was published in Solicitors Journal, 21 May 2024, and can be found here. A version of this article was also published in Thomson Reuters PLC Magazine, 30 May 2024, and can be found here.

Authorised Push Payment (APP) Fraud is on the rise and estimated to cost over £1 billion annually. Fuelled by online scams, artificial intelligence, and highly organised “fraud factories”, APP fraud occurs when an unwitting victim is hoodwinked into transferring their money to an account operated by fraudsters posing as a legitimate outfit.

Yet, despite its prominence, holding banks liable to victims has proven legally problematic. Attempts to assist victims via the so-called ‘Quincecare duty’ have failed, albeit it took the Supreme Court in Philipp v Barclays Bank [2023] UKSC 25 to provide a definitive answer. Nonetheless, the Court left open some scope for certain, perhaps novel, claims against banks as discussed below. Moreover, consumers may welcome the launch of a new statutory compensation scheme for victims, and new regulations proposed by HM Treasury to tackle the issue.

The so-called “Quincecare duty”, originated in Barclays Bank v Quincecare Ltd [1992] 4 All ER 363. Mr Justice Steyn held that a bank should not execute a payment instruction given by a customer’s agent where it has reasonable grounds to suspect the agent is defrauding the customer, without making further inquiries of the customer.

In Philipp v Barclays Bank [2022] EWCA 318, the Court of Appeal controversially extended the duty beyond instructions by an agent to cover APP Fraud. However, the Supreme Court has unanimously reversed that decision.

In Philipp, the Claimant, had been duped by fraudsters pretending to be from the Financial Conduct Authority into transferring large sums to UAE bank accounts. Mrs Philipp gave payment instructions in branch at Barclays Bank.  The bank duly executed her instructions, and the money was gone.

Mrs Philipp claimed against Barclays for breach of its Quincecare duty and for failing  to take adequate steps to recover the money after becoming aware of the fraud.

The Supreme Court rejected the argument that the bank should not have performed the transaction, basing its decision on the first principles of banking law. It is a bank’s basic and strict duty within the banker-customer contract to comply with a customer’s payment instructions, where their account is in credit. Bankers are not to query the wisdom of their customer’s transactions.

In concluding that the duty is grounded in the “principles of agency”, Lord Leggatt rejected the reasoning in the original Quincecare case and subsequent authority, that there was a “tension” between a bank’s duty to execute its customer’s instruction and its duty to do so with reasonable care and skill.  Rather, the Quincecare duty is an application of the bank’s general duty of care in interpreting, ascertaining, and acting in accordance with the customer’s instruction. Agents do not have authority to defraud customers. Thus, where a bank suspects this is occurring, the bank’s duty to protect the customer is engaged.

However, the Quincecare duty will not protect customers “from themselves” where they intend to make the payment, even at the instigation of a fraudster.

While banking law purists may applaud this decision, it could be argued that the court missed an opportunity to update fundamental banking principles to deal with a pernicious modern threat. Big banks are better placed than customers to assess the risk of APP fraud and if a banker suspects a customer is being defrauded, surely they should make further inquiries before proceeding?

Nonetheless, the Supreme Court did identify  two scenarios where a customer might be able to bring a claim successfully against their bank after falling prey to APP fraud.

First, where a banker has information to hand which, if the customer had it, would dissuade them from making the payment instruction. The court derived this duty from an Australian judgment, Ryan v Bank of New South Wales [1978] and left to future argument whether Ryan determined the correct legal test.

The Court observed that in a hypothetical scenario where the police have told a bank that a customer’s instruction has been procured by fraud “it may be right” that the banker make further enquiries of the customer before proceeding. The fact that it merely “may” be right to delay payment shows that the application of this test may be very limited, yet the ambiguity surrounding the scope of the Ryan test may encourage speculative litigation by victims. .

Secondly, Philipp left open claims for breach of a bank’s “retrieval duty”, giving the claimant an opportunity to pursue this claim at trial. Recently, in CCP Graduate School v National Westminster Bank Plc [2024] EWHC 581 (KB) the High Court considered a claim for failure to take adequate steps to recover monies dissipated to fraudsters. The claim against NatWest was time-barred, but the court held the claimant could continue its claim against Santander as there was an arguable case that Santander, as the fraudster’s banker, owed NatWest’s customer a retrieval duty.  Clearly, it remains to be seen how the courts will interpret the scope of the duty to retrieve lost funds.

The Supreme Court viewed tackling APP Fraud as a social question for Parliament. Steps are clearly being taken. The Payment Services Regulator has established a new compensation scheme for consumers, charities, and micro-enterprises which comes into force on 7 October 2024.

Under this scheme, payment service providers (PSPs) will compensate customers who are victims of APP fraud within five working days, up to the value of £415,000. The PSP can delay the compensation for 35 business days after the claim to gather further information. Typically, the sending PSP will be able to claim back 50% of the cost of compensation from the receiving PSP. Customers will need to claim within 13 months of the fraud, although a PSP may extend this voluntarily. Customers (excluding vulnerable customers) must exercise a “standard of caution” based on four elements to qualify for compensation.

The scheme clearly provides new protection for customers and may nudge PSPs to strengthen fraud prevention measures. However, it only deals with the consequences of APP Fraud after the crime has been carried out and it would not have fully reimbursed victims like the Philipps.

Moreover, HM Treasury has recently proposed the Payment Services (Amendment) Regulations 2024. Under this statutory instrument:

  • A PSP may delay executing outbound transactions by up to four business days where it has reasonable grounds to suspect the customer is being defrauded.
  • The PSP will need to establish its reasonable grounds by the business day following the payment instruction.
  • The new power may only be used where the PSP needs time to contact the customer or a third party to decide whether to execute the payment.
  • PSPs must inform their customer of the delay, the PSP’s reasoning, and what information or actions will be needed to help the PSP.
  • PSPs may not notify their customer where doing so would be unlawful, for instance, in contravention of anti-money laundering regulations.

The new power may be welcomed by consumers but clearly raises several critical issues. First, there are risks that a bank’s statutory duty to inform a customer of the reasonable grounds it suspects APP Fraud may conflict with its duty to not tip-off customers under anti-money laundering legislation.

Secondly, companies will have the right to opt-out of the policy. In such cases, a bank may only delay a transaction by 1 day. If, however, a bank froze funds belonging to a company which had opted-out, on suspicion of financial crime, could the bank be sued for breach of the opt out? The bank may not be able to explain its reasons without letting the cat out of the bag, thus contravening its duties under the Proceeds of Crime Act 2002. Perhaps an extreme case, but would the bank have a defence?

Thirdly, PSPs will be liable for any interest or charges which customers incur because of a delay. However, how far will such liability extend? What happens if the customer faces substantial or long-term financial losses? Would the customer have strong grounds to bring a claim if they are not reimbursed promptly or in full?

Finally, what will constitute “reasonable grounds”? Would sending large sums to accounts in the Middle East which one had never sent money to before, as in Philipp, constitute reasonable grounds?

Unless improvements are made to the legislation, banks will clearly have to chart a careful course when navigating such choppy waters, including drawing up and implementing clear policies, which may have to be accessible to customers.

The Supreme Court in Phillip has held the line on the foundational principles of banking law. The Quincecare duty cannot be invoked in cases of APP Fraud.  However, banks will need to keep a close eye on the “retrieval duty” litigation and possible claims under the Ryan test. Finally, it remains to be seen whether the Government’s new measures will effectively combat APP Fraud, and whether the risks inherent in the proposed regulation, particularly in relation to scenarios where APP Fraud and money laundering are simultaneously suspected, will inadvertently create new problems for banks.