Authorised push payment frauds in England: are receiving banks in the line of fire?

Published on 13th Jun 2024

Two recent English High Court judgments have focused attention on the role of receiving banks where a customer of a paying bank has been scammed

An APP fraud occurs when a fraudster tricks the payer into instructing their bank (or payment service provider, PSP) to send money from their account to an account controlled by the fraudster. From the paying PSP's perspective, the payment is "legitimate": it was authorised by the customer, whether in person, by use of passwords, two-factor authentication or otherwise. However, in making the payment, the customer has been scammed.

We previously reported on the Supreme Court judgment in Philipp v Barclays Bank UK plc, where it was held that the so-called Quincecare duty arises only where the payment has not been authorised by the customer and not where the customer has been duped into authorising the payment.

Quincecare duty – effect on receiving bank?

The Quincecare duty of care has traditionally been interpreted as requiring PSPs to refrain from executing a payment instruction from a customer if they have reasonable grounds to believe that the instruction arises from a fraud.

This created an inherent tension between the PSP's duty to execute the customer's instructions and the Quincecare duty not to act on those instructions in certain circumstances. That tension was largely resolved by the Philipp decision for the customer's own PSP. But what of the PSP which receives the payment (often, into the account of the fraudster(s))? Could the paying customer seek redress against the receiving PSP (or further PSPs into which payments are transferred) instead?

That was the issue looked at in two recent High Court decisions: Larsson v Revolut Ltd and CCP Graduate School v NatWest.

Larsson v Revolut Ltd

The novel issue in this case was whether the receiving PSP owes a duty of care to the payer in an APP fraud situation. Perhaps unsurprisingly, the judge held not – and it made no difference if (as was the case here) the customer also happens to be a customer of the receiving PSP (where the payment was made from the customer's account held at another bank).

Most case law on a PSP's duties to its customer relates to the duties of a paying bank. Not only is no duty owed where the customer authorises the PSP to make a payment, there is also no duty owed by the paying bank to a third party which is not a customer (even where the PSP knows that the third party has an interest, for example as the beneficial owner of funds). As the judge put it: "Given the acceptance that no duty of care is owed generally to a third party payer, I can see no principled reason for imposing a duty simply because P [the defrauded customer] happens also to be a customer of the Bank".

CCP Graduate School v NatWest

In this case, the customer victim of an APP fraud sought to claim against both its own PSP and the receiving PSP. In light of the Philipp decision, the Quincecare claim against the paying PSP was summarily dismissed.

In relation to the receiving PSP, the judge accepted that no Quincecare duty was owed by it to the victim and that such a duty would be inconsistent with the contractual duty owed by the receiving PSP to carry out any mandate given to it by its own customer.

However, a further argument was run based on comments made in the Philipp case, to the effect that "a duty of retrieval" might arise in some circumstances.

The judge noted that "the evidence produced in this application at the very least hints at there already being in place a system for retrieval and that any such system might be presumed to be capable of operating without difficulty". This system of retrieval effectively acts as a chain of indemnities from paying to receiving PSPs, until funds are located and frozen.

As a result, he felt unable to strike out, at this stage, the argument that such a duty might arise.

Osborne Clarke comment

As we have discussed in an earlier Insight, the Payment Systems Regulator has previously announced a reimbursement requirement for APP fraud within the Faster Payments Service system and is currently consulting on similar proposals for payments via CHAPS.

Broadly, this will require payment firms to reimburse all in-scope customers (consumers, microenterprises and charities) who fall victim to APP fraud in most cases, share the cost of reimbursing victims 50-50 between sending and receiving payment firms, and provide additional protections for vulnerable customers.

This new requirement will come into force in October 2024. In the meantime, receiving banks seem to be the new target for the victims of APP frauds. Although the Revolut case will give them some comfort, it may be relevant that that decision was in the context of a payment from an overseas bank, where the confirmation of payee name-checking service does not apply, rather than from a domestic bank, where it does.

It also remains to be seen whether the duty of retrieval will lead to the imposition of liability in some cases.

* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
