‘Where the customer has authorised and instructed the bank to make a payment, the bank must carry out the instruction promptly. It is not for the bank to concern itself with the wisdom or risks of its customer’s payment decisions.’

Does this principle apply even where a bank’s customer made the instructions but was the victim of Authorised Push Payment (“APP”) fraud?

The Supreme Court (the “UKSC”) has confirmed that it does, in its judgment in the appeal in Philipp v Barclays Bank UK Plc [2023] UKSC 25. The UKSC acknowledged the growing social problem of APP fraud and its hardship on victims but held in favour of Barclays Bank (the “Bank”).

The Bank had not been under a duty to refuse to execute the clear instructions made by Mrs Philipp, even if those instructions were made whilst she was unknowingly a victim of APP fraud. The UKSC confirmed that the principles derived from the case of Quincecare (under which a bank must refrain from carrying out instructions where it has reasonable grounds to suspect that the instructions may be an attempt to misappropriate the customer’s funds) could not assist where the instructions given to the bank were clear. A full article on this judgment and its implications will soon be posted on our website.

The judgment, whilst unwelcome for Mrs Philipp and other victims of similar APP frauds, will no doubt come as a relief to financial institutions and Payment Service Providers (“PSPs”) who may have faced a slew of Quincecare-style breach of duty claims in relation to transactions and payments otherwise procured through fraud following the Court of Appeal’s decision.

This case demonstrates the hardship to APP fraud victims; this type of fraud is one of the fastest-growing in recent years. The question which arises is whether victims should be left to bear the losses themselves, or whether losses should be redistributed by requiring banks, which have made or received the payments on behalf of customers, to reimburse victims. The UKSC emphasised this was a question of social policy for regulators, government, and ultimately, for Parliament to consider, stating it was ‘not the role of the courts to make rules of this kind.’

If the law cannot help APP victims, then what could happen next? Below is a summary of the regulatory issues and developments highlighted by the UKSC:

  • The Payment Services Regulations (“PSR”) do not offer any means of redress for a victim of APP fraud, as they do not provide for reimbursement of any payments which the payer has authorised. The essence of APP fraud is gaining the confidence and trust of victims so that it looks to the bank or PSP that the instruction coming from the customer is legitimate. The UKSC noted the PSR, in particular Regulation 90(1), has been perceived as containing an obstacle to the imposition of a regulatory obligation on payment service providers to reimburse customers.

  • The Consumers’ Association made a complaint to the Payment Systems Regulator in 2016 about the lack of protection for consumers against harm caused by APP fraud. It was argued that banks could take more steps to reduce the risks of APP fraud, and that placing liability on banks to reimburse would incentivise them to take measures. The UKSC acknowledged there had been developments to address this point, notably the Contingent Reimbursement Model Code (“CRMC”). However, the existing 2019 CRMC, designed to provide consumers with some protections against APP frauds, is voluntary, and there are only around 10 industry participants. It is notable that the CRMC does not extend to cover international payments.

  • Does the Financial Services and Markets Act 2023 (“FSMA”) help? The Act received Royal Assent in June 2023. The UKSC acknowledged s.72 of the FSMA is designed to provide reimbursement protections to victims of APP fraud by imposing a 50:50 compensation split between banks who send and receive fraudulent payments. The Payment Systems Regulator is currently setting out how these mandatory payments will work in practice. However, this will only cover certain consumers, charities and “micro-enterprises”. Most larger businesses will remain unprotected. It is not proposed that the regulatory obligations arising under the scheme will be directly enforceable by bank customers.

APP fraud is pervasive, with an estimated 40% of all known frauds over the past 12 months taking the form of APP fraud. This amounts to an estimated £480m in stolen funds according to UK Finance’s Annual Fraud Report for 2023. It seems more work is required by regulators and policy-makers to ensure that businesses are offered protections against APP fraud attacks, as the current proposals will not provide comprehensive cover. One of the striking features of many of the significant APP frauds is the international nature of the initial and subsequent payments made to place, layer and then reintegrate the stolen funds into apparently legitimate assets and accounts. An international policy effort is going to be required to truly make an impression against APP fraud.