How the UK is leading the way in the fight against APP fraud


In 2023, a staggering £459.7m was lost to authorised push payment (APP) fraud.[1] This is a fraud where victims - either individuals or businesses - are tricked into sending money to accounts controlled by criminals.

Often the victim is manipulated into thinking they are making an investment, helping law enforcement, purchasing goods or services, making payments to loved ones or carrying out a business transaction. Sometimes the fraudsters will obtain personal details before carrying out the fraud; they may spoof email addresses and, in some cases, may even use sophisticated AI tools. It is as creative and prevalent as it is malicious, and even the most streetwise and savvy can be taken in.

A silver lining for victims (but perhaps not banks and other financial institutions) is that a reasonable proportion of victims are now reimbursed. Around £287m, 62% of all losses to APP fraud[2], was returned to victims in 2023. That is a big improvement; however, it still leaves many victims without redress and the consequences for them can be devastating.

The UK is using a multi-layered approach through increased regulation, the courts and government policy to tackle these faceless crimes, but legal practitioners still need to keep one step ahead.

Regulation

In recent years, the UK’s financial industry, perhaps seeing the writing on the wall following the Which? super complaint to the Payment Services Regulator (PSR) in 2016, has made progress in protecting consumers against APP fraud. The Lending Standards Board, an industry self-regulation body, introduced the Contingent Reimbursement Model (CRM) in 2019. This is a voluntary code which a significant proportion of the UK's retail banks - particularly the larger financial institutions - have signed up to. It sets out good industry practice on helping customers to protect themselves from APP fraud and, crucially for victims, signatory banks agree to reimburse customers unless they have ignored warnings or been grossly negligent.

The next stage of regulatory protection will be the introduction of a new mandatory reimbursement scheme by the PSR on 7 October 2024. However, unlike the CRM, it covers only a single payment system - the Faster Payments System (FPS).

In practice, it will mean that consumers, micro businesses and smaller charities should be reimbursed up to a maximum of £415k per claim if they fall victim to APP fraud by paying fraudsters using the FPS. To incentivise both the paying and recipient banks to protect consumers, the cost of reimbursement will be split 50/50 between the sending and recipient banks. As with the CRM, there are some exceptions although they appear to be narrowly framed. In this case, the banks may be able to avoid reimbursement if the customer fails to comply with the "customer standard of caution" through their own gross negligence.

The test for "gross negligence" here is showing a significant degree of carelessness in, for instance, failing to have regard to interventions by the bank, promptly report the fraud to the PSP and then the police, and share information. However, PSPs are not permitted to rely on this exception where they assess the customer to be vulnerable. We will need to see how PSPs approach this in practice and it could be an area which generates disputes.

Perhaps understandably, some concern has been expressed by small PSPs and electronic money institutions (EMIs) that the scheme may negatively impact their profitability, therefore undermining competition in the sector. Indeed, on 11 July 2024, the Payments Association shared a letter to the new Economic Secretary to the Treasury and City Minister, Tulip Siddiq, expressing similar concerns[3]. However, the PSR is keen for these regulations to come into force without delay and the new government seems likely to favour consumer protection over PSP and EMIs' commercial interests.

The courts

The courts have also been grappling with the problem of APP fraud in a series of recent High Court cases. Since the Supreme Court's decision in Philipp v Barclays Bank UK plc[4], which resisted the extension of a duty of care for banks in cases of APP fraud, attempts have been made to create alternative inroads for recovery of losses. Notably, those attentions have focussed on receiving PSPs.

In April 2024 Revolut Limited (Revolut) (an EMI) applied for summary judgment and/or strike out of a claim made by the claimant (Mr Larsson). Mr Larsson was a customer of Revolut and had fallen victim to an APP fraud. He made five payments by way of bank transfer from his UBS bank account, to separate Revolut accounts held by fraudsters. Separately, Mr Larsson held his own account with Revolut which was not involved with the scam. Mr Larsson argued that even if banks receiving the funds on behalf of customers did not owe a duty of care to third party victims of fraud, they did owe a duty of care to customers who held an account with the bank (even where that account had no involvement with the fraud).

The Court disagreed and struck out the claims relating to duty of care. Mr Justice Zacaroli took the view that it should be for Parliament and regulators to consider the appropriate policy response, and not the courts:

"...to impose a duty on a bank to take reasonable care to protect third parties who make payments to an account of one of its customers from that customer's fraud, would be to cross the line between the proper role of the courts, and the role of the legislator and regulator."[5]

On 12 June 2024, Revolut was involved in another similar case in the High Court (Terna Energy Trading doo v Revolut Ltd)[6]. In this case, a company brought an unjust enrichment claim against Revolut. As a result of an APP fraud, the claimant had instructed its bank to make a payment to an account held with Revolut and the funds were immediately dissipated. Revolut applied for reverse summary judgment and/or strike out of the claim.

This time, the court refused the application and held that whether or not one looked at this as a case of agency (i.e. the EMI being the agent for the company) or as a series of co-ordinated transactions as between the company, the EMI and the bank, either way, it involves an enrichment of the applicant at the expense of the respondent thereby satisfying the legal test for unjust enrichment (subject to the question of "unjustness" and potential defences which would have to be determined at trial).

What next? Government policy?

As the courts have made clear (as expressed by Mr Justice Zacaroli), despite novel legal arguments, there is only so far that they can go in holding payment institutions to account. It is likely to be regulatory and government policy that delivers any major future change. One candidate might be an expansion of the PSR reimbursement scheme, perhaps to CHAPS or other payment systems.

Details were also recently leaked of Labour's draft plans to force tech companies to reimburse victims of online fraud.[7] The draft proposals allegedly also consider other measures such as statutory implementation of the "Online Fraud Charter" (which is currently a voluntary agreement between the government and the technology sector to reduce fraud on their platforms and services),[8] and potential expansion of the Economic Crime Act.

There is little sign of these proposals in the new government's initial policy agenda and it remains to be seen whether they are put into action. Either way, the UK is certainly taking robust steps to challenge the fraudsters, with the aim of obtaining compensation for their victims, and ultimately preventing these damaging crimes from occurring in the first place. However, legal practitioners will increasingly need to think of innovative and creative legal arguments when considering how to frame what their client's course of action is and against whom to bring a claim.

This article was first published in Expert Witness Journal.


References
