By Robin Henry, Partner and Jonny Mitchell, Senior Associate, Collyer Bristow LLP
Authorised Push Payment (APP) fraud occurs when a victim is tricked into sending instructions to a bank to transfer funds to an account controlled by a fraudster. This type of fraud has increasingly become a concern for both payment-service providers, such as banks, and individuals. Each year, thousands of individuals and businesses fall victim to fraud, with £355 million lost in the first half of 20211Payment Systems Regulator: “APP Scams: Our work to prevent Authorised Push Payment (APP) fraud,” November 2021. .
In an attempt to reduce the occurrence of APP fraud, the Payment Systems Regulator of the United Kingdom introduced the Contingent Reimbursement Model (CRM) voluntary code in May 2019. The CRM code aims to reduce both the occurrence and impact of APP fraud by providing standards for the confirmation of payees and ensuring that, should people still fall victim to APP fraud, they are reimbursed. However, the CRM code has significant limitations in its scope; a payment-service provider must sign up to the code, and it only applies to domestic payments by individuals, microbusinesses with less than 10 employees and small charities.
Many victims will, therefore, not be able to obtain reimbursement under the CRM code, either because the payment was made to an overseas account or because they are a corporate entity. Victims of APP fraud may wonder if they instead have a potential claim against their banks for executing the payment instructions and failing to stop them from being defrauded. This was considered in an important recent Court of Appeal decision.
Background: Philipp v Barclays UK PLC 2Philipp v Barclays Bank UK PLC, March 14, 2022, England and Wales Court of Appeals (Civil Division),  EWCA Civ 318.
Dr. and Mrs. Philipp had been the victims of APP fraud, whereby the fraudsters convinced them that they were assisting an internal FCA (Financial Conduct Authority) and NCA (National Crime Agency) investigation. The Philipps appear to have been completely under the spell of the fraudsters, to the extent that they lied to Barclays regarding the purpose of the two transactions through which they had instructed Barclays to transfer £700,000, amounting to the majority of Dr. Philipp’s investments, to an account in the United Arab Emirates (UAE). The Philipps were under the impression the UAE account was a protected FCA account, and unfortunately, once they realised they had been the victims of fraud, the funds were irretrievable. Therefore, Mrs. Philipp brought a claim against Barclays, asserting that the bank had breached its duty of care to Mrs. Philipp to help prevent her from falling victim to fraud by, for example, not having adequate policies in place to prevent APP fraud. Barclays subsequently applied for summary judgment on the basis that the bank did not have a duty of care in this situation, as the instructions given by Mrs. Philipp were genuine (in the sense that it was genuinely the customer, Mrs. Philipp, giving the instructions), even though the instructions were the result of the Philipps’ having been tricked by fraudsters.
Court of Appeal rules that the Quincecare duty may apply to APP fraud
It is established that banks can owe a duty of care to customers to help prevent fraud (known as the Quincecare duty), but exactly when and to whom this duty will be owed is still being worked out by the case law.
The Quincecare duty was named after the decision in Barclays Bank PLC v Quincecare Ltd3Barclays Bank PLC v Quincecare Ltd, February 24, 1988, High Court of Justice of England and Wales,  4 All ER 363.. In this case, Barclays agreed to lend Quincecare Ltd £400,000 to purchase chemist shops. The chairman of the company—acting as an authorised signatory for the company—then instructed Barclays to transfer £344,000 to an account in the United States, from which the chairman then misappropriated the funds. In the ruling, the trial judge, Steyn J, held that a bank had a duty to refrain from executing an order and make further enquiries in situations in which an ordinary, prudent banker would make an inquiry as a result of there being reasonable grounds for believing that the order was an attempt to misappropriate funds from the client.
In the initial High Court summary judgment in Philipp v Barclays UK PLC, HH Judge Russen QC held that, based on the existing case law, this duty extended only to cases in which the bank was instructed by an agent of the customer (for example, where a company was defrauded as a result of payment instructions received by the bank from a director of that company, as was the case in Barclays v Quincecare Ltd). The judge considered that extending the duty to APP fraud, where the bank had received genuine instructions from the customer, would be an “unprincipled and impermissible extension of the Quincecare duty”.
However, on appeal in April, Lord Justice Birss clarified that the existence of fraud by an agent of the customer was not a determinative requirement for the Quincecare duty to apply and that it was possible that the duty of care could pertain to a case of APP fraud. Lord Birss clarified that the main aspects of the Quincecare duty were:
- That the bank is an agent for the customer;
- That any bank that executes an instruction when it knows it is an attempt to misappropriate funds will be held liable; and
- That the key question in relation to APP fraud is what lesser state of knowledge would put the bank on inquiry and trigger the duty of care when the instructions themselves are genuine.
In the High Court, HH Judge Russen QC held that to impose a duty of care in this situation would be unduly onerous. Whilst the Court of Appeal’s judgment emphasised that this was a matter of fact and, therefore, should be reserved for trial, it was noted that banking practices at the time of the fraud in March 2018 were such that the risk of APP fraud was well understood, and the Payment Systems Regulator had finished its consultation on the CRM code to address APP fraud. In addition, the existence of the CRM code (even though the code does not apply to international payments such as those in this case) lent force to the argument that it would not be too severe a duty to impose upon banks to have internal policies in place to combat APP fraud.
This ruling is an important reminder to banks of the need to continue to develop safeguarding measures to protect their customers against APP fraud. The Court of Appeal’s judgment opens the possibility that a bank may be liable for executing genuine instructions received from a customer. This is a potentially very significant extension of the Quincecare duty, and it is likely to require a number of further cases (in particular, the full High Court trial of this matter, if it goes ahead) before we know more about the exact scope of this duty and what it requires a bank to do. In the meantime, by implementing safeguarding measures, banks can help limit their potential liability for their customers’ actions.
Individuals should be aware that despite developments, such as the CRM code, providing recourse in certain situations, international payment fraud continues to present substantial risks that funds may not be recoverable. This case highlights the possibility that, in certain circumstances, individuals who have fallen victim to APP fraud may be able to recover their funds by making claims against their banks in the courts.
1 Payment Systems Regulator: “APP Scams: Our work to prevent Authorised Push Payment (APP) fraud,” November 2021.
2 Philipp v Barclays Bank UK PLC, March 14, 2022, England and Wales Court of Appeals (Civil Division),  EWCA Civ 318.
3 Barclays Bank PLC v Quincecare Ltd, February 24, 1988, High Court of Justice of England and Wales,  4 All ER 363.