Is anyone safe from APP fraud?

A few months have passed since the Supreme Court handed down its judgment in Philipp v Barclays Bank UK PLC [2023] UKSC 25 (“Philipp v Barclays”). In this case, the claimant transferred £700,000 from her Barclays current account to two bank accounts in the UAE. Attempts were made to recall the funds but this was unsuccessful. Mrs Philipp then proceeded to sue Barclays, claiming that they owed her a duty to observe reasonable care and skill in and about executing her instructions, and that this duty required Barclays to refrain from executing her payment instructions if and for so long as it had reasonable grounds for believing that the instructions were an attempt to misappropriate funds from Mrs Philipp.

Mrs Philipp alleged that Barclays acted in breach of the duty known as ‘the Quincecare duty’ (following the decision of Steyn J in Barclays Bank plc v Quincecare Ltd [1992] 4 All ER 363) and that it should apply in this case where there has been authorised push payment fraud (“APP fraud”).

The UK Supreme Court confirmed that the Quincecare duty banks owe its customers is limited and did not apply in Mrs Philipp’s case. The Court also acknowledged the growing hardship that is being caused to victims of APP fraud but noted that the reimbursement of victims is ultimately a question for Parliament to consider.

This leads me to consider: how will the regulator respond and implement the changes needed to provide the further protections and relief that many victims of Authorised Push Payment (APP) fraud need?

At EMM, we have been approached by victims of APP fraud, who would be considered vulnerable customers and have transferred their life savings and pensions to fraudsters. However, this shouldn’t be surprising to anyone reading this article.

More recently, EMM’s Partner Tamlyn Edmonds spoke with the BBC[1] regarding the psychological techniques used by fraudsters, the impact fraud has on victims and that more is needed to be done against fraud as “most frauds go underreported and [of] those that are reported, only a tiny fraction are investigated so there’s no deterrent effect.”[2]

One of the most recent APP frauds reported in the press highlights this exact issue. Kent Brushes was a victim of an APP scam where the fraudsters proceeded to steal £1.6m, via dozens of fraudulent transactions, in less than 20 minutes.[3] The business hasn’t had its money refunded by the bank and, despite reporting the matter to Action Fraud, the matter was closed by them.

As reported by UK Finance in their 2023 Half Year Fraud Update:

  • “Criminals stole £580 million through unauthorised and authorised fraud in the first half of 2023, a two per cent decrease compared with the same period in 2022 [this amounts to 116,000 people reported falling victim to APP fraud.
  • Banks prevented a further £651 million of unauthorised fraud from being stolen through advanced security systems.
  • 77 per cent of APP fraud started online and another 17 per cent started through telecommunications networks.

Ben Donaldson, Managing Director of Economic Crime at UK Finance, said:

In the first six months of this year ruthless criminals had already stolen more than half a billion pounds from victims through fraud. In addition to the financial losses, these crimes often involve callous manipulation of the victim which can cause psychological and emotional harm. As the UK Finance report shows, criminals are increasingly using social media, online platforms, texts, phone calls and emails to deceive victims into giving up their personal details and their money.”[4]

Recent statistics from Barclays indicate that:[5]

  • Eight in 10 Britons (76%) feel unsafe on social media due to scammers operating on these platforms; and
  • Tech platforms are the source of 87 per cent of all scams.

Tech companies or platforms entering into the financial services sector have been supported by the Financial Conduct Authority’s Innovation Hub. The Innovation Hub supports financial services firms to launch innovative products and services through testing the products/service in the market with real consumers, help with understanding how FCA regulation relates to the innovative proportion, or access to data to test/develop technology solutions.

However, in reality banks are subject to a more regulated environment than tech companies and are under a duty, albeit in limited circumstances, to refrain from authorising payments where there are reasonable grounds for believing that the payment instruction is an attempt to defraud their customer (as confirmed in Philipp v Barclays).

The Payment Systems Regulator (“PSR”), who regulate operators of payment systems, payment system providers and infrastructure providers, published a policy statement in June 2023 where it confirmed that it was introducing a new reimbursement requirement due to come into force in 2024. The changes introduce consistent minimum standards to reimburse victims of APP fraud and will:

  • Require payment firms to reimburse all in-scope customers who fall victim to APP fraud in most cases including Faster Payments sent and received by Payment Service Providers;
  • Share the cost of reimbursing victims 50:50 between sending and receiving payment firms
  • Provide additional protections for vulnerable customers

It is important to note that there will be payments that are out of scope of these regulations. This includes where a victim transfers funds to their account at a crypto exchange and then transfers cryptocurrency onto the fraudster.

The use of tech platforms and diverting funds to a tech platform (such as digital investment platform) is currently out of scope of the PSR’s reimbursement model. This is somewhat surprising considering that most of these frauds occur as a result of scams promoted by social media platforms or cold calls directly from the fraudsters themselves. Some may say this is a missed opportunity and an opportunity that has left social media platforms and telecommunication companies off the hook when it comes to taking responsibility for the financial impact they have on victims of APP fraud.

More recently, the PSR published its first APP scams performance report which shows how well banks and other payment firms performed in tackling APP fraud. The data published covers 95% of payments made via Faster Payments in the UK, by value and volume and allows consumers to see the full extent of how their banks have performed in tackling APP fraud and how they have treated their customers where they have fallen victim of this crime.[6] An example of the data collected by the PSR is shown in the diagram below:

The PSR noted in their report that there had been considerable progress in improving reimbursement for victims and that the introduction of The Contingent Reimbursement Model (CRM) code in 2019 has established good industry practice in preventing APP fraud and responding to its growth. As part of the Code, members who have voluntarily signed up reimburse victims of APP fraud, but there are still varying degrees of reimbursement rates amongst members.

It is also worth adding that the Financial Conduct Authority (“FCA”) has been focusing its efforts on slowing the growth of APP fraud as well as delivering the Government’s Fraud Strategy that was published earlier this year. To support this strategy, the FCA recently published their findings following a multi-firm review into anti-fraud controls including APP fraud and complaint handling in banks, building societies and other businesses that provide payment accounts.[7] The review found that although there were examples of effective control frameworks and good practice, there was insufficient focus on customer impact and treatment which included taking too long to respond to customers’ complaints, management information focussing on commercial risks rather than on the customers and decision letters regarding reimbursement being unclear or on occasion including accusatory language.

How can we avoid falling victim to APP fraud?

Sadly, APP fraud isn’t going anywhere and everyday consumers find themselves victims of fraud at the hands of organised and sophisticated criminals. Below is a list of some signs that you may be being targeted by fraudsters: 

  • If the offer to transfer money is time sensitive e.g. ‘you only have 2 hours to send us the funds before the offer ends.’
  • If you have been contacted out of the blue by someone you don’t know – this could be a phone call but also a text, on social media, over email or even in person.
  • If you receive a call from HMRC, your bank or the police out of the blue saying that you owe money or are owed money by them or there is an urgent issue that you need to rectify, including potential criminal charges against you that can be dealt with if payment is made, then you should ask them to send you a letter to the address they have for you.
  • If what you are being offered sounds too good to be true, then it probably is.

Sometimes, and as previously mentioned, banks will reimburse victims of APP fraud. However, this isn’t always the case as experienced by Mrs Philipp and Kent Brushes. It is also not something that the police/Action Fraud seem to be prosecuting. Those who are turned away by the police should know that there is a constitutional right to bring a private prosecution against these fraudsters and recover assets where identifiable.

By Natalie Tenorio-Bernal

[1] BBC File on 4 – The Anatomy of Fraud

[2] BBC article titled ‘Kent push payment scam victim hits out at fraudsters’

[3] BBC article titled ‘My business had £1.6m stolen in 20 minutes’

[4] UK Finance press release.

[5] Barclays press release

[6] PSR APP fraud performance data

[7] FCA’s multi-firm review – Anti-fraud controls and complaint handling in firms (with a focus on APP Fraud)