APP Fraud: Is a Bank its Customer’s Keeper?

Gitau Githinji

“Am I my brother’s keeper?” asked Cain of the Lord when questioned about the whereabouts of his murdered brother, Abel (Genesis 4:9). Is a bank allowed to get away with the same abdication of responsibility when asked by its customer “why did you not make sure I was safe from the designs of evil people on the money which I had entrusted to you for safekeeping?” In other words, do banks owe their customers a duty of care?


In a time of financial difficulty, the situations in which the question arises are all too familiar.  Consider two unexceptional examples:


  1. A fraudster purporting to be a conduit to a highly lucrative speculative investment opportunity persuades Mrs Laura Birkinshaw of Beverley, East Yorkshire, to part with £200,000 – her entire life savings – in the mistaken belief that by so doing she will quadruple the size of the inheritance she has planned to leave her grandchildren.
  2. Miss Akanksha Patel of Stoke Newington, London, is hoodwinked into paying £500 for a new generation Apple mobile phone by a fraudster who convinces her that she has been randomly selected to receive the newly launched phone at a deeply discounted price.


Both of the above scenarios are examples of Authorised Push Payment (APP) fraud. The first is known as “malicious redirection”, whereby a fraudster impersonating a person whom the customer trusts (for example, a bank employee) gets the customer to transfer funds out of their bank account and into the fraudster’s bank account. The second is called “malicious payee”, which involves conning someone into buying goods which do not exist or are never received.


APP fraud is a massive problem globally.  UK Finance, in its 2023 half year update, observed that APP scams amounted to losses of more than half a billion pounds.  It is such a pernicious and prevalent crime that 40% of recorded crime in the UK is now fraud.  Fraud blights people’s lives and its effects are very far-reaching.  Access to a victim’s bank account is the holy grail for fraudsters: the bigger the balance on an accessible account, the better for the criminal.


What, then, is the extent of a bank’s duty of care when executing client instructions? This has been described judicially as the Quincecare duty (established in Barclays Bank v Quincecare [1992] 4 All ER 363). It prohibits a bank from executing a payment instruction given by the agent of a customer where the bank has reasonable grounds for believing that such instructions were intended to defraud the customer. The bank is said to be “put on inquiry.” This means that the bank is obliged to take action to ascertain whether the instruction it has received was validly authorised by the customer before making payment and debiting the customer’s account.


The leading case on Quincecare, which sets out the limits of a bank’s duty, is Philipp v Barclays Bank UK plc [2023] UKSC 25. Here, the facts did not concern an agent, but an account holder acting directly. In that case, a lady was deceived by criminals into instructing Barclays Bank to transfer £700,000 from her current account with Barclays to a bank account in the United Arab Emirates. Mrs Philipp argued that Barclays Bank was responsible for her loss because it owed her a duty not to carry out her payment instructions if the bank had reasonable grounds for believing that she was being defrauded. Following the Quincecare argument, Mrs Philipp believed that the bank had been “put on inquiry” and should not, therefore, have carried out her instructions. Barclays, however, disagreed on the basis that as a matter of law it did not owe Mrs Philipp the alleged duty.


The case went all the way up to the Supreme Court, but Mrs Philipp was ultimately unsuccessful. The Supreme Court justices found that Barclays did not owe a duty of care to Mrs Philipp and that to find otherwise would be inconsistent with first principles of banking law.


The court was of the view that express terms could be agreed between a bank and its customer that the bank must not act on the customer’s instructions where it has reasonable grounds for believing that the customer has been tricked by a malicious third party, but no such express terms existed in the contract between Mrs Philipp and Barclays.


Lord Leggatt stated as follows:


“It is a basic duty of a bank under its contract with a customer who has a current account in credit to make payments from the current account in compliance with the customer’s instructions. This duty is strict.  Where the customer has authorised and instructed the bank to make a payment, the bank must carry out the instruction promptly. It is not for the bank to concern itself with the wisdom or risks of its customer’s payment decisions…. In the absence of an express term, no obligation of this kind can be implied or said to be inherent in the relationship between a bank and a customer.  To the contrary, such an obligation would be inconsistent with the normal contractual basis on which banking transactions are conducted.”


There are very few cases in the English courts where the Quincecare duty has been found to have been breached. Factors which are considered helpful in “putting a bank on inquiry” have included:


  • inconsistency between the instruction and the customer’s transaction history or business; 
  • non-compliance with the bank’s usual process for verifying instructions;
  • the magnitude of the transaction compared to the customer’s financial circumstances; and
  • suspicious contractual arrangements.


All is not lost for APP fraud victims because, besides going to court, there are alternative methods of redress available.


First, there is a voluntary code into which banks can opt, called the Contingent Reimbursement Model Code of Practice developed by the Lending Standards Board, to which the majority of UK banks have signed up.  Banks which are committed to the code agree to reimburse victims of APP fraud for their losses.


Firms which have signed the Contingent Reimbursement Model Code of Practice commit to:


  1. protecting their customers with procedures to detect, prevent and respond to APP scams, providing a greater level of protection for customers considered to be vulnerable to this type of fraud;
  2. greater prevention of accounts being used to launder the proceeds of APP scams, including procedures to prevent, detect and respond to the receipt of funds from this type of fraud; and
  3. reimbursing customers who are not to blame for the success of a scam.


Secondly, and significantly, the Financial Conduct Authority takes APP fraud and financial crime extremely seriously and has recently published guidance for firms: Anti-fraud controls and complaint handling in firms (with a focus on APP Fraud). In it, the FCA emphasises the importance of firms putting the needs of their customers first and helping them understand what fraud is and how to identify it. This is all part of the FCA’s requirement that firms should deliver consistently good outcomes for their customers.


Finally, there is legislation soon to come into force in this area which will be of assistance. Section 72 of the Financial Services and Markets Act 2023 (FSMA 2023) provides for a mandatory scheme of reimbursement. Payment services providers must reimburse victims of APP fraud “where the payment order is executed subsequent to fraud or dishonesty.”


The Payment Systems Regulator (PSR) will be responsible for implementing the mandatory scheme and it published a policy statement in December 2023 (PS23/4) setting out its final decision on fighting APP scams.  A new reimbursement requirement will result in most of the money lost to APP scams being refunded to customers (the maximum level of reimbursement will be initially set at £415,000).


A problem remains which has not been addressed by the proposed legislative scheme: payments abroad (such as those made by Mrs Philipp in Philipp v Barclays Bank).  The proposals published by the PSR state that international payments will not be a “qualifying case” under section 72 of the FSMA 2023.  Thus, where a fraudulent payment is made outside the UK, the payment service provider will not be obliged to reimburse its customer and customers will not be empowered to enforce the reimbursement of international payments by banks.  This is a clear lacuna in the law which will need to be considered in the fullness of time – perhaps by a new parliament after the General Election later this year.


Unfortunately, the fraudsters are not about to go away any time soon and people – particularly vulnerable ones (think of a grandmother surviving on a limited pension or a disabled person with limited financial means) – continue to fall victim virtually every hour of every day. The good news is that, mercifully, the law is not turning a blind eye to this evil and Mrs Birkinshaw and Miss Patel should soon be able to sleep a little more easily.


Unlike Cain, it seems that the bank is indeed its customer’s keeper.