Introduction
APP fraud is where the victim is tricked into sending money under false pretences to an account posing as a legitimate payee. Unlike other types of fraud where unauthorised access is gained, in APP fraud the victim is deceived into thinking they are making a legitimate payment, often through sophisticated social engineering tactics such as impersonation of trusted entities (e.g., banks, utility companies or government agencies).
There will be at least two PSPs involved in an APP fraud (i) the sending PSP (being the victim’s bank, acting on the victim’s instruction as its customer to transfer money); and (ii) the receiving PSP, to whom the money is transferred.
APP fraud has been on the rise in the UK in recent years; according to the UK Finance Annual Fraud Report 2024, during 2023 APP fraud losses totalled £459.7 million and a total of 232,429 cases were reported to UK Finance by financial services providers, marking a 12% increase compared to 2020.
Refresher on Philipp v. Barclays Bank2
In July 2023, the Supreme Court handed down its landmark judgment in Philipp v. Barclays Bank, in which it refused to extend the “Quincecare duty” to situations in which unequivocal instructions came directly from the (unwitting) customer (see our previous article). As a reminder, the Quincecare duty is a duty imposed on a bank to refuse to comply with a payment instruction in circumstances where the bank is on notice that the instruction may be part of a fraud.
The Supreme Court held that while banks have a strict and primary contractual duty to carry out their customers’ unequivocal authorised payment instructions and prevent the misappropriation of funds, they are not under a duty to prevent APP fraud.
The Supreme Court did, however, allow Mrs Philipp to maintain an alternative claim, based on Barclays’ alleged failure to take adequate steps after it had been alerted to the fraud. The court therefore left the door ajar for claims based on a potential duty of care on PSPs to take reasonable steps to retrieve or recover the sums paid out as a result of an APP fraud – the so-called “retrieval duty”.
Since this decision, there has been a flurry of judgments given in claims against receiving PSPs where the claimants’ cases are based on a variety of causes of actions, including the retrieval duty.
Recent case law
Retrieval duty
In March 2024, for the first time since the decision in Philipp v. Barclays Bank, the High Court revisited the issue of a PSP’s liability in the context of an APP fraud. The key issue was whether a bank owes a duty, directly to the victim of the fraud, to take reasonable steps to retrieve or recover the sums paid out as a result of an APP fraud, i.e., whether there is such a thing as a retrieval duty.3
The claim arose out of a series of payments made by the claimant to a Santander bank account, the receiving PSP. It was alleged that, unbeknown to the claimant at the time, the Santander account had been compromised by a criminal gang, who subsequently dissipated the funds.
The claimant alleged that it was deceived by the criminal gang into instructing another bank to transfer funds to Santander on a false basis. As part of its claim, the claimant issued proceedings against Santander alleging it had breached its duty to the claimant to exercise reasonable care by allowing the criminal gang to dissipate the funds and failing to prevent the accounts from being used as instruments of fraud.
Santander applied for summary dismissal of the claim. In response, the claimant issued a cross application for permission to amend its claim, alleging that (in light of the judgment in Philipp v. Barclays Bank), Santander had breached its retrieval duty.
With some hesitation, the court refused to strike out the claim and so the amended claim against Santander was allowed to continue. The court concluded that there was some uncertainty as to whether the retrieval duty could be owed by the PSP of those who have perpetrated the APP fraud, and that the claim at least carried a degree of conviction.
Santander has been given permission to appeal.
Dishonest assistance
In June 2024, the High Court considered the potential liability of a receiving PSP for dishonest assistance, as well as whether the receiving PSP owes duties (whether in contract or tort) to the victim in an APP fraud when the victim is also a customer, albeit their genuine personal account is not compromised.4
The claimant believed he was buying shares in a company. He was told by the perpetrators of the fraud that accounts at Revolut had been set up in the claimant’s own name and instructed to transfer money into those accounts. The claimant made transfers from his account with a Swiss bank to the Revolut accounts and the perpetrators quickly transferred the funds out again.
Importantly, the claimant was also a customer of Revolut although his genuine Revolut account was not involved in the APP fraud. This fact allowed the claimant to bring a claim against Revolut alleging (among other things) breach of contract and breach of duty (relying on the fact that he had a separate, genuine account with Revolut), as well as dishonest assistance. Revolut applied to strike out the claim.
The High Court allowed partial strike out of the claim, finding that there was no principled reason for imposing a contractual or tortious duty in relation to the APP fraud simply because the claimant happened also to be a Revolut customer.
However, in terms of the claim for dishonest assistance, the High Court was not prepared on a summary basis to conclude that there was “no sufficiently arguable case that a constructive trust arose on the funds transferred” to the Revolut accounts. The court considered that fuller argument would be required to resolve the question, particularly where the answer could have wider implications beyond the facts of that case, and allowed the claim to continue. Interestingly and without saying anything about the merits of the claim, the judge noted that proving the requisite dishonesty on the part of one of Revolut’s employees was “a high one, and that establishing matters that would give rise to a cause of action in negligence will not meet that burden”[para. 78].
Comments on recent case law
While the Supreme Court narrowed the Quincecare duty in Philipp v. Barclays Bank, that has not meant that APP fraud claims have disappeared. Instead, the forum has shifted to different issues, namely (i) the scope of the retrieval duty and adequacy of a PSP’s efforts to recover; and (ii) the potential liability of the receiving PSP for unjust enrichment or dishonest assistance.
The cases also serve as a reminder that the courts will not summarily dismiss a claim where the legal viability of a cause of action is unclear (perhaps because the law is in a state of transition or is developing) or is in any way sensitive to the facts (in the case of strike out).
Given the novel ways these claims were argued and the fact that they are the subject of appeal, PSPs will be closely monitoring Santander’s appeal, unless, of course, the case settles beforehand.
The decisions do, however, indicate that claims premised on such causes of action will, at the very least, survive initial strike out attempts, and will remain an area of uncertainty, and risk, for PSPs in the meantime.
Future regulation
In June 2023, the Payment Systems Regulator (PSR) introduced a new reimbursement requirement within the Faster Payments Service (FPS), aiming to “improve fraud prevention and focus firms’ efforts on protecting customers” (the FPS reimbursement requirement). The final detailed parameters of the FPS reimbursement requirement policy were released in December 2023. The new rules, which came into effect on 7 October 2024, require UK PSPs to reimburse all in-scope customers (being consumers, micro-enterprises and small charities) who fall victim to APP fraud. The cost of reimbursing victims must be split 50:50 between the sending and receiving PSP, with extra protections for vulnerable customers (for example, there is an optional £100 excess that firms can apply, but this excess cannot be applied to vulnerable consumers).
The FPS reimbursement requirement only covers payments made using the FPS. However, following publication of the FPS reimbursement requirement policy, the Bank of England announced its intention, as the operator of the CHAPS payment system, for comparable protections to be implemented for victims of APP scams perpetrated against consumers using the CHAPS payment system. The Bank of England therefore created the CHAPS reimbursement rules. The PSR issued a consultation in May 2024 to support the Bank of England in introducing the CHAPS reimbursement rules. Following that, the PSR issued a direction on 6 September 2024 – Specific Direction 21 – to introduce a reimbursement requirement in respect of the CHAPS payment system. The proposed rules are now aligned with the approach taken for FPS.
The maximum level of reimbursement to the customer under the FPS reimbursement requirement was originally set at £415,000, in line with the Financial Ombudsman maximum reimbursement limit at that time. Following a short consultation launched on 4 September 2024, the PSR decided to lower the maximum reimbursement limit from £415,000 to £85,000, in line with the Financial Services Compensation Scheme reimbursement limit. On 2 October 2024, the PSR released a policy statement on its decision to set the maximum level at £85,000, stating that it would keep the level under review and consider it as part of the PSR’s 12-month evaluation of the FPS reimbursement requirement policy.
In addition to the maximum reimbursement limit, there are a number of exceptions to the regime. In particular, it will not apply to:
- Claims made more than 13 months after the payment was sent (although PSPs can voluntarily choose to give reimbursements for later claims).
- Payments made across other payment systems (i.e., not the FPS or CHAPS).
- Payments made by card, cash or cheque.
- International payments.
- Where the customer has acted with “gross negligence” or fraudulently (gross negligence is a high bar and this exception does not apply to vulnerable consumers).
- What the PSR defines as “civil disputes” (on 23 September 2024, the PSR issued guidance to help PSPs in distinguishing between APP scams and civil disputes5).
Concluding comments
It is likely, particularly in light of the exceptions to the regime and the maximum level of reimbursement, and given the rising volume of APP frauds being perpetrated year on year, that many victims will fall outside of the new regime. Until the case law on the retrieval duty and the potential liability of receiving PSPs on the basis of unjust enrichment and dishonest assistance is clarified, those victims may continue to try to rely on such causes of action, or indeed others which we have yet to see come before the courts, when attempting to recover their lost money via litigation.
- For the purposes of this article, we are using banks and PSPs interchangeably.
- Philipp v. Barclays Bank UK plc [2023] UKSC 25.
- CCP Graduate School Ltd v. Another & Santander UK plc [2024] EWHC 581 (KB).
- Larsson v. Revolut Ltd [2024] EWHC 1287 (Ch).
- According to the PSR’s guidance, civil disputes can vary in nature but most often involve instances where: (i) a consumer has paid one or more legitimate suppliers for goods or services and has not received them and/or they are defective in some way, and (ii) there is no indication of an intent to defraud.
In-depth 2024-217