Authorised push payment fraud

Answer

Authorised push payment (APP) frauds occur when a victim voluntarily sends money to a scammer because they’ve been deceived as to either the account they’re sending the money to or the purpose behind the transfer. This is a huge problem, causing total losses of more than £485 million in the UK past year.

Fraudsters are employing increasingly sophisticated techniques to intercept and divert legitimate transactions. A typical method is for fraudsters to hack into a company's systems and monitor the invoices it raises. Once they select a target transaction, they’ll either intercept the invoice before it reaches the intended paying party and amend the bank details on it or, after the invoice arrives with the payer, they’ll impersonate the payee and direct payment into a different account: their own or a selected 'mule'. In either situation, the victim ends up transferring money to an account controlled by the fraudster under false pretences.

This is obviously a crime. Sadly, a very large proportion of it goes unsolved. Although reporting it to Action Fraud is important, it won’t directly help the victim recover their money. Individuals are protected to a degree by the Contingent Reimbursement Model (if the relevant bank has signed up to it) but this, and its future replacement (the planned reimbursement requirements set by the Payment Systems Regulator), don’t apply to businesses above a very low size threshold (micro-enterprises with fewer than 10 employees and an annual turnover not exceeding €2 million). Any other affected business wanting to recover its money must take matters into its own hands.

APP fraud is endemic and often carried out in a sophisticated manner by large-scale criminal organisations. Businesses shouldn’t be ashamed to admit that they’ve been scammed and should at the very least begin the process described below.

1. The ideal outcome

The best possible outcome for a victim is when they quickly realise that they’ve been defrauded, and contact their own and the recipient bank. Once the banks have been alerted to the fraud, they should either halt the transaction or freeze the recipient account. Instructing a law firm to contact the recipient bank can be helpful as it may lead to the bank taking the report seriously and acting more promptly. In any event, time is of the essence. The only way to recover the money at this stage is for the bank to freeze the account before the fraudsters can transfer it out. Regrettably, this doesn’t always happen, which may be due to delays on the part of either the victim or the bank. Once the funds are gone, the victim should discuss the next steps with their lawyers: either accept the loss or look for targets for legal action.

2. Pursuing the fraudsters

From a legal point of view, there are a number of claims that can be brought against fraudsters and their associates. Depending on the precise involvement of the individuals or organisations identified, causes of action such as deceit, unlawful means conspiracy and knowing receipt might be available. This is an instinctively popular route to go down because it pursues the party ultimately responsible for the fraud and ensures that they can’t get away scot-free.

The problems arise from a lack of evidence and enforcement. Firstly, at the outset, a victim will only know basic bank details of the recipient account. This isn’t enough for effective action. The victim is reliant on the recipient bank providing detailed information about both the account holder and any onward transfers of the funds.

In certain cases, banks will provide this (or at least some) information on request. This is a key benefit of instructing lawyers at the outset, as they’ll make targeted requests for information of the bank at the earliest possible stage. Other banks have blanket policies of refusing to give up information unless compelled to by a court order. One option for the victim is to apply for a Norwich Pharmacal Order (NPO). This is an order against a third party that’s innocent but nevertheless mixed up in wrongdoing for them to provide information in order for the applicant to pursue another party responsible for the wrongdoing: in this case, the fraudster. This can be an expensive process if the bank contests it and these costs should be carefully weighed against the expected benefit. Furthermore, information obtained under an NPO can be used only for the express purpose it’s sought. This isn’t an issue at this stage but can be problematic if it reveals an unexpected alternative target.

This information, however gained, should identify individuals who’ve received the funds. If action is taken quickly enough then the court can freeze the assets (eg, equity in a house) of identified wrongdoers and the victim will ultimately be compensated. Unfortunately, as has been well-publicised, the recipient account is often a 'mule' who’s also been duped and is therefore not an available target. Instead, the money is frequently removed from the jurisdiction leaving no meaningful assets against which to enforce a judgment or order.  

3. Liability of the paying bank

If the fraudster isn’t an attractive or realistic target because of these considerations, there are still two other parties to the transaction: the banks. They can be attractive because the key obstacles of identity and lack of assets that cause problems with fraudsters don’t apply. The identity of the involved banks will be obvious and a bank will, by virtue simply of being a bank, have assets that can be pursued.

It's possible to sue one's own bank on the basis that it allowed a transaction to proceed in circumstances where it should’ve realised that the transaction may be a fraud on its customer. A bank's duty to prevent such transactions is known as the Quincecare duty after the case of Barclays Bank plc v Quincecare Limited [1992] 4 All ER 363. Much of the Quincecare caselaw is concerned with situations in which the bank's customer, a company, fell victim to a fraud perpetrated by its own senior management. As such, the payments made out of the company's accounts weren’t validly authorised by the company and therefore shouldn’t have been executed.

This isn’t the case with an APP fraud, where the victim has validly authorised the transfer albeit under a mistaken belief. For a time, and especially following the Court of Appeal's decision in Philipp v Barclays Bank UK Plc [2022] EWCA Civ 318, claimants hoped that the Quincecare duty could be extended on the grounds that the mistaken belief invalidated the victim's authorisation of the payment. Shortly before this article was published, however, the Supreme Court handed down its decision in Philipp v Barclays Bank UK Plc [2023] UKSC 25, unanimously overturning the Court of Appeal. It’s now clear that the Quincecare duty can’t be extended to cases of APP fraud. The paying bank is under a duty to carry out the valid instructions of its customer (with certain limited exceptions described in the judgment).

The Supreme Court did, however, hold that it was at least arguable that Barclays failed to act promptly in trying to recall the payments after being notified of the fraud. This is a much less attractive claim to bring because the cause of action is only likely to accrue after some or all of the funds have been irretrievably lost. It’ll require very prompt notification by the victim or for the paying bank to have become aware early on of some irregularity that should’ve given them cause to notice the fraud, either of which signals it ignored, for the bank's inaction to prevent a recovery that should’ve otherwise been possible. This is inherently less likely than in the case of the recipient bank. Added to this, many victims prefer not to sue their own bank to maintain the commercial relationship.

4. Liability of the recipient bank

This leaves the bank providing the recipient account, which can be an attractive target for all the reasons given above, but also the victim typically has no relationship with this bank and indeed has been wronged by its customer. The desire to maintain a commercial relationship is therefore usually not a high priority.

Furthermore, as the recipient bank has dealt with either the fraudster or the mule it’s much more likely that it’ll have seen signs of fraud. A typical such red flag is a transaction into an account that’s obviously not in keeping with its usual activity, followed by many rapid small transfers out to dissipate the funds. These red flags would be revealed in information disclosed by the bank, although if that’s under an NPO then the court's permission is needed to bring a claim against it.

The legal claim against a recipient bank that’s turned a blind eye would be most likely brought as a case of unjust enrichment. If there are exceptionally serious failings by particular bank employees then vicarious liability may also arise, but this is beyond the scope of the article, as are knowing receipt and dishonest assistance (both available only to beneficiaries of a trust). The more likely unjust enrichment claim basically relies on the bank having been:

• enriched;
• at the expense of the claimant; and
• in circumstances where it’d be unjust for the bank to retain the money.

While the second point is generally straightforward (specific forms of international money transfer aside), point one (ie, the bank having been enriched) is still a grey area. Banks previously felt on safe ground here but High Commissioner for Pakistan in the United Kingdom v Prince Muffakham Jah & Ors [2019] EWHC 2551 (Ch) has given recent support for claimants. This is a developing area of law and a definitive ruling is awaited.

The final point in the list above essentially relates to identified failures within the bank's fraud prevention schemes, which will also have a bearing on the bank's available defences. While most cases, notably Tecnimont Arabia Ltd v National Westminster Bank Plc [2022] EWHC 1172 (Comm), have been bank-friendly, in cases involving exceptionally serious failure (which are the ones worth pursuing) the defendant bank won’t enjoy hearing this evidence aired in court and in public. This is a powerful incentive to settle on commercial terms which is probably the best result for both parties. Ultimately, a case will go to trial involving more serious failures than Tecnimont. This decision will then lay down a marker for the future of this kind of claim.    

5. Summary   

Clearly, none of these options are perfect. The right choice in any given circumstance is intensely fact specific. Victims must discuss with their legal advisers and adopt a staged approach, keeping a tight eye on the cost-benefit ratio of each step. Sometimes, regrettably, the best option for a victim isn’t to throw good money after bad but simply to learn from the experience and avoid repeating it. In other situations, however, one of the above options may be viable and lead to a full, or at least good and economical, recovery of the stolen funds. This article is only a summary and affected businesses should speak to an experienced solicitor, who’ll be able to give accurate estimates of the costs of each step and ensure that sensible decisions are taken based on the merits of each individual case.

William Monaghan is a trainee solicitor in commercial and banking litigation at RPC.