
Commercial Question

APP fraud and the legal profession

updated on 07 September 2021


What is APP fraud and how does it affect a law firm’s clients?


You see it in the news every day: more and more people are falling victim to online fraud. Recent data suggests that the number of fraud victims is increasing exponentially year-on-year, so much so that some commentators have described this as a ‘scamdemic’. Unfortunately, the problem has been exacerbated by covid-19, with the general level of uncertainty created by the pandemic undoubtedly increasing consumer susceptibility.

Given the links between fraud, organised crime and terrorism, it should come as no surprise that fraudsters are increasingly inventive in how they can scam thousands of consumers out of millions of pounds each year. Indeed, with much of the population confined to their homes for many months, fraudsters have increasingly used the Internet to make their scams more convincing.

What is APP fraud?

One of the most prevalent forms of fraud today is authorised push payment fraud (APP fraud). An ‘authorised push payment’ is the term used where a customer provides an instruction to a payment services provider (usually their bank) to make an electronic payment to another party. The customer can give such instructions online, in branch, via a mobile app or over the telephone.

APP fraud occurs when that customer, either knowingly or unwittingly, transfers money from their own account into the account of a fraudster. This usually occurs in one of the following ways:

  • the customer is tricked into making a payment to the fraudster (ie, the customer intends to make the payment, but the fraudster is not who they have claimed to be; for example, the fraudster tells the customer that they are from the police, the Financial Conduct Authority or their bank and asks them to move their money to protect it (imposter fraud)); or
  • the customer intends to transfer funds to a legitimate recipient, but is instead deceived into transferring the funds to a fraudster (eg, where a fraudster intercepts a genuine invoice which the customer is expecting to pay and swaps the fraudster’s bank account details instead of the genuine details, so that the customer pays the fraudster (malicious redirection)).

As soon as the funds reach the fraudster’s account, the fraudster will transfer them immediately to other accounts, often based overseas. This makes it difficult for the stolen funds to be traced. This difficulty is often exacerbated by delay in reporting the fraud because it can take a while for a customer to realise that they have been scammed.

To illustrate the scale of the problem, data published by UK Finance shows that Payment Service Providers and their customers lost £479 million in 2020 (up 5% from 2019) across 149,946 reported cases (up 22% from 2019). The true figures may well be higher; industry bodies estimate these figures are under-reported.

What is being done to combat this problem?

Given the increasing number of APP fraud victims, representatives from across the banking industry (including banks and customer action groups) came together in 2018 to develop an industry-wide code with the aim of increasing customer protection, which in turn would (hopefully) reduce the occurrence of APP scams and lessen the impact on customers. In May 2019, this led to the Contingent Reimbursement Model Code for Authorised Push Payment Scams (the CRM Code).

Although the code is voluntary, nine banks (including Barclays, NatWest and Lloyds) have signed up. In doing so they have committed to:

  • protecting customers through procedures to detect, prevent and respond to APP scams, providing a greater level of protection for customers considered vulnerable to such fraud;
  • preventing their accounts from being used to launder the proceeds of APP scams, including procedures to prevent, detect and respond to the receipt of funds from such fraud; and
  • compensating customers that fall victim to an APP scam, provided they did everything expected of them under the CRM Code.

What practical impact does the CRM Code have on our banking clients?

The CRM Code seeks to compensate victims of APP fraud provided they did everything expected of them. In essence, as long as a customer has not acted recklessly or been grossly negligent, if they are the victim of an APP fraud, they should be eligible for compensation from the bank.

There are eligibility requirements for a customer to make a claim and the CRM Code does not cover scams before it came into force. However, if (based on the available evidence) the bank believes a customer was reckless or grossly negligent (eg, by ignoring warnings as to potential fraud or by providing the fraudster with information contrary to the banking agreement), it can refuse to compensate.

Where the banks refuse a claim for compensation under the CRM Code, a defrauded customer may issue proceedings against their bank to recover lost funds, often claiming that the bank was negligent in allowing the payment to proceed or for not adequately warning the customer of the risk of fraud. Such customers often claim that the bank should have realised the payment was out of character or checked the bona fides of the recipient before acting on the instruction. Such claims often rely on the existence of the CRM Code as justification that the customer should be compensated. However, the CRM Code is voluntary and not legally binding. Compensation that may be available to a customer under the CRM Code does not reflect the outcome that same customer might achieve if they chose to pursue court proceedings.

The current legal position is straightforward: once a bank receives an instruction from its customer, it has a primary contractual duty to act in accordance with that instruction. Its secondary duty is to exercise reasonable care and skill in acting in accordance with those instructions. What that means is that once a customer has expressly authorised a payment, there is no obligation on the bank to act as an amateur detective in respect of the recipient of the payment or to second guess the customer’s intentions. The bank’s primary duty is to make the payment.

How are non-PSP clients affected?

Although there are growing calls from industry bodies for all banks to do more to prevent APP fraud and compensate customers, it is clear the banks cannot fight this battle alone. An important focus must be on trying to prevent the fraudster’s communication with the customer. Fraudsters target customers every day via email, telephone calls, texts and social media (to name just a few), often by providing fraudulent or misleading information. With that in mind, it is possible that telecoms companies, technology firms and social media websites will be increasingly called on to do more in the ongoing battle.

It is important that solicitors advising non-PSP clients in those industries are alert to potential statutory and regulatory developments, which may shift some of the burden away from the banks to the companies providing the medium for fraudsters to target customers. One such measure is the Draft Online Safety Bill published by the government in May this year, which seeks to legislate against certain types of user-generated fraud online.

Should changes be forthcoming, solicitors will have to be proactive in, for example:

  • appropriately protecting their client’s interests when drafting customer contracts; and
  • including appropriate warranties and indemnities in any corporate deals.

Josh Little is a solicitor in the financial services disputes and investigations team at TLT.