The awesome scale of 'authorised push payment' fraud is causing sleepless nights throughout the banking and payments industry, and much uncertainty as to where liability sits. There is a seemingly endless array of scenarios in which APP fraud can occur. Examples include impersonation, investment, romance, purchase, invoice and mandate, CEO fraud and advance fees. It's conceivable that liability could vary according to whether or not the payer is a consumer (or to be treated as one), as well as the type of institutions and payment services involved. I've set out below a quick summary of the current state of play for information purposes only, including various cases before the courts. Let me know if you need legal advice on any aspect, including possibly lobbying the new government to grasp some of the nettles via some form of regulatory action, to spare everyone a lot of time and expense...
Regulatory developments
I covered the Payment Systems Regulator's proposals in this area last June, and these have been brought in with effect from 7 October 2024.
The CRM Code only covered 60% of APP fraud within its voluntary scope, so mandatory reimbursement requirements were always on the cards.
The new reimbursement requirement applies to consumers, micro-enterprises and small charities which are all treated as ‘consumers’ under the Payment Services Regulations 2017 (PSRs), as with the CRM Code. In other words, it only covers payments made using Faster Payments where the victim is deceived into allowing or authorising a payment from their account with a PSP to another account outside the victim's control at another PSP.
Firms must reimburse all in-scope customers who fall victim to APP fraud (with some exceptions), sharing the cost of reimbursing victims 50:50 between the sending and receiving PSPs, with extra protections for vulnerable customers.
As the operator of Faster Payments, Pay.UK is responsible for monitoring all directed PSPs’ compliance with the FPS reimbursement rules and will operate a reimbursement claim management system (RCMS) that all members (direct participants) in Faster Payments must use from 1 May 2025, with various reporting standards mandated by the Payment Systems Regulator, with some limited to the larger participants. Affected PSPs must also explain this to their customers, including in service terms and conditions, so let me know if I can help there in particular.
As mentioned in March, the previous government proposed an amendment to Regulation 86 of the Payment Services Regulations to extend the time limit on processing a payment order where it has been authorised by the payer but their PSP reasonably suspects APP fraud.
Liability aside from the regulatory solution
Breach of Duties
As clarified by the Supreme Court in Philipp v Barclays:
- banks have a duty to execute a valid (clear, lawful) payment order promptly.
- a bank cannot execute a payment outside its mandate, so cannot debit the relevant amount from the customer's account in that case, and if it were to do so, then the customer has a debt claim against the bank.
- banks also have a duty of care to customers to interpret, ascertain and act in accordance with their customers' instructions, which only arises where the validity or content of the customer's instruction is unclear or leaves the bank with a choice about how to carry out the instruction. The duty won't apply in the case of a valid payment order that is clear and leaves no room for interpretation or choice about what is required to execute it (i.e. the bank must simply execute, according to the first duty above).
- where the general duty of care arises, and the payment instruction was given by an agent of the customer, and a bank has reasonable grounds to believe that the payment instruction given by the agent is an attempt to defraud the customer, the Quincecare duty requires the bank to refrain from executing the payment pending its inquiries to verify that the instruction has actually been authorised by the principal/customer. A similar duty applies where the bank is on notice that the customer lacks mental capacity to handle their finances or bank accounts.
- the bank may also have a duty to take reasonable steps to recover funds that its customer claims to have paid away by mistake or as a result of fraud.
These findings are generally consistent with the Payment Services Regulations 2017 (PSRs), although (as the Supreme Court also explained), the PSRs did not provide for reimbursement of authorised payments, so did not assist victims of APP fraud, partly because they deem such payments to be correctly executed. However, the PSRs do oblige payment service providers to "make reasonable efforts to recover the funds involved", for which PSPs can charge any contractually agreed fee; and Regulation 90 has been amended to enable liability to be imposed “where the payment order is executed subsequent to fraud or dishonesty” under the Payment Systems Regulator's arrangements explained above - but this does not provide a direct right of action for customers.
It has since been accepted (e.g. in Larsson v Revolut) that the above duties, which apply to banks in a payment scenario, also apply to other types of regulated PSPs (e-money institutions and payment institutions).
In Larsson, the claim was against the receiving PSP with which the payer also happened to have an account, although that wasn't the account from which payment was taken. However, the court held there were no duties owed by the PSP of the payee ('receiving PSP') to the payer, but did preserve the (slim) possibility of arguing 'dishonest assistance in a breach of trust' such that a constructive trust may have arisen over the proceeds of the payment transaction.
CPP v NatWest further considered the concept of a 'retrieval duty'. That claim was held to be time-barred in the case of the PSP of the payer; but not in the case of the PSP of the payee, which might owe the duty where:
- it assumed a responsibility to protect the payer from the fraud;
- it has done something which prevents another from protecting the payer from that danger;
- it has a special level of control over that source of danger; or
- its status creates an obligation to protect the payer from that danger.
I could see claimants arguing that the presence of voluntary and mandatory APP fraud schemes lends weight to some of these factors, while PSPs argue that those schemes should be disregarded as they only operate strictly within their own scope.
Unjust enrichment
Terna v Revolut involves a claim by the payer that the receiving PSP was 'unjustly enriched' when the payer instructed its own bank/PSP to pay funds to a third party account in the mistaken belief that it was paying a genuine invoice from an energy supplier. The payment went via a correspondent (intermediary) bank via a series of SWIFT inter-bank messages; and the funds disappeared from the third party account within hours of being credited by the payee's PSP (an e-money institution).
For this type of claim to succeed, the payee's PSP must have benefited at the claimant's expense in a way that was 'unjust' and without any defence.
When the payee's PSP received funds in its account with a correspondent bank, it issued e-money to the payee, so claimed that it had not benefited. Some first instance decisions are consistent with that, but established banking law holds that this is not a valid argument; and the court was not convinced that the position may be different with an e-money institution that must issue e-money on receipt of funds and safeguard the funds (which a bank does not have to do) because one safeguarding option involved investing the cash (not to mention insurance as another option). Instead, the court held, these facts might operate as a defence, but that could only be decided on a full trial.
On whether the PSP was unjustly enriched 'at the claimant's expense' the court held that SWIFT and CHAPS payments should be treated the same way; and these were potential instances of 'indirect benefit' rather than 'direct benefit'. Here, the court considered that an 'indirect benefit' is to be treated the same as a direct benefit, where there is agency or a 'set of co-ordinated transactions' and that both applied (contrary to an earlier High Court case of Tecnimont). The likely questions at trial, therefore, are whether the enrichment was 'unjust' and/or a defence applied.
Fortunately, permission to appeal has been granted, so there's an opportunity to settle the difference of opinion between High Court judges. It's probably too much to ask, but in that event it would be helpful if the Court of Appeal were to add some guidance as to how it would treat claims of unjust enrichment in situations where other forms of payment services (and systems) are implicated. For example, 'money remittance' is defined in the PSRs to mean:
"the transmission of money (or any representation of monetary value), without any payment accounts being created in the name of the payer or the payee, where—
(a) funds are received from a payer for the sole purpose of transferring a corresponding amount to a payee or to another payment service provider acting on behalf of the payee; or
(b) funds are received on behalf of, and made available to, the payee."
Liability where funds are frozen or accounts suspended for regulatory reasons
Kopp v HSBC is another interim judgment, which involves a situation where the payer's bank suspended the payer's account following an anti-money laundering review that the payer argued had been carried out, preventing the payer making certain payments for which it then incurred liability to the payees under an indemnity, including ongoing interest. On an interim summary judgment application, the court held there was a triable issue as to whether the bank's liability clause ('buried' in the service terms) might fail to satisfy the reasonableness requirement under the Unfair Contract Terms Act (which also protects small businesses). That meant the court also refrained from deciding whether the clause in question excluded these heads of liability on the basis that they were not “direct loss of profit” or “other direct losses” or were expressly excluded as being “indirect or consequential loss (including lost business, data, profits or losses resulting from third party claims) even if it was foreseeable”.
Failure to safeguard customer funds
The extension of bank duties and potential APP fraud liability to all types of regulated PSPs (accepted in Larsson) sadly raises the prospect of the insolvency or a voluntary winding up of smaller e-money or payment institutions.
This is relatively rare, since PSPs are required to have a certain amount of minimum capital (both by regulation and, where applicable, card scheme rules) and to manage their working capital to remain a going concern, unless and until they are fully 'wound-down'.
However, sudden, unexpected losses could conceivably arise, particularly where there is poor record-keeping or other problems, such as dissipation of assets or perhaps a sudden, significant 'spike' in APP fraud for which it is at least probable that the PSP might be liable (a matter for directors to consider in the exercise of their duties).
One consequence of APP fraud in this context would likely be that funds which ought to have been, or should have remained, safeguarded were not. The question would then arise whether the affected customer has a priority claim in the "asset pool" of the failed PSP.
I recently explained the position in more detail in the context of the administration of UAB Payrnet in Lithuania. In the UK, an “insolvency event” (including a ‘voluntary winding up’) of the PSP triggers the creation of an “asset pool” of ‘relevant funds’ to be distributed by an administrator according to a specific hierarchy. The claims of e-money holders are to be paid in priority to all other creditors, with no rights of set-off or security applicable until the e-money holders have been paid. If funds should have been safeguarded according to the regulations but were not, national laws come into play within the overall intention behind the E-money Directive to achieve ‘maximum harmonisation’ of the e-money regime.
In the case of Ipagoo, a failed UK e-money institution, the UK Court of Appeal decided that the EMD did not require the UK to impose a statutory trust over the “asset pool” under UK e-money regulations (EMRs), so they don't impose or create a trust.
Instead, the court held that the EMD requires all funds received by EMIs from e-money holders to be safeguarded, not merely those that had actually been safeguarded appropriately. Therefore, the “asset pool” must include both relevant funds that have been safeguarded in a compliant way as well as a sum equal to relevant funds that ought to have been, but had not been, safeguarded in accordance with EMRs, along with the “costs of distributing the asset pool” (including the costs of ‘reconstituting’ the asset pool in circumstances where relevant funds have not been safeguarded, as administrative costs associated with the asset pool itself).
Therefore, it might be claimed (possibly via a retrieval duty or unjust enrichment argument) that funds wrongly paid out should have remained safeguarded, though there is perhaps a question whether the payer qualifies as an 'e-money holder' or other 'user' for whom the institution holds relevant funds within the asset pool.
Conclusion
While the various court proceedings are proving somewhat helpful in revealing and resolving some of the uncertainty relating to where liability for APP fraud might sit, this is clearly a very slow and costly process. It would have been preferable for the Treasury, FCA and Payment Systems Regulator to have worked together more proactively to address the issue. With the change in government already heralding more attention being given to detailed issues, it is to be hoped that these are included.