On 12 July 2023, the Supreme Court handed down judgment in Philipp v Barclays Bank UK Plc [2023] UKSC 25, preventing the so-called ‘Quincecare duty’ being used by victims of authorised push payment (APP) fraud to recover their losses from banks. Over a year on, where are we now in terms of banks’ duty to protect against APP fraud and victims’ efforts to recover losses from the banking industry where the fraudster is often long gone?
The Quincecare duty provides that, where a bank is on inquiry that a payment instruction from its customer may be fraudulent, it should not allow the relevant payment to be made without first taking steps to satisfy itself that the instruction is legitimate. If it breaches this duty, the customer can claim from the bank its losses from the fraud. Importantly, the Quincecare duty had only been applied successfully where the payment instruction was given by an employee or agent of the customer who was party to the fraud.
The Court of Appeal in Philipp v Barclays Bank somewhat controversially held that the Quincecare duty could also apply in circumstances where the payment instruction was given honestly by an individual in their own capacity or as an agent for a company who had fallen victim to fraud. The claimant was an individual who had fallen victim to an elaborate APP fraud where she was convinced by a fraudster to make payments voluntarily to the fraudster’s bank account. This opened the possibility for a wide range of fraud victims potentially to claim against their banks and drew significant interest in the market.
The Supreme Court disagreed with the Court of Appeal’s expansive interpretation, finding instead that the principles underpinning the Quincecare duty were the usual rules of agency and a lack of actual or apparent authority for the payment instruction. The Quincecare duty cannot extend to circumstances where the payment instruction is honestly given, even where the individual giving the instruction has been tricked by a third party into making the payment or into making the payment to the wrong account.
The Supreme Court’s confirmation that the Quincecare duty applies only in relatively restricted circumstances barred a potential recourse avenue for fraud victims in circumstances where it is often time-consuming and expensive to recover losses from fraudsters, if they can be found at all. So, where does that leave fraud victims now?
APP fraud remains an increasing problem. The Payment Systems Regulator (PSR) recently highlighted that £341m was lost to APP fraud in the UK during 2023. While there is currently a voluntary scheme (the Contingent Reimbursement Model) in place among certain payment firms to reimburse victims of APP fraud, reimbursement rates drop from 68% for payment firms that participate to 17% for those that do not. A mandatory reimbursement framework for payment firms is set to be launched in October, which will surely narrow this variance significantly and come as welcome news to consumers.
The mandatory reimbursement framework will, however, be restricted in scope and will cover only payments made by individuals, micro-entities and charities. Larger entities, often the victims of the most significant APP frauds, will not be covered.
Fortunately, the Supreme Court in Philipp v Barclays left open the possibility of a ‘retrieval duty’. This requires the victim’s bank and those further down the chain of payments to make sufficient efforts to retrieve the relevant funds when on notice that an APP fraud has been committed. While the precise scope and practical implications remain to be tested, it seems clear that some form of ‘retrieval duty’ will be imposed on the customer’s bank.
More interesting is the prospect that the ‘retrieval duty’ could extend further down the banking chain to banks where the fraudulently procured funds have been transferred. Until now, it has been notable that, notwithstanding increased KYC (know your customer) and other regulatory requirements imposed on banks to identify and monitor fraudulent activity, it has remained extremely difficult for fraud victims to recover losses from the fraudster’s bank where the bank in question should arguably have picked up that its customer was effecting a fraud. It is similarly notable that the recent PSR report identified that smaller payment firms receive funds as a result of APP fraud at a disproportionately high rate compared to the 14 largest banking groups across the UK.
The potential imposition of a ‘retrieval duty’ on fraudsters’ banks has received positive recent judicial comment at first instance. In CCP Graduate School v Natwest and Santander [2024] EWHC 581 (KB), which was a ruling on summary judgment, a claim for breach of the ‘retrieval duty’ by the fraudster’s bank, Santander, was allowed to proceed. This was partly on the basis that there is an accepted practice among banks whereby the customer’s bank, when put on notice that there has been a fraud, will give an indemnity to the bank to which funds were wrongly transferred in order for that bank to take steps to recover any funds already dissipated. That practice could, theoretically, continue down the payment chain until the funds in question are recovered or the trail is lost.
The scope of the ‘retrieval duty’ is to be tested in the coming months and is one to watch for both banks and potential victims of fraud alike.
Simon Fawell is a partner at Signature Litigation LLP, London
No comments yet