Authorised push payment ("APP") frauds are nothing new.
They arise when fraudsters deceive individuals into sending payments under false pretences to bank accounts the fraudsters control, often using social engineering tactics. According to UK Finance, in the first half of 2021 alone some £355 million was stolen via APP frauds: an increase of 71% from the year before.
With reference to a recent Court of Appeal decision, this article examines whether or not banks are under a duty to protect customers who are the victims of APP fraud, especially where those customers have ordered the bank to pay monies out of their account to the fraudster. We also look at what this means for both banks and customers going forward.
Fiona Lorraine Philipp v Barclays Bank UK PLC
Background to the APP Fraud
In March 2018, Mrs Philipp and her husband Dr Philipp were duped into making significant transfers to accounts in the United Arab Emirates ("UAE"), having received a fraudulent notification of a 'suspicious payment' on an account they held with Barclays Bank UK PLC ("Barclays").
The couple were deceived by a fraudster, who gained their trust over several weeks. They were convinced through a series of phone calls starting in late February 2018 that they were cooperating with the Financial Conduct Authority ("FCA") and the National Crime Agency ("NCA") to bring fraudsters to justice. Part of the deception involved Dr Philipp telephoning what he thought was the fraud department within HSBC Bank Plc, and unknowingly being re-directed to the fraudster. On another occasion the fraudster arranged for an individual to telephone Dr and Mrs Philipp from what appeared to be the NCA's telephone number shown on the NCA website (which the fraudster had encouraged Dr Philipp to look up on the internet). The caller said that he had worked with the original fraudster for nine years and that he was a senior person in the FCA who could be trusted.
As a result Dr and Mrs Philipp moved over £700,000 of their life savings into an account in Mrs Philipp's name with Barclays. Mrs Philipp subsequently instructed Barclays to transfer that money, in two payments of £400,000 and £300,000 (on 10 and 13 March 2018), to separate bank accounts in the UAE. The couple believed that they were moving the money into 'safe accounts' in order to protect it from fraud. By the time the fraud was discovered the money had gone. Mrs Philipp and her husband lost more than three quarters of their life savings as a result.
Mrs Philipp subsequently sued Barclays for a return of the money, on the basis that it failed to comply with its duty to protect her from the consequences of having made the two payments. She claimed that the Bank's observance of that duty would have led to the payments being questioned further by the Bank and, as a consequence, either stopped or delayed; the result being that she then would have had the chance of recovering the monies before they reached the hands of the fraudster.
The duty Mrs Philipp referred to is known as the Quincecare duty. It creates a liability where a bank executes a customer's order knowing it to be dishonestly given, shuts its eyes to the obvious fact of the dishonesty, or acts recklessly in failing to make such inquiries as an honest and reasonable person would make. As such, a bank should refrain from executing an order for so long as it was put on inquiry by having reasonable grounds for believing that the customer's order was part of an attempt to misappropriate funds. Mrs Philipp's view was that the Quincecare duty extended to the payments she made out of her account.
The Bank, on the other hand, argued that the Quincecare duty did not extend to a duty to protect Mrs Philipp against the consequences of her own decisions, where (as between herself and the Bank) her payment instructions were valid ones and not in and of themselves fraudulently given.
The High Court and Court of Appeal's Decisions
The High Court found that the Quincecare duty did not extend to cover the payments Mrs Philipps made. The Judge considered that the duty had to be confined to cases where the suspicion raised was one of attempted misappropriation of the customer's funds by an agent of the customer and not where the customer themselves had authorised the payment. Accordingly, the High Court's decision was that Barclays was not obliged to pay the money back that Mrs Philipp lost.
Mrs Philipp appealed. The Court of Appeal ("CoA") allowed her appeal on 14 March 2022, enabling her to continue legal proceedings against Barclays, with her case now set to go to trial. The CoA disagreed with the High Court on the scope of the Quincecare duty. It concluded that it was capable of applying "with equal force" to a case in which the instruction to the bank was given by a customer themselves, provided that the bank was on inquiry that executing the order would result in the customer's funds being misappropriated.
A further point considered by the CoA, as raised by Barclays, was whether the imposition of the Quincecare duty on banks where customers themselves gave the instruction would be onerous and unworkable in practice, bearing in mind the volume and speed of transfer obligations on banks in the BACS and Faster Payment systems. The CoA did not accept this as a relevant concern. It reasoned that while a finding that the facts in Mrs Philipp's case would have put a prudent banker on enquiry, this did not mean that the circumstances associated with any one of the many millions of low value BACS transfers would do so.
The Impact
Customers
Customers will no doubt have welcomed the CoA's decision, which ultimately may reopen an avenue for victims of APP frauds to pursue banks who are in breach of their duty to protect against them. In the case of Mrs Phillip, she will need to prove at trial that Barclays should have realised the transactions were fraudulent and that it breached its duty to her by failing to take reasonable steps to prevent the fraud from happening. If Mrs Philipp can do this, we anticipate that this will further extend customers' rights to recover against banks where they have lost money through APP frauds.
Banks
Banks will already have been affected by the CoA's decision, in that the Quincecare duty has now been clarified to include instructions being given by customers who are the victims of fraud. The consequence is that banks will need to show that they have followed satisfactory procedures and asked the right questions of every customer wishing to make transfers. The decision may well result in them reviewing their own fraud prevention measures, and putting in place compensation schemes, so as to avoid liability.
Indeed, banks are already expanding their anti-fraud detection systems and whilst not yet directly applicable to an authorised customer giving an instruction which has come about via an APP fraud, they will have to find ways of dealing with the extended duty. Some banks have started using behavioural biometric software in order to reduce frauds from taking place. Such technology monitors customer smartphone sensors and allows tech companies to register:
The manner in which a customer holds their smartphone;
The speed in which a customer keys in their digits and pin codes;
The speed in which personal details are inputted (with fraudsters often taking longer to double check these);
The strength with which a customer presses keys on their smartphone; and
The manner in which a customer inputs their password information, whether by autofill (which customers tend to use) or copy and paste (which fraudsters are more likely to use by contrast).
Such behavioural biometrics can be used to differentiate customers from fraudsters, particularly when used in conjunction with other data involving timing of logins, location, and the form of device being used. Red flags could involve logins taking place from unusual locations, with one or more of the above biometrics being unusual, which would send a warning to banks that they need to request extra details to verify a customer's identity.
Sadly, it is not the first time that we have seen this conduct by fraudsters.
We have extensive experience in acting against various UK lenders as a result of APP frauds suffered by its clients and since 2020 alone, we have acted for:
A UK company in obtaining a pre-action settlement of £110,000 from a major UK bank, following allegations of negligence and/or breach of duty;
An international client in obtaining a pre-action settlement of c£275,000 from a major UK bank, following allegations of dishonest assistance on the part of one of its employees, unlawful means of conspiracy, negligence and breach of statutory duties; and
A UK individual in recovering c£2.2 million following an application for 'Norwich Pharmacal' relief.
The case of Mrs Philipp is remarkably similar to another former client who was convinced by a fraudster that he was working for the NCA and seeking to identify an 'insider' at another major UK bank. This happened at a time she was caring for her terminally ill mother. After several months, the client eventually recovered her loss in full (£238,998) under the Contingent Reimbursement Model Code.
We expect banks and their customers to watch the next stages of Mrs Philipp's case with close interest.