In recent years, “authorised push payment” (APP) scams, where a payer is deceived or defrauded into authorising a payment to a criminal, have increased both in value and volume, with many individuals suffering significant financial and emotional harm. 

Both the judiciary and the legislature have been busy recently with developments impacting the liability of banks when people fall victim to authorised push payment scams and the role third parties can take in helping to prevent such scams. 

• Most recently, the Government has announced that it will enable the Payment Systems Regulator to require banks to reimburse authorised push payment (APP) scam losses, totalling hundreds of millions of pounds each year. This will ensure victims are not left paying for fraud through no fault of their own.
• A further blow for banks is that the Court of Appeal has overturned the first instance decision in Philipp v Barclays Bank plc to strike out a claim which had sought to extend the Quincecare duty of care owed to bank customers, to instances of APP fraud. The Court of Appeal judgment means that payment institutions could be liable where they suspected or should have suspected that their customer was being scammed by a third party fraudster, even where the payment instruction itself is authorised.
• However, helpfully, the Government has been persuaded to extend the remit of the Online Safety Bill to cover APP Fraud scams perpetrated using online platforms and social media apps. This should have an impact on reducing scams even if not yet requiring social media and search engines to contribute to losses resulting from APP Scams.

Here we take a closer look at all three developments.

Government approach to authorised push payment scam reimbursement

The UK Government is pushing forward mandatory repayment to customers of losses for APP fraud. This was announced in the Queen’s Speech at the state opening of parliament in May 2022. The intention is to use The Financial Services and Markets Bill, to amend the Payment Services Regulations 2017 (the Regulations). Currently, these Regulations provide that, where a payment is executed in accordance with the unique identifier (e.g. account number and sort code) provided by the customer, a payment service provider has correctly executed the payment. The Government’s amendment will make clear that this does not affect the ability of the PSR to use its existing regulatory powers in relation to APP scams. This will enable the PSR to establish a liability framework for APP scams using its existing powers, and ultimately improve reimbursement outcomes for victims.   

In order to bring this change into effect, the Government intends to require the PSR to publish for consultation a draft regulatory requirement within 2 months of the provisions coming into force and impose a regulatory requirement within 6 months of the provisions coming into force.

We are expecting the consultation containing further details in Autumn 2022.

Philipp V Barclays Bank Plc - Court Of Appeal Decision

The Court of Appeal handed down judgment on Philipp v Barclays Bank plc [1] on 14 March 2022, unanimously overturning an earlier High Court decision which held that the Quincecare duty (a duty which requires banks not to make payments when they are "put on inquiry" that the payment instruction is an attempt to misappropriate the funds of a customer) was limited to situations where payment instructions are not properly authorised, i.e. they are made by a customer’s agent in an attempt to misappropriate funds.

The claim relates to a sophisticated scam to which Ms Philipp and her husband fell victim, transferring almost £1m of their savings to fraudsters posing as law enforcement officers. Ms Philipp brought a claim against Barclays alleging that the bank had breached the Quincecare duty.

The High Court had applied the traditional interpretation of the Quincecare duty and struck out the claim on the basis that it could not apply to a payment authorised by the account holder. It concluded that the Quincecare duty was limited to situations where an agent of the account holder (such as a director authorised on the mandate) gave an instruction unauthorised by the customer. The High Court struck out the claim on that basis.

The Court of Appeal's decision overturns that decision, meaning that it will now proceed to a full trial at first instance. Importantly, and of particular interest for banks and other payment institutions, the Court of Appeal expressed the view that there is no principled reason why the Quincecare duty should not apply to authorised payment instructions. If, the Court of Appeal said, a bank is on inquiry of an attempt to misappropriate its customer's funds, it does not matter whether the person seeking to misappropriate the funds is an agent of the customer (i.e. the traditional interpretation and application of Quincecare) or some third party fraudster – the bank is under a duty not to pay in either case. The latter case would represent a very significant extension of the Quincecare into the world of authorised payments. The Court of Appeal also made several comments on the likely feasibility of an extension of the duty in this way.

OUR COMMENTARY

The judgment has understandably given rise to some uncertainty as to the scope and applicability and of the Quincecare duty and the extent of a bank's potential liability where its customers fall victim to APP fraud. Questions such as the level of knowledge that a bank needs to have for the duty to be engaged, or what a bank needs to do to discharge its duty once it is engaged, remain unanswered. Given the prevalence of APP fraud and the difficulties that some payers who are not eligible for the CRM Code or Financial Ombudsman Service redress can have in recovering funds paid to fraudsters, a final judgment that extends the Quincecare duty could create a new route of recovery for both business and private customers to claim directly against their banks.  

WHAT DOES THE DRAFT ONLINE SAFETY BILL MEAN FOR FINANCIAL SERVICES INSTITUTIONS?

On 17 March 2022, the Government published its response to the Joint Committee's recommended improvements to the draft Online Safety Bill [2].

SCOPE WIDENED TO INCLUDE FRAUDULENT PAID-FOR ADVERTS

The Government announced that, amongst other things, the draft Bill will be amended to include within its scope fraudulent paid-for adverts made available on social media and search engines that host user-generated content video-sharing or live streaming (whether they are controlled by the platform itself or an advertising intermediary) (Hosts). As a result, Hosts will need to:

• put in place proportionate systems and processes to prevent (or minimise in the case of search engines) the publication and/or hosting of fraudulent advertising on their service;
• remove that content when they are made aware of it; and
• prevent advertisements promoting financial promotions which are not properly authorised by the FCA under its financial promotions regime, fraudsters impersonating legitimate businesses, and advertisements for fake companies.

The definition of a fraudulent advertisement is contained in s34(3) of the Bill as "a paid for advertisement, an advert that amounts to an offence specified in s.36, and where it is not regulated user-generated content in relation to the service."

A register of providers which fall within the scope of the requirements will be created. 

Failure to comply with the requirements may amount to a criminal offence if the content of the fraudulent advertisement breaches:

• sections 23, 24 or 25 of FSMA 2000 (the provisions relating to carrying out regulated activities without permission and restrictions on financial promotions); 
• sections 2,4,7 or 9 of the Fraud Act 2006; or 
• sections 89 or 90 of the Financial Services Act 2012 (making misleading statements or giving misleading impressions).

In addition, Ofcom will have the regulatory power to hold companies to account by blocking their services in the UK or issuing fines of up to the greater of £18m or 10% of worldwide revenue. 

At present there is limited detail on what will be required of Hosts. Ofcom, which will regulate compliance with the Act if it becomes law, will set out further details on what platforms need to do to fulfil their new duties in Codes of Practice in due course. The Government has indicated the Codes could include requiring firms to[3]:

• scan for scam adverts before they are uploaded to their systems; 
• undertake measures such as checking the identity of those who wish to publish adverts; and
• ensure that financial promotions are only made by firms authorised by the FCA.

OUR COMMENTARY: IMPACT ON BANKS AND PAYMENT INSTITUTIONS:

The impact is likely to be two-fold:

1. There will be no direct reduction on the focus on account providers to refund customers for fraudulent payments.

Fraudulent paid-for adverts will now be included in the scope, but the draft Bill does not provide for customer redress against a platform which has allowed fraudulent advertising to appear on its service.  

This means that there will be no direct reduction on the focus on account providers to refund customers for these payments. It is possible that creative litigation could result in a finding of liability against social media and search platforms for losses resulting from their failure to comply with the legislation. However, there will be limited motivation for claimant law firms to run these cases if claims can be successfully made against the victim's account provider or payment service provider under the existing protections offered by the CRM Code, Financial Ombudsman Service and the new mandatory reimbursement requirements when introduced.  

2. Possible impact on reducing fraud occurrences

Whilst the draft Bill may not provide a new remedy for customers against Hosts, the legislation, if successful, will reduce the quantity of fraudulent advertisements that consumers see. Consequently, banks and payment service providers may find the number of attempted frauds reduces as fewer fraudulent adverts should appear.