In recent years, "authorised push payment" (APP) fraud, where a payer is deceived or defrauded into authorising a payment to a criminal, has increased both in value and volume, with many individuals suffering significant financial and emotional harm.

In the UK, if a payment has not been authorised by the payer, the Payment Services Regulations 2017 (PSRs) provide statutory protection for consumers from fraud. Where a customer has authorised a payment, however, in accordance with the terms of its agreement with its account provider, the PSRs state the customer is liable for that payment. This is the case even if they accidentally typed in the wrong payee account details or were tricked into making the payment to a fraudster.

Both the judiciary and the legislature have been busy recently considering the liability of banks when people fall victim to authorised push payment scams.

What does the government propose to do about APP fraud?

HM Treasury is pushing forward with proposals that will mandate repayment to customers of losses for APP fraud. This was announced in the Queen's Speech at the State Opening of Parliament in May 2022. The intention is to use The Financial Services and Markets Bill to amend the PSRs. The PSRs provide that where a payment is executed in accordance with the unique identifier (e.g., account number and sort code) provided by the customer, a payment service provider has correctly executed the payment.

The government's amendment will make it clear that this regulatory provision does not affect the ability of the Payment Systems Regulator (PSR) to use its existing regulatory powers in relation to APP frauds. This will enable the PSR to establish a liability framework for APP frauds using its existing powers, and ultimately improve reimbursement outcomes for victims.

To bring this change into effect, HM Treasury intends to require the PSR to publish for consultation a draft regulatory requirement within two months of the provisions coming into force, and impose a regulatory requirement within six months of the provisions coming into force.

The authors are expecting the consultation containing further details in Autumn 2022.

What are the courts doing?

The courts' approach to APP fraud also appears to be shifting. The Court of Appeal's recent judgment in the Philipp v Barclays case has the potential to significantly expand payment services providers' liability for APP fraud.

The claimant in that case — Mrs Philipp, who, along with her husband, had been duped by fraudsters out of her life savings — alleged that the bank had breached the Quincecare duty, i.e., the duty on a bank not to pay when it suspects the payment instruction is an attempt to misappropriate the customer's funds.

The High Court struck the claim out on the basis that Quincecare had no application to authorised payments, including APP frauds. The Court of Appeal disagreed, however, holding that there is no principled reason why a bank could not be liable for authorised payments where it suspects that the customer is being scammed. The case will now proceed to trial (or the Supreme Court). If the Court of Appeal's reasoning is followed, it will represent a very significant expansion of payment service providers' liability for APP fraud.

The even more recent case of Federal Republic of Nigeria v JPMorgan does, however, offer some comfort for banks, reminding them that Philipp does not (yet) conclusively establish that a duty of care arises in cases of APP fraud, and that the Quincecare duty is a highly fact-specific and limited duty.

Policy behind existing APP fraud protection measures in the UK

In the UK it has long been the case that customers are protected from suffering loss from unauthorised transactions. In broad terms, the justification behind this is that payment services providers, such as banks, underwrite the loss from such activity because they have the greatest ability to help prevent such crimes. For example, payment services providers determine the payment methodologies that are available with a particular account (i.e., a payment card or using an online banking portal). Payment servies providers are also well-positioned to put in place anti-fraud measures to help prevent unauthorised transactions. For example, by implementing identity verification processes (such as SCA) and investing in advanced security systems and developing fraud screening detection tools.

From a social policy perspective, there is also logic in requiring those who have the deepest pockets and the greatest means of recovering funds from fraudsters to carry the risk. After all, the banks are arguably in the best place to do something about it. Banks are also often in the best place to trace and recover funds.

It is this ideology that has largely steered us to the position today which sees payment services providers, particularly a payer's payment services provider, being considered responsible for putting in place a type of insurance policy to protect users of their products from authorised push payment frauds. Arguably, in many cases, these payment services providers are also in the best place to prevent such frauds using real-time transaction analysis and as a payee bank, by ensuring customers are genuine, conduct transaction monitoring to identify suspicious payment patterns.

Consequently, the argument goes that it if the payment services provider can help prevent these APP frauds, they should expect to carry the risk of such losses when such frauds continue to take place.

What can the financial services sector do about APP fraud?

Financial Institutions should consider putting in place measures to prevent fraud relating to both unauthorised and authorised payments. Such measures would also help reduce the liability exposure. These could include:

(a) working with government and law enforcement to deter and disrupt criminals and better trace, freeze and return stolen funds; (b) working with Pay.UK to put in place processes for information sharing to allow banks to share data to detect and prevent financial crime better; (c) delivering the Banking Protocol — a ground-breaking rapid response scheme through which branch staff can alert police and Trading Standards to suspected frauds taking place; (d) working with government on making possible legislative changes to accountopening procedures to help the industry act more proactively on suspicion of fraud and prevent criminals from accessing financial systems; and (e) exploring new ways to track stolen funds moved between multiple bank accounts.

Warning - This is not just an issue just for the financial services sector

In the authors' view, more needs to be done to prevent these types of frauds from happening in the first place. The idea that this is an issue for the financial services sector alone is quite inadequate for a number of reasons, however:

• First, the role of a payer's payment services provider in underwriting its customer's loss from some types of APP frauds (such as romance scams) is less clear. It is less clear how a payment services provider could know that a customer has been convinced to make a payment to a fraudster under false pretences; where they thought that person needed help when in fact that person did not.
• Secondly, most APP fraud take place due to some form of social engineering. The instigation of that activity often takes place outside the banking system. For example, using tactics such as scam phone calls, text messages and emails, as well as fake websites and social media posts, criminals seek to trick people into handing over personal details and passwords, or personal information. This information is then used to target victims and convince them to authorise payments. Consequently, there is a growing view that there is more that could be done by other sectors such as social media platforms and telecommunications providers to help combat fraud.

Help from other sectors

Rightfully, there is a continuing trend for regulators to want to see victims of APP fraud reimbursed, but the proposals to date place responsibility squarely with the banks.

It is encouraging that we are starting to see regulatory activity in terms of requiring other sectors to do more to help combat such fraud, for example, through proposed amendments to the Online Harms Bill. It is, however, unlikely that these will go far enough, and they continue to fall short of also requiring firms from those other sectors to play a role in compensating victims.

This article was first published in Thomson Reuters Regulatory Intelligence on 7 July 2022