08.08.2024

Navigating the New Landscape of APP Fraud: Corporate Protections and Bank Liabilities in 2024

Authorised Push Payment (“APP”) is where a payer, often an individual consumer, instructs their Payment Service Provider (“PSP”) to send money from their account to another account. These payments are typically executed via CHAPS or FPS. In a fraud situation, the payer is tricked into making an APP to an account controlled by someone other than the intended recipient, generally by fraudsters who trick victims into authorising payments to accounts controlled by criminals.

APP fraud continues to be a significant challenge for businesses, despite various measures already in place (UK Finance recently reported that £459.7 million in losses were suffered by UK APP fraud victims in 2023), and corporate victims often find themselves in a difficult position when seeking redress from receiving banks.

In 2024, significant legal and regulatory advancements have been made to support corporate victims of APP fraud, especially in their claims against receiving banks, which we look at in this article.

Current Challenges for Corporate Victims

Corporate victims of APP fraud have often faced numerous hurdles when attempting to recover lost funds. The Supreme Court ruling in Phillip v Barclays Bank [2023], which we have previously commented on, highlighted that PSPs will not be liable to reimburse victims under the so-called ‘Quincecare’ duty, which requires banks to refrain from executing payment instructions if they suspect fraud.

The Phillip ruling left many businesses without a clear pathway to financial recovery, as there was no legal framework that obliged receiving banks to reimburse victims of APP fraud.

The Contingent Reimbursement Model Code

The Contingent Reimbursement Model for Authorised Push Payment Scams (“the Code”) was implemented on 28 May 2019. 

The main aim of the (voluntary) Code is to increase consumer protection standards to help reduce the occurrence of APP scams and lessen the impact that these crimes have on consumers, micro-enterprises and small charities. 

UK PSPs who signed up to the Code (not all PSPs in the UK have signed up) commit to:

  • Protecting their customers with procedures to detect, prevent and respond to APP scams, providing a greater level of protection for customers considered to be vulnerable to this type of fraud.
  • Greater prevention of accounts being used to launder the proceeds of APP scams, including procedures to prevent, detect and respond to the receipt of funds from this type of fraud.

In addition, any customer of a PSP signed up to the Code can expect to be reimbursed if they fall victim to an APP scam, provided they did everything expected of them under the Code (for example they were not grossly negligent or reckless).

The APP Fraud Mandatory Reimbursement Scheme

In response to the growing prevalence of APP fraud, and the limitations of the Code (most notably its voluntary basis), one of the most notable changes is the new reimbursement scheme introduced by the Payment Systems Regulator (“PSR”). From 7 October 2024, banks and PSPs will be required to reimburse victims of APP fraud up to £415,000 per claim. The reimbursement will be shared equally between sending and receiving PSPs. 

The scheme is designed to address the substantial financial losses faced by victims, including corporate entities, due to APP fraud. However, there are notable limitations to the scheme, such as the fact that it is primarily focused on consumers, charities and micro-businesses, so larger businesses potentially remain vulnerable to substantial financial losses they incur as a result of APP fraud. Nor does it apply to international payments.

The reimbursement scheme also requires consumers to exercise a standard of caution, such as responding to bank warnings and promptly reporting suspected fraud; banks can deny reimbursement if they prove that the consumer acted with gross negligence, although this is a very high standard to meet.

The introduction of the reimbursement scheme marks a significant regulatory shift aimed at enhancing consumer protection. However, the limitations mean that there will likely still be challenges in recovering lost funds, especially for larger businesses suffering larger losses.

Larsson v Revolut Ltd [2024]

The High Court has recently had a significant influence on the legal framework surrounding APP fraud. The landmark case of Larsson v Revolut Ltd [2024] reaffirmed the position that receiving banks might owe a duty of care to third-party victims of APP fraud.

Mr Larsson was defrauded into transferring CHF 466,617.73 to fraudulent accounts at Revolut under the belief that he was purchasing shares in an entity called “Starlink” which did not in fact exist. Mr Larsson claimed that Revolut had breached its contractual and tortious duties by failing to detect and prevent the fraud. He also alleged unjust enrichment and dishonest assistance in a breach of trust. 

The High Court ruled that Revolut did not owe a duty of care to Mr Larsson, as a third party, and struck out his claims in both contract and tort. However, the dishonest assistance claim was allowed to proceed, subject to Mr Larsson amending his statements of case to clarify the existence and breach of trust and Revolut’s role in assisting that breach. 

The Court ruled that Revolut, as an electronic money institution, does not owe the same contractual and tortious duties as traditional banks in preventing APP fraud. 

This distinction is key in understanding the responsibility of different types of financial institutions to consumers. However, the dishonest assistance claim being allowed to proceed, subject to amendments, highlights the potential for financial institutions to be held accountable if they are found to have assisted in enabling fraudulent activities, even if indirectly. 

This decision has set a precedent for how Courts may handle future claims involving APP fraud and electronic money institutions and further highlights the complexities of fraud cases involving electronic money institutions and the limitations of their duties compared to traditional banks. 

Overall, the decision provides a clearer framework for the responsibilities and liabilities of electronic money institutions (such as Revolut) in cases of APP fraud, potentially influencing future litigation and regulatory approaches in the financial sector.

Emerging Concept of a Retrieval Duty

Another key development is the ongoing discussion surrounding the concept of ‘retrieval duty’ of banks. 

This concept involves the obligation of both sending and receiving banks to take reasonable steps in recovering funds once an APP fraud has been identified. The retrieval duty aims to enhance the collaborative efforts of financial institutions in mitigating the effects of APP fraud and recovering the lost funds. 

Although the legal issue is still evolving, recent case law is bringing this topic to the forefront.  

The High Court examined whether banks have a duty to retrieve funds lost to APP frauds in an interim application in CCP Graduate School Ltd v National Westminster Bank plc & Anor [2024].

The claimants in this case fell victim to APP fraud and the Court considered whether the banks involved (both sending and receiving) had a duty to take reasonable steps to recover the funds once the fraud was discovered. 

Whilst the High Court dismissed the claim against the ‘sending’ bank, due to it being statute-barred (i.e. the time in which to bring the claim had expired), the claim against the ‘receiving’ bank was allowed, which suggests that there might be a duty for banks to act upon discovering fraud.

This decision could potentially lead to a new standard for banks to follow in APP fraud cases, emphasising the importance of the bank’s role in preventing and responding to notification of fraudulent activity. 

This goes beyond the established Quincecare duty: if this decision is upheld at trial, it could require banks to take proactive steps to recover funds once fraud is detected, potentially increasing their responsibilities and liabilities in fraud cases.

The Future of APP Fraud Disputes 

The PSR’s new requirement for reimbursement reflects a wider commitment to safeguarding victims of APP fraud, albeit with limitations. 

The Courts have emphasised, however, that the implementation of a comprehensive reimbursement model remains a matter for regulators and policy makers.

The developments in 2024 represent significant strides in addressing the challenges posed by APP fraud. They underscore the need for a balanced approach that considers the interests of both financial institutions and fraud victims.

The introduction of the APP Fraud Mandatory Reimbursement Scheme later this year, coupled with the High Court rulings (we are also aware of a number of similar cases being dealt with by the Financial Ombudsman Service) and the evolving concept of retrieval duty, highlights the commitment to enhancing consumer protection and clarifying the responsibilities of financial institutions. With the scheme’s implementation date approaching, it is crucial for all stakeholders to stay informed and prepared to navigate the evolving landscape of APP fraud and reimbursement.

If you have any queries concerning the issues covered in this article, please do contact Garon Anthony or Eleanor Howells in our Commercial Dispute Resolution group.