Authorised Push Payment (“APP”) fraud, where victims are tricked into authorising payments to fraudsters, resulted in losses of £485.2m in 2022 and is reported to have risen by 22% in 2023.
With consumer protection laws designed primarily to protect and compensate the victims of unauthorised fraud – UK Finance estimates that 98% of such cases are fully refunded – are the options and prospects of recovery for victims of APP Fraud somehow more limited?
Quincecare is the established duty of care owed by banks to their customers in circumstances where there are “reasonable grounds” for believing that a customer’s instructions are an attempt to misappropriate funds. However, at its heart, Quincecare concerns the principles of agency and authority. In simple terms, where a customer’s agent (for example, a director of a corporate customer) sets out to misappropriate funds which belong to the customer, and there are reasonable grounds for believing that the agent’s instructions are an attempt to defraud the bank’s customer, the bank will owe a duty to exercise reasonable skill and care by making inquiries as to the authority of the agent. If it fails to do so, it will have breached its duty of care to its customer and be liable for any loss suffered.
Could that duty be extended to a bank’s customer (rather than an agent) in cases of APP Fraud, where the customer themselves has authorised the payment? This was the question recently considered by the Supreme Court in Philipp v Barclays Bank UK PLC.
Mrs Philipp and her husband had been tricked into transferring £700,000 from their account with Barclays bank to fraudsters in the UAE in an elaborate scam. Mrs Philipp sued the bank, alleging that Barclays acted in breach of the Quincecare duty. At first instance, the English High Court held that no Quincecare duty arose. The Court of Appeal reversed that decision, instead finding the duty was not limited to instructions given by a customer’s agent such that, in principle, it was possible that a duty of care could arise in the case of instructions directly from a customer (whether it was breached in this particular case being a question for trial). So, for a time, it was at least possible that banks would owe a duty of care to their customers to prevent APP Fraud.
However, in July 2023, the Supreme Court unanimously held that there is no such duty. Where a customer unequivocally authorises a bank to make a payment (as was the case in Philipp), the Quincecare duty would have no application. The Bank’s primary duty was to execute its customer’s instructions promptly.
Questions remain as to whether there is any duty on the bank to claw back misappropriated funds, which will be determined at the trial. However, absent any direct remedy against the bank which made the transfer, victims of fraud and misappropriation of assets are left with traditional asset-tracing and recovery tools such as Norwich Pharmacal Relief and claims for constructive trust, unjust enrichment, dishonest assistance and knowing receipt.