Caught out by APP fraud?
19 August 2023. Published by Fahad Islam, Partner
Authorised push payment fraud (or APP fraud) continues to
be a significant problem in the UK.
It has been reported that in 2022 over £485m was
lost to this type of fraud, where a victim is induced by a fraudster to
authorise ("push") their own bank to make a payment to a bank account
that is controlled by the fraudster, as they have been persuaded that there is
some legitimate purpose for the payment. Fahad Islam, Belyfted Limited, takes a
look at the best strategy for APP fraud victims and their recovery options.
What first steps should an APP fraud victim take?
It is essential that action is taken swiftly as the
fraudster will be attempting to put the stolen amounts beyond reach as quickly
as they can.
The first step should be to notify the paying and receiving
banks immediately. This can be done by the victim themselves or, if a law firm
can be instructed quickly enough, by the law firm. It may be possible to stop
the payment or, if it has already cleared, to get the receiving bank to block
the recipient account so the funds cannot be dissipated and can ultimately be
returned. This is one practical area where a law firm can add immediate value –
firms which are frequently engaged in assisting clients in these matters will
know who best to contact within many of the major banks to ensure the request
is dealt with immediately and not lost in that bank's usual processes and
procedures. That can make all the difference.
It is also advisable to report the incident to Action Fraud,
the national fraud and cyber crime reporting centre. Although this is unlikely
to lead to the police pro-actively tracking down the wrongdoers, occasionally
it can help join the dots where the recipient account has been used on multiple
occasions for different payment frauds and, as such, is on the police's radar.
Next, a victim should try and obtain as much information as
possible from the banks involved (both sending and receiving). This includes
further details of the account into which the payment was made and, if the
funds have since been paid away (which typically is the case within a matter of
days, if not hours), details of which account(s) they were paid away to. Ultimately,
the more information about the recipient account and any further accounts into
which the stolen funds were paid away, the better. This will assist with lines
of enquiry (eg through forensic accountants and business intelligence firms) to
seek to identify the fraudsters and trace the funds; it will also help the
consideration of potential legal claims available.
Different banks take different approaches to assisting with
this sort of disclosure of information. Typically victims would hope to be able
to obtain from most banks copies of full bank statements for the recipient
account, plus details of the account holder including contact details and
potentially also KYC information. Some banks are willing to assist by providing
this information voluntarily; others require a court order before
assisting.
Where banks refuse to assist voluntarily, it is usually
possible to compel them to provide it by obtaining a so-called Norwich
Pharmacal Order (NPO). This is a court sanctioned order that requires a third
party that has innocently been caught up in the wrongdoing (ie the bank) to
provide information about the issue. In the context of APP fraud, this would
most commonly be used against the receiving bank in order to find out more details
about the transaction and the fraudster themselves, as far as the bank holds
that information.
In some cases, it might also be appropriate to ask the court
for a freezing injunction which stops the stolen funds and/or their traceable
proceeds from being moved (further) out of reach. Any information gathered from
an NPO might also assist with such an injunction. Generally, this is a more
onerous application to the court, where the victim will need to show among
other things that there is a real risk of dissipation of assets before the
court will grant the injunction. The applicant is also at risk of paying
damages to the other party if it suffers a loss as a result of an injunction
that is wrongly granted.
Legal claims and other options
There are a few potential legal claims for APP fraud
victims. Often, the identity of the fraudster is unknown and unless substantial
information has been obtained it is more effective to consider a claim against
the paying or receiving bank.
Generally, where the transaction has not been correctly
authorised by the paying bank, the victim may have a claim for breach of
mandate or negligence. It will very much depend on the circumstances of the
individual case whether such a claim can be successful. However, due to the
recent Supreme Court decision in Philipp v Barclays it
is no longer possible to argue that the customer's bank breached its Quincecare duty,
ie the duty which requires a bank to refrain from acting on a payment
instruction and to make inquiries when it is on notice of a serious possibility
of fraud. This has now been excluded for the APP fraud scenario where the
customer themselves gives the payment instruction.
Separately, there might also potentially be claims for
unjust enrichment, knowing receipt or dishonest assistance against the
receiving bank, depending on what has happened.
Apart from these claims, it is also worth noting that
Regulation 90(2) of the Payment Services Regulations 2017 (SI 2017/752)
requires the bank to make reasonable efforts to recover the funds involved in
the payment transaction, even if the bank is not liable. This can be used to
persuade the receiving bank to assist in the recovery of the misappropriated
funds, even when there is no direct claim against the bank.
Another avenue for reimbursement is the Contingent
Reimbursement Model Code (CRM Code), a voluntary industry code that came into
force in May 2019. This requires the banks which have signed up to it to
reimburse victims of APP fraud in some cases. However, international payments,
which are commonly a feature of APP fraud, are excluded. It is also only a
voluntary code which a selection of banks have signed up to; and even those
that have can take starkly different approaches to their engagement with victims.
The Financial Services and Markets Act 2023 now
also paves the way for a mandatory APP fraud reimbursement scheme that is
currently being consulted on by the Payment Systems Regulator (PSR). The new
scheme will come into force in 2024 and
will apply to domestic payments within the Faster Payments system to consumers,
micro-enterprises and charities. It will require the cost of reimbursement to
be shared equally between the sending and receiving banks.
Conclusion
Victims of APP fraud find themselves in a tricky situation where it is key to act immediately and get the correct legal advice to seek to ensure a positive outcome. In our experience, while some of the legal claims can be challenging, in practice much can be achieved by acting early and obtaining the maximum amount of information about the fraudster and what happened. Happily, the overall trend is that the amount returned to APP fraud victims is on the increase (it rose by 5% in 2022).
If you have any questions or require advice on APP fraud,
please contact Fahad Islam.