Philipp v Barclays Bank UK plc: Bad news for victims of authorised push payment (APP) fraud

Often the fraudster will have already obtained access to some personal information of the victim, and will then contact the victim purporting to be from the fraud department of their bank. Using scam phone calls, text messages and emails, the victim is pressured to disclose personal details and passwords. The victim is then persuaded to transfer payments out of their bank account on the basis that it has been compromised, to the account of the fraudster.

Victims of APP fraud seeking redress have often sought to rely on the “Quincecare” duty (from the case of Barclays Bank plc v. Quincecare Limited) which established that banks owe a duty of care to their customers not to carry out money transfer instructions, in circumstances when they have reasonable grounds to believe that the instructions provided by customers are part of a fraud. Until now, the extent to which banks are under a duty to verify payment instructions has been unclear.

The Supreme Court has recently allowed an appeal in the case of Philipp v Barclays Bank UK plc and in so doing has provided important clarity on the scope and nature of the Quincecare duty owed by banks to their customers. The key issue in this case was whether the Quincecare duty should apply to APP fraud cases.  Unfortunately for bank customers, the Supreme Court has decided that the Quincecare duty does not have any application to cases of APP fraud, where it is the customer that directly authorises the bank to make a payment.  Instead, the Quincecare duty is now limited to cases concerning payment instructions that have been given by an agent or third party on the customer’s behalf.

Parliament is, however, taking steps to address this issue. The Financial Services and Markets Act 2023 (FSMA 2023) will come into effect in 2024.  Under section 72 of this Act, liability will be imposed on banks “where the payment order is executed subsequent to fraud or dishonesty”, and losses will be allocated equally between the sending (victim’s) and receiving (fraudster’s) banks. The Act will only provide protection for consumers, charities and “micro-enterprises” and so larger businesses will not benefit.

Victims of APP fraud should also be aware of The Contingent Reimbursement Model Code (CRM Code) for APP scams. This is a voluntary code for APP fraud which has been in place since May 2019.  For those banks that have signed up to the code (not all banks have) the starting assumption is that losses arising from APP fraud will be returned to customers unless one of the exceptions in the CRM Code apply.

For advice on APP fraud, and other civil fraud issues, please contact a member of our expert team of lawyers.