APP fraud: Are UK banks facing an increased risk of litigation?

What is happening?

Since Philipp, and no doubt because of it, a trend of case law is emerging whereby APP fraud victims are finding creative ways to bring claims against the receiving bank to try and recoup their losses – and the English Courts have been receptive to some of their arguments, at least on a preliminary basis. (You can read our article on Philipp here). We set out in this article the various lines of attack which we see emerging against the receiving bank from the current case law, of which our financial institution clients need to be aware.

Throughout this article, we refer to the “receiving bank”, but of course the issues we explore are equally applicable to all payment institutions and electronic money institutions (EMIs).  (Indeed, a conclusion in one of the key cases we examine below is that, despite the rules on safeguarding - which, perhaps, should distinguish EMIs from banks for whom monies received are their own assets - there is no substantive difference between the two for the purposes of ascertaining an element of a cause of action in unjust enrichment). 

The “retrieval duty”

Although the decision in Philipp was clear in its outcome, other comments by Lord Leggatt in the judgment left a glimmer of hope for victims in the form of a so-called “retrieval duty” on the paying bank.  Lord Leggatt considered it arguable that, when the APP fraud victim in Philipp informed her bank that she had been fraudulently induced to make the payment, the bank should have promptly taken steps to retrieve the funds.  Seizing this potential argument, in the recent case of CCP Graduate School Ltd v National Westminster Bank Plc¹, an APP fraud victim brought claims against both the paying bank and the receiving bank on the basis of this alleged novel duty.  At a summary hearing, High Court Master Brown found that the “retrieval duty” claim against the paying bank was time-barred, but commented that, if he had had the power to do so, he would have allowed the claim as he could not rule that it had no prospect of success.  He did, however, allow the claimant’s “retrieval duty” claim against the receiving bank to proceed, saying that it was not sufficiently clear for him to strike out the claim pursuant to the defendant bank’s application to do so.  As to how such a “retrieval duty” would work in practice, the Master recognised that it depended on the prompt provision of an indemnity by the paying bank to the receiving bank (to cover any losses which the receiving bank may incur in sending back the money), which is passed on to all banks down the chain of payments until the money is located.

We understand that this case is being appealed.  We can therefore expect further clarification of the law in relation to the “retrieval duty” on receiving banks in the relatively near future.  It may well be that, on proper analysis of the law, the appeal court may be prepared to be more decisive than the Master was in this case in rejecting the existence of such a duty on a receiving bank.  In the meantime, this is an area of potential exposure which will need to be kept under review.  You can read more about CCP in our article here.

A “duty to protect from fraud”

In Larsson v Revolut Ltd², another recent case of an APP fraud victim bringing a claim against the receiving bank to try and recover his losses, the victim also had a bank account with the receiving bank.  It had already been held at first instance in Abou-Rahmah v Abacha³ that, in general terms, a receiving bank does not owe general tortious duties of care to the payer, with whom it has no contractual relationship.  However, in this case, the claimant used the banker-customer relationship between the defendant bank and him as the basis for arguments contending that common law duties were owed to him by the bank, in its capacity as the receiving bank, to protect him from fraud (even though his bank account with the defendant bank was not involved in the fraud to which he was subject).  These arguments failed at summary stage, with Mr Justice Zacaroli saying that a receiving bank did not owe a duty of care to a third party payer, and there was no principled reason for imposing such a duty simply because the payer happened to be a customer of the bank.  He said that to impose such a duty would lead to a “radical extension” of the law.  Although these arguments failed, they nevertheless demonstrate the innovative ways in which APP fraud victims are seeking to make receiving banks liable for their losses.  You can read our article on Larsson here.

 Unjust enrichment

A further cause of action that claimants have sought to utilise is the concept of unjust enrichment.  The unjust enrichment claim in Larsson was paused pending the decision in the case of Terna Energy Trading Doo v Revolut Ltd⁴ (which was proceeding in parallel), the most recent case of an APP fraud victim bringing a claim against the receiving bank to recover their losses. 

To make out a cause of action in unjust enrichment, four elements of the remedy need to be considered: (a) enrichment of the defendant; (b) at the expense of the claimant; (c) that such enrichment was unjust; and (d) the existence or otherwise of any defences.  Terna, being a decision on a strike out and reverse summary judgment application, was targeted on just issues (a) and (b).  On issue (a) the question turned on whether there is benefit to a recipient bank where, at the same time as receipt of the payment, a simultaneous credit is given to the receiving bank’s customer’s account (and also whether it makes a difference if the institution is a bank or an EMI, as here) - and on issue (b) whether the enrichment was really at the expense of the claimant where, in fact, the payment was an international payment via correspondent banks rather than a direct one.  HHJ Paul Matthews rejected the defendant’s application for strike out and reverse summary judgment on both issues.

In relation to the enrichment issue, he held, after extensive examination of the authorities, that it was at least arguable at the summary judgment stage that there was enrichment despite the existence of the simultaneous credit given by the receiving bank to its own customer, at least until such time as the bank in fact paid away such monies on the instructions of its customer (which may give rise to a change of position defence, but that was not for consideration at this stage). The judge placed weight on the fact that, until money was in fact paid away by the receiving institution, the customer credit could be reversed and the money returned to the claimant. (He also held that it made no difference that the receiving institution was an EMI and that the funds were safeguarded in line with applicable regulations, as the EMI still owned the money beneficially).

Most interestingly, in relation to the “at the expense of the claimant” issue, the judge disagreed with the 2022 decision in Tecnimont Arabia Limited v National Westminster Bank plc⁵, a case which, like Terna, also concerned an APP fraud committed via an international bank payment, in which the unjust enrichment claim against the receiving bank failed – which was welcome news for banks at the time.  In contrast, in Terna, the judge concluded that, despite the payment having been executed through third party correspondent banks, there is an arguable case that such correspondent banks were mere agents of the paying and receiving institutions, and such enrichment had been at the claimant’s expense.  Alternatively, he held that the entire arrangement can be viewed as a series of co-ordinated transactions, but still involved the enrichment of the receiving institution at the expense of claimant. He said, in no uncertain terms, that he thought the decision to the contrary in Tecnimont was wrong and declined to follow it. The defendant has since obtained permission to appeal the decision⁶ and, until the matter is settled, the law in this area is uncertain.  You can read our article on Terna here.

As noted above, this case does not address the other potential defences that banks and payment institutions will have against such claims, which are alluded to in the judgment, namely the defences of ministerial receipt, and change of position (where, as will often be the position in cases of APP fraud, the bank or payment institution will have already disbursed the monies received onwards, on the instructions of their own (albeit fraudulent) customer).  These defences will normally be effective as a matter of law, if made out on the facts – but, as  shown by these cases, may need to go to full trial to establish them. 

Dishonest assistance / knowing receipt

Finally, some claimants have advanced arguments based on the law of constructive trusts.  The argument is that, where there has been a breach of trust and a third party knowingly assists in such breach of trust or receives trust property knowing it to be such, that party can be fixed with a constructive trust and be made to account for the proceeds. 

In the case of APP fraud, these claims depend on the proposition that, where funds have been procured by fraud, the transferred funds will constitute trust property. (This proposition itself is subject to conflicting case law). Where money was paid away by the recipient bank despite knowledge of red flags which gave rise to strong doubts about the legitimacy of the transaction and where a blind eye was turned, this may be enough to make out the “objective dishonesty” requirement for this type of liability, making the receiving bank an accessory to the breach of trust, or a knowing recipient (where the money is still held). 

This argument was raised in the Larsson case.  However the judge declined to deal with the issue at summary judgment stage, the issue being too complex and developing as an area of law, and referred the issue to be considered at full trial.  

Of course, the necessity to establish objective dishonesty by the recipient institution is a high bar, and will be hard to establish in most cases.  However, this does nonetheless represent another cause of action which victims of APP fraud are pursuing in order to try to make recoveries.

Interplay with the APP Fraud Mandatory Reimbursement Scheme

In October 2024, the Payment System Regulator’s APP Fraud Mandatory Reimbursement Scheme is due to come into effect. Under the Scheme, payment services providers (PSPs) are required to reimburse victims of APP fraud, subject to certain requirements, up to a maximum level of £415,000 per claim.  The cost of the reimbursement is shared 50/50 between the paying and receiving PSPs – hence, under the Scheme, receiving banks are “on the hook” to the same extent as paying banks. 

In its most recent fraud report, UK finance reported that £459.7 million in losses were suffered by UK APP fraud victims in 2023, and 62% of this was returned to victims by their bank (either, we presume, voluntarily, or pursuant to a decision of the Financial Ombudsman Service (FOS) or pursuant to a court decision).  When the Scheme comes into force, it is likely that the percentage of losses returned to victims will rise – and it is also not inconceivable that the total amount of loss will rise, as fraudsters may consider APP fraud to be “underwritten” by banks.  It is therefore unsurprising that there has been some pushback on the Scheme by the banking industry, with calls for the new Labour government to place liability on tech firms for APP frauds that originate online.  Of the £459.7 million of APP fraud losses reported by UK Finance, 76% started online.

There are reports that, in order to limit their exposure, some UK payments firms propose to close accounts of customers deemed too high risk of APP fraud - although banks must be careful of doing this legitimately and fairly, otherwise they may expose themselves to claims of de-banking by customers.  (De-banking complaints are themselves on the rise, with a 44% increase in complaints to the FOS from 2022/23 to 2023/24).  Other firms are considering introducing new fees on customers, or imposing a maximum value for transactions. These strategies may go some way to lessen the cost to banks under the Scheme, but if the above cases lead to success for the claimants, banks may also face a wider risk of liability under common law. 

Despite the Scheme, there will still be litigation in this space, either because the losses suffered by the victim exceed the Scheme’s maximum level for reimbursement of £415,000 (as in two of the three cases discussed above – with the third case falling just below it), or because of the international nature of the transaction. (The Scheme is limited to domestic payments, but APP fraud is often international in nature).  The final decisions in the above cases are therefore potentially extremely significant as they may widen the risk of litigation against receiving banks for APP fraud. 

What can banks do?

As part of its efforts to crack down on APP fraud, the UK government has proposed regulations which will allow PSPs to delay the execution of a payment order by up to four business days, to give them more time to investigate suspicious payments. The regulations are due to come into force at the same time as the Scheme. These measures will provide some assistance to banks in helping them limit their exposure but, of course, they must ensure they apply the regulations correctly as, on the flip side, they may face claims by customers for breach of mandate.

What else can banks do to guard against this litigation risk?  They would be well advised to review and assess their financial crime and fraud systems and controls, to ensure that KYC procedures at onboarding are undertaken properly in order to minimise the risk of fraudsters setting up accounts, that processes for picking up suspicious payments received into accounts are also working effectively, and that all relevant internal policies are reviewed to reflect best practice, and staff are trained properly.  Small practical steps may lead to significant mitigation of litigation risks.

If you would like to discuss any of the issues raised in this article, please get in touch with any of the contacts listed.