Financial institutions’ exposure to the victims of payment fraud – where are we now?

  • Insight Article 28 August 2025
  • UK & Europe

  • Regulatory movement

  • Insurance

Over the past five years, we have seen a series of cases against banks and payment service providers (“PSPs”) brought in the English courts by the victims of payment fraud. We then saw significant industry change in the form of the mandatory Authorised Push Payment (“APP”) Scams Reimbursement Requirement that came into effect on 7 October 2024. This piece provides a round-up of the most recent cases, a summary of the law as it now stands, an update on the implementation of the APP Scams Reimbursement Requirement, and comments on the industry and insurance response.

 

Some of our prior commentary on relevant APP fraud cases includes:

  • Philipp v Barclays Bank PLC [2021] EWHC 10 (Comm), [2022] EWCA Civ 318, and [2023] UKSC 25 – commentary here

  • CCP Graduate School Ltd v National Westminster Bank PLC & Anor [2024] EWHC 581 (KB) – commentary here

  • Larsson v Revolut Ltd [2024] EWHC 1287 (Ch) – commentary here

  • Terna Energy Trading doo v Revolut Ltd [2024] EWHC 1419 (Comm) – commentary here (note: appeal outstanding)

So far in 2025 and since the above, we note and discuss:

Reminder: What is APP fraud?

A transaction in which individuals or businesses are deceived into authorising the transfer of funds from their own account to an account controlled by a fraudster. By contrast, unauthorised payment fraud includes, for example, lost and stolen card fraud, ID theft and mobile banking fraud.

Legal arguments pursued by the victims of APP fraud

Victims of APP fraud, usually unable to pursue the fraudster directly, have turned to their bank or the fraudster’s bank for reimbursement, pursuing various legal arguments where the bank was not required to or did not agree voluntarily to reimburse the victim. Arguments pursued across the cases above included that the bank:

  1. is subject to the Quincecare duty;
  2. is subject to a “retrieval duty” in tort;
  3. has been unjustly enriched; and/or
  4. dishonestly assisted the fraudster.

We discuss (i) and (ii) below as they have been considered further by case law over the past few months. With respect to (iii) unjust enrichment, we continue to await the appeal of Terna v Revolut (our article on the first instance decision is here). As for (iv), dishonest assistance, we are not aware of whether the claimant in Larsson v Revolut has taken the opportunity provided to him to replead that claim (see our commentary on this case here).

  1. The Quincecare duty

By way of reminder, under the Quincecare duty, derived from the 1992 case, Barclays Bank Plc v Quincecare [1992] 4 All ER 363, a bank must protect its customer from itself and refrain from executing an order in circumstances where the bank is on reasonable inquiry that there may be a risk of fraud on the account. 

Four non-APP fraud cases then brought the Quincecare duty back into the spotlight: (1) Singularis v Daiwa [2019] UKSC 50[1]; (2) Stanford v HSBC Bank PLC [2022] UKSC 34[2]; (3) Royal Bank of Scotland International Ltd v JP SPC 4 & Anor [2022] UKPC 18[3]; and (4) Nigeria v JP Morgan Chase Bank N.A [2022] EWHC 1447 (Comm)[4].  

The Supreme Court’s subsequent decision in the APP fraud case, Philipp v Barclays Bank UK PLC [2023] UKSC 25, clarified that the bank did not owe a duty to protect the customer from itself where the instructions provided to the bank were clear and unequivocal, even where the bank had reasonable grounds to believe that the customer was being defrauded. Instead, the basic duty of a bank under contract is to make payments in compliance with the customer’s instructions. “Where the bank receives a valid payment order which is clear and leaves no room for interpretation or choice about what is required in order to carry out the order, the bank’s duty is simply to execute the order by making the requisite payment. The duty of care does not apply” [63]. The Quincecare Duty is not “some special or idiosyncratic rule of law” [97]. Rather, it is simply an application of the general duty of care owed by a bank to interpret, ascertain and act in accordance with its customer’s instructions.

The recent case of Hamblin & Anor v Moorwand & Anor [2025] EWHC 817 (Ch), handed down on 4 April 2025, saw the Quincecare duty, as re-formulated by the Supreme Court in the Philipp case, further discussed and applied. This judgment was interesting for a few reasons:

  1. Moorwand is not a bank. It is a PSP and electronic money institution (“EMI”). It provides customers with an electronic wallet from which transactions can be made in various currencies. The High Court was comfortable that the Quincecare duty could, in principle, apply to an EMI.
  2. The victims of the fraud did not themselves have an account with Moorwand and could not therefore bring a claim for breach of the Quincecare duty. The claim was instead brought as a derivative action. The victims of the fraud brought the claim on behalf of a company, RND, which held the account with Moorwand and which was used to commit the fraud. Permission to bring the claim as a derivative action was given at first instance and not appealed before the High Court, and it will be interesting to see whether other claimants pursue derivative claims in future.
  3. What was appealed in this case was whether the lower court was correct to dismiss the victims’ derivative action. The High Court overturned the decision of the Circuit Judge before whom this was first heard, finding that the Quincecare duty had, in fact, been breached. The derivative claim therefore succeeded. Moorwand was held to be on inquiry and accordingly required to restore the monies improperly paid away from the RND account.
  4. Whether Moorwand was put on inquiry is a question of fact. In this case, the High Court found that Moorwand was subjectively on inquiry (relevant factors including, for example, inconsistency between the stated business purposes of the account when opened and the actual transactions conducted).
  5. The judgment also grappled with agency. There were two agents of RND in this case: (1) an individual authorised to give payment instructions; and (2) Moorwand, as an agent authorised to execute those payment instructions. Where that individual agent acts in fraud of their principal, the agent plainly has no actual authority. However, Moorwand, in receiving that instruction from the fraudulent individual, will be protected by the agent’s ostensible authority.
  6. Moorwand was unable to rely on an exclusion clause in its terms with RND to defeat RND’s claim (brought derivatively by the victims) for reinstatement of the account. That exclusion clause was relevant only to a claim for damages.

 

  2. An alleged “retrieval duty”

A second potential avenue of recovery for victims that was left open by Philipp was a supposed retrieval duty in tort, which was said by claimant victims to require the banks to take steps to trace and retrieve funds following an APP fraud.

CCP Graduate School Ltd v National Westminster Bank PLC & Anor [2024] EWHC 581 (KB) included a claim against the fraudster’s bank, Santander, based on an alleged retrieval duty. That was notwithstanding that CCP was not Santander’s customer (the claim against the customer’s own bank, NatWest, being time-barred). While the Court expressed doubts as to whether a retrieval duty could be owed by the fraudster’s bank, given the uncertainty of the law in this area, the Court rejected Santander’s application to strike out. That decision not to strike out the claim based on the alleged retrieval duty was appealed by Santander.

In that appeal, Santander UK Plc v CCP Graduate School Ltd [2025] EWHC 667 (KB), the High Court found for Santander. The Judge held that CCP’s claim based on the retrieval duty was “bad in law and could have no real prospect of success” [52]. The Judge was plainly concerned about implying a duty on a bank where it had no contractual relationship with the victim of the fraud. Practically, this duty (if it were accepted as pleaded) “would require that, upon a fraud alert being raised by a stranger in relation to an account held by one of its customers, a bank must contact all other banks into which monies from the account have been transferred, and (contrary to the instructions of its customer) either seek an immediate recall of those sums or otherwise not allow further movements of those monies. That, it seems to me, would put a bank in the impossible position of having to make a speedy adjudication upon an allegation of fraud made against one of its customers by a third party” [47]. The Judge commented that “the fact that banks are willing to take steps to try to assist victims of fraud does not mean that the courts should find they have a legal obligation to do so” [46]. The retrieval duty therefore appears curtailed in two important respects: firstly, it is a duty potentially applicable between a customer and its own bank only, and not between the victim and the fraudster’s bank; and secondly, it is a “facet of” the bank’s contractual relationship with its customer, rather than a separate duty in tort.

A duty on a bank to recover funds was, however, discussed again just a few months later in Barclay-Ross v Starling Bank Ltd [2025] 7 WLUK 101. On the bank’s application to strike out the customer’s claim, it was held that there was an arguable case that the bank had breached its duty by failing to seek the customer’s instructions to recover payments once fraud had been established. The customer was permitted to amend her pleadings on this point. Interesting points discussed in that case included:

  1. Whether or not the Contingent Reimbursement Model to which Starling Bank had voluntarily signed up: (i) had been breached; and (ii) was actionable by the customer. The Judge did not reach a firm decision but suggested that the bank’s “submission about the voluntary nature of the CRM and its non-imposition of duty or liability may have been correct”. 
  2. The Judge held that the existence of a duty on a bank to recover payments was at least possible. Once the customer notified its bank of the potential fraud, the bank arguably had a duty to obtain the customer’s instructions as to whether it should take steps to recover previously authorised payments out of the customer’s account.
  3. While permitted to replead on certain aspects, including to properly quantify the alleged loss, it was held that the customer’s claim for damages for distress was bound to fail and therefore struck out.

Permission to appeal was granted before the summer recess.

Implementation of the APP Scams Reimbursement Requirement and the latest fraud data

A theme of many of the early APP fraud judgments was that this area is properly one for legislators/regulators and not the Courts. Following industry consultation, and with a last-minute change reducing the reimbursement cap from £415,000 to £85,000 per claim, the mandatory “APP Scams Reimbursement Requirement” came into effect on 7 October 2024, applicable to payments made in the UK over Faster Payments (which system is operated by the Payment Systems Regulator (“PSR”)). This was a significant expansion from the voluntary Contingent Reimbursement Model.

Alongside this, the Bank of England, which operates CHAPS, the system for high-value transactions, indicated its commitment to achieving comparable outcomes for consumers making retail payments via CHAPS, setting the same upper limit of £85,000 as with Faster Payments.

According to PSR data reporting on the first six months of the new regime for Faster Payments (i.e. Q4 2024 and Q1 2025):

  • Of 109,000 claims reported by consumers, 77,000 (70.6%) were in scope for reimbursement.
  • Of in-scope claims, 87% of the money lost to APP scams was returned to consumers.
  • £66 million was reimbursed to those consumers.
  • 86% of claims were resolved within five business days.
  • 3% of claims were rejected due to the consumer’s failure to meet the consumer standard of caution.

According to Bank of England data reporting on the new regime for retail CHAPS payments over a slightly longer 7.5 month period (7 October 2024 to end-May 2025):

  • Just 31 claims, with a total value of £1.8 million, were reimbursable under the CHAPS APP fraud rules.
  • All but one of the 31 claims were reimbursed in full (minus £100 excesses where applicable).
  • Six of those 31 claims were over the £85,000 reimbursement limit. Five of those six were reimbursed in full. One was partially reimbursed.

UK Finance’s Annual Fraud Report for 2024/25 covers payments executed through Faster Payments, CHAPS, BACS and international payment schemes. It found that Faster Payments was used for 96% of APP frauds. CHAPS was used for just 1% of APP frauds, although they accounted for 3.5% of fraud by value given the high-value nature of transactions using CHAPS.

Overall, the UK Finance data shows that APP fraud has fallen both in terms of the number of cases (down 20% from approximately 232,000 cases to 185,000 cases) and the amount lost (down 2% from £460 million to just over £450 million). Further, the latest FOS quarterly data notes that there has been a decrease in the number of new fraud and scams complaints: consumers filed 6,800 complaints about fraud and scams, down from 8,800 in Q1 2024/25. Around 3,400 of these cases were related to APP frauds. These falls likely reflect the substantial focus on and investment in fraud prevention, including raising customer awareness and technological developments.

The payments made to customers to date under the APP Scams Reimbursement Requirement (£66 million in six months, even extrapolated to £132 million per year), plus small amounts under the CHAPS rules, amount to substantially less than the £450 million reported as lost to APP fraud last year (and which figure is in itself a likely under-estimate given that instances are under-reported).

The PSR has stated that an independent review of the effectiveness of the APP Scams Reimbursement Requirement will begin in October 2025, with that report expected in spring 2026. It will be interesting particularly to see what the report says in relation to the interplay between sending and receiving PSPs, where they are required to now share the cost of reimbursing victims. The Bank of England has commented that it will engage with the PSR as that independent review is undertaken but, based on currently available data, it sees no pressing case to change the CHAPS APP fraud limit of £85,000.

The insurance of APP fraud

While the number and value of APP frauds are clearly going in the right direction, and the payments to date under the APP Scams Reimbursement Requirement and CHAPS APP fraud rules amount to only a fraction of reported APP fraud, this remains an important exposure for banks and PSPs. Payments to customers under these rules are only part of the picture. There are also, of course, the costs of handling these claims, the investment expected in this area, and the defence of civil or FOS claims that are not in scope of the APP Scams Reimbursement Requirement (for example, losses over £85,000, corporate victims of fraud that are not microenterprises or charities, and non-UK accounts).

From an insurance perspective, we would expect PSPs and those banks that purchase civil liability cover to be covered for the defence of civil claims based on breaches of duty, subject to applicable retentions.

The APP Scams Reimbursement Requirement was a more difficult proposition in the sense that it is a liability imposed by regulation with few ordinary defences. As the PSR data mentioned above shows, claims were rejected in only 3% of cases due to the consumer’s failure to meet the consumer standard of caution. Outside of these rare instances, payment is then required in just five days, with contributions from both the sending and receiving PSP.

When the PSR began consulting in this area, we noted that aggregation was likely to be relevant to the availability of cover. Even at £85,000, the reimbursement limit was likely to be less than many policy retentions. The likelihood of aggregation would depend on wordings and, of course, be fact-sensitive - for example, if an inadequate system or process failure could be shown to have permitted a particular fraud to succeed.

We were interested, therefore, to see the market respond with a bespoke APP fraud product responding to unexpected spikes in losses[5]. Sitting alongside a Civil Liability or Crime policy, that product is said to remove the need to prove aggregation of losses, instead responding if losses exceed a threshold set with reference to expected losses.

We will continue to watch the development of APP fraud claims in the Courts and before the FOS, as well as the implementation of the APP Scams Reimbursement Requirement, as we seek to understand insureds’ potential exposures and the cover available to them.

 

[1] Singularis v Daiwa was the case that really brought the Quincecare duty back under discussion. In 2019, the Supreme Court unanimously held that Daiwa (the bank) owed the Quincecare duty to Singularis (the customer company) not to execute an order if it had been put on inquiry that it was an attempt to misappropriate funds of the customer. The bank was found to have breached this duty. The context for this was that Singularis was a company wholly owned and operated by an individual who had used the company to commit fraud but there had been a number of red flags that the bank did not pursue. The case was not, therefore, concerned with a third party fraudster.

[2] In Stanford v HSBC, in 2022, the Supreme Court considered the Quincecare duty again, finding by a majority, in the context of the Stanford Ponzi scheme and payments out of Stanford’s accounts before they were frozen, that even if HSBC did owe Stanford International Bank the Quincecare duty and was in breach of that duty, the breach did not give rise to any recoverable loss by Stanford International Bank.

[3] In RBS v JP SPC 4 the victim of fraud sought to claim against the fraudster’s bank, despite not being a customer. It was held that a bank does not owe a duty of care in tort to the beneficial owner of funds held in the fraudster’s account. The Privy Council concluded that there is nothing in principle or in existing case law to support an extension of the Quincecare duty to a third party with whom a bank has no contractual relationship, even if the bank knew or ought to have known that the third party was the beneficial owner of funds in the customer’s account. 

[4] Nigeria v JP Morgan Chase differed from the others in that it concerned a depositary account, rather than a current account. The Court found for JPM holding that unless the bank had been put on notice that the instruction in question may have been vitiated by fraud, the Quincecare duty would not arise. The Court was also keen to emphasise that the duty is narrow and confined.


 

 
