Authorised push payment fraud – an alleged “retrieval duty” considered ahead of important regulatory changes due to come into force on 7 October 2024

The High Court considers for the first time whether and to what extent banks and other payment service providers (PSPs) are required to take steps to trace and retrieve funds following an authorised push payment (APP) fraud.

CCP Graduate School Ltd v National Westminster Bank PLC & Anor [2024] EWHC 581 (KB)

With APP fraud on the rise, claimants are actively exploring various routes to recover their losses. Those routes have included a consideration of whether the “Quincecare Duty” applies in this setting – i.e., whether a financial institution must protect its customer from itself in circumstances where it is on reasonable inquiry that there may be a risk of fraud on the account.

However, last year, in Philipp v Barclays Bank UK PLC [2023] UKSC 25 (Philipp), the Supreme Court dismissed the idea that the Quincecare Duty was “some special or idiosyncratic rule of law”. Properly understood it is simply an application of the general duty of care owed by a bank to interpret, ascertain and act in accordance with its customer’s instructions. Provided the instructions by the customer were clear and given by the customer personally, or by an agent acting with apparent authority, no inquiries were needed to clarify or verify what the bank must do. Accordingly, Mrs Philipp’s claim for losses suffered as a result of falling victim to an APP scam failed as the validity of her instructions were never in doubt. The bank completed its duty by executing the instructions as asked. Conversely, if it had failed to do so, that would have constituted a breach of duty, not the breach that Mrs Philipp had alleged (though the Supreme Court acknowledged that there may be limited circumstances where inquiries were needed). See our earlier article on Philipp here.

Whilst this decision was welcomed by financial institutions, it has only provided a short reprieve for them and their insurers. The Supreme Court, in Philipp, left the door open as to whether banks (and other PSPs) might owe some other form of duty to APP fraud victims to take reasonable steps to retrieve misappropriated funds (the Retrieval Duty). The claimant in the recent High Court decision of CCP Graduate School Ltd v National Westminster Bank PLC & Anor [2024] EWHC 581 (KB) asserted just that against both the sending and receiving banks. As the High Court refused the receiving bank’s application to dismiss the Retrieval Duty claim, on the facts, this case will certainly be one to watch.

FACTS

The claimant alleged that it was a victim of an APP fraud orchestrated by a criminal gang. Over a one-month period, 13 September – 12 October 2016, the claimant instructed its bank, NatWest, to make 15 payments, together amounting to just under £416,000, to an account held with Santander. The criminal gang then dissipated those funds. Santander made efforts to recover the funds, but only £14,000 was ultimately retrieved.

Several years later, the claimant issued proceedings against both banks:

• As against NatWest, it was alleged that it owed the claimant a contractual and/or tortious duty not to carry out its payment instructions without taking steps to ensure that this was not an attempt to defraud the claimant (i.e., the so-called Quincecare Duty).
• As against Santander, it was alleged that Santander had actually breached some other duty of care it owed to the claimant (though the Court commented that the pleadings were not clear as to the precise allegations), despite the fact that the claimant was not its customer.

In turn, NatWest and Santander applied for (reverse) summary judgment/strike out. Subsequent to the Supreme Court’s decision in Philipp being handed down, the claimant then sought to amend its claim against both defendants to allege breach of the Retrieval Duty.

DECISION

The Court held that the claim against NatWest was time-barred (the claim having been issued more than six years after the last payment out on 12 October 2016) and therefore should be struck out. Despite the Court’s finding on limitation, it also commented on NatWest’s alternative case that the claim should be struck out because it was founded on the Quincecare Duty, which Philipp had, by then, reformulated to be that the bank’s duty to exercise reasonable skill and care is not engaged unless there are doubts as to the validity of the customer’s instruction. The Court found that it had no application in the present case, given that the claimant had provided clear and valid payment instructions. Indeed, NatWest would have been in breach of its mandate had it declined to carry out those instructions.

Regarding the application to amend the claim to include a Retrieval Duty claim against NatWest, the Court also held that any such claim would be time-barred. Accordingly, it refused permission to amend. Notably, the Court did, however, comment that if it had had the discretion to allow the amendment, it would have exercised it, due to the lack of clarity as to the steps that NatWest had taken once it had been alerted to the fraud, and the timing of those actions.

As for the claim against Santander, the Court concluded that it was not entirely time-barred because at least some of the misappropriated funds remained in the Santander account on 18 October 2016. However, the Court expressly acknowledged that there could be no Quincecare-type duty falling on Santander, as the claimant was not its customer. This is in line with the Privy Council’s decision in Royal Bank of Scotland International Ltd (Respondent) v JP SPC 4 and another (Appellants) [2022] UKPC 18 (RBS v JP SPC 4). The Court in the present case held that this was particularly so where “such a duty would be inconsistent with the contractual duty to effect any mandate by their customer.” Accordingly, to the extent based only on the Quincecare Duty, the claim was struck out.

As for the Retrieval Duty claim, the Court discussed the Supreme Court’s recognition in Philipp that such a duty could exist.

The claimant in the present case argued that if such a duty applies to the customer’s bank, it must be “at least arguable that it would be anomalous if the bank that operates the account of the criminal gang… was not under a similar duty.” Indeed, the claimant alleged that Santander “could and should have taken certain steps to retrieve the sums which had been paid out to others.”

While the Court was reluctant to describe this as a “developing area of law” and expressed doubts as to whether a Retrieval Duty could be owed by the receiving bank, given the uncertainty, it rejected Santander’s application to strike out.

One of the reasons for the Court reaching this view was that it did not consider it necessarily fatal to the claim that there may not have been an assumption of responsibility by Santander to the claimant.

This reasoning was based on the recent Supreme Court case of HXA v Surrey County Council and YXA v Wolverhampton City Council [2023] UKSC 52. Although arising in quite different circumstances (liability of a public authority for abuse by a parent), in that case Lord Burrows outlined the following principles:

"In the tort of negligence, a person A is not under a duty to take care to prevent harm occurring to person B through a source of danger not created by A unless (i) A has assumed a responsibility to protect B from that danger, (ii) A has done something which prevents another from protecting B from that danger, (iii) A has a special level of control over that source of danger, or (iv) A's status creates an obligation to protect B from that danger."

Proceeding on the assumption that the claimant’s argument was correct (i.e., that Santander was in a “special position to take steps to recover the sums due,” so had at least some measure of control), the Court considered (iii) and (iv) may be of some relevance to this case. Santander countered by asserting that it lacked special control over the account holder and was obligated to complete all instructions based on the authorisation provided by its customer. Indeed, the Court observed that in the case of RBS v JP SPC 4, the Privy Council had accepted that the bank did not have a special level of control, however it also noted that that specific case was concerned with the Quincecare Duty and not the Retrieval Duty, and the facts were quite dissimilar to the present case. The Court was therefore seemingly not convinced that Santander’s obligation to follow their customer’s instructions alone would fully absolve Santander from the alleged Retrieval Duty, where an APP fraud scheme is in play.

In reaching this view, the Court appeared to find persuasive the existing commercial practice between banks involving the operation of a series of indemnities. While only considered briefly in the judgment, this practice essentially involves each sending bank in the chain agreeing to indemnify the receiving bank from any liability to the customer (and potentially others) arising from the receiving bank freezing the account. Of course, the success of any retrieval efforts depends on the cooperation of all the banks involved in the process. For this system to function smoothly, presumably the indemnity must be capable of being transferred promptly, as it is unlikely that criminal groups will keep funds in a first-generation account for an extended period of time.

The Court considered that this system, which to some extent already enables a bank to override its own customers’ instructions, would likely be relevant to consider further when determining whether a Retrieval Duty should be recognised at law. 

Overall, the Court was not, therefore, persuaded that the matter was sufficiently clear to strike out the claim.

DISCUSSION 

While this decision is helpful in applying and restating the position in Philipp, as to the correct nature of the duty owed by the bank to its customers when carrying out clear instructions, as the claim was not struck out in its entirety, it does leave the door open for claimants to seek a recovery from financial institutions/PSPs for the alleged failure to recover funds lost to fraudulent activities under this so-called Retrieval Duty.

While the scope of the alleged Retrieval Duty remains unclear at present, including “whether any such [retrieval] duty lies on the bank of those who can be assumed to have perpetrated the fraud,” this decision hints at the steps a bank might be expected to take (such as providing a chain of indemnities) in order to discharge such a duty, should it apply.

If and when this case progresses, we can expect to gain more insight as to the existence and scope of this duty. However, for now, this latest decision is unlikely to be a welcome development for financial institutions/PSPs, or for their insurers. There may now be a “new” duty to contend with, which could allow claims to be brought, in an APP fraud setting, against financial institutions/PSPs by non-customers, as well as their own.

It is also likely to be particularly disappointing given that the Supreme Court in Philipp was at pains to emphasise that it should be for the government and the regulators to determine whether and to what extent financial institutions/PSPs should be required to reimburse the victims of APP fraud (and not the Courts).

In this regard, the substantive hearing of this case may well coincide with the launch of the Payment Systems Regulator’s (PSR) new mandatory reimbursement scheme for APP fraud victims, outlined in its policy statement issued on 19 December 2023, which is due to come into force on 7 October 2024.

Under the new rules, in-scope PSPs (those operating within the Faster Payments system) will be required to reimburse victims of APP fraud within five business days. The costs of this reimbursement will be split 50-50 between the sending PSP and the receiving PSP. PSPs will have the option to charge an excess of up to £100 per claim, with the maximum reimbursement level being capped at £415,000 per claim, in the first instance.

Victims will not be eligible for a refund if they have acted fraudulently, or the PSP assesses that the customer has been “grossly negligent” (which we suspect will present a high bar in practice). Under the rules, vulnerable customers will be afforded extra protections - for example, they will not be charged an excess.

Of significance, though, is that the reimbursement requirement will not apply to civil disputes, payments that take place across other payment systems (for example, if a customer sends funds to their account at a crypto exchange and then pays a fraudster via cryptocurrency), international payments or payments made for unlawful purposes.

In light of the soaring levels of APP fraud, it is therefore likely that victims who fall outside of the PSR's reimbursement scheme may well seek to rely on the Retrieval Duty, at least until a time when the Courts have properly determined its scope.

Whether compensation payments made to APP fraud victims ought to be covered under an insurance policy will likely turn on the specific policy wording, for example, whether the policy in question responds to fraud directly against customers. If it does not, we query whether wordings will now need to be expanded on this basis, to meet these ever-expanding liabilities.

Regardless, given that PSPs will soon be directly responsible for reimbursing victims, fraud controls may need to be revisited and improved to prevent incidences of fraud and more effective communications may need to be issued to customers to increase their awareness of this growing social problem. Further regulatory action may well also follow.