Caught out by APP fraud? Here's the 101 of what can be done

Authorised push payment fraud (or APP fraud) continues to be a significant problem in UK

It has been reported that in 2022 over £485m¹ has been lost to this type of fraud, where a victim is induced by a fraudster to authorise ("push") their own bank to make a payment to a bank account that is controlled by the fraudster, as they have been persuaded that there is some legitimate purpose for the payment. Dan Wyatt, partner at RPC, takes a look at the best strategy for APP fraud victims and their recovery options.

What first steps should an APP fraud victim take?

It is essential that action is taken swiftly as the fraudster will be attempting to put the stolen amounts beyond reach as quickly as they can.

The first step should be to notify the paying and receiving banks immediately. This can be done by the victim themselves or, if a law firm can be instructed quickly enough, by the law firm. It may be possible to stop the payment or, if it has already cleared, to get the receiving bank to block the recipient account so the funds cannot be dissipated and can ultimately be returned. This is one practical area where a law firm can add immediate value – firms which are frequently engaged in assisting clients in these matters will know who best to contact within many of the major banks to ensure the request is dealt with immediately and not lost in that bank's usual processes and procedures. That can make all the difference. 

It is also advisable to report the incident to Action Fraud, the national fraud and cyber crime reporting centre. Although this is unlikely to lead to the police pro-actively tracking down the wrongdoers, occasionally it can help join the dots where the recipient account has been used on multiple occasions for different payment frauds and, as such, is on the police's radar.

Next, a victim should try and obtain as much information as possible from the banks involved (both sending and receiving). This includes further details of the account into which the payment was made and, if the funds have since been paid away (which typically is the case within a matter of days, if not hours), details of which account(s) they were paid away to. Ultimately, the more information about the recipient account and any further accounts into which the stolen funds were paid away, the better. This will assist with lines of enquiry (eg through forensic accountants and business intelligence firms) to seek to identify the fraudsters and trace the funds; it will also help the consideration of potential legal claims available. 

Different banks take different approaches to assisting with this sort of disclosure of information. Typically victims would hope to be able to obtain from most banks copies of full bank statements for the recipient account, plus details of the account holder including contact details and potentially also KYC information. Some banks are willing to assist by providing this information voluntarily; others require a court order before assisting.  

Where banks refuse to assist voluntarily, it is usually possible to compel them to provide it by obtaining a so-called Norwich Pharmacal Order (NPO). This is a court sanctioned order that requires a third party that has innocently been caught up in the wrongdoing (ie the bank) to provide information about the issue. In the context of APP fraud, this would most commonly be used against receiving bank in order to find out more details about the transaction and the fraudster themselves, as far as the bank holds that information.

In some cases, it might also be appropriate to ask the court for a freezing injunction which stops the stolen funds and/or their traceable proceeds from being moved (further) out of reach. Any information gathered from an NPO might also assist with such an injunction. Generally, this is a more onerous application to the court, where the victim will need to show among other things that there is a real risk of dissipation of assets before the court will grant the injunction. The applicant is also at risk of paying damages to the other party if it suffers a loss as a result of an injunction that is wrongly granted.

Legal claims and other options

There are a few potential legal claims for APP fraud victims. Often, the identity of the fraudster is unknown and unless substantial information has been obtained it is more effective to consider a claim against the paying or receiving bank.

Generally, where the transaction has not been correctly authorised by the paying bank, the victim may have a claim for breach of mandate or negligence. It will very much depend on the circumstances of the individual case whether such a claim can be successful. However, due to the recent Supreme Court decision in Philipp v Barclays² it is no longer possible to argue that the customer's bank breached its Quincecare duty, ie the duty which requires a bank to refrain from acting on a payment instruction and to make inquiries when it is on notice of a serious possibility of fraud. This has now been excluded for the APP fraud scenario where the customer themselves gives the payment instruction.

Separately, there might also potentially be claims for unjust enrichment, knowing receipt or dishonest assistance against the receiving bank, depending on what has happened.

Apart from these claims, it is also worth noting that Regulation 90(2) of the Payment Services Regulations 2017 (SI 2017/752) requires the bank to make reasonable efforts to recover the funds involved in the payment transaction, even if the bank is not liable. This can be used to persuade the receiving bank to assist in the recovery of the misappropriated funds, even when there is no direct claim against the bank.

Another avenue for reimbursement is the Contingent Reimbursement Model Code (CRM Code), a voluntary industry code that came into force in May 2019. This requires the banks which have signed up to it to reimburse victims of APP fraud in some cases. However, international payments are excluded, which are commonly a feature of APP fraud. It is also only a voluntary code which a selection of banks have signed up to; and even those that have can take starkly different approaches to their engagement with victims.

The Financial Services and Markets Act 2023³ now also paves the way for a mandatory APP fraud reimbursement scheme that is currently being consulted on by the Payment Systems Regulator (PSR). The new scheme will come into force in 2024⁴ and will apply to domestic payments within the Faster Payments system to consumers, micro-enterprises and charities. It will require the cost of reimbursement to be shared equally between the sending and receiving banks.

Conclusion

Victims of APP fraud find themselves in a tricky situation where it is key to act immediately and get the correct legal advice to seek to ensure a positive outcome. In our experience, while some of the legal claims can be challenging, in practice much can be achieved by acting early and obtaining the maximum amount of information about the fraudster and what happened. Happily, the overall trend is that the amount returned to APP fraud victims is on the increase (it rose by 5% in 2022).⁵

If you have any questions or require advice on APP fraud, please contact Dan Wyatt.

¹https://www.ukfinance.org.uk/news-and-insight/press-release/over-ps12-billion-stolen-through-fraud-in-2022-nearly-80-cent-app
²Philipp v Barclays Bank UK PLC [2023] UKSC 25 (12 July 2023)
³See in particular s. 72.
⁴https://www.psr.org.uk/news-and-updates/latest-news/news/psr-confirms-new-requirements-for-app-fraud-reimbursement/, see also https://www.psr.org.uk/media/iolpbw0u/ps23-3-app-fraud-reimbursement-policy-statement-final-june-2023.pdf
⁵https://www.ukfinance.org.uk/news-and-insight/press-release/over-ps12-billion-stolen-through-fraud-in-2022-nearly-80-cent-app