By Christian Toms, Partner, Litigation Practice, Squire Patton Boggs
It is a familiar story. A party is tricked into paying money to a fraudster posing as someone else in an email. This type of fraud even has its own name: authorised push payment (APP). When the APP fraud is finally discovered, thoughts turn to what can be done and who might be liable.
Assuming that (i) it is too late to recall a fraudulently misdirected payment and (ii) the fraudster’s bank is not notified in time to freeze it, the victim will want to find the fraudster and the funds.
In England and Wales, often-sought remedies include Norwich Pharmacal Orders (NPOs) and Bankers Trust Orders (BTOs). These enable courts to compel banks and other third parties to disclose information about accounts linked to alleged wrongdoing. Further proceedings can then be considered (assuming the wrongdoers have assets) and/or more disclosure orders made against onward recipients.
However, NPOs and BTOs are discretionary remedies. Courts, therefore, guard against “fishing expeditions” and are more likely to reject an application if the victim has delayed taking action. Similarly, a victim must be able to show that the party from whom information is being sought can actually help and that the information will assist with pursuing the fraudster and stolen funds. Such applications are, therefore, not to be deemed foregone conclusions.
Regarding banks in other jurisdictions that receive onward transfers, it is also not a routine matter for a victim to rely on an English order to obtain information. Some jurisdictions’ local laws may prevent compliance with English orders; therefore, pursuing remedies under local laws to obtain further information may be necessary.
When, however, (i) wrongdoers have no other assets, (ii) the stolen funds have been spent, or (iii) the stolen funds end up in jurisdictions where recovery options are limited, we can expect victims to look elsewhere for recompense.
Liability of the defrauded customer’s bank
It is not disputed that financial institutions owe contractual and fiduciary duties to customers. The question is how far these extend when considering fraud perpetrated against customers, particularly when banks process the loss-causing transfers.
A first thought is often the “Quincecare duty” arising from the eponymous 1988 case.1 This duty has, however, recently been revisited and restated by the Supreme Court of the United Kingdom (SCUK) in Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd2 and Philipp v Barclays Bank UK PLC.3
A Quincecare duty will now apply only when (i) a bank is dealing with an agent of the customer and (ii) the bank has reasonable grounds to believe that the agent is acting without authority or, worse, is perpetrating fraud. Whilst highly unusual, this was the situation in Singularis. The bank was found to have breached its Quincecare duty to its customer, as “there were many obvious, even glaring, signs that [the customer’s agent] was perpetrating a fraud on the company”. The Supreme Court reasoned that because an agent’s authority cannot extend to defrauding the customer when the “on-notice” bank has reasonable grounds to question the agent’s authority, it follows that no ostensible authority can exist on which the bank might rely when directed by the fraudulent agent. This means that the bank itself would be acting without authority from its customer when debiting his or her account. Therefore, the customer would be entitled to a reimbursement from the bank. Accordingly, in situations in which fraud may be more carefully concealed, careful analysis will likely be required before it is possible to establish any bank default.
Philipp then clarifies that when a customer (as opposed to an agent) gives the instruction causing financial detriment, no Quincecare duty will arise. The Supreme Court concluded that because a bank’s primary obligation is to execute customer instructions, it cannot also owe a duty not to carry out an instruction, even if it has reasonable grounds for believing the customer is being defrauded. Therefore, when there are no doubts about the instructions and the authority of the party providing them, the bank has a duty to execute those instructions. However, this does not mean that banks need not take steps to check customer instructions or warn customers about fraud.
Liability of the fraudster’s bank
From the outset, an APP victim is on the back foot with a receiving bank. He or she typically will not be a customer, and no framework will govern their relationship. It is, therefore, highly unlikely that a court would find a receiving bank owed them any duty of care. Consequently, victims have had to consider other ways to pursue receiving banks by, for example, (i) utilising equitable remedies and (ii) claims founded on negligence.4
In terms of equitable remedies, one argument made is that as a consequence of fraud and the resulting transfer to a recipient bank, (i) the bank might be said to have been unjustly enriched at the expense of the fraud victim and/or (ii) the bank’s apparent knowing (or unconscionable) receipt of money obtained by a fraud perpetrated by its customer should be deemed held in trust for the victim. However, there are considerable difficulties to overcome when pursuing such actions.
Knowing receipt relies upon equity in imposing liability on a recipient, whereby (i) it receives assets in breach of trust or fiduciary duty, and (ii) the recipient knows of the breach, or it is otherwise unconscionable for it to retain the benefit. Therefore, when there is no trust property, there can be no knowing receipt. This is relevant for APP victims, as currently, when a victim pays money because of a mistake due to the deceit or fraud of a third party, there is a good argument that the money would not be trust property. A further obstacle is that a receiving bank does not typically receive money for its “own use”.5
For unjust enrichment, there are four broad questions,6 the first two being: (i) Has the defendant been enriched, and (ii) was this “at the expense” of the claimant?
Typically, enrichment is not hotly disputed. To establish enrichment “at the expense” of a victim, the following is needed: (a) direct dealings or transfers between the parties; alternatively, (b) such dealings as the law might treat as direct; and/or (c) the victim and the bank have dealt with each other’s property; and/or (d) the victim can trace an interest into the hands of the bank.7 However, the English Court has found that the requirements at (a) to (c) likely cannot be satisfied for payments passing through the layers of the international banking system.
As to (d), this, too, is difficult, as unless (i) the funds were transferred directly from party to party or (ii) they were transferred in breach of a fiduciary duty, an equitable tracing remedy is not available. Common-law tracing would also not assist, as it cannot trace funds into, through and out of the mixed asset pools maintained by the various banks in international transfers. Accordingly, unless an APP victim can address these issues, the remedy of unjust enrichment is likely out of reach.
Unfortunately, negligence claims are also likely to be difficult. First, negligence requires (i) foreseeability, (ii) proximity and (iii) that it is fair, just and reasonable to impose a duty of care. Second, the Privy Council of England has clarified that there are and should be limits on imposing broader duties to third parties on banks, including negligence.8 Third, the English Court previously expressed its view that banks are more expected to monitor scams being perpetrated onthemselves and their customers than scams by their customers, and, thus, the expectation that banks should investigate their own customers is less strong.
A victim, therefore, would likely need to establish that (i) the recipient bank was not following its own processes and procedures to protect against fraud; (ii) had the bank acted properly, it could or would have discovered a fraud being committed by its customer (or been put on notice of the risk); and/or (iii) a reasonable person in the bank’s position would either have appreciated that transactions were probably fraudulent or would have made more enquiries, and these would or might have revealed the probability of fraud. Such arguments would likely require scrutiny of the bank’s design and operation of fraud- or AML- (anti-money laundering) detection systems and how these worked in practice, particularly around the time of the fraud.
Liability of the counterparty
A successful APP fraud requires the impersonation of a genuine counterparty. When this impersonation is effected not via a hack but by a spoofed display name or a deliberately misspelt domain name that goes unnoticed by the victim, these are likely dead ends, as no fault might be said to attach to the impersonated counterparty. This is also likely to be true if an individual has been hacked; unlike businesses, individuals are less likely to be affixed with heightened duties around email security. However, in cases in which the impersonation arises following an email hack of another business (sometimes referred to as business email compromise), this may present more options.
The most common scenario is that a phishing attack allows fraudsters access to a business’s email services, and they use this to contact customers and suppliers to request payments be diverted to the fraudsters. To establish liability, it may first be necessary to undertake an expert investigation to understand the extent of any hack. In any event, the parties may have contractually provided for minimum cybersecurity standards and/or agreed on who bears the risks of compromised security. If the impersonated counterparty has failed to meet the requisite standards, this may give rise to a breach of contract. In addition, one might consider whether (i) a counterparty owed a duty to take reasonable care to ensure cybersecurity was fit for purpose and (ii) they had taken all reasonable steps to guard against hacks. An argument around implied terms and duties might also succeed if the counterparty was aware its email and other systems had been hacked previously and either responded ineffectively or did nothing.9 However, absent egregious behaviour, arguments around implied duties of reasonable care, as well as implied (mis)representations around a party’s control over security, are unlikely to be straightforward enough to substantiate.10
Given the prevalence of APP fraud, statutory and other recovery schemes exist.
Since 2019, the Contingent Reimbursement Model (CRM) Code has been in place for APP frauds. While voluntary, it seeks to set out good industry practices, requiring its signatory banks, which include key names across the United Kingdom’s retail-banking sector, to reimburse victims of APP fraud in certain circumstances.
Another initiative will likely be introduced in October 2024 by the Financial Services and Markets Act 2023 (FSMA 2023). This will impose a mandatory reimbursement mechanism on banks for some victims of APP fraud committed in the UK utilising the Faster Payments Service (FPS).
Other mechanisms may be considered, depending on how the victim made his or her payment. PayPal offers reimbursement for some scams. Similarly, if a credit card was used for an item costing between £100 and £30,000, Section 75 of the Consumer Credit Act may assist. Finally, debit-card providers operate a “chargeback scheme” that may be available in some scenarios.
Is the victim of fraud still liable to pay?
It should not be forgotten that the stolen payment will often be owed to someone else. While both debtors and creditors are likely to be treated as victims, the courts tend to believe that the mere fact of a hack shouldn’t automatically release a debtor from a payment obligation.11 Therefore, the final unfortunate reality is that unless an APP victim can recover from someone else, they may find themselves doubly out of pocket.
Therefore, individuals and businesses must pay close and careful attention when making electronic payments, particularly in response to requests received via email or other online electronic-payment methods. While it may go against the perceived benefits of our speedy online culture, picking up the phone to call your bank and/or checking in with your trusted counterparty might just make all the difference.
References and Notes:
7 See Tecnimont at  and Investment Trust Companies at  to .
8 See the unsuccessful arguments advanced on behalf of JP SPC 4 and another  UKPC 18, JCPC 2020/0044 (10 February 2022).
9 J Brazil Road Contractors v Belectric Solar Ltd  1 WLUK 294 (Case No: C1EQ331C2 County Court at Canterbury 22 January 2018 WL01993147).
11 See J Brazil v Belectric.