Authorised Push Payment Scams.

Authorised Push Payment Scams.
27 March 2020

Authorised push payment (“APP”) scams are varied, but all involve a scheme to persuade the customer to make a payment under false pretenses. 

£1.2 billion was lost to APP fraud in 2018. It seems fair to assume that fraudsters will look upon the restrictions being imposed as a result of Coronavirus as being an opportunity for further gain. More use of internet banking and less face-to-face communication will make their task much easier.  

An common example takes advantage of a genuine transaction involving the provision of goods or services (“a trader scam”). The fraudster gains access to the records (computer or otherwise) of the trader and provides a false invoice to the customer containing its bank details. The customer transfers money into the fraudster’s bank account. There are practical limits to the amount which can be taken in this way. Telephone or internet transfers will be subject to limits. The larger the sum being taken, the more likely that the customer will want to speak to the trader in order to obtain the correct bank details. 

A more complicated example requires that the customer should be made to believe that employees of the bank are attempting to gain access to the funds in his account and that the same need to be transferred elsewhere to prevent this (“a bank employee scam”). Often the fraudster will claim to be a representative of a Government agency (such as the FCA) or an employee at the head office of the bank and will provide the customer with details of what needs to be said to branch staff if challenged. This type of fraud is more complicated because:

1)         A real telephone number of the bank or the Government agency has to be used (which requires the use of specialized software); and

2)         The customer is likely to require cogent proof of the legitimacy of the request which can only be provided by showing that the fraudster is able to supply correct real-time information about the banking arrangements of the customer. Indeed, the fraudster may well know more about the banking arrangements of the customer than the customer can recall.

Once the customer is convinced that employees of the bank are involved in fraud, any attempt by bank branch employees to scrutinize the transaction will be resisted. Accordingly, there is no practical limit to the amount which can be taken. 

Complaints by way of internal procedures and the FOS 

Since 28th May 2019 the majority of the larger UK banks have been subject to a voluntary code in relation to APP scams (“the Code”). This is called the Authorised Push Payment Scam Code. Currently, the following banks are parties to the voluntary code.

Bank of Scotland PLC

Barclays

Cahoot

Cater Allen Ltd

Co-op bank

First Direct

Halifax

HSBC

Intelligent Finance

Lloyds Bank

M&S

Metro Bank

Nationwide Building Society

NatWest

Royal Bank of Scotland PLC

Santander

Starling Bank

Ulster Bank 

The Code requires the bank to compensate the customer in the event of suffering loss from an APP scam provided that the customer complies with the directions given to him by the bank. The nature of such directions will be known to anyone attempting to make payment by internet banking. The customer is required to confirm that he has taken steps to identify the correct payee and that the payment is not being made under any form of duress. 

The customer needs to make an immediate complaint to the bank and the decision made by the bank as to whether compensation is payable is subject to referral to the Financial Ombudsman Service (“the FOS”). The usual FOS financial limits apply. From April 2019 the financial limit of compensation of £150,000 was increased to £350,000. 

There are two important points to make in relation to the Code. The first is that it is not retrospective. The second is that it does not establish any legal rights enforceable in Court (see R(BBA) v FSA and FOS [2011] EWHC 999 (Admin)) 

For banks which are not party to the Code, the bank (and the FOS on referral) will have to address any complaint by reference to the law and general principles of fairness. At some point, it may be possible to allege that the principles set out in the Code represent an industry standard against which the actions of every bank ought to be judged. 

The Code is directed at trader scams rather than bank employee scams. 

The above considerations apply where the bank concerned is the paying bank. The FOS has now agreed to accept complaints made against a recipient bank. However, it is far from clear what standard is to be applied to a recipient bank. All banks are subject to money laundering regulations and these will apply to any bank account established by the fraudster. It is difficult to see why the receiving bank should be required to go further in relation to bank accounts opened for APP purposes. Payments received as a result of an APP scam are usually transferred out of the initial recipient account immediately. The paying bank will usually take all steps within its power to recover payment in any event. 

The position at law

The Code will assist the vast majority of customers affected by APP scams. Customers required to pursue Court remedies will include:

1)         Customers suffering loss as a result of payments made before April 2019

2)         Payments exceeding £350,000. 

Before dealing with issues relating to he making of the payment, it is worth investigation the conduct of the bank in relation to the provision of information to the fraudster. In many bank employee scams, the shear level of information available to the fraudster in relation to the banking affairs of the customer gives rise to a legitimate suspicion that current or former bank employees have obtained access to the information. The customer may be forced to prove a negative in that he has to show that the information used by the fraudster can only have come from the bank. However, it may be possible to establish this by detailed expert evidence. 

The primary obligation of a bank is to comply with the instructions of its customer promptly. This obligation is subject to the need for the bank to comply with statutory requirements (such as money laundering regulations) and the general duty of care to prevent fraud being perpetrated against the customer. The classic formulation of the general principle is provided by Steyn J in Barclays Bank PLC v Quincecare [1992] 4 All ER 363 at 376:

            “… In my judgment the sensible compromise, which strikes a fair balance between competing considerations is simply to say that a banker must refrain from executing an order if and for so long as the banker is ‘put on inquiry’ in the sense that he has reasonable grounds (although not necessarily proof) for believing that the order is an attempt to misappropriate the funds of the company …”  

Quincecare involved a fraud committed on a company by its director and the above statement needs to be read in that context. There have been relatively few cases in which the Quincecare duty of care has been considered. These include Lipkin Gorman v Karpnale at its various stages and Singularis Holdings Ltd v Daiwa [2019] UKSC 50.  All of these cases involve a fraud committed by an agent as against his principal (the customer) and none concern the situation whereby the customer is induced to make a payment as a result of a fraud by another person. 

Whether the bank has failed to comply with its Quincecare duty of care is separate from the issue of authority. In all of the above cases, the payments were authorised in the sense that the agent had the authority of his principal to make the payment. The issue was whether the bank was required to take steps to protect the customer against fraud committed by its agent. 

The duty on the bank in an APP scam (and particularly a bank employee scam) is rather different.  The customer wants to make the payment and believes that he should not disclose the real reason for the payment to employees of the bank. Two issues arise. When is the bank put on inquiry? What should it do when put on inquiry? 

For obvious reasons, no judgment has sought to set out when a bank is put on inquiry as to the possibility of a fraud being committed on its customer.  It is necessarily fact specific. For a bank employee scam the following will be relevant:

1)         The level of the payment.

2)         The customer’s justification for the payment. Payments which are totally out of keeping with previous practice should set alarm bells ringing.

3)         The customer’s justification for haste in the making of the payment. 

Once put on inquiry, the bank needs to deal with the particular type of APP scam in respect of which it is put on inquiry. For a bank employee scam, asking the customer questions about why he wants to make the payment will not assist. The customer wants to make the payment because he believes that it is the best or only way of avoiding being defrauded by employees of the bank. The bank really needs to explain:

1)         That there is a particular type of APP scam which requires the customer to believe that bank employees are attempting to defraud him.

2)         If bank employees actually defraud the customer, the bank will have to provide compensation.