Banking Scams – Positive Changes Coming for Victims?

What is an APP scam?

This sophisticated type of fraud sees individuals tricked into sending a payment to someone who is not who they claim to be.  Fraudsters may pose as the victim’s bank, or even members of their family. The key element to an APP scam is that the victim has ‘authorised’ the payment, as this type of fraud relies on the victim voluntarily transferring money. This can happen where an individual is misled about why they are sending the money or about who is receiving it.

Unfortunately, instances of APP fraud are on the rise. A report by UK Finance found cases of APP fraud were up 22% for the first six months of 2023 amounting to loses of almost £240 million.

The current regime

The voluntary Contingent Reimbursement Code (CRM Code), overseen by the Lending Standards Board, provides the current protection available to victims of APP fraud. The CRM Code sets out standards to reduce APP scams and requires signatory banks to put in place measures to both detect and prevent APP scams and reimburse customers where they have fallen victim, through no fault of their own.

A customer is defined in the CRM Code as an individual, micro-enterprise (defined as an enterprise that employs fewer than ten persons and whose annual turnover and/or annual balance sheet total does not exceed €2m) or charity (with an annual income of less than £1m) (Customers).

While only 10 banks have signed up to the CRM Code, given their market share, this covers almost 90% of UK APP fraud. However, The Financial Ombudsman Service reported it is now receiving more complaints where the financial provider has not signed up to the CRM Code.

As part of its wider fraud strategy, the Government raised concerns that these measures do not go far enough to protect victims of APP fraud. Therefore, in the Financial Services & Markets Act 2023 (FSMA 2023), the Government legislated to allow a requirement for mandatory reimbursement.

The incoming framework

As required under Section 72 of the FSMA 2023, the Payment Systems Regulator (PSR) announced it would be introducing a new mandatory requirement for all UK PSPs to reimburse their Customers who become victims of APP Fraud. The new reimbursement scheme will apply to payments made after 7 October 2024. The purpose of the framework is to incentivise PSPs to innovate better systems to identify and limit fraud.

The mandatory scheme is being implemented through the PSR giving directions to Pay.UK, the independent operator of the Faster Payments scheme. PSR will direct Pay.UK to amend its rules to implement the reimbursement policy, allowing change to happen quicker than if they waited for regulatory instruments.

While the regime will only apply to Faster Payments, the Bank of England is developing similar rules for UK retail CHAPS payments.

The incoming framework has some similarities to the existing CRM Code, including the same definition of Customer, but there are important differences that both PSPs and scam victims should be aware of. The key takeaways are:

1. Faster payments sent and received by PSPs will be captured by the regime.
2. Both the sending and receiving PSPs will be liable to reimburse victim customers. The sending PSPs will be required to pay the reimbursement initially and will recover 50% from the receiving PSPs.
3. The sending PSPs can apply a claim ‘excess’ of up to £100 (save for claims made by vulnerable Customers)
4. Claims for reimbursement are subject to a £415,000 limit, matching the upper limit of the Financial Ombudsman Service for a single complaint.
5. Victims must be reimbursed within 5 business days.
6. There will be a time limit for making claims of 13 months after the last fraudulent payment.
7. There are two exceptions where reimbursement is not required (1) Where the Customer has acted fraudulently; or (2) where the Customer has acted with gross negligence.

Gross negligence?

The PSR guidance has proposed that Customers should be subject to an express standard of care in relation to APP fraud. The guidance confirms there are four elements to this duty:

1. A requirement to have regard to interventions: Customers should have regard to specific, directed interventions (i.e., communications) made either by their sending PSP, or by a competent national authority
2. A prompt reporting requirement: Customers should, upon learning or suspecting they have fallen victim to an APP scam, report the matter promptly to their PSP.
3. An information sharing requirement: Customers should respond to any reasonable and proportionate requests for information made by their PSP to help them assess a reimbursement claim.
4. A police reporting requirement: Customers should, after making a reimbursement claim, and upon request of their PSP, consent to the PSP reporting to the police on the Customer’s behalf or request the Customer report directly.

These four requirements are the standard that all Customers, save for those identified as vulnerable, can be expected to meet.  A ‘vulnerable consumer’ has not been defined in the new regime but is expected to be determined on a case-by-case basis.

Each reimbursement claim made by a Customer will be assessed on its individual merits to ascertain eligibility for reimbursement – or if the Customer has acted with gross negligence in not meeting the Customer standard of care. The burden of proof falls exclusively on PSPs. While there is no specific definition of gross negligence in this context, the PSR interpret it to be a higher standard than the standard of negligence under common law. They confirm there must be a ‘significant degree of carelessness’.

The PSR policy statement confirms there are very limited circumstances where a PSP can rely on the gross negligence of the Customer to avoid reimbursement.

How does this reconcile with the decision in Phillips v Barclays UK PLC?

The Supreme Court in Phillips v Barclays Bank UK PLC [2023] UKSC 25, focused on the ‘Quincecare Duty’. Quincecare Duty  is a duty on a bank to refuse to comply with a payment instruction in circumstances where it is on notice that the instruction may be part of a fraud. The Quincecare duty has been confined to cases where the instruction to transfer monies has come from an agent, opposed to the customer direct.

The key question for the Supreme Court was whether the Quincecare Duty applied to a scenario in which the payment instruction came from the customer themselves i.e. does the Quincecare Duty apply in cases of APP fraud; the Supreme Court found that it did not. They reiterated that it is a basic duty of a bank under its contract with a customer who has a current account in credit, to make payments from the account in compliance with its customers instructions.

The Supreme Court found that it was a question of social policy for regulators, Government and Parliament to determine how or when victims of APP fraud should be reimbursed. In that sense, the decision in Phillips v Barclays supports the Government’s attempts to tackle APP fraud.

A new frontier?

Notably missing from the framework are international transfers, which form a large percentage of APP frauds in the UK. However, the new framework will provide some relief to Customers that recourse is available to them should they join the increasing pool of individuals who fall victim to APP scams.

However, with any new regime, there are matters which will require clarification; including the parameters of a finding of gross negligence to avoid reimbursement and the detail behind what constitutes a vulnerable customer.

PSPs will have to take steps to ensure they have the relevant processes in place to ensure compliance ahead of the 7 October 2024. Pay.UK are due to provide guidance and processes for the reimbursement process between sending and receiving PSPs. It will be interesting to see whether we will see litigation where PSPs seek to depart from the 50:50 split for reimbursement if they consider the sending PSP has failed to carry out adequate or accurate due diligence on which the receiving PSP has relied.

We will be monitoring the changes in this area. If you have any questions regarding the incoming framework, please get in touch with Phillippa Ellis, David Moore or Charlotte Dawes in our Commercial Disputes team who will be able to support you.