Authorised push payment fraud: risks for fintech firms
APP fraud resulted in £479m in losses in 2020. We consider the risks this presents for fintech firms and the potential for reform in this area.
Authorised Push Payment (APP) Fraud resulted in £479m in losses in 2020. The vast majority of funds lost are never recovered from the perpetrators of the fraud, leaving consumers and businesses out of pocket. Many victims look to their banks or payment service providers for compensation. We consider the risks this presents for fintech firms and the potential for reform in this area.
What is APP fraud?
APP fraud is where a person or business is tricked into sending money to a fraudster posing as a genuine recipient, for example impersonation fraud, purchase scams, invoice scams, or romance scams.
A key feature of APP is that it is authorised. In other words, the person who is tricked wants to make the payment and authorises it. This is highly relevant to the legal position.
There are, usually, four parties involved in a common APP scenario:
- The victim of the fraud, who could be a natural person or a legal person such as a small business;
- The firm which makes the payment authorised by the victim (the paying firm);
- The firm which receives the payment on behalf of the fraudster (the receiving firm); and
- The fraudster.
The funds paid to the fraudster are often quickly routed abroad and are generally very difficult to recover for the victim. Accordingly, many victims look to the paying or receiving firm to recover the loss they have suffered.
What is the regulatory position in respect of APP?
There are numerous rules and regulations relating directly or indirectly to APP fraud and these may be broadly categorised as falling into three buckets:
First, there are regulatory obligations on the firm to have in place measures to prevent fraud and money laundering taking place. These include the Money Laundering Regulations, the Proceeds of Crime Act, and requirements such as the systems and controls requirements found in the FCA Handbook.
While these kinds of requirements will impose obligations on firms to have in place measures to prevent fraud, they won't generally give rise to an obligation to reimburse victims.
Second, there are regulations such as the Payment Services Regulations which impose requirements on firms to have in place controls to prevent fraud and also to provide reimbursements to customers in certain circumstances. However, the obligation to refund generally won't apply where the payment in question is authorised, as it will be in APP cases.
Third, there are industry codes such as the APP-specific Contingent Reimbursement Model (CRM) Code, which provides that signatories must have in place measures to prevent APP fraud and must compensate victims in certain circumstances, whether the signatory is the paying or the receiving firm. However, the CRM Code is voluntary and does not apply to international payments, which are common in APP cases.
Scope for civil claims against paying firms
Paying firms will have a direct legal relationship with the victim, meaning that the paying firm will likely owe a tortious duty of care to the victim, in addition to its contractual obligations.
Accordingly, victims may threaten or bring claims against paying firms on the basis that the firm has breached its duty of care through failing to prevent APP fraud. For example, it might be alleged that the firm's checks on the payment or warnings about it to the victim were insufficient and therefore represent a failure on the part of the firm to exercise reasonable care and skill.
However, the paying firm's obligation to exercise reasonable care and skill will only go so far, and will not amount to an absolute obligation to prevent APP fraud. Provided the firm has taken reasonable steps to prevent APP fraud, it will not be liable simply because APP fraud has taken place.
In the context of APP the limitations on the scope of the paying firm's duties will be particularly relevant, on the basis that the victim will positively wish to make the payment in question, and therefore might ignore warnings given by the firm. The victim's decision-making might also lead to it being held partially liable on the basis of contributory negligence.
Victims might also allege that the paying firm is in breach of its Quincecare duty to its customer. The Quincecare duty requires a firm to decline a payment instruction if there are reasonable grounds for believing that the payment instruction is an attempt to misappropriate the customer's funds.
Typically, however, the Quincecare duty has applied where there are doubts over the motives of an individual acting on behalf of a corporate customer and this approach was adopted by the High Court in the recent Philipp v Barclays case. In the light of the Philipp decision, which is going on appeal, it appears unlikely that the Quincecare duty will give rise to successful claims by individual victims.
Scope for civil claims against receiving firms
A receiving firm will not typically have a direct relationship with the victim and the scope for civil claims against the receiving firm will therefore be much reduced. A tortious duty of care is unlikely to arise unless there has been some positive assumption of responsibility for the victim by the recipient firm. This reflects the fact that the receiving firm's customer is the fraudster, rather than the victim.
Other causes of action that are commonly relied upon by victims against receiving firms are dishonest assistance, unjust enrichment and knowing receipt. However, each of these causes of action will come with particular challenges for the victim.
For a claim of dishonest assistance to succeed it must be shown by the victim that a single, named, individual at the recipient firm was dishonest. On the basis that the employees of the recipient firm will generally be doing their best to prevent APP fraud, this requirement will generally not be satisfied. Moreover, the Courts have held that where knowledge of the payment within the firm's organisation is diffuse, a claimant will not be able to aggregate two honest minds so as to make a dishonest whole.
A claim for unjust enrichment depends upon the recipient firm having been enriched. However, if, as is commonly the case, the receiving firm has paid out the funds in question shortly after receipt on the instructions of its customer, the firm will be able to rely on the defence of ministerial receipt, provided that it has not acted in bad faith.
A claim for knowing receipt will require the victim to show that the receiving firm was aware that the payment represented trust property. Unless there were particular red flags to suggest that this was the case, there will generally be no basis for the recipient firm to have such knowledge.
Complaints to the Financial Ombudsman Service
The Financial Ombudsman (FOS) settles disputes between consumers and firms and is designed to be less formal than the Court process. The FOS has the authority to require a firm to offer financial compensation to a consumer.
The FOS has jurisdiction to hear complaints that paying and receiving firms did not do enough to prevent, or respond to, APP.
The FOS must determine complaints by reference to what is, in his or her opinion, fair and reasonable in all the circumstances, taking into account relevant law, regulation and codes of practice, such as the CRM Code. Because the FOS only has to "take account" of relevant law, there may be greater scope for the FOS to make an award against a paying or receiving firm notwithstanding the fact that the victim has no legal cause of action against the firm. The victim would, however, need to satisfy the other requirements for a FOS complaint, such as the requirement to be an eligible claimant, and any award would be subject to the FOS award limit.
Reform on the horizon
The current state of the law in respect of APP fraud is widely recognised as requiring reform. Two of the proposed reforms are of particular relevance to fintech firms.
First, the Payment Systems Regulator published a call for views earlier this year, in which it has proposed three steps that it might take to address APP fraud. These are:
- Requiring firms to publish their APP scam data, including reimbursement and repatriation levels.
- Requiring firms to adopt a standardised approach to sharing data which will help identify APP scams to stop them from happening in the first place.
- Extending customer protection across all firms at a minimum standard by changing payment system rules.
The call for views is now closed and the PSR is expected to announce what action it intends to take in the light of feedback it has received on these proposals.
Second, the FCA, as part of its consultation on a new Consumer Duty, has indicated that it is considering a private right of action for breaches of the FCA Principles for Business (in addition to a specific right of action for breach of a new Consumer Principle).
If this were implemented, it would give certain victims a right to sue firms where they had breached the FCA Principles. Given how broad the Principles are there would be considerable scope for allegations that a Principle had been breached by a firm in the context of APP, for example the Principle 3 requirement that a firm take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
It should also be noted that regulatory breaches can result in regulatory enforcement action by the FCA against a firm.
What can fintech firms do to protect themselves?
Given the nature of the legal claims that might be brought against fintech firms in respect of APP, the most effective step that firms can take to protect themselves is to have in place market-leading anti-fraud controls such as data analytics, confirmation of payee and extensive CDD. This will both reduce the risk of APP fraud occurring in the first place, and the risk that a claim could be brought by a victim on the basis that the firm had failed to exercise reasonable care and skill to prevent an APP fraud that has taken place.










