Authorised push payment (APP) fraud has become a major problem for businesses and individuals, and its use by fraudsters has increased substantially during the Covid-19 pandemic. In the UK alone, hundreds of millions of pounds are lost to APP fraud each year.
APP fraud involves criminals operating in different ways in order to induce bank customers to transfer funds to their accounts. Increasingly sophisticated means are being used to trick bank customers, including:
- fraudsters hacking into servers and impersonating other organisations in genuine transactions, and then providing false bank account details to the payer or its professional advisors;
- dishonest intermediaries obtaining confidential information and identification documents, and then impersonating the customer in emails and telephone calls in dealings with the bank, including instructing the bank to transfer funds without the customer’s knowledge or consent; and
- fraudsters posing as an employee of the customer’s bank, or another trusted organisation, claiming the customer has been a victim of fraud and asking the customer to move its money to a different bank account. The customer will be urged to act immediately to prevent further loss.
As far as the victim’s bank is concerned, at least on the face of it, it will be following the customer’s instructions to make a payment, or at least believe the instructions are genuine and given without any fraud having been committed.
Unless the fraud is immediately identified and steps taken by the customer’s bank to stop the transfer, the funds are usually then paid away, often to offshore jurisdictions.
As a victim of APP fraud, what can you do?
First, it is important to act quickly once the fraud is discovered. Even if funds have been dissipated, your bank may be able to liaise with the recipient bank(s) to freeze and recover some or all of the stolen funds. However, given the speed with which fraudsters move the stolen money, this is often unsuccessful.
You could make a Norwich Pharmacal application for disclosure of documents held by the fraudsters’ bank(s), which might reveal their identity and provide a means to bring a civil claim for recovery of the lost funds. A Norwich Pharmacal application involves applying to court for an order to compel an innocent participant in the fraud (such as the customer’s bank) to provide the victim of the fraud with information about the identity of the wrongdoers. Due to their obligations of confidentiality, banks cannot voluntarily disclose such information, but they will often not oppose such an application. Therefore, if the court is satisfied that a fraud has been committed, it will usually make an order, subject to reasonable safeguards.
However, since the fraudsters are often outside the UK, the prospect of actually recovering the funds may be remote, even if a civil claim is successful. That said, action might be possible through the courts of foreign jurisdictions. Furthermore, documents and information obtained through a Norwich Pharmacal application may help with any criminal investigation and prosecution, if appropriate, and thus bring the criminals to justice.
That then leaves a potential claim against the banks involved in the unlawful transfers of funds.
The English courts have been reluctant to hold banks liable to customers for failing to prevent APP fraud. However, where a bank has reason to suspect that the payment instructions, albeit genuinely provided by its customer, involve an attempt to misappropriate the customer’s funds, it is under a duty to stop the transaction.
In several cases we have been involved with, there are what are deemed to be ‘red flags’ that should have put the relevant bank/financial institution on notice that the payment instructions were given as part of an attempt to defraud the customer. In such circumstances, the bank may well be liable.
We have also seen evidence that banks have failed to comply with regulatory and statutory obligations. For example, the Payment Services Regulations 2017 (which implement the Payment Services Directive 2015 (EU 2015/2366)) impose obligations on banks and other payment services providers for the purposes of authenticating transactions, although they do not deal expressly with APP fraud. The Regulations may not provide a direct cause of action to the victim of a fraud, but a failure to comply with the Regulations may have serious repercussions for the relevant bank/financial institution. Therefore, it may prefer to settle a claim where loss has been caused through such failures.
Banks and other financial institutions also have obligations in the fight against money laundering under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. They include carrying out proper due diligence in relation to all customers and having in place adequate policies and procedures designed to prevent them being used for financial crime.
From our experience in this area, the fact that so many fraudsters have been able to set up bank accounts (sometimes several at a time with the same bank) and to carry out substantial APP fraud transactions that ought to have put the banks on notice of at least the risk of criminality strongly suggests that banks are routinely failing in their statutory obligations.
If banks fail to report money laundering which they had reasonable grounds to know or suspect, they may be committing a criminal offence and be subject to fines and other sanctions. This may also open the door to direct claims from customers who have been defrauded.
In the UK, many mainstream retail banks have signed up to the voluntary Authorised Push Payment Scam Code, which launched on 28 May 2019. Under the Code, banks must take various steps to protect their customers and reimburse customers who are the victims of fraud. Anecdotally, however, many banks are not fully complying with their obligation to reimburse, even when there is compelling evidence that the customer is entirely innocent.
Given the scale of the problem, there will be growing pressure on the courts and regulators to provide redress to customers whose bank can be shown to have acted in breach of its statutory obligations.
Since 2019, we have acted on several cases against banks and financial institutions for clients who have been the victims of APP fraud. We are seeing banks and other financial institutions more willing to agree to provide customers with a remedy, including substantial reimbursement of stolen funds, albeit not before the commencement of litigation. This no doubt will be influenced by the potentially serious regulatory consequences and unfavourable publicity of adverse findings by a court that they have breached their duties.
If you are the victim of APP fraud, it is essential to act quickly and, if necessary, seek professional advice.