It travels under several names: Invoice fraud, APP fraud, bank fraud, push payment fraud. And it is very much a modern day problem – enough that a number of banks have even signed up to a voluntary code to compensate its victims under specified circumstances.
And if you are a victim, you will want to sue someone. The fraudsters, generally, have vanished. That leaves the banks.
And that’s “banks”, plural, because it is both the paying bank and the receiving bank that should be the potential targets.
It was an APP fraud underlying the #CourtofAppeal decision earlier this year in the case of Philipp v Barclays. That case generated plenty of attention – excitement and consternation in equal measure – and plenty of commentary (if you doubt that, try an internet search: “Philipp v Barclays”). But the attention was not on the type of fraud, but instead on the argument by the victim, Mrs Phillip, that in the circumstances her own bank owed her a duty to not simply obey her instructions, but to enquire further.
The Court of Appeal agreed with her that the duty that she invoked – known as the #Quincecare duty – might apply.
Not to get too distracted, but the procedural status matters. Mrs Philipp has not yet won. In the High Court, Barclays succeeded in having her case dismissed without trial. She appealed that decision. The Court of Appeal has said only that the duty can apply, even when it is actually the account holder giving the instruction (as opposed to a crooked employee or agent), and has sent the claim back to the High Court for a proper trial to consider whether a duty did arise, and if so then whether it was breached. There will be quite a lot of people watching that space.
That case is all about the paying bank. But you cannot have such a fraud without there also being a receiving bank. And no need for euphemisms here: the receiving bank is operating an account on behalf of a fraudster, who is stealing money from others, and using the receiving bank to process the gains of that. In Philipp v Barclays the receiving banks were in the UAE. Experience suggests that chasing the money into such jurisdictions is pointless.
But we may be able to look closer to home: in keeping with the current government’s message to the world, Britain is open for business. There is something to be said for the number of times that the first receiving bank account – yes, the one that is under the control of the fraudsters – is a UK account with one of the household names here. Those UK banks will have received the initial transfer of stolen money, and then in the vast majority of cases followed the instructions of the fraudsters and quickly transferred the stolen funds offshore.
So, if in the UK, can a victim claim against the receiving bank?
That is where we shift from commentary to opinion. In such a case those receiving banks are subject to the jurisdiction of the English courts, and duties under the laws here. There will usually be no contract between them and the victim (so thus no contractual duty), and also no other relationship: from the perspective of the receiving bank the victim making the payment is an unknown third party. The two more obvious lines of attack are therefore negligence, requiring a duty of care, and “money had and received”.
These claims were tried by a victim previously in the case of Abou-Rahmah v Abacha, a 2005 decision. Both the above lines of attack were pursued. Regarding the first, the Court’s finding was that in the absence of special circumstances the receiving bank did not owe a duty to the victim. As to the second, the Court held that in paying away the monies on the instructions of the fraudsters, the bank had changed its position in good faith.
But the door is not shut
Duty of care cases are frequently fact specific. So are cases involving money had and received – or more particularly the defence to such a claim, namely that in good faith a recipient has changed its position and it therefore would not be fair to require them to repay. In an APP fraud scenario, this change of position defence will involve the receiving bank saying that on the instruction of their customer (that person being the fraudster…) they have innocently paid away the monies.
The courts in Abou-Rahmah v Abacha certainly did not shut the door on future claims by payers against the receiving banks. And although, without doubt, any claimant victim can expect a bank to hold out that case as authority for no duty by them to the payer being imposed (and also that payments away were made in good faith), consider this:
- That case was a 2005 decision. In legal terms that’s relatively young. But changes in the banking industry in the 17 years since have been far reaching. Take as an example a bank’s regulatory obligation to monitor the conduct of its customer’s accounts – and also its ability to do so by the use of increasingly sophisticated algorithms and other analytical tools.
- That ability has improved enormously (even if motivated by being held at regulatory gunpoint), and thus the practical burden of imposing some form of duty on the receiving bank in favour of the payer has reduced dramatically from the days of the Abou-Rahmah v Abacha
On this point: if you are alleging that a professional – such as a bank – has been negligent, then you will usually be comparing their conduct with that of “an ordinary prudent bank”. And an assessment of that standard must clearly move with the times, a point expressly recognised by the Court of Appeal in Philipp v Barclays: the standards expected of a cashier handling cheques in the late 1980s are not to be compared with those expected of bank employees in the current day. The risk landscape has changed profoundly, as has the training that any bank employee can be expected to have received.
- One of the Court of Appeal judges in the Abou-Rahmah v Abacha decision was of the view that in the circumstances of that case the change of position defence was not available. That is encouraging, even if it was a minority view. What is also encouraging is that the assessment of whether a bank paid away money in good faith will be, just like the assessment of negligence and an ordinary prudent bank’s practices, an assessment that moves with the times.
- In those 17 years since Abou-Rahmah v Abacha was decided, the Government has clearly decided that it is appropriate for banks to be in the front line of the fight against fraud and money laundering. Those same public policy reasons might well be co-opted to argue that it is “fair, just and reasonable” to impose a duty that gives to the victim a remedy running in parallel to regulatory fines imposed for the same lapses.
Both in our own experience and anecdotally, a fraudster’s bank account will show a strikingly different profile to a regular legitimate business or personal account: such an account is opened, is then dormant for months, then the first payment received in is a massive sum, and within seconds of arrival the customer is instructing transfers to China, Dubai and Mexico that will typically empty the account as quickly as it filled. Tie in other elements: the account holder name does not match the “payee details” specified by the payer, there may be “gaps” in the KYC for that particular account holder, and so forth.
It will be increasingly common that a bank’s own systems for transaction monitoring, customer profiling and flagging of suspicious transactions on its own customers’ accounts will identify a fraudulent transfer into that account even before the victim has woken up to it. That can only be a good thing. Some banks even maintain “internal fraud suspense accounts”, and even before complaint from a victim, funds are removed from the suspect account and held apart, pending ratification. That is also a good thing. But as an unintended consequence, it will become correspondingly more difficult for a receiving bank to argue that any payments away made by it were done in good faith, and that it can rely on a change of position defence.
Victims of APP frauds should be encouraged by this. As lawyers regularly acting against the banks, we certainly are. And we might venture to suggest that the lack of cases bringing these points anew in the courts says more about the reluctance of any of the mainstream banks to see such claims tested (floodgates, anyone?) than it does the viability of those claims.
 CRM or “contingent reimbursement model”, which sees participating banks refunding blameless victims, and has been committed to by a number of household names.
 Although a confidential settlement by Barclays would surprise no one, as yet there is no genuine controversy around the Court of Appeal decision.
 One of these was Emirates National Bank, the other or others were not identified in the judgment. All receiving banks may well have been absolutely blameless.
 Unless by pure chance the victim holds an account with them
 Loosely speaking: if someone gives you money by mistake, you have to give it back. Sounds obvious. Unless you have innocently changed your position such that it becomes unfair to give it back. That’s where it becomes less obvious.
 And plenty of fines being handed down for exactly this: “FCA fines HSBC Bank plc £63.9 million for deficient transaction monitoring controls” – https://www.fca.org.uk/news/press-releases/fca-fines-hsbc-bank-plc-deficient-transaction-monitoring-controls