In an authorised push payment (APP) fraud, the victim is induced by fraudulent means to deliberately authorise their bank to send a payment to a bank account controlled by the fraudster. Unfortunately, the legal advice line receives numerous calls from FSB members in just such a situation. Frequently they have received an email which appears to be from a trusted supplier, or perhaps their solicitor, or indeed anyone else that is considered known and reliable. The email sets out where a payment needs to be made, in relation to an outstanding invoice or similar. The member, believing this to be genuine, simply instructs their bank to pay the money to the account details provided, only to subsequently learn, often some time later, that the intended recipient never received the funds. This is a horrific situation for the member, and of course they are left wondering who, if anyone, can be held to be responsible, assuming the question of whether the fraudster can ever be caught is ultimately down to the police. The amounts of money involved are often substantial.
You may recall that in a previous edition, last year, we looked at a case in which the Supreme Court (SC), the highest court in the land, looked at the law regarding what is known as the “Quincecare” duty of care in the context of authorised push payment (APP) fraud. The Quincecare duty prevents a bank from executing a payment instruction where it has reasonable grounds to believe that the instruction is an attempt to misappropriate the account holder's funds. In this case the SC overturned the Court of Appeal’s previous decision and held that the bank did not owe this duty to the account holder, and was therefore not liable on that particular basis. Obviously this was extremely bad news for the victims of such frauds, but the SC did leave a glimmer of hope, as it allowed an alternative claim to continue based on the bank's alleged failure to act promptly to try to recall the payments after the fraud was discovered (a “retrieval duty”).
In a recent decision, the High Court (HC) has now considered whether a bank owed a duty, directly to a claimant (C), the victim of the APP fraud, to take reasonable steps to retrieve or recover the sums paid out as a result of the fraud. It’s worth noting that as the HC is a lower court than the SC, it is obliged to follow previous SC decisions as they create binding legal precedent. Here the HC considered this retrieval duty in relation to both the sending and receiving banks.
Technically, the HC summarily dismissed the claim against the sending bank on the basis that it was time-barred (that is to say the claim was brought too late) under the Limitation Act 1980, but it refused to do so against the receiving bank (this claim was not time-barred). With regard to the sending bank, the court indicated that it would probably have struck out the claim in any event, following the SC’s earlier decision outlined above. In accordance with the SC decision, the HC felt that the Quincecare duty had no application where the customer provides clear and valid payment instructions, as had happened here, and as is normally the case with APP fraud. For technical reasons linked to it being time-barred, C was not allowed to amend their claim, so ultimately all claims against the sending bank failed.
With regard to the claim against the receiving bank, this was not time-barred, and so the claim was not struck out for this reason. The HC refused to strike out the claim based on the following:
- No Quincecare duty - The HC felt that there could be no Quincecare duty falling on the receiving bank, and so the part of the claim that was based on the Quincecare duty was struck out.
- Duty of retrieval - The HC relied on the SC’s previous finding that there could be a duty of retrieval, which could be owed to C by the receiving bank. On balance, the HC felt that there was some uncertainty on this, and as such, it could not simply strike out the claim.
- Assumption of responsibility - In the HC’s view it was not necessarily fatal to the claim that there may have been no assumption of responsibility to C by the receiving bank. This was because previous case law stated “in the tort of negligence, a person (A) is not under a duty to take care to prevent harm occurring to person (B) through a source of danger not created by A unless:
(i) A has assumed a responsibility to protect B from that danger
(ii) A has done something which prevents another from protecting B from that danger
(iii) A has a special level of control over that source of danger, or
(iv) A’s status creates an obligation to protect B from that danger.”
The HC felt that (iii) and (iv) were particularly relevant here, because the receiving bank did operate the account of the fraudsters, and therefore had at least some measure of control over the payments, so was in a special position to take steps to recover the sums due.
Whilst this latest case is not a final decision, it does continue to keep alive the possibility of some liability falling on banks if they fail to do enough to attempt to recover lost money. To that end victims of APP frauds may find some comfort. Clearly it will be important to keep an eye on how cases such as this progress. In the meantime, of course, it is vitally important for all businesses to exercise due diligence before authorising any bank transfers, even to parties with whom they have existing relationships, as this type of fraud is becoming increasingly widespread.