According to the trade body UK Finance, Authorised Push Payment fraud is now the second biggest type of payment fraud perpetrated in Britain, both in terms of the total value involved and the number of scams which have taken place. In this article we explain how Authorised Push Payment fraud arises and what legal action may be available to you as a victim, to obtain compensation.
The alarming statistics
In 2018 alone, losses due to Authorised Push Payment (‘APP’) fraud totalled £354.3m across an alarming 84,624 cases nationally.
Whilst the majority of scams were perpetrated against individuals, of that sum £126m was stolen from UK businesses. Despite the concerning nature of these statistics, and according to the report Fraud The Facts 2019 published by UK Finance, only 23% of stolen funds (amounting to £82.6m) was actually recovered. It is perhaps no wonder, therefore, that the number of APP scams taking place is increasing, and that the fraudsters are becoming even more adept at avoiding the safeguards put in place by banks and other organisations.
What is Authorised Push Payment fraud?
APP fraud takes place when a victim transfers money from their own bank account to an account of which they are tricked into believing is a genuine recipient, but which is actually the account of the fraudster. The fraudster then quickly transfers the received funds elsewhere, usually to numerous other accounts and often abroad, making recovery very difficult, and often impossible.
The methods adopted by the fraudsters can include the following:
- A telephone call to the victim pretending to be from the police or their bank’s own fraud team, alerting them to a fraud apparently being perpetrated upon their accounts. The fraudster then extracts information from the panicked victim, thinking the information is being provided to a genuine bank employee and to prevent the fraud from occurring. In fact, the information provided to the fraudster enables the funds to be removed from the victim’s account.
- A fraudster intercepting and accessing a genuine email providing account details to which funds are to be sent. This commonly occurs in conveyancing transactions, where solicitors request payment from their clients of the funds needed to complete the purchase of a property. It also commonly occurs where suppliers of goods and services seek payment of their invoices. The fraudster amends the account details provided so that the victim sends funds to the account of the fraudster and not the intended recipient.
- The fraudster claims to represent a government department or utility company and requests that the victim pay overdue tax or a penalty, or return funds which have been paid in error, accompanied by warnings of significant fines or even arrest and imprisonment in the event of default.
- The victim receives a communication from someone claiming to be a senior individual within the organisation by which the victim is employed, such as a finance director, or CEO, but who is in fact the fraudster. The fraudster persuades the victim to make an urgent payment, which the victim thinks is a genuine payment but which is in fact to the fraudster’s account.
Whilst in the cold light of day none of us think we will fall for such scams, it is important to appreciate that the fraudsters have done their homework. They will often have researched their targets first, using information they have gathered through social media, data breaches and sometimes malware, to add plausibility to their scam. For example, this may take the form of a simple reference by the fraudster to a victim’s colleague in the Sales team. While this provides implicit credibility, such information could have been obtained readily from the company’s website or from a disclosure by the company’s switchboard. In the heat of the moment the tactics employed by fraudsters are not always obvious.
How do I get my stolen money back?
If your credit card was stolen and used by the thief, as long as you have notified your bank/card issuer of the theft then generally you are not responsible for any transactions which take place after notification; the transactions were not made by you and you did not authorise them.
However, because when an APP fraud takes place you are tricked into authorising the payments (albeit without appreciation of the full facts) the payments are not treated by your bank as unauthorised transactions. As a result, your entitlement to recovery of the funds from your bank is more limited.
On 28 May 2019 UK Finance launched the Contingent Reimbursement Model Code for Authorised Push Payment Scams (‘Code’). This voluntary code (and to which the majority of the ‘big name’ banks have signed up) ensures that many victims of APP scams are reimbursed in full by their bank, provided that the victim has not acted with ‘gross negligence’ in making the payment. The Code applies to all personal customers and micro enterprises (an enterprise which employs fewer than 10 people and whose annual turnover and annual balance sheet total does not exceed €2m). However, it is worth noting that any entitlement to reimbursement under the Code will cover only the stolen funds and not any consequential loss claimed (for example, lost profits from a transaction for which the funds would otherwise have been used). For victims who fall outside the scope of the Code, seeking reimbursement of stolen funds from their bank can be more difficult.
Therefore, as a first step, you should liaise with your bank or building society to establish whether it has signed up to the Code and/or whether it is prepared to compensate you for the losses that you have suffered as a direct result of the fraud.
However, regrettably, and despite the spirit of the Code, many banks have been quick to refuse claims made by victims who have suffered from APP fraud. This is often on the basis that the victim acted (allegedly) with gross negligence in authorising the payment or falls outside the scope of the Code, thus entitling the bank to refuse to reimburse under the Code.
What is ‘gross negligence’ and am I guilty of it?
There is no statutory definition of ‘gross negligence’ and, as yet, the Courts of England and Wales have not sought to carve out a clear definition either. This means that not only is there a greater level of uncertainty for both the bank and the victim, but also that the interpretation of what amounts to gross negligence often turns on the specific facts of a case.
Examples of gross negligence may include:
- Giving the fraudster the ‘secret code’ required to effect online payments from your bank account, despite repeated warnings by your bank never to disclose the code to anyone, including to bank employees.
- Failing to install appropriate virus/anti malware software to your computer systems which has in turn enabled the fraudster to access information which would not otherwise be available but which has been fundamental to the carrying out of the fraud. This is particularly the case where a bank recommends installation of its own specially designed and free of charge antivirus software.
- Giving the fraudster remote access to your computer systems via software such as TeamViewer.
However, the fact that each case must be considered on its own facts and nuances also means that any decision by a bank to refuse to reimburse the stolen funds on this basis should be scrutinised all the more closely and potentially makes it all the more susceptible to challenge.
Authorised Push Payment Fraud Compensation Claims
Even if your bank has rejected your request for reimbursement of the stolen funds, it may still be possible to successfully claim compensation from your bank for the losses that you have suffered as a victim of APP fraud.
Whilst a bank does not have a blanket duty to prevent fraud, it does owe a duty to safeguard its customers from fraud and to exercise reasonable skill and care in that regard. This common law duty is in addition to, and distinct from, any obligations that a bank may have assumed under the Code. Consequently, and once it is ‘put on inquiry’ of fraud, it may be reasonable to expect a bank to stop fraudulent payments from being made, even when they have been authorised by the victim.
A bank is likely to be ‘put on inquiry’ where there are reasonable grounds for believing that a fraud may be taking place. This does not necessarily mean that the bank has to have absolute proof that a fraud is in progress. If, despite those reasonable grounds for suspicion, the bank nevertheless facilitates a payment then there may well be an argument that the bank has breached the duty of care that it owed to the victim and is thus liable to pay compensation, by reimbursing the stolen funds.
Whether or not a bank has breached the duty of care it owes to its customers again turns on the specific facts of a case. However, examples of when a payment might be successfully challenged include:
- Payments made which are atypical of the victim’s usual banking, such as significant payments made to suppliers when usually payments made are much lower in value.
- Payments made from otherwise dormant accounts.
- Payments to foreign accounts when the victim’s business is entirely UK based.
Further legal assistance
As professional negligence solicitors we act for clients nationwide, to resolve claims against a wide range of professionals, including claims against banks and other financial institutions.
In doing so, we rely on the unique insight and experience that we have gained over many years from previously advising many of the leading financial services institutions on industry claims, including claims arising from Authorised Push Payment fraud.
If you would like to arrange an initial consultation with us, free of charge or commitment, please do not hesitate to contact us on 0800 195 4983 or by email at mail@pnclegal.com.
At PNC Legal there is much more than just the fact that we specialise exclusively in resolving claims for professional negligence that sets us apart from most other solicitors.
