Payment scams: Implications for Australian banks of UK Supreme Court judgment on banks' liability for authorised push payment (APP) fraud

On 12 July 2023, the UK Supreme Court handed down an important judgment on banks' liability for authorised push payment fraud (APP fraud): Philipp (Respondent) v Barclays Bank UK PLC (Appellant) [2023] UKSC 25.  The judgment clarifies the scope of the Quincecare duty under UK law.

Key points

• The UK Supreme Court has taken a narrow view of banks’ duties to protect customers against APP fraud. 
• In this note, we consider the implications for the Australian market of the decision and recent regulatory developments in the UK.

Background to the judgment

The claimant was the victim of an APP fraud. As part of an elaborate deception by a third-party fraudster, the claimant transferred £700,000 in two separate tranches from her account with the defendant bank (the Bank) to international bank accounts, in the belief that the money would be safe and that she was assisting an investigation by the Financial Conduct Authority and the National Crime Agency.

The claimant brought a claim against the Bank to recover damages for the loss she suffered by making the two payments, alleging that the Bank owed and breached a Quincecare duty of care to protect her from the consequences of the payments.  The Bank denied the claim and brought an application for strike out / reverse summary judgment, arguing that it did not owe a legal duty of the kind alleged by the claimant and that (even if such a duty was owed and breached) the claimant’s case on causation was fanciful.

The Bank applied to have the claim summarily dismissed on the ground that, as a matter of law, it did not owe the claimant the alleged duty. In 2021, the UK High Court granted summary judgment in favour of the Bank.  However, subsequently the UK Court of Appeal allowed an appeal by the claimant, accepting her argument that, in principle, a bank owes a duty to its customer of the kind alleged.  The Bank appealed that decision to the UK Supreme Court.

The judgment

The UK Supreme Court found that the question of whether victims of APP fraud (i.e. where the victim is induced by fraudulent means to authorise their bank to send a payment to a bank account controlled by a fraudster) should be left to bear the loss themselves, or whether banks should be liable to reimburse victims, is a question of social policy for regulators, governments and Parliament.

Provided the customer's account is in credit, the UK Supreme Court's view is that the ordinary duty of the bank when instructed by its customer to make a payment from the account is to carry out the instruction and make the payment. In making the payment, the bank must execute the transaction and do so promptly. The Court noted: “It is not for the bank to concern itself with the wisdom or risks of its customer's payment decisions”.¹

Further, the Court held that the Quincecare line of authorities – which reasoned that a bank owes a duty not to carry out an instruction from an agent of the customer to make a payment if it has reasonable grounds for believing the agent is defrauding the customer – does not apply to cases where no agent is involved and the customer gives a payment instruction to the bank (i.e. APP fraud).  The Court observed:

Provided the instruction is clear and is given by the customer personally or by an agent acting with apparent authority, no inquiries are needed to clarify or verify what the bank must do. The bank’s duty is to execute the instruction and any refusal or failure to do so will prima facie be a breach of duty by the bank.²

However, the Court has left open the prospect that the bank might still be liable for not acting promptly to recall the payments after being notified of the fraud.  The claimant had argued, as an alternative case, that the Bank was in breach of duty after the fraud had been discovered in not taking adequate steps to recover the money which had been transferred to international accounts.  While the Court of Appeal did not need to address this separately (having decided the main issue in the claimant’s favour), the Supreme Court considered it relevant to revisit this argument, and noted it was “arguable” that, when the claimant reported that she had been induced to make the payments by fraud, the Bank’s staff should have sought her instructions to recall the payments³ Accordingly, the Court refused summary judgment in relation to the alternative case.⁴

Implications for the Australian market

While the UK Supreme Court's decision will not be binding in Australia, it will be influential, and it seems likely that Australian courts would follow similar reasoning on the existence and scope of any duty of care owed by banks.

Generally speaking, claims against banks by victims of APP fraud in Australia have been unsuccessful, whether brought in Courts or the Australian Financial Complaints Authority (AFCA).  For example, in recent AFCA determinations, AFCA has stated that “A bank is contractually obliged to follow its customer’s mandate or instruction” and “Generally, a bank does not have a fiduciary duty to advise the complainant that a transaction … is not in its best interests, or: an obligation to monitor transactions on its customer’s behalf, maintain watching briefs for scams, for its customer’s benefit, prevent the customer from dealing with funds they are contractually entitled to access, and/or reimburse a customer for authorised payments to a third party”.

That position is likely to be reinforced if the UK Supreme Court’s decision is followed in Australia.

However, it should be appreciated that a claim for breach of a duty is not the only potential cause of action that may be available for a scam victim in Australia – for example, actions may be available for knowing assistance, misleading or deceptive conduct, or similar causes of action. 

Further, Australia’s financial services regime imposes other obligations on banks which can be relevant in the context of scams – in particular, the obligation on Australian Financial Services Licensees to do all things necessary to ensure the financial services covered by their licence are provided “efficiently, honestly and fairly”.

A matter of policy?

In Australia, as in other jurisdictions, the debate continues as to the correct regulatory response to scams.  Ultimately, as the UK Supreme Court observed in Philipp, the question of whether banks should bear some or all liability is a matter of social policy, and a matter for government and regulators.

Despite the finding in Philipp, the UK regulatory landscape has shifted markedly in recent years towards holding banks accountable for customers’ scam losses. Following the launch of a voluntary Contingent Reimbursement Model in 2019, the UK’s Financial Services and Markets Act 2023 now places a statutory obligation on the Payment Systems Regulator (PSR) to introduce a reimbursement requirement for APP scams in Faster Payments by the end of February 2024.  On 7 June 2023, the PSR published a policy statement introducing a new reimbursement requirement for APP fraud within the UK’s Faster Payments system, underpinned by several key policies.⁵ The PSR has proposed an implementation date of 2 April 2024.  The new mandatory reimbursement regime will be based on ten key policies:⁶

1. Mandatory reimbursement: The Payment Service Provider that operates the account from which a payment is sent (sending PSP) must reimburse all customers who fall victim to APP fraud (subject to certain exceptions).  This does not apply to:
   1. civil disputes;
   2. payments which take place across systems other than the Faster Payments system;
   3. international payments; or
   4. payments made for “unlawful purposes”.
2. Sharing the cost of reimbursement: The Payment Service Provider that operates the ultimate account into which a payment is received (receiving PSP) must pay sending PSPs 50% of the reimbursement.
3. Exceptions for APP fraud claims: Reimbursement is not required where the customer has acted fraudulently or with gross negligence.  The PSR notes that gross negligence is a high bar, but that it sees “no credible alternative” that would accomplish its objectives. The PSR has indicated it will develop additional guidance on this standard for consultation in Q3 2023.  Noting FCA commentary, it seems likely this standard will require a very significant degree of carelessness.⁷
4. Time limit to reimburse: Sending PSPs must reimburse customers within five business days.
5. Claim excess: Sending PSPs have the option to apply a “claim excess” (with the PSR indicating it will consult on the appropriate level for this).
6. Minimum threshold: There is no separate minimum value threshold for APP fraud claims (noting previous consultation had proposed a £100 minimum threshold).
7. Maximum level of reimbursement: There will be a maximum level of reimbursement for APP fraud claims by value (also to be a topic of consultation).
8. Time limit to claim: Sending PSPs have the option to deny APP fraud claims submitted more than 13 months after the final payment to the fraudster.
9. Treatment of vulnerable customers: The customer standard of caution and claim excess must not be applied to vulnerable customers.
10. Approach to ‘multi-step’ fraud cases: The new reimbursement requirement applies to the Faster Payment to an account controlled by a person other than the customer, where the customer has been deceived into granting that authorisation for the payment as part of an APP fraud.

The UK regulatory position may influence the direction in Australia, and has already prompted calls by consumer groups for a similar mandatory reimbursement scheme to that implemented by the PSR.  Commonwealth Financial Services Minister Stephen Jones has suggested the Federal Government may soon commence public consultation on a new code of practice.  However, it is not clear that the Federal Government is supportive of a regime such as the UK’s. In late 2022, Minister Jones publicly pushed back on the idea that banks should be liable for losses incurred by customers who are scammed, noting that “if banks always pay the net result creates a honey pot for scammers”.

ASIC has also recently called for Australian financial institutions to improve their approaches to handling scams after new ASIC analysis revealed that scam losses for major bank customers exceeded $550m last financial year and impacted more than 31,700 customers.⁸ While ASIC found that Australia's big four banks have invested significantly in their anti-scam efforts over the last several years and have implemented a number of innovative and positive initiatives, it concluded there was more to be done, finding there were inconsistent experiences and outcomes for customers, and that at times the banks were inconsistent and narrow in terms of determining liability.  However, ASIC’s report did not propose mandatory reimbursement obligations.

How should Australian banks respond?

While the Philipp judgment clarifies the scope of the Quincecare duty under UK law, even if it is followed in Australia, it is unlikely to lead to a material shift in regulatory attitude or community expectations concerning the need for banks to address APP fraud and other types of scams. 

It is clear that payment scams will continue to be a significant issue that Australian banks will need to take steps to address by taking prudent measures such as:

• implementing effective frameworks to guide and oversee scam prevention, detection and response;
• investing in systems and processes to enable handling of scams in an end-to-end manner;
• documenting those systems and processes;
• regularly reviewing the bank’s capabilities;
• monitoring and keeping up with initiatives of other banks (and other businesses dealing with scams) both in Australia an globally;
• educating customers on the risk of scams;
• sharing insights with regulators and other banks (as appropriate);
• implementing detection capabilities and anti-phishing measures;
• taking extra care with vulnerable customers; and
• having clear and consistent approach to customer compensation, where available.

1. At [3].
2. At [100].
3. At [118].
4. At [120].
5. On 7 July 2023, the PSR published a consultation paper on two draft directions, which are the legal means to put the new APP fraud reimbursement requirements in place: https://www.psr.org.uk/publications/consultations/cp-23-4-app-fraud-reimbursement-requirement-draft-legal-instruments/
6. https://www.psr.org.uk/media/iolpbw0u/ps23-3-app-fraud-reimbursement-policy-statement-final-june-2023.pdf
7. FCA, Payment Services and Electronic Money – Our Approach: The FCA’s role under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011 (November 2021).
8. https://asic.gov.au/about-asic/news-centre/find-a-media-release/2023-releases/23-101mr-asic-calls-for-improved-approaches-to-scams-as-major-bank-customers-report-over-550-million-in-scam-losses/