No duty of care where customer clears payment

Authorised Push Payment (APP) fraud happens when victims are deceived into making immediate payments to bank accounts managed by fraudsters pretending to be legitimate payees, write Paul Convery and Ronan Shaughnessy of William Fry.

APP fraud involves various tactics – including impersonation scams, where fraudsters pose as legitimate entities such as banks or service providers.

This type of fraud frequently occurs with the victim's consent, as they are unaware that the transaction is fraudulent.

Sensitive details

It can also lead to the loss of sensitive banking details, such as account numbers or PINs. The real-time nature of these transactions leaves little room for detection or reversal, making APP fraud particularly effective and damaging.

A case in Britain’s Supreme Court, Philipp v Barclays Barclays [2023], centred on whether Barclays owed a duty of care, known as the 'Quincecare' duty, to prevent APP fraud.

Fiona Philipp was a victim of APP fraud, losing £700,000 after being convinced by fraudsters to transfer money to accounts in the UAE.

She claimed that Barclays should have recognised the fraud and intervened, invoking the Quincecare duty, which traditionally requires banks to refrain from executing payment instructions if they suspect fraud by an agent of the customer.

Initially, the High Court of England and Wales ruled in favour of Barclays, stating that the Quincecare duty did not apply to APP fraud.

However, the Court of Appeal overturned this decision, expanding the Quincecare duty to include situations where the customer authorised the payment under fraudulent inducement.

The Supreme Court unanimously overturned the Court of Appeal's decision, ruling that the Quincecare duty does not extend to APP fraud where the customer personally authorises the payment.

‘Wisdom or risks’

It emphasised that a bank's primary duty was to execute the customer's instructions promptly and accurately, without questioning the wisdom or risks of the customer's decisions, unless there was an express contractual term to the contrary.

Following this decision, banks in Britain are not legally required to intervene when they suspect a customer is an APP fraud victim.

The duty to act on a customer's instructions is strict and does not include assessing the validity of those instructions unless they come from an agent suspected of fraud.

The British Supreme Court highlighted that it was up to parliament and regulators to determine the extent of banks' responsibilities in APP fraud cases.

The Quincecare duty, therefore, remains applicable in Britain only in situations involving an agent acting fraudulently on behalf of a customer, but does not extend to cases where the customer is directly deceived into authorising a payment.

Recent cases

In Larsson v Revolut [2024] EWHC 1287 (Ch), Larsson was defrauded into transferring funds to fraudulent accounts, believing he was purchasing shares in a non-existent entity.

Larsson claimed that Revolut breached its contractual and tortious duties by failing to detect and prevent the fraud. He also alleged unjust enrichment and dishonest assistance in a breach of trust.

The High Court of England and Wales struck out the claims in contract and tort, finding that Revolut did not owe a duty of care to Larsson.

However, it allowed the dishonest assistance claim to proceed, subject to Larsson amending his pleadings to clarify the existence and breach of trust and Revolut's role in assisting that breach.

In Terna Energy Trading DOO v Revolut Ltd [2024] EWHC 1419 (Comm), Terna Energy Trading fell victim to an APP fraud, resulting in a transfer of €700,000 to Zdena Fashions Ltd, which held an account with Revolut.

Fraudsters quickly dissipated the funds. Terna did not claim against its bank or Zdena but instead brought a claim of unjust enrichment against Revolut.

Revolut argued that it had not been enriched because a liability to Zdena offset any funds it received.

However, the England-and-Wales High Court held that the transfer enriched Revolut and that the position of an Electronic Money Institution (EMI) like Revolut is similar to that of a bank in this context.

The court also rejected Revolut's argument that any enrichment was not at Terna's expense. Revolut has been granted permission to appeal.

The Larsson and Terna Energy cases involved claims against Revolut for failing to prevent APP fraud, with the courts examining Revolut's responsibilities and potential liabilities as an EMI. These cases highlight the ongoing legal scrutiny of EMIs' roles in safeguarding against fraudulent transactions.

Current landscape in Ireland

Figures provided by the Banking and Payment Federation of Ireland (BPFI) show that in 2023, the industry value of APP fraud was €18.1 million.

In response to the growing trend of APP fraud and to assess its effects on consumers and businesses, the Joint Committee on Finance, Public Expenditure and Reform published a Report on Authorised Push Payment Fraud in October 2024.

The report acknowledges that no single measure can effectively prevent APP, but it sets out recommendations towards measures that would allow for a centrally coordinated, comprehensive approach.

The evolving landscape of APP fraud presents significant challenges for both financial institutions and consumers.

The recent British Supreme Court and High Court cases underscore the complexities surrounding the legal responsibilities of banks and EMIs in preventing and addressing APP fraud.

They may provide insight into how the Irish courts would approach similar claims.