The English Supreme Court’s recent judgement clarifying a bank’s obligations to its customers has attracted much comment. Rightly so – the UK’s banking landscape would have been transformed for the worse had the claimants prevailed. But just as the courts reduce the liability of banks in so-called Authorised Push Payment (APP) frauds, regulators are moving decisively in the opposite direction. The result is a muddle.
First, a case summary. In 2018, Mrs P and her husband were victims of a fraud in which they lost £700,000 after transferring money to supposedly “safe” accounts overseas. The scam was outlandish: the fraudsters posed as an elite police unit investigating wrongdoing by bank staff. But it was well executed and all too plausible – hundreds of victims fall for the same hoax every year.
Mrs P brought a claim against Barclays, her bank. She alleged that, given its suspicion that the transfers were part of a fraud, the bank should have refused to carry out her instructions. She claimed that the bank’s obligations to her included what lawyers call a Quincecare duty – so named after a 1988 judgement in which a bank (coincidentally also Barclays) was held to be responsible for the loss to a corporate customer as a result of executing payment instructions from a dishonest director. Ever since, banks have been potentially liable for misappropriation of a corporate customer’s money caused by a customer’s agent (a rogue employee in the accounts department, for example).
The claim failed at the High Court but was appealed. In 2022, the Court of Appeal found that the Quincecare duty could apply to all customers. Many lawyers deemed this ruling “surprising” – legal jargon for “crackers”.
In July the matter reached the Supreme Court. The stakes could not have been higher. Britons lose around £485m each year to APP fraud, the type that afflicted Mr and Mrs P. The Supreme Court was being asked who should pick up the tab.
The Consumers Association believes the banks should do so, as only this will force them to tackle such fraud seriously. Banks retort that they are unfairly singled out: social media platforms, telecom companies and others also make scammers’ lives too easy. Privately, banks suggest sympathy for these victims should be rationed: bank staff repeatedly warned Mr and Mrs P that they were very likely being scammed; a police officer who visited their home did likewise; Mr P misled bank staff about what the money was for; Mrs P visited two bank branches to push the payments through.
The claim failed. The Court ruled that any duty that banks owe customers in relation to the actions of a customer’s agent do not extend to instructions coming directly from a customer. If a customer wants to do something crazy with their money, there comes a point when the bank has to let them do it. The Court went further, finding that the original Quincecare ruling was flawed.
The judgement is a step back towards sanity: banks can’t be liable for the mistakes of their customers. But while the courts go in one direction, the government is heading the opposite way. Less than two weeks before the Supreme Court’s decision, the government’s Financial Services and Markets Act received Royal Assent. It gives new powers to the Payment Systems Regulator, a branch of the Financial Conduct Authority, to impose mandatory reimbursement of fraud victims, such that “most” APP fraud victims will be reimbursed by their bank within five days. The PSR wants the new rules in place in April 2024 and is currently finalising consultation with the sector. (The rules won’t cover payments to non-UK accounts, so would not have helped Mrs P.)
Currently, reimbursement is voluntary and inconsistent. Since 2019, nineteen UK lenders (including the big four high street banks) have operated to a voluntary code, known as CRM. In theory, these lenders are more likely to reimburse APP fraud victims. In reality, compliance with the voluntary code is variable.
When banks refuse to reimburse, customers can appeal to the Financial Ombudsman Service. It has ruled in favour of customers in just over half of cases. In cases involving banks that are members of the CRM, the ombudsman takes the customer’s side in around two thirds of cases. This can hardly encourage more banks to join the scheme.
Not everyone is in favour of automatic reimbursement. The Payments Association (another industry lobby) is opposed to the PSR’s drive for mandatory reimbursement. Among other objections, it claims that fraud could increase as people are incentivised to make dodgy investments. Punters will reason: “What is there to lose? If this crypto/high yield bond/Bahamas timeshare really does double my money in six months, I’m a winner. If it’s a scam, my bank will cover my loss.”
Lloyds, NatWest and Barclays are members of the Payments Association and the CRM, so apparently arguing the case both ways.
Greyhawk’s view is that the wrong banks have been made to pay. The reasons that APP fraud is a British disease are varied and many. They include inadequate law enforcement, a passive corporate registry, and a “faster payments” system that could be too fast to be safe. But each APP case has something in common: the receiving bank (the one to which the victim’s money has been sent) has, by definition, failed in its anti-money laundering obligations. It typically fails more than once. First, in opening the account too readily. Second, in sending on large sums of money overseas shortly after the first deposits were made. (Most times, the funds stay in the dodgy account for a few hours only before being forwarded to Dubai or Hong Kong.)
The PSR recognises this, up to a point. From April, it intends that reimbursement of APP fraud victims should be split 50/50 between sending and receiving banks. This is a fudge. The PSR should abandon its half-measures: make the fraudster’s bank, not the victim’s, cough up in full.