Push payment fraud: High Court considers banks' retrieval duty

CCP Graduate School Ltd v National Westminster Bank Plc [2024]

This article was co-authored by Ed Le Gassick, Trainee Solicitor.

In this article, we discuss a recent summary judgment in the case below, which leaves the door ajar for further claims and the possible creation of an additional retrieval duty for banks following payment diversion fraud. 

'Push Payment Fraud' is a type of payment diversion fraud that has long been a blight on businesses globally and continues to increase in frequency. Typically arising following a business email account compromise, these man-in-the-middle attacks are particularly damaging for businesses that can often lose huge sums, underscoring the importance of having robust practices in place and holding adequate cyber insurance coverage.

One historic complaint from businesses and the insurance market is the ease at which such fraud can be orchestrated. Banks, in some cases, do not manually confirm or challenge large transactions, and recovery can be slow, leading to permanent losses.

We discuss the recent decision in CCP Graduate School Ltd v National Westminster Bank Plc [2024] that could lead to a 'retrieval duty' on banks where funds are diverted. The decision is the latest in a line of decisions that outline the duty of banks to challenge potentially fraudulent payments (often referred to as the 'Quincecare Duty').

What is Authorised Push Payment Fraud?

Whilst there are many variations, in its simplest form, Authorised Push Payment fraud, or 'APP fraud', is a common type of fraud where the victim is deceived into authorising a payment to a fraudster.

These incidents can affect policyholders, such as the payee and payor, depending on the target of the fraud. This can often leave policyholders and insurers out of pocket if the funds cannot be recovered.  

The judgment in Barclays Bank Plc v Quincecare Ltd [1992] established a duty on banks to decline to proceed with an instruction where there was a suspicion of fraud. This duty, known as the 'Quincecare duty', has always sat somewhat uncomfortably against the duty on banks to execute their customer's wishes promptly.

Since 1992, cases such as Philipp v Barclays Bank UK PLC have unsuccessfully sought to extend the scope of the Quincecare duty to circumstances where a customer instructed the bank to execute the payment rather than an agent having provided the instruction.

Philipp was deceived into transferring around £700,000 to a fraudster's account in the belief that the transfer was being made at the recommendation of the Financial Conduct Authority and National Crime Agency. Attempting to extend the scope of the Quincecare duty, Philipp alleged that Barclays owed her a duty not to execute the payment as they had reasonable grounds to suspect fraud. The Supreme Court rejected this on the basis that no agent had been involved in the transaction. Unless the parties expressly agreed otherwise, Barclays had no duty to refuse to make payment on the grounds of potential fraud.

However, the Supreme Court permitted Mrs Philipp's alternative claim that Barclays had breached its duty of care by failing to act promptly when attempting to recall the payments after notification of the fraud.


New developments for victims of payment diversion fraud

CCP alleged that they had fallen victim to an APP fraud. This resulted in instructions to NatWest in 2016 to execute 15 payments amounting to almost £416,000 from CCP's NatWest account to a Santander account controlled by a fraudster.

Similarly to Philipp v Barclays Bank UK PLC, the allegations concerned an alleged breach of the Quincecare duty by NatWest in relation to failing to halt the execution of the payment on the basis that there were reasonable grounds to suspect fraud.

CCP waited several years before initiating proceedings against the banks in question. Following the Philipp judgment, it sought to amend the claim so as to plead an alternative case that, at a certain point, NatWest and Santander (the payor and payee banks) owed a duty in law to take reasonable steps to retrieve or recover the funds in question.

NatWest and Santander applied for summary dismissal of the claim.

The outcome of the claim

Master Brown found that the pleadings, regarding a failure to take reasonable steps to retrieve or recover the funds, constituted a new claim against NatWest. Therefore, Master Brown considered whether the retrieval claim represented the same facts as the initial claim.

He found 'a clear distinction between alleged acts and omissions before the payment out from the NatWest Account, and the alleged absence of steps taken to retrieve the sums after the point when the duty to retrieve arise…'.

The amendment was disallowed, and the application failed because the new claim was outside the relevant limitation period.

Whilst the amended claim was rejected on technical legal grounds, it was held that a bank may have a duty to take steps to recover or retrieve funds—a welcome outcome for fraud victims and their insurers.

This 'retrieval duty' may offer possibilities for recovery whereby funds are diverted to, or from, a policyholder. It may also provide more fertile legal ground for potential claims against banks by either (i) policyholders; or (ii) their insurers via a subrogated recovery in line with any losses sought under a cyber insurance policy.

Why is this important?

The decision has the potential to develop the legal landscape concerning payment diversion fraud and could lead to banks having a 'retrieval duty'.

However, as those with experience handling the fallout from cybercrime know all too well, cybercriminals are adept operators who quickly move funds beyond the recovery capabilities of the payor and payee banks (usually to third-party, offshore, or cryptocurrency accounts). As it is unlikely that any reasonable steps in a 'retrieval duty' would extend to tracing funds, even if a duty is confirmed, it is unclear whether it would materially improve the prospects of recovering diverted funds.

To mitigate the risks of payment diversion fraud, we recommend that insurers ensure that their policyholders:

  • Have robust procedures in place to authenticate all payment requests. Organisations which typically handle high volumes of payments (such as conveyancers) should be particularly wary.
  • Routinely undertake assessments of their overall cyber security posture.
  • Ensure that phishing and cybersecurity training are regularly offered to all staff members, including those responsible for arranging and receiving payments.
