Have the Banks been ‘Grossly Negligent’ in their response to Authorised Payment Fraud (APF)?

F

igures published by UK Finance recorded APF losses for 2018 as £354m (i.e. £1m / day). The headline figure for 2017 was £236m. Whilst this is not directly comparable to the figure for 2018 it is, in my view, reasonable to extrapolate that the total value of losses suffered by bank customers between 1st January 2014 and 27th May 2019 is in the order of £1bn.

The question that I am asking is: “Have the banks done all that they reasonably could have done to prevent, or at least mitigate, these losses, or have they been ‘Grossly Negligent’?

The Risks of Faster Payment System (FPS)

When FPS was launched on 27 May 2008 it was based on the use of the Sort Code and Account Number to route the payment to the Payee’s (or beneficiary’s) account at the Receiving Bank. FPS made no reference to or use of the Account Name that the Payer had used to identify the intended Payee.

In my view a thorough and detailed analysis of the risks associated with the introduction of ‘instant payments based solely on an unverifiable sort code and account number’ should have resulted in the development of appropriate security protocols. There were obvious risks.

Even if those risks were not properly identified at the time, then they should have been identified and responded to as they became increasingly obvious in the following years.

Tidal Energy Ltd v Bank of Scotland

Even if the risk of fraud from the use of unverifiable Sort Codes and Account Numbers was not obvious in 2008, it became obvious in 2012 and 2013 with the case of Tidal Energy Ltd v Bank of Scotland (EWHC 2780). In January 2012 Tidal Energy attempted to make a payment of £217,781 but it went to the ‘wrong’ account. The court ruled that Bank of Scotland did not have to reimburse Tidal Energy because it was not banking practice to check the Payee name.

The fact that it was not banking practice at that time to check the Payee name does not, in my view, mean that the banks could remain indifferent to what was now an obvious risk.

Camerata Property Inc v Credit Suisse Securities (Europe)

In this case, together with those of Red Sea Tankers Ltd v Papachristidis (The "Ardent") and Winnetka Trading Corp v Julius Baer International Ltd & Anor, one of the issues that the judges had to consider was that of potential ‘Gross Negligence’.

The specific point that I focus on is the statement made by Mance J that: “the concept of Gross Negligence seems to me capable of embracing ….. indifference to an obvious risk".

The Banks have been Grossly Negligent

Based on the principal that “indifference to an obvious risk” constitutes Gross Negligence, and that the Banks have been aware of the risk since at least 2013, they must, in my view, have been Grossly Negligent since the start of 2014 in that they have, amongst other things, failed to develop and deliver systems to allow Account Holders to confirm the Account Name on the Payee’s account.