Should the banks be reimbursing victims of Authorised Push Payment Fraud (APPF) prior to 28th May 2020?

Before we try to answer this important question, we need to understand how scams, fraud and fraud prevention have developed in the last few years.


Scam or Fraud?

Some people refer to a scam, others call it fraud. Some banks have even been known to decline a refund because they say that the customer was a victim of a scam, not a fraud.

Is there a difference? Does it matter?

In 2017 the British Standards Institution (BSI) published a Code of Practice titled “Protecting customers from financial harm as a result of fraud or financial abuse.” It is referenced as PAS 17271:2017 and includes a number of helpful definitions:

Scam: transaction or proposition based on false information, which encourages the victim to reveal security information or pay away funds on the basis that there will be a benefit to them as a result.

Fraud: criminal act involving deception or omission intended to result in financial or personal gain, or to cause loss to another party.

In my view they are two sides of the same coin. The scam is what you see. It’s the advert, the social contact, the urgent email or the ‘helpful’ phone call that draws you in, that gets you hooked. Once hooked you can become the victim of the fraud.

UK Finance’s annual review, Fraud The Facts, has the heading Authorised Push Payment (APP) Fraud and then lists the individual scams that happen.

So, I’m going to use the abbreviation APPF unless I’m referring to a specific type of scam.

Authorised Push Payment Fraud (APPF)

APPF is when someone inadvertently authorises (or ‘pushes’) what they believe to be a genuine payment directly from their bank account, but it goes to the ‘wrong’ account, an account that is being used for fraud.

  • You might have received an invoice that appeared to have come from your builder by email, but the fraudster has changed the account details and you inadvertently pay the fraudster, not your builder.
  • You might be putting down the deposit on a future home, but the fraudster has managed to give you their bank details instead of the solicitor’s.
  • You might be trying to invest some savings, but the fraudster has managed to ‘clone’ a genuine investment company, so your savings all go to the fraudster.

Each of these is an example of a scam that results in the individual, charity or business becoming the victim of an APP Fraud.

Almost anyone can become a victim of APPF. The fraudsters are becoming increasingly sophisticated and often use ‘social engineering’ to convince their victims to do what the fraudsters want them to do.

APPF was almost unknown 10 years ago and, as far as we can tell, it only started to become a serious issue in 2014/15. But the banks knew about the risk in 2013!

Figures published by UK Finance show that APPF losses have grown at a dramatic rate over the last 3-4 years. In 2019 they were £455m (i.e. £1.25m/day). This is nearly 30% more than 2018 (£354m) and almost double the figure for 2017 (£236m).

Contingent Reimbursement Model - The CRM Code of Practice

In response to growing pressure from consumer groups, some of the banks introduced a Code of Practice called CRM (the Contingent Reimbursement Model) on 28th May 2019. The essential objective of The Code was that if the Account Holder had taken reasonable care and complied with certain specific obligations before and during the payment process, they would be reimbursed. (The full code can be downloaded from the ‘Resources’ tab.)

One of the really important aspects of The Code is that it doesn’t apply to payments made before 28th May 2019. So, if you inadvertently authorised a payment before 28th May 2019 and it turned out to be fraud, then you will not be covered by CRM.

Confirmation of Payee (CoP)

To make an online payment to someone who you have never paid before, you need to set up their Payee (or receiving account) details. These will be their account name, sort code, account number and any reference or message that will go with the payment.

Contrary to what the majority of people believed, the banks have, historically, relied entirely on the sort code and account number, completely ignoring the account name.

You might have been trying to make a payment to ABC Builders, or Smith Solicitors, or ZYX Investments, but the actual account name on the receiving account could have been Mickey Mouse. The banks did not have any system for checking that the account name on the receiving account was what you expected it to be.

This changed on 30th June 2020 when the top six banking groups, covering c.90% of all transactions, were required by the Regulator to introduce Confirmation of Payee (CoP).

The new system applies to the creation of new Payees. It does not check Payees that were created before 30th June 2020. The Payer and the Payee must both bank with one of the CoP banks and be making the payment by the Faster Payment System (FPS) or CHAPS (and not by BACS).

With CoP, when you enter the account name, sort code and account number, your bank sends a message to the Payee’s bank, and their bank responds with either:

  • ‘Perfect match’
  • ‘Close match’ or
  • ‘No match’

If the other bank is not part of CoP you will get a message that CoP is not available.

If the response is ‘perfect match’ then it means that the name on the receiving account is what you expected it to be, but you still need to be sure that you are paying the right person and that what you are paying for is genuine.

If the response is ‘close match’ then you will be shown the actual account name for the sort code and account number that you have given. Check this very carefully because the fraudsters might have created a very similar account name. It’s always best to contact the Payee using a trusted contact, such as a phone number you have used before and that you know is genuine.

If the message is ‘no match’ then it is vital that you contact the Payee using a trusted contact, such as a phone number you have used before and that you know is genuine. A ‘no match’ is a serious risk of fraud. The fraudster may tell you that it is a new account and the bank cannot check it yet. This will be a lie! Do not make the payment.
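
An added illustration (not part of the original article, and not any bank's actual matching logic) of the name check described above, alongside the earlier routing that ignored the account name. The sort codes, accounts, suffix table and 0.8 similarity threshold are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: sort codes of banks taking part in CoP, and the
# account names held by the receiving bank. None of this is real.
COP_SORT_CODES = {"11-22-33", "44-55-66"}
ACCOUNTS = {
    ("11-22-33", "12345678"): "ABC Builders Ltd",
    ("44-55-66", "87654321"): "Mickey Mouse",
}

SUFFIXES = {"ltd": "limited", "co": "company", "&": "and"}
CLOSE_THRESHOLD = 0.8  # assumed cut-off; each bank sets its own matching rules


def normalise(name):
    """Lower-case, strip punctuation and expand common business suffixes."""
    words = re.sub(r"[^a-z0-9& ]", " ", name.lower()).split()
    return " ".join(SUFFIXES.get(w, w) for w in words)


def confirm_payee(name, sort_code, account_number):
    """Return (outcome, account_name_shown_to_payer) for a new Payee."""
    if sort_code not in COP_SORT_CODES:
        return ("CoP not available", None)
    held = ACCOUNTS.get((sort_code, account_number))
    if held is None:
        # Simplification: an unknown account is reported as 'No match'.
        return ("No match", None)
    wanted, actual = normalise(name), normalise(held)
    if wanted == actual:
        return ("Perfect match", None)
    if SequenceMatcher(None, wanted, actual).ratio() >= CLOSE_THRESHOLD:
        # On a close match the payer is shown the actual account name.
        return ("Close match", held)
    return ("No match", None)


def route_without_cop(name, sort_code, account_number):
    """Routing before CoP: the name the payer typed plays no part at all."""
    return ACCOUNTS.get((sort_code, account_number))
```

With the same sort code and account number, `route_without_cop` delivers a payment intended for "ABC Builders" to the account held as "Mickey Mouse", while `confirm_payee` reports ‘No match’ before the Payee is created.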

THE BIG QUESTION

The BIG question that I am asking is:

“Have the banks done all that they reasonably could have done
to prevent, or at least mitigate, these losses from APPF,
or have they been ‘Grossly Negligent’?”

There are lots of things that the banks could have done, and some of them are listed here but the one that tops my list is Confirmation of Payee. I will explain why.

The Risks of the Faster Payment System (FPS)

When FPS was launched on 27 May 2008 it was based on the use of the Sort Code and Account Number to route the payment to the Payee’s (or beneficiary’s) account at the Receiving Bank. FPS made no reference to or use of the Account Name that the Payer had used to identify the intended Payee.

In my view a thorough and detailed analysis of the risks associated with the introduction of ‘instant payments based solely on an unverifiable sort code and account number’ should have resulted in the development of appropriate security protocols. There were obvious risks of not having CoP.

Even if those risks were not properly identified at the time, then they should have been identified and responded to as they became increasingly obvious in the following years.

Tidal Energy Ltd v Bank of Scotland

Even if the risk of fraud from the use of unverifiable Sort Codes and Account Numbers was not obvious in 2008, it became obvious in 2012 and 2013 with the case of Tidal Energy Ltd v Bank of Scotland (EWHC 2780). In January 2012 Tidal Energy attempted to make a payment of £217,781 but it went to the ‘wrong’ account. The court ruled that Bank of Scotland did not have to reimburse Tidal Energy because it was not banking practice to check the Payee name.

The fact that it was not banking practice at that time to check the Payee name does not, in my view, mean that the banks could remain indifferent to what was now an obvious risk.

Camerata Property Inc v Credit Suisse Securities (Europe)

In this case, together with those of Red Sea Tankers Ltd v Papachristidis (The "Ardent") and Winnetka Trading Corp v Julius Baer International Ltd & Anor, one of the issues that the judges had to consider was that of potential ‘Gross Negligence’.

The specific point that I focus on is the statement made by Mance J that: “the concept of Gross Negligence seems to me capable of embracing ….. indifference to an obvious risk”.

The Banks Have Been Grossly Negligent

Based on the principle that “indifference to an obvious risk” constitutes Gross Negligence, and that the Banks have been aware of the risk since at least 2013, they must, in my view, have been Grossly Negligent since the start of 2014 in that they have, amongst other things, failed to develop and deliver systems to allow Account Holders to confirm the Account Name on the Payee’s account.

Historic Reimbursement Scheme (HRS)

On the basis that the banks have been Grossly Negligent and could have prevented a substantial proportion of APP Fraud by introducing CoP in 2014, it is my firm view that they should develop an Historic Reimbursement Scheme for victims of APPF.