Lloyd's Maritime and Commercial Law Quarterly
AUTHORISED PAYMENT SCAMS AND THE BANK’S DUTY OF CARE
Sandra Booysen*
Philipp v Barclays Bank
Payment scams result in substantial losses each year for consumers and businesses alike. The problem has been exacerbated by the Covid-19 pandemic, which has given fraudsters new opportunities to deceive and prey on vulnerabilities.1 The UK payments industry body, UK Finance, has recently said that fraud “is now a national security threat”, requiring coordinated multi-sectoral action from the Government.2
Payment scams take different forms. A category that has attracted particular attention in recent years is the “authorised push payment” (APP) scam. A “push” payment is a payment instruction communicated by a customer to their bank. The main example is a funds transfer instruction using internet or mobile phone banking facilities. By contrast, a pull payment involves the customer’s giving the payment instruction to the payee, who then claims the payment from the payer’s bank. An example is a cheque. The label “authorised” in this context indicates that the payer has been deceived into authorising a payment to the fraudster. From a bank’s point of view, there is a valid instruction to pay from its customer; hence the loss ordinarily falls on the payer—unless there are grounds to hold the bank liable.3 The main common law ground on which to hold the bank liable for an authorised payment is the bank’s breach of its duty of care, and it was the scope of this duty that arose before the Court of Appeal in the recent case of Philipp v Barclays Bank UK Plc.4 While the discussion concerns the duty of care owed by banks, it no doubt has some relevance also for the growing number of other payment services providers.
The growing attention on APP scams in the UK was prompted by the intervention of the consumer organisation Which?, in 2016, out of concern for the upsurge in APP scams, and their damaging consequences for consumers.5 The ensuing investigation by the Payment Systems Regulator culminated in the introduction of the Contingent Reimbursement Model Code for Authorised Push Payment Scams (CRM Code) in May 2019.6 The CRM
* Associate Professor, Faculty of Law, National University of Singapore. I am grateful for useful comments received from Helena Whalen-Bridge, the attendees of the 20th meeting of the International Academy of Commercial and Consumer Law, and for research assistance from Lee Kay Han.
1. UK Finance Press Release, “Criminals Exploit Covid-19 as Fraud Moves Increasingly Online” (23 September 2020), available at: www.ukfinance.org.uk/press/press-releases/criminals-exploit-covid-19-fraud-moves-increasingly-online. See also Australian Competition & Consumer Commission, Targeting scams: Report of the ACCC on scams activity 2020 (June 2021), 1: available at: www.accc.gov.au/publications/targeting-scams-report-on-scam-activity/targeting-scams-report-of-the-accc-on-scam-activity-2020.
2. UK Finance, 2021 Half Year Fraud Update, 2; available at: www.ukfinance.org.uk/system/files/Half-year-fraud-update-2021-FINAL.pdf.
3. An authorised payment contrasts with an unauthorised payment where the fraudster issues the payment instruction to the bank, which is deceived into thinking that it is from the customer.
4. [2022] EWCA Civ 318 (Philipp CA).
5. See Payment Systems Regulator, “Which? super-complaint on payment scams”, online: www.psr.org.uk/how-we-regulate/complaints-and-disputes/which-super-complaint-on-payment-scams/.
6. The latest edition of the CRM Code is 20 April 2021, available online: www.lendingstandardsboard.org.uk/wp-content/uploads/2022/03/CRM-Code-LSB-April-2021.pdf. The Code is overseen by the Lending Standards Board.
350