Payment fraud is a significant problem in the UK causing serious harm to individuals and businesses. UK Finance reported that in the first half of 2024 just over £570 million was stolen in payment fraud.
A fraudulent payment could be either unauthorised or authorised. The former involves a fraudster accessing a victim’s bank account and making a payment to an account the fraudster controls. The latter, which is also known as authorised push payment (APP) fraud, occurs where a victim is tricked by a fraudster into making a payment to an account controlled by the fraudster.
As payment fraud increases, the English courts are increasingly dealing with cases where victims are seeking recovery of their monies. As fraudsters are often untraceable, claims have tended to focus on banks and other payment service providers (PSPs).
There have been a number of developments in this area, particularly in the past couple of years.
Darren Kidd, a partner in our financial litigation team, summarises the key ones below.
Unauthorised payments
The ‘Quincecare duty’
A bank owes a general duty to act with reasonable skill and care when processing customer payments. An application of this duty is what has been called the ‘Quincecare duty’ following the case of Barclays Bank plc v Quincecare Ltd [1992] 4 All ER 363. This applies where an agent of a customer purports to give a payment instruction to a bank. Where the bank has reasonable grounds for believing that the payment instruction is an attempt to defraud the customer, the bank is ‘on inquiry’ that the order is an attempt to misappropriate the customer’s funds and must make inquiries to verify that the instruction has been authorised by the customer and not execute the payment in the meantime. If the bank does not do so and debits the customer’s account, it is prima facie liable to reimburse the customer. An example where this might apply is an employee who uses its employer’s bank account to make a fraudulent payment to itself, or a director of a company who uses the company’s bank account to make a fraudulent payment to an account they control.
Authorised payments
The Authorised Push Payment (APP) Fraud Reimbursement Scheme
As part of its attempts to combat APP fraud, the Payment Systems Regulator (an independent subsidiary of the Financial Conduct Authority) introduced the Authorised Push Payment (APP) Fraud Reimbursement Scheme on 7 October 2024 (this replaced a voluntary code). This applies to eligible payments made on or after 7 October 2024 where a payment is made by a PSP to an account in the UK through either the Faster Payments or CHAPS systems. Under this scheme, a victim, if eligible, may be reimbursed for their losses up to £85,000. In cases where the facts pre-date the scheme’s introduction, or which involve payments exceeding £85,000, or were made using other UK payment systems, or international payments, the scheme will not assist victims of fraud. The scheme is also limited to consumers, micro-enterprises, or small charities so does not apply to companies. Its scope is, therefore, limited.
The Financial Ombudsman Service
If the APP Fraud Reimbursement Scheme does not apply or does not adequately compensate a victim of fraud, a complaint could be made to the Financial Ombudsman Service. The FOS resolves disputes involving firms regulated by the FCA, deciding cases based on what is fair and reasonable in all the circumstances. Depending on the timing of the event in question, the FOS can make an enforceable decision which requires a firm to pay an individual, or certain small or medium-sized enterprises (SMEs), charities and trusts up to £445,000 in compensation.
If both the APP Fraud Reimbursement Scheme and the FOS are inapplicable or unsuitable, a victim of fraud will need to look to the courts.
The ‘Quincecare duty’ does not apply to authorised payments
In 2023, in the important case of Philipp v Barclays Bank UK plc [2023] UKSC 25, the Supreme Court held that the Quincecare duty does not apply to victims of APP fraud. This is because a bank’s general duty to act with reasonable skill and care when processing customer payments is limited and applies only to “interpreting, ascertaining, and acting in accordance with the instructions” of the customer. If the validity of a customer’s instructions is not in question, then a bank is obliged to follow the instructions it receives in accordance with its separate duty to comply with its mandate to carry out payment instructions promptly. Although an individual may have been manipulated into making a payment, for example as part of an investment or romance scam, a bank will not be liable for a breach of the Quincecare duty if it acts in accordance with that individual’s instructions however unwise those instructions might be. The difference between these scenarios and the examples of the employee and director above are the instructions to the bank were not validly given by the employer and company because the employee and director were acting fraudulently.
A ‘Retrieval Duty’?
In the Philipp case, the Supreme Court suggested that a bank may have a duty to take reasonable steps to recover monies which were paid out of its customer’s account as a result of APP fraud, once it is notified of such fraud. In Santander UK plc v CCP Graduate School Ltd [2025] EWHC 667 (KB) the claimant (CCP) argued that a bank which received fraudulent payments owed a duty to it to retrieve the monies. In a decision handed down in March 2025, the High Court rejected the possibility of a retrieval duty for receiving banks. It said the Supreme Court’s comments in Philipp concerned a claim by the victim of fraud against its own bank and arose out of the contractual relationship between them. The court held there was no basis for the incremental development of an equivalent freestanding duty owed to a party with whom the bank had no contractual relationship as was the case here.
Importantly, it remains to be seen whether a paying bank, who has a direct relationship with the victim of fraud, owes a duty of retrieval. It likely only a matter of time before this issue is before the courts.
A derivative action
Another recent attempt at bringing a claim against a receiving bank has been successful. In Hamblin & Anor v Moorwand Ltd & Anor [2025] EWHC 817 (Ch) the claimants had been tricked into transferring monies to an account in the name of a company set up by fraudsters held with a PSP called Moorwand. Those monies were paid away from the company’s account soon afterwards. The claimants argued that they should be able to bring a ‘derivative claim’ by stepping into the shoes of the company as the customer and allege a breach of a Quincecare duty owed by Moorwand to the company which had been defrauded. In a decision handed down in April 2025 the court found in favour of the claimants because of a number of ‘red flags’ it found Moorwand had ignored (many of which were linked to failures to identify the fraudster who was operating the company) and required Moorwand to reimburse the company.
The relevant company is in administration so the claimants will need to submit a claim in the administration to seek to recover the monies and they may not recover all they lost. However, this is an innovative example of claimants circumventing the Philipp decision which has restricted the ability of victims of APP fraud to recover their monies.
Conclusion
Although the law in relation to unauthorised payments is relatively settled, the law in relation to APP fraud is very much a developing area. Whilst the Philipp case restricted the ability of the victims of APP fraud to pursue banks and other financial institutions, recent cases indicate there may be other avenues available to those who do not fall within the scope of the APP Fraud Reimbursement Scheme and the FOS or where those routes are otherwise unsuitable.
Speak to our team
If you have any concerns about fraudulent banking transactions, including if you believe you may have been a victim of such fraud, please contact our expert financial litigation team to discuss your situation.
Posted:
