The fact pattern is depressingly familiar:
- Party A owes money to Party B for goods or services.
- A fraudster, whether by hacking the emails of A or B or otherwise, manages to present an invoice to A with B’s account details revised so that when A pays, the money goes to an account held by the fraudster and not by B.
- The payment is therefore diverted from B to the fraudster.
This type of diverted payment fraud is also known as Authorised Push Payment (or APP) fraud. UK Finance estimates that in the UK in 2020 APP fraud involved payments of £479 million. It is a serious and growing problem.
The first point to make is that, even though its payment has been diverted to the fraudster, A is still obliged to settle its debt to B.
Second, what are A’s options for recovering the diverted payment?
If A discovers the fraud very quickly, then it may be possible to freeze the money in the account of the first bank to receive the payment (the Receiving Bank). Normally, however, the fraudster will have spirited away the money into multiple accounts. If the sum is sufficiently substantial, it may be worth investing in the expensive legal process of searching for the proceeds of the fraud and trying to freeze the money. It has to be said that APP fraud usually (and presumably deliberately) involves sums of money that do not justify this expense.
The next option to consider is whether A has any claim against the bank that paid out the money to the fraudster (the Paying Bank). Provided that the Paying Bank has not been put on notice of any irregularity in relation to the payment, then usually the Paying Bank is simply following the instructions of its customer when making the payment, as it is obliged to do, and is therefore blameless.
The final option is a claim against the Receiving Bank.
If A is (a) a private individual, micro enterprise (an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million) or small charity and (b) the Receiving Bank is a signatory and (c) the transfer was between UK domiciled bank accounts, then A will have the benefit of the Contingent Reimbursement Model Code. In brief, this Code entitles A to full reimbursement unless the Receiving Bank can establish negligence by A, for example a failure to follow its own anti-fraud procedures.
If A does not have the benefit of the CRM Code, then the claim against the Receiving Bank becomes appreciably harder. The fact that the Receiving Bank may have breached the relevant Regulations on customer due diligence such that a fraudster could open and operate a bank account does not give A a private cause of action against the Receiving Bank. Rather, the Receiving Bank may have exposed itself to enforcement action by the FCA. An exceptional fact pattern is needed to establish that the Receiving Bank owes A a duty of care so as to establish liability in negligence. The possible equitable remedies are no easier. In fact, there are conceptual difficulties with potential unjust enrichment claims.
There is also the practical difficulty of obtaining evidence of the Receiving Bank’s operational procedures and what mistakes (if any) the Receiving Bank made.
English law is wrestling with the problem of how to do justice between a number of different parties who are all the victims of fraud. The law is developing in this area as is banking practice so there are a number of moving parts. However, none of A’s potential claims are easy.
June 2021