Cat MacLean: Where next for online fraud claims? – part two

Cat MacLean

Ahead of a major ruling of the Supreme Court next month, Cat MacLean takes a look at the jurisprudence of online fraud. Read part one here.

The impact of the decisions north and south of the border

Following the Appeal Court decision in Philipp, Sekers settled in due course for a substantial six-figure sum. Meantime, though, Barclays were given leave to appeal the Philipp Court of Appeal decision to the Supreme Court. The Supreme Court have expedited the hearing, now due to be heard on 1 and 2 February 2023, with submissions from Barclays and the Philipps as well as from UK Finance, representing the banking industry, and Which?, representing consumers.

This means that a defining decision on the circumstances in which a bank can be responsible for the consequences of online fraud is imminent.

For the time being, the Philipp decision, combined with Sekers, means that banks both north and south of the border cannot argue that no duty arises simply and solely because the fraud was not internal. Put another way, the duty can arise, and a bank can be in breach of its duty to its customer, even if the customer has been subject to an external APP fraud. It all comes down to the individual circumstances of the case. Whether or not a duty is engaged will be fact specific and will depend on a number of factors, including what happened in the particular case, and the prevailing banking practice at the relevant time.

Will this remain the position once Philipp has been heard in the Supreme Court? At present, it is extremely hard to say which way the Court will go. From a consumer perspective, it is to be hoped that the Supreme Court will follow the Court of Appeal, who cited with approval the policy reasons for this sort of duty on a bank, referencing the importance of the role of banks in preventing fraud. The bank in Philipp had argued that the duty the plaintiffs were (successfully) arguing for would be onerous and unworkable. The Court of Appeal, however, found that there was evidence to show that the duty of care would be neither unworkable, nor onerous in terms of banking practice. Among that evidence was the existence of at least one voluntary code of practice, which provided evidence of what was feasible for banks at the time.

The Contingent Reimbursement Model (CRM) and its efficacy for customers

The code of practice referred to was the 2019 Lending Standards Board Contingent Reimbursement Model Code, or CRM Code, which currently has nine firms and 21 UK banking brands as signatories.

The 3 overarching objectives of the CRM are to:

  1. reduce occurrences of authorized push payment fraud;
  2. protect customers from APP fraud by enabling reimbursement of fraud victims; and
  3. minimize disruption of legitimate payments.

The starting principle of the CRM is that member banks are to reimburse customers who have lost funds to APP scams, subject to a very limited set of circumstances where a bank is entitled to refuse reimbursement.

Although the CRM is a very positive and customer-focussed initiative which represented a significant step forward in protecting customers, its implementation and application have been patchy. A September 2021 report found that most reimbursement claims had been repudiated by the bank, yet when these cases were appealed to the Financial Ombudsman Service (FOS), 73 per cent of them between 2020 and 2021 were ruled in the customer’s favour. In the majority of the FOS decisions, CRM complaints were upheld because warnings issued from a bank were deemed to be too generic, not bringing to life what this type of scam looks like and ultimately not being an “effective warning”. In terms of the Code, for a warning to be effective, it must be impactful so as to “positively affect the customer decision-making in a manner whereby the likelihood of an APP scam succeeding is reduced”. The warning must also be specific, meaning that it is “tailored to the customer type and the APP scam risk”.

A government policy paper this year commented that “reimbursement to victims of APP scams remains inconsistent, with many victims continuing to suffer losses without reimbursement. This is in part because some firms have not made voluntary commitments to reimburse victims of APP scams, but also because even amongst firms who have made voluntary reimbursement commitments, there are disparities in how firms interpret their obligations”. In the light of this, the government intends to introduce legislative amendment as part of the upcoming Financial Services and Markets Bill to introduce mandatory reimbursement for APP scams which occur over Faster Payments, as well as other measures to improve fraud prevention.

What to do if you have been the victim of an APP fraud

Online fraud is on the rise. More and more individuals and businesses will be successfully targeted, particularly now that remote and home working seems to be here to stay. Whilst greater consumer protection and regulation in this area is awaited, this won’t necessarily help individuals and businesses who are being defrauded now.

If, as in the Sekers case, the numbers involved are large, litigation may be the best way forward. If the sums defrauded are lower, and it is more difficult to justify the cost of litigating, a claim under the CRM Model to your bank is likely to be the way forward.

If a claim in respect of an APP fraud to a bank is rejected, it is clear from recent and relevant FOS decisions that most of the time such rejections are reversed by the Ombudsman, who tends to rule in the customer’s favour. Claims such as this can be advanced without solicitors, but generally the success rate can be higher where there has been solicitor input in making the complaint.

If you have been the victim of an APP fraud, let us know. As a firm, we are constantly monitoring what is happening in this space, and are happy to help you from an informed perspective.

Cat MacLean is a partner at BTO LLP
