UK payments providers could face extended fraud liability

Credit card being hooked

Share this post

The Supreme Court ruling on Philipps v Barclays case was welcome news for compliance teams at payments companies, however extended fraud liability is not completely off the table.

A Supreme Court ruling in the UK was welcome news for financial institutions as it clarified the boundaries of their fraud liability on consumer payments. However, the ruling may not be the last of it, according to market participants.

The case, Philipp v Barclays, was brought before the Supreme Court in July, who ruled on the side of Barclays. Philipp was suing Barclays as she was the victim of an authorised push payment (APP) fraud – a sophisticated fraud where the victim is tricked into thinking they are sending money to a genuine payee) – and was not refunded by Barclays because she had authorised the payment.

Had the court ruled in favour of Philipp, it would have set a legal precedent on a wider liability of banks on consumer fraud and opened up the way for a wave of copycat lawsuits for payments firms across the country.

“Compliance teams at banks are sighing with relief while the consumer is left with yet more uncertainly over how they can recover funds which are lost as a result of a sophisticated fraud,” says Stephen Ross, partners at law firm Withers.

The case was closely watched by many in the legal community due to the prevalence of APP fraud on consumers and the flood of litigation which could have followed, impacting most payments providers in the country.

While it will have been a relief for payments providers, commentators do not expect this to be the last that’s heard on the liability of payments providers in the UK on this kind of fraud.

“The Supreme Court’s judgment recognises the growing social problem of APP fraud, but emphasises that whether victims of such frauds should bear the loss themselves or whether losses should be redistributed to banks, is a question of social policy for regulators, government and ultimately for Parliament to consider,” says Chris Bushell, partner at Herbert Smith Freehills.

For Bushell, this issue is likely to be brought under the regulatory and legislative microscope and so payments providers may still have to work in an environment with this extended liability.

“The government is currently considering what reforms are necessary to the Payment Services Regulations in order to better address APP fraud,” he says. “In the view of the Supreme Court, it is not the role of the courts to develop the common law to impose new obligations on payment service providers in this area.”

For consumers who have fallen victim to APP fraud, the ruling will have been disappointing.

“Clearly the onus is on customers to ensure that their payment instructions are appropriate and bona fide, where they have been tricked by APP fraudsters they are left in a difficult place.” says James Levy, partner at Ashurst.

“Consolation may be taken from the fact that the Payment Systems Regulator (PSR) has indicated it plans to introduce mandatory reimbursement for victims of domestic APP fraud next year.”

The court ruling is counter to the proposed duty by the PSR, which looks to make banks liable where customers have been defrauded unless there is clear evidence of gross negligence by the payee.

Tony Craddock, founder and director general at The Payments Association, says: “It will be interesting to see if this ruling affects the position of the PSR with its proposed policies setting out to reduce APP fraud.

“For the PSR to enforce a requirement of banks and account providers to reimburse consumers when even the courts think that would not be required would be interesting, for sure.”

Legal details

At the heart of the case, was a question of how far a concept called the ‘Quincecare duty’ stretched.

As a legal precedent, the duty has so far been fairly vague, stating that banks owe fiduciary duties to its customers and therefore, it’s an implied term of the contract between the bank and the customer that the bank would observe reasonable skill and care when executing the customer’s instructions.

The court was therefore deciding whether Barclays was liable because it had not checked the validity of both sides of the transaction when it was authorised by Philipp. The key question for legal teams was when this duty arises.

“The Supreme Court has confirmed that the Quincecare duty does not apply where an individual customer directly instructs their bank to make a payment which is subsequently found to be prompted by fraud,” says Levy.

“This means that the ambit of the Quincecare duty is limited to circumstances where the fraudulent payment instruction is given by an agent of the bank’s customer.”

Had the court ruled the other way, it had the potential to dramatically extend this Quincecare duty of care so that it is not limited to payment processes where an agent is involved (i.e. not just corporate transactions), but extend it to consumer payments as well. This has been at the centre of a number of cases around payments and fraud.

The court also clarified more details of the duty.

The Supreme Court has rejected the suggestion that the Quincecare duty is some special or idiosyncratic rule of law, which operates in tension or conflict with a bank’s primary obligation to make a payment when instructed to do so by its customer.

Instead, the court clarified it relates solely to the validity of a customer’s payment instruction so the bank only has a duty to check the order if the content or validity is unclear.

“In other words, where a bank receives a valid payment order which is clear and leaves no room for interpretation or choice, the bank must execute the order,” says Bushell.

However, as legal experts have made clear, this could change with upcoming regulation or legislative review.

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Sign in or become a member to access this content

Gain Insider Knowledge

Become a member of The Payments Association today

Join The Payments Association and unlock a world of benefits:

  • Up to 25 introductions per year
  • Exclusive member content
  • Access member-only events, as well as free passes to headline events
  • Influence and shape the industry & policy agenda
  • Elevate your brand profile
  • Access an all-year round networking app

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?