Authorised Push Payment Fraud and the Scam-Safe Accord – are we doing enough to protect Australians from scammers?

What is Authorised Push Payment fraud?

Authorised push payment (APP) fraud occurs when an individual is manipulated into making a transaction to a fraudulent party posing as a genuine payee. Methods for obtaining personal data to access funds may include:

1. Impersonation;
2. Phishing;
3. recruitment scams;
4. extortion scams;
5. investment scams;
6. romance scams;
7. remote access scams; and
8. advance fee scams.

Last year, impersonation scams alone accounted for more than 70% of the 234,672 reports received by ScamWatch up to September 2023 contributing to consumer losses of over $92 million.

The case law position in Australia and the UK

The landmark case for establishing a bank’s fiduciary duty to its customers is Barclays Bank Plc v Quincecare Ltd¹. In its simplest form, the Court established that the relationship between the bank and its customer was that of agent and principal – and in conducting its duties under the relationship, there was an implied term of the contract between the bank and the customer that the bank would observe reasonable skill and care in execution of the customer’s payment instructions. By extension, however, there also exists a duty for the bank to refuse compliance with a customer’s payment instructions in circumstances where the bank is put on notice that the payment instruction may be fraudulent in nature. Expiration of this obligation only applies when the bank’s inquiries satisfy it that the instruction is validly authorised. The Quincecare duty has been the primary source of determining a bank’s obligation and exposure to liability in circumstance of fraud.

On 12 July 2023, the UK Supreme Court handed down its judgment in Philipp v Barclays Bank Plc² – in which the Court held that the Bank did not owe a duty to Mrs Philipp in respect of her own payment instructions. Significantly, the Supreme Court established that the Quincecare duty did not extend to APP fraud, in circumstances where a victim is induced by way of fraud to validly authorise their bank to conduct a payment to a bank account controlled by the fraudulent party. The Court held that the fundamental duty of a bank to make payments from the credited account in compliance with the customer’s instructions is strict – and “it is not for the bank to concern itself with the wisdom or risks of its payment decisions”.³ Ultimately, it was found that the Quincecare duty had no application in circumstances where an agent is not involved, and payment instructions are given to the bank by the customer directly and are validly authorised. The Court concluded:

1. Provided the instruction is clear and is given by the customer personally or by an agent acting with apparent authority, no inquiries are needed to clarify or verify what the bank must do. The bank’s duty is the execute the instruction and any refusal or failure to do so will prima facie be a breach of duty by the bank.⁴

The decision in Philipp provides some insight and removes a degree of ambiguity over the expected duties of a bank in conducting payment instructions. However, it remains unclear what banks are required to do to comply with these duties – particularly in the absence of legislative guidance. The flow on effects from Philipp will undoubtedly be considered in Australia’s banking industry, given the rising prevalence of APP fraud.

The UK position

Regulators in the United Kingdom have taken a relatively active approach toward mitigating the risks and subsequent consequences of APP fraud and other scam-related activity. The legislative framework has seen a substantial shift in recent years towards imposing greater accountability on banks for consumer scam losses.

In June 2023, the UK Payment Systems Regulator (PSR) announced a new reimbursement requirement for APP fraud within the UK’s Faster Payments system and the Financial Services and Markets Act 2023 came into effect.

The new reimbursement requirement requires reimbursement to all in-scope customers who fall victim to APP fraud, with costs shared 50:50 between the sending and receiving payment institutions. These reimbursement obligations are anticipated to come into force in Q1 2024.

Prior to these most recent reforms, the UK already had a voluntary re-imbursement framework. The Contingent Reimbursement Model (CRM) Code establishes standards for signatory Payment Service Providers and guidelines for reimbursing customers who are victims of scam activity. Particularly, the Code requires that banks and financial institutions are responsible for reimbursing customers, unless it can be demonstrated that the customer failed to adhere to recommended security protocols. By shifting the financial burden of scams from the consumer to the institutions, the CRM Code created a strong incentive for banks to invest in robust security measures and fraud prevention. The CRM Code also encouraged transparency and accountability within the industry – seeking a secure and resilient environment for individuals’ conducting financial transactions.

The UK position is undoubtedly onerous on the banks, and substantial weight has been placed on ensuring financial institutions remain accountable in safeguarding consumers. By placing mandatory reimbursement requirements on banks in circumstances of APP fraud, regulators are highlighting the increasing importance of ensuring that appropriate measures are in place to mitigate the risk of APP fraud and scam activity.

The Australian position

Anti-scam measures vary significantly across different sectors – and currently there is no overarching regulatory framework dedicated to establishing clear roles and responsibilities for the Federal Government, regulatory bodies, and the private sector. Despite this, the Federal Government has introduced a number of initiatives targeted at reduction of scam activity and financial impacts to consumers. In May 2023, the Federal Government provided the ACCC with substantial funding to establish the National Anti-Scam Centre – a coordinated government and law enforcement initiative targeted at improving intelligence sharing and raising public awareness in relation to scams.

Notwithstanding this increased investment, there are no specific requirements on banks to address scams. ASIC’s Report 761, released in April 2023, analysed the approach of the four major Australian banks in relation to scams strategies and governance – particularly with regard to their ability to prevent, disrupt and respond to scam activity. ASIC found bank customers to be the overwhelming bearer of scam losses, accounting for 96% of total scam losses across the banks. As a collective, the banks were found to have detected and stopped only 13% of scam payments made by customers – whilst reimbursement and compensation rates were particularly low at only 2 to 5%. The report made several key findings, in particular:

1. the overall approach to scams strategy and governance was highly variable, and overall less mature than ASIC had expected;
2. banks had inconsistent and narrow approaches to determining liability;
3. banks have gaps and inconsistencies in their ability to detect and stop scam payments; and
4. overall, a great deal of variability was evidenced in the steps being undertaken by the banks to help prevent customers from becoming victims of scam activity.

In November 2023, the Australian Banking Association (ABA) announced the launch of an industry-led ‘Scam-Safe Accord’. Imposing a number of anti-scam measures across the banking industry, the framework centres around the fundamental components of scam mitigation – being disruption, detection, and response. Among other things, member organisations under the ‘Accord’ will:

1. commit to investing $100 million to roll out a new confirmation of payee system across all Australian banks over 2024 and 2025;
2. introduce new and higher protections into their systems – including increased warnings and delays when conducting payment transactions; and
3. invest in a major expansion of intelligence sharing across the sector by joining the Australian Financial Crimes Exchange (AFCX).

Despite an increase in measures to combat scam activity, Australia’s position is still immature in its capacity to mitigate and address scams and APP fraud. Unlike the UK, Australian regulators have evidenced an unwillingness to impose mandatory reimbursement for customers who are victims of scam activity. There is no doubt that existing Federal Government measures and industry initiatives will have an impact on scam activity – however only time will show whether the gaps and weaknesses across the sector with regard to scam mitigation and response have been appropriately addressed.

¹ [1992] 4 All ER 363.

² [2023] UKSC 25

³ Ibid at [3].

⁴ Ibid at [100].