An Authorised Push Payment scam occurs when a person is convinced by a scammer to send a payment to a genuine account, when in reality they are actually sending a payment to the scammer.
An example might be an aptly named "romance scam": Mr Bloggs meets the person of his dreams on an online dating site. The person of his dreams is unfortunately a scammer. The scammer then persuades Mr Bloggs to send money to the scammer's bank account and over a series of months Mr Bloggs makes numerous payments. The scammer then disappears without a trace.
An APP scam is defined by the fact that, whilst the person making the payment has been tricked or deceived, they are still authorizing their bank to make the payment. The bank accurately makes the payment.
The victim of an APP scam can often feel embarrassed and unsure of what to do next. Unfortunately, the next steps are often complicated and fraught with stress. In this article, we will review the current system and the options available to APP scam victims.
Under law, banks are not liable to refund a consumer where they have consented to the payment. If the consumer has not authorised the payment, then the liability generally shifts to the bank. It is a commonly held belief that if a bank has failed to check that the account details provided by the victim matched an account in the name of the scammer, then the bank must be liable. However, this is highly unlikely to be the case.
In recent years, there has been a push for more protection for victims of APP scams. In 2016, consumer organisation, Which? submitted a "super-complaint" to the Payment Systems Regulator (PSR) claiming that victims did not receive sufficient protection from fraudsters.
PSR's response to this was simple: there was not sufficient evidence to justify a change in liability, but there was some evidence to suggest that banks needed to do more. The result of this was the Contingent Reimbursement Model (CRM) Code, which came into force on 28 May 2019. The Code is voluntary, and whilst most main high street banks have signed up, it is not universal.
The CRM Code was designed to provide more protection for a bank's customers and so it states that where a victim has taken sufficient steps to avoid the scam, they should have their money refunded. However, Which? have reported recently that banks are relying too heavily on fraud warnings, placing unreasonable expectations on victims and failing to properly assess vulnerability. Where a victim is to blame (and is not considered vulnerable), that victim is limited to a maximum 66% refund.
Under the Code, the bank should reimburse the victim of an APP scam unless:
- the victim ignored effective warnings given by their bank, by failing to take appropriate action in response to such a warning;
- the victim did not take appropriate actions following a clear negative Confirmation of Payee result;
- in all the circumstances at the time of the payment, in particular the characteristics of the victim and the complexity and sophistication of the APP scam, the victim made the payment without a reasonable basis for believing that:- the scammer was the person the victim was expecting to pay;- the payment was for genuine goods and services; and/ or- the scammer with whom they transacted was legitimate;
- where the victim is a micro-enterprise or charity, it did not follow its own internal procedures for approval of payments, and those procedures would have been effective in preventing the scam; or
- the victim was grossly negligent.
It is worth noting that in assessing whether a victim should be reimbursed or not, the bank should consider whether the bank's acts or omissions may have impeded the victim's ability to avoid falling victim to the scam, and whether the victim acted dishonestly or obstructively during the process of assessing reimbursement. Banks should also consider the victim's vulnerability.
As soon as a customer suspects an APP scam, they should contact the police's Action Fraud department to report the scam.
The next step should be to immediately contact the victim's bank. Most high street banks have a dedicated fraud contact line, which a victim can call. Once the customer has reached a representative of the bank, they should be aware that all calls will be recorded and we would recommend that the consumer has within reach a clear timeline of the scam.
In the initial call, the customer should inform the bank that they have sufficient evidence to believe the payment(s) may be an APP scam and that the bank should notify the receiving bank. Under the Code, banks should take reasonable steps to freeze the funds and refund the victim. On many occasions, the scammer will have acted quickly and the funds will not be available.
Most consumers wrongly assume that the battle is against the scammers. Instead, it is often a time-consuming battle against the victim's bank and/or the scammer's bank. The manner in which the rules and regulations operate means that victims will call their bank without realising that this initial call is the first opportunity for the bank to gather evidence that the victim has not met their requisite level of care under the Code. Victims must be aware of this.
From the date of the initial call, there is a timeline set out in the Code for banks to follow. Banks should make a decision whether or not to reimburse the victim within 15 business days. If the victim complains of the result of the decision, then the bank must resolve the complaint just as quickly. If the complaint is not successful or early consent is given by the bank, then the victim is allowed to submit a complaint to the Financial Ombudsman.
The Financial Ombudsman takes into account relevant industry guidance and codes of practice in place at the time of the scam, including a number of codes and standards that are not widely available for public viewing. The Financial Ombudsman should take into account the Code and it looks likely that they will do so on the basis of the wording of previous decisions. The Ombudsman is currently the best option to pursue.
Alternatively, victims might consider court proceedings. Seeking legal action is a risky strategy. The receiving bank is not likely to be liable unless they have acted in a manner that is dishonest or in bad faith; and the paying bank is not likely to be liable unless they have acted outside the scope of their instructions or internal procedures.
This area of law is a difficult one, mired in a mixture of best practice standards and voluntary codes. There are of course a number of cases that fall outside the Code and we would recommend that you seek legal advice as early on in the matter as possible to establish what rules and regulations will be relevant to you and how to best approach your bank.