APP fraud reimbursement: how the sun has set on common law claims

Authorised push payment (“APP”) frauds involve a victim being dishonestly persuaded to make payments to accounts controlled by a fraudster. It has, historically, been difficult for APP fraud victims to obtain reimbursement from financial institutions, but that has changed in recent years because of the effect of voluntary and mandatory regulation. Still, there have been several recent decisions on attempts by claimants to obtain APP fraud reimbursement using the common law. The result of these decisions is that a claimant is unlikely to have a common law remedy unless they have an unjust enrichment claim or their payment instruction was made via an agent.

Historically, victims of APP frauds have found it more difficult to obtain reimbursement than victims of unauthorised payment frauds. In contrast to APP frauds, unauthorised or “pull payment” frauds involve criminals extracting money from accounts without the account holder’s direct involvement. Victims of unauthorised payment frauds have normally been reimbursed by their financial institutions because unauthorised debits are generally a breach of mandate and, more recently, reimbursement has been required by the Payment Services Regulations 2017.

In the past, APP fraud victims have not typically been reimbursed because they authorised the payments out of their own account. Since 2019, however, the financial institutions which signed up to the voluntary Contingent Reimbursement Model Code agreed to reimburse customers who met the code’s conditions. The introduction of the Mandatory Reimbursement Model in October 2024 now means that, subject to the scheme’s conditions, payment services providers are required to reimburse in-scope payments.

But APP fraud victims may still have reason to bring claims under the common law, particularly where payments are out of scope of the regulatory protection (for example, if they are worth more than £85,000 or not made with Faster Payments or CHAPS).

The UK Supreme Court has largely closed the door on common law claims by APP fraud victims against their own financial institutions. In Philipp v Barclays [2023] UKSC 25 the Supreme Court considered cases where banks were said to have a “Quincecare duty” not to act on a customer’s instructions because of suspected fraud. The court held that the duty had no application where an individual customer gave an unambiguous instruction to their bank to make a payment from their own account.

The true rationale for the “Quincecare duty” was, instead, that an agent acting on behalf of a bank’s customer only had authority to act honestly in pursuit of the interests of the customer. Where the customer was a corporate, this meant that a director who was making payment instructions to defraud the customer had no actual authority to do so. If a bank had reasonable grounds for suspecting that the instructions were fraudulent, and failed to make inquiries, then the bank could not rely on the director’s apparent authority and would be liable to reimburse the customer.

Recent decisions have ruled out the possibility of contractual or tortious claims against financial institutions that receive funds. Before Philipp, the Privy Council in JP SPC 4 v RBS [2022] UKPC 18 had already confirmed that the “Quincecare duty” cannot be owed to a third party who had an indirect interest in funds in a customer’s account. In Larsson v Revolut [2024] EWHC 1287 (Ch) the High Court relied on JP SPC 4 to strike out a claim that the recipient financial institution owed contractual or tortious duties to a person who had been duped into transferring the funds to an account held with it. In Santander v CCP [2025] EWHC 667 (KB) the court also struck out a claim that a recipient bank owed the transferor a duty to try to retrieve funds which had subsequently been paid away to third parties.

But an APP fraud victim might have an unjust enrichment claim against a recipient financial institution which has not paid the funds away without notice of the claim. In Terna v Revolut [2024] EWHC 1419 (Comm) the High Court held that a recipient financial institution will have been “enriched at the expense of” the fraud victim, notwithstanding that (from the financial institution’s perspective) the incoming funds would have been immediately offset by a liability to its customer (the fraudster). Although counterintuitive, the decision was based on well-established authority that, to defend an unjust enrichment claim, an agent must have actually paid (not just credited) its principal without notice of the claim. 

As well as the possibility of an unjust enrichment claim, the court in Larsson did leave open the possibility that a financial institution might arguably be liable for dishonestly assisting a fraudster’s breach of a constructive trust in the stolen funds. In practice, however, such a claim would be much more difficult than an unjust enrichment claim because of the need to establish dishonesty rather than just notice of the claim. 

One claimant has also managed to bring a successful derivative claim against the recipient financial institution. In Hamblin v Moorwand [2025] EWHC 817 (Ch) a fraud victim brought a derivative claim on behalf of the company which received the stolen funds. The company was set up by the fraudster using the stolen identity of a real individual who was innocent of the fraud. It was subsequently put into administration. 

The claimant used the derivative claim procedure to bring a “Quincecare duty” claim against the recipient financial institution on behalf of the company (its customer). The court held that the financial institution had been on notice of the fraud and was, therefore, liable to reimburse its customer.

The claim was originally heard by a Circuit Judge and appealed to a High Court Judge, but there was no appeal of the decision giving permission to pursue a derivative claim. It is not easy to see how the apparent facts of the case fit within the derivative claim procedure. It is likely to be difficult to obtain permission to continue a similar derivative claim in circumstances where: the claimant was not a shareholder of the company, the wrongdoers did not have control of the company at the relevant time, and the company was in an insolvency process. 

Ben Ball, Managing Associate (Knowledge) in London

The views and opinions expressed in this paper are the personal opinions of the authors and do not necessarily represent the views and opinions of Linklaters LLP.