Payment Scams and Fraud – to what extent is a bank responsible?

Payment scams and fraud are now a regular concern for consumers and small businesses, who often feel that their bank could and should have done more to prevent what are often substantial amounts of money being extracted from them by fraudsters. We regularly advise businesses facing such difficulties on the extent to which they have legal recourse against their bank.

 

There are a number of types of law to consider in this area. In terms of regulatory provisions, a bank’s general obligations are governed by the Payment Services Regulations 2009 (“PSR 2009”). There are some provisions in the PSR 2009 which provide protection, for example, a requirement for a payer to have given consent to a transaction. This may be helpful in circumstances where there are concerns about whether a payment was correctly authorised and authenticated.

 

Where a payment has been correctly authorised (so far as the bank’s systems are concerned) the bank still has a duty under the PSR 2009 to make reasonable efforts to recover the funds. This is relevant where a bank has been notified promptly of a fraudulent payment, but has failed to take reasonable internal action to attempt to recover the funds.

 

The contractual terms between the bank and customer will also require consideration to identify what has been agreed, contractually, in circumstances of fraudulent payments. Consideration is also required of the bank mandate and on-line banking systems to identify whether a specific payment has been “authorised” or not.

 

If it can be established that a payment has not been made in accordance with your bank mandate, or is in any other way “unauthorised”, the bank may be responsible for returning any monies incorrectly paid out.

 

In circumstances where the contractual or regulatory provisions do not provide protection, a bank may still be liable under the common law, by way of negligence. Whether or not any negligence can be established will be heavily dependent on the factual circumstances of each case as it will be necessary to prove both that the bank was under a duty of care towards the customer and that the duty was breached.

 

This area of law is currently not well developed and, in general, the Courts are reluctant to impose extensive common law duties of care on banks. We consider, however, that there are some basic duties on a bank under the common law, in the context of payment services, which can be relied upon to establish negligence, dependent on the factual circumstances. For example, a bank must be under a general duty not to facilitate fraud and therefore, where it can be shown that a bank had (or ought to have had) reasonable grounds to suspect that a payment was fraudulent at the time of making the payment, a claim may be viable, even if the specific payment had the appearance of an authorised payment.

 

A particular problem is that the nature of payment scams and fraud is constantly changing, meaning that the way in which banks can and should react will depend on the factual circumstances in each case. We have seen examples of the following situations:

 

  • Malware Attack: where a third party breaches either a bank’s or a customer’s computer security by placing a virus on the victim’s computer or computer system to harvest security codes and passwords, allowing the third party to take payments from the customer account. Considerations in this type of case include whether the client met the bank’s anti-malware security standards, whether the bank knew of the nature and possibility of the attack, and whether the bank had given adequate customer warnings (particularly where the attack is carried out by a replication of bank log-in screens); and

 

  • Whaling: where a third party purports to be an authority figure within a business, using that person’s email first to identify an individual within the business with bank mandate authority and then to request that that individual make an urgent payment or payments on their behalf from the business’s accounts.

 

As soon as any fraudulent payment is identified, the first step is to contact your bank on an urgent basis to ask for the payment to be stopped and, if possible, traced. In circumstances where the payment is not recovered and a business or consumer considers that their bank is, or may be, at fault, there are a number of methods to pursue such an issue. We can advise on all potential routes for redress, including internal complaints procedures, the Financial Ombudsman Service (subject to eligibility), Alternative Dispute Resolution, and litigation.
