OVERVIEW
Introduction
The recent case of Hamblin v Moorwand could be a game-changer for individual claimants who have been the victims of Authorised Push Payment fraud, provided that a company has been used to receive and pay away the victim's funds, which it often will. Claimants may be able to bring a claim on behalf of the fraudster's company, coupled with the Quincecare duty as it is now understood, to advance a debt claim against the bank which paid away the proceeds of the fraud.
Because it is a debt claim, rather than having to chase the stolen funds across the world, victims could simply require the company's bank to reconstitute the company's account without having to worry about issues such as causation of loss or mitigation. It should also bypass damages-based exclusion clauses, and plug the hole in the Mandatory Reimbursement Scheme in respect of foreign bank payments. But in future cases, obtaining permission to bring a derivative claim is likely to be hard-fought.
I consider below the recent legal developments which underpin such claims.
Two agency relationships
In Philipp v Barclays [2023] UKSC, the Supreme Court redefined the Quincecare duty as a facet of agency law. The typical factual scenarios usually involve two sets of agency relationships.
First, an agency relationship between a customer and their bank. When making a payment on behalf of a customer, the bank acts as agent on behalf of their customer as principal. The relationship is governed by contract. That is why the bank's principal duty is to process the payment instructions of its customer, in accordance with the mandate given by customer to bank. The bank has very little latitude in performing the obligation. But where the contract does not completely specify what the bank must do, it must act in the way that a reasonably skilful and careful banker would, for example in ascertaining and processing the customer's instructions.
Second, an agency relationship between a company director as agent and their company as principal, where the director owes the company fiduciary duties. A director can defraud their principal, for example by misappropriating company funds. In an APP context, they may have instructed the company's bank to pay away company funds to associates of the fraudulent director. The director as agent will therefore lack actual authority in giving such instructions, since the instructions will be a fraud on the company, as principal.
In the second scenario, the director's instructions may still bind a 3rd party (such as the company's bank), so long as the agent has apparent authority, and so long as the 3rd party is not on notice that the agent lacks actual authority. But if the bank has reasonable grounds for believing that a payment instruction given by an agent is an attempt to defraud their customer the company, and if the bank executes the instruction without making inquiries to verify to that the instruction has actually been authorised by the customer, then the bank is no longer protected by apparent authority principles. In debiting the company's account, the bank will therefore have exceeded its authority, which transaction will not bind the company. Importantly, the bank will therefore owe the debited sums as a debt.
The nature of retrieval duties
The first relationship above explains why paying bank might owe the victim a contractual duty to retrieve the APP funds. Conversely, a 'receiving' bank which has received the proceeds of fraud, does not owe that duty to the victim, which is not its customer.
In further detail, because the relationship between customer and banker is contractual, a customer's own bank might them owe a 'retrieval' duty, to attempt to get back the funds which the customer has instructed the bank to pay away. This was described by Lord Leggatt in Philipp v Barclays [2023] UKSC 25 at [118]. Where a customer informs their bank that they have been tricked into making a recent payment instruction, the customer is implicitly instructing their bank to help them recover those funds. If the contract does not expressly stipulate what the bank is to do, the bank probably has to act with reasonable care and skill in attempting to promptly recall the funds.
But the situation is different for a bank further along the payment chain which merely receives the proceeds of APP fraud. That is why the claimants in CCP Graduate v Natwest [2025] EWHC 667 failed to establish a retrieval duty against a receiving bank: Lord Leggatt's 'retrieval' duty is contractual, and there is no contract between a retrieving bank and the original victim. Nor were there grounds for finding a tortious duty from receiving bank to victim, in a case of pure economic loss without an assumption of responsibility.
Unjust enrichment
The fact that there is no contract between receiving bank and victim theoretically opens the way for claims such as unjust enrichment, which would be ousted by a contract. In Terna v Revolut [2024] EWHC 1419 (Comm), HHJ Matthews considered it arguable that in an APP fraud claim, the receiving bank has been unjustly enriched where it has merely credited its customer's account in a reversible manner, rather than irrevocably paid away the funds: an agent will only have been enriched if they have a legal excuse for ignoring an instruction from the principal as to payment elsewhere. Also, following the cryptocurrency trial in D'Aloia v Bitkub [2024] EWHC 2342 (Ch) a claim in knowing receipt is worth considering.
A debt claim against the bank
In Hamblin v Moorwand [2025] EWHC 817 (Ch), the Hamblins were induced by fraud to pay £160,000 to the fraudster's company, RND Global Ltd. RND held those funds in an electronic wallet with Moorwand, an electronic money institute. The fraudster in control of RND instructed Moorwand to pay RND's monies away. The use of a company to receive APP proceeds will be a relatively common scenario, which will make this case interesting to many others.
The Hamblins brought a derivative claim on behalf of RND, standing in the by-now insolvent company's shoes to sue Moorwand. The claim alleged that Moorwand had breached its mandate and also acted in breach of contractual duty to RND, when debiting RND's account.
When the fraudster in control of RND instructed Moorwand to pay RND's monies away, he acted as agent of RND. He was thereby misappropriating RND's funds. He would have had no actual authority to do so. On appeal, Marcus Smith J applied the agency principles from Philipp v Barclays, and decided that the fraudster had also lost apparent authority. There were red flags which had put Moorwand on notice of an attempt to defraud RND, such that Moorwand needed to ascertain whether the payment instructions given to Moorwand by RND's ostensible agent were actually authorised. Moorwand failed to do so, and instead made payment without verifying that the agent had actual authority, in breach of its mandate.
A claim for breach of mandate is a debt claim, which requires a bank to reconstitute the company's bank account. That gives a claimant significant advantages. It does not require them to prove causation of loss: the bank simply has to pay the debt. It does not require a claimant to have mitigated their losses. Late payment of the debt also gives rise to damages, so a victim can claim for the losses they have suffered as a result of being deprived of their funds. Such a claim will also, as in Hamblin, defeat damages-based exclusion clauses. And it means that there is an identifiable deep-pocketed defendant early on in the journey of any payment away. A debt claim would therefore be an extremely attractive route for victims of APP fraud, if it is available.
Claims on behalf of the fraudster's company
The main obstacle for claimants is that they require permission to bring a derivative claim on behalf of the fraudster's company. One aspect of permission will be whether they have standing to bring such a claim.
A derivative claim is an exception to the rule in Foss v Harbottle that only the company itself has standing to pursue the company's claim. It is a procedural device designed to prevent a wrong going without a remedy, typically because wrongdoers are in control of the company. A longstanding basis for such a claim is that a fraud on the company has been committed and the wrongdoers are in control of the company. One can therefore see a theoretical application to an APP scenario, where the fraudster in control has defrauded the company, and will never bring a claim on its behalf against the bank. In practice, things are more complicated.
Statutory derivative claims can usually only be brought by shareholders of the company: see Part 11 of the Companies Act 2006. That is not, however, a closed category at common law: McGuaghey v Universities Superannuation Scheme [2022] EWHC 1233 (Ch) at [21]. Permission might be sought on the broader basis described by Briggs J (as he then was) in Fort Gilkicker [2013] EWHC 348 (Ch):
24. It is not I think particularly surprising that the court has, where necessary, been prepared to permit derivative claims to be brought on behalf of companies in wrongdoer control by persons other than their immediate shareholders without regarding those cases as special, and in particular without thinking it necessary to distinguish between "ordinary" and "multiple" derivative actions. Once it is recognised that the derivative action is merely a procedural device designed to prevent a wrong going without a remedy (see Nurcombe v Nurcombe [1985] 1 WLR 370 at 376A) then it is unsurprising to find the court extending locus standi to members of the wronged company's holding company, where the holding company is itself in the same wrongdoer control. The would-be claimant is not exercising some right inherent in its membership, but availing itself of the court's readiness to permit someone with a sufficient interest to sue as the company's representative claimant, for the benefit of all its stakeholders.
51. [...]the locus standi given to the member of the intermediate entity is not an aspect of that person's rights as a member, but simply the consequence of the law's search for a suitably interested representative, or champion, of the wronged company.
In Gilkicker, however, Briggs was J allowing members of a holding company to bring derivative proceedings on behalf of its subsidiary (the 'multiple derivative' claim). So APP victims with no membership connection to the fraudster's company would probably need to break new legal ground if taking this route as the company's 'champion': see Boston Trust v Szerelmey [2020] EWHC 1136 (Ch) at [71], where Deputy Judge Stephen Houseman QC considered that Gilkicker did not extend the ambit of standing at common law beyond "ownership of the relevant shares".
If this route is viable, it will be particularly attractive for APP victims who paid foreign fraudsters, since the Mandatory Reimbursement Scheme only covers CHAPS and Faster Payments made to UK bank accounts. In respect of foreign companies, the procedure for bringing a common law derivative claim is set out in CPR 19.17: see Desmarais v Misbourne [2025] EWHC 813 (Comm).
A derivative claim will be for the benefit the company and its creditors. In many situations that dilutes the appeal of bringing such a claim. But in an APP scenario, there may not be that many creditors if the company has only been set up for the purposes of perpetrating a single fraud. Even if the company has been used for multiple frauds, using the above claim structure there may well be multiple recoveries against the company's bankers such that the creditors in the insolvency could be made whole. In any case, if a successful claim is brought, it will make little difference to the bank that it is paying an insolvent company. That may well encourage banks to the negotiating table early on.
But even if a derivative claim does not work in future cases, there is an alternative and perhaps more relevant route: because the fraudster's company is probably insolvent, fraud victims could have the company's claim assigned to them by the liquidator.
Conclusion
Permission has been sought to appeal Hamblin. But for the time being, there might now be a viable route to remedies for APP fraud victims who do not fall within a redress scheme.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
