What is Authorised Push Payment (APP) fraud?
Authorised push payment (APP) fraud is a key challenge for modern banking. The Payment Systems Regulator characterises APP fraud as situations whereby individuals are deceived into approving payments that benefit a fraudster. The rapid development of faster and more seamless digital payment methods has contributed to the scale and persistence of the problem. UK Finance reports total fraud losses of £1.17 billion in 2024, with more than £450 million attributable to bank transfer scams alone.
Although reported APP cases declined by 20% over the past year due to improved detection tools and increased consumer awareness, this reduction should not be overstated. APP fraud continues to pose a systemic threat, affecting consumers, financial institutions and confidence in the wider payments infrastructure.
The underlying problem remains unchanged. Fraudsters continue to innovate more quickly than the legal and regulatory frameworks designed to counter them. Technology enables increasingly persuasive scams, while legislative and regulatory responses struggle to keep up.
Push versus pull
In APP fraud, funds are transferred following instruction from the customer. Even where that instruction is obtained through deception, the payment is nevertheless categorised in law as authorised. This stands in marked contrast to “pull” payment fraud, where a criminal initiates the transfer without the customer’s knowledge or consent. The distinction between payments initiated by customers and those initiated by fraudsters remains central to litigating these disputes.
This legal distinction has historically resulted in far more limited reimbursement options for victims of APP fraud. Unauthorised payments typically constitute an immediate breach of contract by the bank, triggering automatic refund obligations under the Payment Services Regulations 2017. By contrast, the formal authorisation of APP transfers means they do not engage the statutory protections available under that regime
The introduction of the Mandatory Reimbursement Model in October 2024 marked an important regulatory development, placing payment service providers under a statutory obligation to reimburse certain APP fraud losses. However, the regime does not extend to all transactions. High value payments exceeding £85,000, as well as transfers made outside Faster Payments and CHAPS, fall beyond its scope, leaving affected victims reliant on common law remedies.
The Quincecare duty
In disputes arising from APP, the scope of the Quincecare duty is of particular importance.
Under the Quincecare duty, a bank may be required to refrain from executing a payment instruction where there are clear and compelling indicators that the transaction is fraudulent.
The leading modern authority remains Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd [2017]. In that case, the court found Daiwa liable for continuing to process payment instructions in the face of numerous obvious indicators of fraud. From a claimant’s perspective, the decision demonstrates how the doctrine may provide a basis for challenge even where instructions were technically authorised. From the perspective of financial institutions, it underscores the litigation risk inherent in fact sensitive judgments about what ought reasonably to have been appreciated at the time, particularly when those judgments are later examined with the benefit of hindsight.
That position was significantly narrowed by the Supreme Court’s decision in Philipp v Barclays Bank UK plc [2023] UKSC 25. The Supreme Court declined to extend the Quincecare duty to circumstances in which a customer personally authorises the transfer, emphasising that any such development would raise questions of social policy more appropriately addressed by legislators or regulators. Following Philipp, the legal position is clear: the Quincecare duty does not provide a route to recovery for victims of APP fraud against their bank where the payment has been authorised by the customer.
What next?
While technological change has transformed the way people bank, the underlying banking model has evolved at a far slower pace. Fraudsters have exploited this gap, taking advantage of faster payment systems and predictable patterns of human error.
APP fraud has tested the limits of existing payments law, exposing gaps in traditional legal and contractual protections. The distinction between authorised and unauthorised payments, the narrow scope of common law remedies such as the Quincecare duty, and the impact of recent case law in clarifying where liability does and does not arise have all shaped outcomes for victims. At the same time, the Mandatory Reimbursement Model illustrates how regulatory intervention has started to alter those outcomes, while leaving unresolved gaps for certain categories of transactions. These developments point to a legal framework in transition, shaped by ongoing efforts from both courts and regulators to respond to evolving fraud risks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]