Payment Scams, Authorised Push Payment Fraud and Gibraltar’s Regulatory Framework.
Gibraltar, despite its small size, remains a target for fraudsters who are constantly evolving their methods to exploit individuals and businesses. It is not uncommon for businesses and individuals alike to receive notifications from local banks about scam callers, and in July 2024 the Royal Gibraltar Police reported that scammers had defrauded local businesses of approximately £1.7 million, with one company losing up to £1 million through a telephone scam.
Traditionally, these telephone scams take the form of fraudsters deceiving customers into providing access to their online banking accounts under the pretence that the calls are legitimate. Often, we hear of persons divulging security information such as One-Time Passwords (“OTPs”), which can then be used by scammers to make unauthorised payments without the victims’ knowledge.
Recently, however, we have seen fraudsters start to adapt their tactics as consumers’ knowledge of these traditional forms of fraud has increased and suspicions have risen. A growing concern in this regard has been the rise of Authorised Push Payment (“APP”) Fraud.
What is APP Fraud?
Unlike the traditional telephone scams, APP Fraud occurs where individuals or businesses are manipulated into authorising the transfer of funds from their bank accounts to the accounts of fraudsters. This type of fraud encompasses various tactics employed by criminals to deceive victims into believing that the beneficiary account is safe. Examples include invoice scams, where a fraudster sends a fake invoice posing as a legitimate supplier or service provider, and investment scams, where victims are convinced to pay for fake investments promising high returns. This differs from the traditional frauds to which persons are now accustomed, where fraudsters cold call purporting to be members of banks and where stolen credentials or OTPs, obtained by deceit, are used to make unauthorised payments.
Why is APP Fraud a legal concern?
Whilst seemingly negligible, the distinction between APP Fraud and the traditional frauds has significant legal implications for consumers in Gibraltar. Under the Financial Services (Payment Services) Regulations 2020 (“PSR Regulations”), payment service providers are only required to reimburse consumers for “unauthorised” payments. As APP Fraud involves a victim voluntarily making the payment, albeit under false pretences, the transactions do not fall within the scope of the PSR Regulations. As a result, victims of APP Fraud in Gibraltar are not guaranteed reimbursement by payment.
The position on APP Fraud in Gibraltar has to be contrasted with that of the United Kingdom, where the Mandatory Reimbursement Regime (“MRR”) was introduced in October 2024, ensuring that victims of APP Fraud are reimbursed by payment service providers, provided that they meet certain criteria, such as executing payments through the Faster Payment Service. In Gibraltar, however, no equivalent regime presently exists and, accordingly, payment service providers are not legally obligated to reimburse victims of APP Fraud.
Challenges with Reimbursement in unauthorised payments:
It is important for victims of traditional frauds, where payments have been unauthorised, to note that they may not be entitled to reimbursement. In this regard, it is important that the positions of ‘consumers’ and non-consumers (often businesses) are distinguished.
In the case of consumers, the PSR Regulations allow payment providers to refuse reimbursement if the victim’s actions demonstrate gross negligence. This is assessed on a case-by-case basis. However, as the Gibraltar Financial Services Commission is unable to act as an arbitrator and as there is no financial services Ombudsman in Gibraltar, any such cases or disputes arising therefrom must be settled in Court. Legal claims are often expensive and will in very many cases exceed the value of the claim, making challenges unviable.
For non-consumers, such as businesses, the PSR Regulations expressly permit banks to contract out of the provisions requiring immediate repayment in instances of unauthorised payments, and banks often exercise this right.
It is accordingly of vital importance that businesses train their staff and implement rigid internal policies to ensure that they do not fall victim to such frauds. Examples of effective preventative techniques include performing call-backs to check banking details when paying invoices online and following the banks’ repeated guidance on prevention.
What should victims of APP and Traditional Fraud Do?
For those affected by APP Fraud, prompt action is crucial. The first step should be to notify both the paying and receiving banks (where known) immediately. Since the fraudster’s identity is often unknown, targeting the banks involved can often be an effective strategy.
Previously, there was some uncertainty as to whether victims of APP Fraud could rely on breaches of the common law ‘Quincecare duty’ to recover these monies. Under this duty, banks owe their customers a duty to act with reasonable care and skill when executing orders. In the context of fraud, this meant that banks had a duty to detect and prevent transactions which were known or suspected to be fraudulent. Where the bank is on inquiry that an order is an attempt to misappropriate funds, it is the banker’s duty to refrain from executing that order.
This uncertainty was however put to bed in 2023, when the Supreme Court of England and Wales confirmed in the decision of Phillip v Barclays that it did not so apply in instances of APP Fraud because the customer in these instances had authorised and instructed the Bank to make the payment.
Victims of APP Fraud accordingly have little available to them in terms of legal recourse to recover these monies. That said, even in circumstances where there is no direct claim against the bank, Regulation 64(2) of the PSR Regulations imposes an obligation on banks to make reasonable efforts to recover funds involved in fraudulent transactions. This regulation can be used to press the receiving bank to assist in recovering misappropriated funds, even if it is not directly liable for the loss.
It is accordingly of vital importance that victims of fraud, be it the traditional form through unauthorised payments or APP Fraud, act quickly, document all relevant details and seek legal advice early in order to navigate these complex legal issues and maximise their chances of recovering these monies.