Out-Law / Your Daily Need-To-Know

CoP could have stopped payment mistake, but not all APP fraud

Out-Law Analysis | 27 Mar 2019 | 12:25 pm | 3 min. read

ANALYSIS: A ruling by Europe's highest court has found that neither of the two banks involved was liable when a payment was sent to the wrong account. New UK procedures would have been likely to have prevented this mistake, but might still fail to prevent all fraud.

Mistaken and fraudulent payments cost UK individuals and businesses £236 million in 2017. The growth of user-friendly mobile payment applications and remote banking has been accompanied by an explosion of fraud in this area, called Authorised Push Payment (APP) fraud. In response the Payment Service Regulator consulted on the introduction of a 'Confirmation of Payee' (CoP) mechanism requiring banks to check that the name and identification numbers of accounts match before sending payments.

The best case scenario for banks and payment services providers (PSPs) is that the CoP mechanism significantly reduces APP fraud and mistaken payments. The worst case is that its impact is minimal, and regulators seek to place more of the preventative burden on PSPs.

The Court of Justice of the European Union (ECJ) has ruled in an Italian dispute between a company expecting a payment, Tecnoservice, and its bank, Poste Italiane. A company tried to pay Tecnoservice but provided the wrong IBAN, the account identifying number. The money was sent to the wrong account.

Tecnoservice claimed that its bank, Poste Italiane, was responsible because it failed to check whether the IBAN and name of account matched. The bank argued that it was not required to make further checks and that it transferred the money to the account with the IBAN it was provided.

The second Payment Services Directive (PSD2) says that if the unique identifier provided is incorrect "the payment service provider shall not be liable…for non-execution or defective execution of the payment transaction".

The Italian court asked the CJEU to clarify whether 'payment service provider' referred only to the bank of the person making the payment, or whether it could also refer to the bank of the person receiving the payment.

The CJEU said that the rule applied to both banks, meaning that neither was liable for the failure to double check whether the IBAN and name matched.

This situation leaves those paying and those being paid without protection against errors, which is the issue that the CoP mechanism seeks to solve.

A CoP mechanism could have prevented a dispute like the Tecnoservice one from arising. The person making the payment would have realised, upon prompting by Poste Italiane, that the name and IBAN in its instructions did not match, and would have corrected the mistake.

This means that CoP would be effective in correcting mistakes, but it does not mean that it would catch every instance of APP fraud. Catching that depends on the manner in which a company being paid is warned of the discrepancy by its bank.

Under CoP a bank receiving a payment must either tell a payer that all the details match; tell them that there is a small discrepancy or warn the payer that the account name which they have provided does not match the real name associated with the account number.

If the bank incorrectly takes the first action, telling a payer that the details provided match, it surely ought to be liable for any loss. But if the bank issues one of the two warnings and the payer still makes the payment it is not clear where liability lies.

The PSP has given the payer an opportunity to amend a mistake or spot a fraud. But the policy reason behind CoP is to re-allocate fraud risk to PSPs who are much better equipped than ordinary consumers to counter it. Should the payee PSP avoid its responsibilities simply because the payer is deceived twice, rather than just once?

Banks have a general duty of care to clients. Unlike asset managers, banks and PSPs are not custodians of their client's assets, there is simply a debt relationship. In English law, the one exception to this rule is the 'Quincecare' duty, which means that a bank can be liable for payments out of an account where it is aware, or ought to be aware, that the payments are fraudulent.

There seems to be no reason, in principle, why a payee PSP could not be subject to a similar duty. It may, for example, have been put on enquiry by a payee's 'know your customer' and anti-money laundering disclosures. Perhaps even more suspicious could be a stream of payments sent to one account number but containing a different name in every payment instruction. The extent to which a payee PSP can satisfy such a duty may depend on the rigour of its CoP process.

Andrew Barber is a financial services regulation expert at Pinsent Masons, the law firm behind Out-law.com