Reimbursing fraud victims: how has big tech financial services shifted the responsibility to banks?

The May 2023 Fraud Strategy states that the Government “will ensure victims of fraud are reimbursed and supported”. This will, in part, be achieved by “changing the law so that more victims of fraud will get their money back”.

The Government is under pressure to make tech giants compensate fraud victims and bear some of the losses, in addition to banks and building societies. Yet the Payments Systems Regulator (PSR) plans only to hold sending and receiving banks or building societies liable (in certain circumstances), as things stand.

The Online Safety Bill, which is making its way through Parliament and will soon become an Act, has provisions to make tech companies responsible for hosting scams and fraudulent content. This Government strategy only proposes reaching a voluntary agreement with the tech sector to tackle scams but does not mention any responsibility for helping compensate victims, only fines for tech companies who break the rules.

There is no current legislative or regulatory framework obliging the tech sector to support the prevention of these crimes, as there is for banks.

What can banks do?

Banks are asking for more to be done to prevent these scams, demanding further action from tech companies, social media and politicians. The banks have called for a victim reimbursement fund to be financed by all firms whose systems and platforms are used to perpetrate scams, including tech companies and banks. Barclays has reported that 88% of these scams, which cause victims to lose £1,000 on average, start on social media platforms.

Tech companies and banks operate under different regulatory frameworks, and their responsibilities regarding fraud reimbursement can vary. In some cases, when a customer experiences fraud while using a service provided by a tech company, the responsibility for reimbursement may fall on that company, especially if the fraud is linked to a specific product or feature they offer.

However, when a customer’s bank account is compromised, the responsibility typically lies with the bank to investigate and rectify the situation in some circumstances. Banks have established protocols and legal obligations to handle such situations.

On 2 July 2023, the Supreme Court handed down its decision in Fiona Philipp v Barclays Bank UK Plc. In what is a blow to consumers and a relief for banks, the Supreme Court has ruled in favour of Barclays, meaning victims of authorised push payment (APP) fraud cannot call on a long-established duty of care known as the ‘Quincecare’ duty to seek reimbursement of funds from their bank or other payment service provider (PSP).

Banks and PSPs will avoid the wave of APP fraud related litigation they had feared, but various developments outside of the courts could still provide some redress to victims of this type of fraud in the future. Read a detailed analysis of the judgment here.

Whilst the Phillips judgment offers some protection to banks, banks are still subject to a more regulated environment than tech companies; for example, banks owe a duty to protect their customers against the acts of customers’ dishonest agents. Banks should take reasonable steps to try to recall payments once the customer requests them to do so, and banks can be held liable if they are on notice of the potential scam/fraud. Tech companies are not subject to this same framework.

In cases where a tech company partners with a bank for financial services (e.g. through APIs or co-branded products), there may be specific agreements regarding fraud responsibility outlined in their partnership contracts. These agreements can dictate who is responsible for reimbursement in different scenarios.

How are tech companies regulated?

Tech companies, especially those venturing into financial services, face a different set of rules. They may not have started as financial institutions, and their entry into the financial sector introduces new challenges for regulators. As a result, there’s ongoing debate and evolving regulation to adapt to this changing landscape and address potential risks related to data privacy, cybersecurity, and fair competition.

The current review into different private-sector actors in the ‘fraud chain’ – the stages of the crime, from identifying a victim to securing victim’s assets, include digital platforms, the holding institution, receiving institution and phone networks all bearing the responsibility for compensation.

This would involve a joint approach whereby social media platforms work with telecoms, financial services and government to stop fraud at the outset – not just after the criminals have struck. That can only be done by the seamless sharing of data and information between sectors. Overall, responsibility for reimbursing victims of fraud depends on the specific circumstances, the nature of the fraud, and the contractual agreements in place between the tech company and the bank.

The Payment Systems Regulator (PSR) confirms new requirements for banks and payment companies that will ensure more people than ever before will get their money back if they are a victim of Authorised Push Payment (APP) fraud; prompting more action to prevent these frauds from happening in the first place. This significant new level of protection is a world first in the battle against APP fraud.

In October, the PSR will give the final legal instruments to Pay.UK and a further consultation on the legal instrument to be given to PSPs.

By the end of 2023, the PSR will publish the claim excess and maximum level of reimbursement, additional guidance on the customer standard of caution (gross negligence) and publication of all legal instruments.

If you are concerned you may be a victim of fraud, please contact Louise Abbott.