Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
International Desks
Helping you access overseas markets with support from our country and region-specific experts
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS United Kingdom
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Topics in focus View all
Insights by type
CMS Spotlight: join our events and webinars!
CMS News
Stay up to date with our growth, evolution and our many successes.
CMS Press Office
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
Legal Update

APP fraud: testing the boundaries for follow on claims against banks

06 May 2025 England and Wales 10 min read

Authorised Push Payment (“APP”) fraud occurs when a bank’s customer is tricked into making a payment to a fraudster. The latest published data from UK Finance confirms that APP fraud losses in the first half of 2024 were £213.7 million. This comprised £166.5 million of losses for individual (non-business) customers and £47.2 million of losses for business customers.

In 2019, various banks set up a voluntary reimbursement scheme for APP fraud losses. From 7 October 2024, a new mandatory reimbursement scheme in the UK provides for certain customers to recover APP fraud losses from banks and other payment service providers (“PSPs”). However, the reimbursement limit is £85,000, the qualifying customers exclude companies (being limited to consumers, micro-enterprises, or small charities), and international payment transfers are out of scope.

For a number of years now, customers who fall outside the reimbursement schemes have sought to recover losses via the courts against banks and PSPs. There  has been a steady flow of judgments where the boundaries for such claims have been tested. Typically, such claims have been put on the basis of an alleged breach by the bank or PSP of the so-called “Quincecare duty” (i.e. a duty imposed on the bank to refrain from executing a customer’s payment instruction when the bank is put on inquiry that the instruction may be an attempt to misappropriate the customer’s funds). The proper scope of the Quincecare duty was confirmed in the important 2023 Supreme Court decision in Philipp v Barclays Bank UK plc [2023] UKSC 25.

Two recent cases have further shaped the law in this area:

Retrieval duty

Santander UK plc v CCP Graduate School Ltd [2025] EWHC 667 (KB)

Background

  • Between 13 September 2016 and 12 October 2016, CCP gave instructions to its bank (NatWest) to make fifteen payments (in aggregate amounting to £415,909.67) from an account held with NatWest to an account held with Santander.
  • At the time the payment instructions were given, the account with Santander was under the control of a criminal gang and it was alleged that the criminal gang fraudulently induced CCP to make the payments.
  • CCP raised a fraud alert on 22 October 2016. However, by that time, most of the funds held in the Santander account had been dissipated and ultimately lost, and only £14,000 could be retrieved.
  • CCP brought claims against both banks. The claim against NatWest was held to be time-barred.
  • The claim against Santander was based on an alleged breach of a so-called “retrieval duty” i.e. it was said that Santander (as the receiving bank in the chain to whom the funds were transferred) owed a duty to CCP to take steps to retrieve the funds once Santander was on notice of the fraud. Such a duty had been recognised (in principle) as between a customer and its own bank by the Supreme Court in Philipp.
  • The Master at first instance had refused to strike out the “retrieval duty” claim against Santander, deciding that it was arguable and should proceed to trial. That decision was appealed by Santander.
  • On appeal, the court was asked whether, in circumstances where payments have been made into a bank account as a result of fraud, a tortious duty of retrieval can arise in relation to the receiving bank when the paying party (the victim of the fraud) is not a customer of that bank.

Decision

The court decided that no such “retrieval duty” arose in the circumstances of the CCP case and therefore it struck out CCP’s claim against Santander:

  1. On the facts of the CCP case, CCP’s claim was held to be fanciful. The money had been removed from the account before Santander was alerted to a possible fraud.
  2. In any event, Santander (as a “receiving bank”) could not be taken to have assumed any responsibility to CCP as a non-customer third party. The identification in Philipp of an arguable duty of retrieval was one that was owed by a bank to its own customer and it arose out of the contractual relationship between them. When the Supreme Court acknowledged the potential existence of such a duty they did no more than note that this might be a further facet of the bank's contractual obligation to properly ascertain and comply with its customer's instructions. There was no basis for the incremental development of an equivalent duty owed to a party with whom the bank had no contractual relationship. To imply such a duty would cross the line between the proper role of the courts and that of the legislator and regulator.

Therefore, as the law currently stands, if a customer wants to pursue a claim for breach of the so-called “retrieval duty” following an APP fraud, such claim will need to be asserted against the customer’s own bank rather than other banks/PSPs down the payment chain.

Derivative claim for breach of the Quincecare duty

Hamblin & Anor v Moorwand Ltd & Anor [2025] EWHC 817 (Ch)

Background

  • This case concerned a scenario where Mr & Mrs Hamblin had been duped into transferring £160,000 to an account in the name of a company set up by fraudsters (RND Global Ltd) held with a PSP (e-money institution) called Moorwand Limited. That money was then paid away from the RND account shortly afterwards leaving the Hamblins unable to recover it.
  • The challenge for the Hamblins was that they were not the customers of Moorwand (the fraudster company, RND, was).
  • To try to circumvent this issue, the Hamblins argued that they should be able to bring a “derivative claim” seeking to stand in the shoes of RND as the customer. This involved asserting (i) that the monies held in the account of RND were procured by fraud and therefore held on trust for the Hamblins and (ii) a beneficiary of a trust may bring a derivative claim in his or her own name with the permission of the court where the trustee commits a breach of trust or in other special circumstances.
  • The judge at first instance gave permission to the Hamblins to pursue the derivative claim on behalf of RND alleging a breach of the Quincecare duty against Moorwand. However, the judge dismissed the breach of the Quincecare duty claim on its merits.

Decision

  1. On appeal, the court overturned the decision of the judge at first instance and found that the derivative claim for breach of the Quincecare duty against Moorwand should succeed.
  2. The court found that Moorwand had been “put on inquiry” regarding a potential fraud:
    1. There were various issues with the account opening KYC and, once the account had been opened, the trading on the account was not consistent with that described on the opening of the account. This should have alerted Moorwand to RND being a potential vehicle for fraud.
    2. The person authorised to act for RND was a “Mr Stanfield”. However, the court found that there was a good deal of material available to Moorwand to suggest that the person in fact giving Moorwand instructions on behalf of RND was not Mr Stanfield. Instead, Mr Stanfield had himself been the victim of identity fraud and used by the fraudsters to set up RND.
    3. Moorwand should not have acted on instructions to pay away the £160,000 in the RND account without first satisfying itself that the payment instructions from “Mr Stanfield” were proper and not a fraud on RND.
  3. Moorwand was therefore required to restore the £160,000 to the account of RND. The Hamblins would then have a claim to such funds in the context of RND’s administration.

The Hamblin decision is interesting in (i) demonstrating how non-customers might be able to establish a “route in” to allege a breach of Quincecare duty claim against a bank/PSP by bringing a derivative claim on behalf of the fraudsters’ corporate vehicle (being the bank/PSP’s customer); and (ii) providing some examples of the types of “red flags” that might be sufficient to put a bank/PSP on inquiry of a potential fraud and trigger a breach of the Quincecare duty.

Commentary

With APP fraud remaining a significant problem in the UK and with affected customers falling outside the scope of the mandatory reimbursement scheme, customers are likely to continue to look for new and innovative ways to try to bring claims against banks and PSPs to try to recover funds lost to fraud.

Many of those attempts have been unsuccessful to date and the Santander decision confirms the narrow scope of the so-called “retrieval duty”. The Moorwand decision is a rare example of these types of claim succeeding. However, the Moorwand decision is unlikely to open the floodgates for successful new claims in this area. If future claims are brought on a derivative basis as in Moorwand we can anticipate that the right for claimants to bring such derivative claims will likely be subject to greater challenge (in Moorwand permission to bring the derivative claim was given at first instance and this was not challenged on appeal). Also, even where a derivative claim is brought, claims will still need to be assessed on their merits and the factual background in Moorwand was rather extreme in terms of the “red flags” that were missed that should have put the PSP on inquiry as to a potential fraud. 

More insights
Banking & Finance Financial Services Professionals Pension Professionals Financial Institutions Accountants & Actuaries Defendant Personal Injury Dispute Resolution

Explore more

Expert Guide International

CMS Expert Guide for taking security in England and Wales

25 min read
Publication United Kingdom

Security Action for Europe: legal architecture, implementation and private capital’s opening

23 Mar 2026 5 min read
Event United Kingdom

Cross-Border Financial Services 2026 webinar series

05 May 2026
Back to top Back to top
You will now find all Law-Now content on CMS.law
Explore more
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.