LAW GEMS

Unlocking legal insights from national and international Courts.



Authorised Push Payment (APP) Fraud in the UK: Reimbursement Rules for Banks, Crypto Wallets, and Fintech

Introduction

Authorised Push Payment (APP) fraud remains a major financial threat in the UK, with victims—often individuals or SMEs—tricked into authorising payments to fraudsters under false pretences. The legal challenge: when the victim initiates the payment, is their bank or any other payment provider liable?

Between 2023 and 2025, a series of UK cases clarified the limits of legal liability for banks and fintechs in these frauds. This blog begins with the most impactful decision in favour of fraud victims—Hamblin v Moorwand—and works backwards through major case law that has largely restricted recovery avenues, ending with the Supreme Court’s Philipp v Barclays, the cornerstone of the current approach.

Each case is unpacked with its legal principles and contextual importance, especially with regard to crypto exposure, EMIs, banking contracts, and judicial restraint.


Case 1: Hamblin v Moorwand Ltd [2025] EWHC 817 (Ch)

Background & Significance

This rare win for fraud victims involved not a traditional bank, but Moorwand Ltd, a regulated Electronic Money Institution (EMI) operating crypto and fiat payment wallets. The fraudsters controlled RND Global Ltd, which opened a payment account with Moorwand and used it to move substantial sums collected from victims through transactions framed as participation in cutting-edge bitcoin-backed fintech portfolios.

Legal Principles Applied

  • Quincecare Duty (Post-Philipp): Still applies when the payment instruction is given by an agent without actual authority: the duty was engaged because Moorwand had reasons to question whether RND’s controller was acting on its behalf or for improper purposes, particularly given the high-risk profile of the account.
  • Derivative Claim Permitted: The claim was allowed to proceed because RND was under the control of the fraudsters and in administration, meaning no independent board could authorise legal action, justifying shareholder intervention.
  • Mandate Rule: Moorwand could not rely on apparent authority or contractual clauses to avoid responsibility where fraud was obvious: the red flags, such as mismatched documentation, crypto trading, and luxury transactions, triggered a duty to inquire.
  • Exclusion Clauses: Clauses barring “damages” did not exclude restitutionary remedies like account reinstatement: the contractual exclusion could not be used to nullify Moorwand’s primary duty to restore misappropriated funds, and the remedy pursued was not barred by contract.

Outcome

  • The High Court held that Moorwand breached the Quincecare duty by failing to halt suspicious transactions and take reasonable steps to verify the legitimacy of the instructions.
  • The judge criticised Moorwand’s inadequate onboarding and monitoring, stating that the documentation and payment activity were plainly inconsistent with RND’s stated business model.
  • The court ordered Moorwand to reinstate £160,000 to RND’s account as a restitutionary remedy.

Case 2: Larsson v Revolut Ltd [2024] EWHC 1287 (Ch)

Background & Significance

Mr. Larsson transferred over £410,000 to Revolut accounts he believed he controlled, as part of a scam involving fake investment schemes. In reality, the accounts were held by third parties. Larsson sued Revolut, a digital wallet and payment provider, for breach of duty in allowing the misuse of his name and the rapid transfer of funds.

Legal Principles Applied

  • No Contractual or Tort Duty Owed: As the payor, Larsson had no relationship with Revolut in respect of the recipient accounts: without contractual privity or a special relationship, no duty could arise.
  • No Assumption of Responsibility: The High Court found Revolut did not owe a general duty to verify whether the name matched the account: banking norms in international payments don’t require this level of identity confirmation.
  • Dishonest Assistance: The only claim allowed to proceed, pending better pleadings, was that Revolut may have knowingly facilitated fraud (constructive trust theory): this hinges on proving knowledge or blind-eye conduct.

Outcome

  • Negligence and contract claims struck out.
  • Dishonest assistance claim allowed to proceed, subject to amendment.

Case 3: CCP Graduate School v NatWest & Santander [2024] EWHC 581 (KB) and Santander v CCP [2025] EWHC 667 (KB)

Background & Analysis

CCP transferred over £415,000 to a Santander account held by fraudsters. While the claim against NatWest (the sending bank) was struck out under Philipp, CCP argued that Santander, as the receiving bank, owed a duty to act after it was notified of the fraud. This was a test case for a “retrieval duty”, theorizing that once alerted, a bank should help stop further dissipation of funds or issue indemnities to downstream banks.

Legal Principles Applied

  • No Duty of Retrieval to Third Parties: Santander had no contractual or fiduciary relationship with CCP: without legal proximity, no tortious duty arose.
  • Judicial Limits Post-Philipp: The Court of Appeal ruled that extending a retrieval duty to non-customers was legally and practically unworkable: courts declined to create new legal obligations without clear precedent.
  • RBSI and Larsson Reinforced: No special control, assumption of responsibility, or proximity existed to support a tort claim: courts insisted on settled principles in bank liability.

Outcome

  • Appeal allowed: CCP’s claim against Santander was struck out in full.
  • The Court found that while Santander had been alerted to the fraud by another bank, this did not create a new legal duty. Santander’s contractual obligation was to its customer (the fraudster), and acting unilaterally against that customer’s mandate—without a freezing injunction or legal compulsion—could have placed it in breach.
  • The court reaffirmed that it is not the role of banks to investigate or reverse payments absent a legal basis to do so, nor of courts to impose new duties on payment providers to assist strangers.

Case 4: Philipp v Barclays Bank UK plc [2023] UKSC 25

Background & Significance

This Supreme Court decision is the foundational modern ruling on APP fraud. Mrs. Philipp authorised transfers totaling £700,000 under the illusion she was helping law enforcement prevent a cybercrime. Barclays executed her instructions. She argued that the bank had a duty to stop her, despite her clear authorisation.

Legal Principles Applied

  • Mandate Rule Upheld: A bank must follow unambiguous instructions from a customer: the duty to follow instructions outweighs the impulse to protect customers from deception.
  • Quincecare Duty Limited: Applies only where an agent, not the customer, is giving instructions: fraud on the principal by the principal herself does not invoke the Quincecare test.
  • Judicial Restraint: The Court emphasised that policy on APP fraud recovery should come from Parliament, not courts: judges declined to act as social legislators.
  • Retrieval Duty Discussed (obiter): A potential duty may exist for a customer’s own bank after notification of fraud, to attempt recalls: discussed hypothetically as a natural extension of contractual loyalty.

Outcome

  • Claim dismissed.
  • The Supreme Court refused to expand the Quincecare duty or invent a new one for APP fraud.

Synthesis: Principles and Their Interactions

1. Mandate Reigns Supreme

  • Once a customer provides clear instructions, banks must execute them.
  • Fraud does not void that mandate unless the payer lacked capacity or actual authority.

2. Quincecare Survives Narrowly

  • Still available in cases like Hamblin, where the instruction comes from an unauthorised agent.
  • Not applicable in Philipp or Larsson.

3. No Third-Party Retrieval Duty

  • Hinted in Philipp, but firmly rejected in Santander v CCP and limited in Larsson.
  • Requires contractual ties and customer instructions to activate.

4. Recipient Banks Owe No Duty to Payers

  • Banks like Revolut and Santander owe no duty of care to senders with whom they have no contractual link.
  • Confirmed in JP SPC 4, Larsson, and Santander v CCP.

5. Judicial Consistency with Regulatory Reform

  • Courts have consistently said: policy solutions (e.g., refunds) belong to Parliament.
  • The Financial Services and Markets Act 2023 introduces a reimbursement scheme (Oct 2024) for many APP frauds.

Implications for Stakeholders

For Financial Institutions

  • Duty of care remains circumscribed by strict contract principles and agency law.
  • Clear KYC protocols and fraud flags are essential for mitigating Quincecare liability, especially in EMI contexts.

For Legal Practitioners

  • Viable claims depend on agency misrepresentation or fiduciary breach.
  • Creative extensions of liability (retrieval, third-party torts) have been categorically dismissed.

For Victims of APP Fraud

  • Litigation routes are closing: success depends on very specific legal constructs.
  • The most effective avenue for redress is increasingly regulatory, not judicial.

Conclusion:

The UK courts have now drawn firm boundaries around APP fraud liability. Unless a fraudulent agent triggers the Quincecare duty—as in Hamblin v Moorwand—litigation is unlikely to succeed. Where payments are authorised by the customer, even under deception, as in Philipp, courts affirm that banks must follow the mandate.

Attempts to create new liabilities—such as a retrieval duty (Santander v CCP) or a duty by recipient platforms like crypto wallets and digital fintech apps (Larsson v Revolut)—have been consistently rejected. Courts have shown little willingness to extend liability in the absence of a contractual relationship or established duty of care.

For now, victims face a sharply limited path to legal recovery. Traditional banks remain protected by mandate compliance, and newer entrants like EMIs and fintech, while exposed to reputational risk, are also insulated by legal doctrine. Legal remedies exist only in narrowly defined scenarios involving agent misconduct or fiduciary breaches.

Cases:

Hamblin & Anor v Moorwand Ltd & Anor [2025] EWHC 817 (Ch) (04 April 2025)

Larsson v Revolut Ltd [2024] EWHC 1287 (Ch) (04 June 2024)

Santander UK PLC v CCP Graduate School Ltd [2025] EWHC 667 (KB) (25 March 2025)

Philipp (Respondent) v Barclays Bank UK PLC (Appellant) – UK Supreme Court
