Civil Fraud Update Spring 2025

March 19, 2025

In this civil fraud update, we focus on key cases, developments and hot topics to help in-house counsel to stay up to date. Our updates tend to reflect the issues and concerns we see raised by clients most often, and this edition is no exception, with APP fraud and the law’s approach to digital assets being regular topics of conversation with our clients:

  1. APP fraud and the 'retrieval duty'
  2. ‘Half secret’ commissions and dishonesty
  3. APP fraud reimbursement cap
  4. Cryptocurrency exchanges’ liability for APP fraud
  5. Failure to prevent fraud

You can access more detailed briefings using the links; and if you would like further information on a topic then please contact us.

 

1. APP fraud and the ‘retrieval duty’

In Philipp v Barclays the Supreme Court held that victims of APP fraud could not rely on the Quincecare duty to found a claim. However, the Court left open the possibility that banks may owe a duty of retrieval to victims, i.e. a duty to take steps once made aware of the fraud to recover the payments that had been induced by the fraudster. In the recent case of Santander UK PLC v CCP Graduate School Ltd [2025] EWHC 667 (KB), the High Court held that a receiving bank does not owe any such retrieval duty to a third-party victim who has no contractual relationship with the receiving bank. It remains arguable that a retrieval duty is owed by a sending bank which will have a direct contractual relationship with the fraud victim, but we are yet to see a case where a fraud victim has established liability based on breach of this duty.

The case concerned CCP Graduate School Ltd (CCP) which fell victim to an APP fraud, authorising payments totalling £415,909.67 from its NatWest account to an account at Santander held by PGW Consultants Limited. CCP brought claims against NatWest and Santander. The claim against NatWest was struck out, but CCP’s claim against Santander, namely that Santander owed a ‘retrieval duty’ to take prompt steps to recover stolen funds, was considered arguable and allowed to proceed.

On appeal, Santander successfully struck out the entirety of CCP’s claim. The High Court held that a receiving bank cannot be assumed to have responsibility to the third-party victim of fraud. Santander's obligation was to comply with its customers’ instructions. There was no basis for a duty to unwind harm already caused to a third party.

The decision clarifies that banks do not owe a duty to third parties to prevent fraud or to reverse fraudulent transactions, emphasising the practical limitations and obligations of banks. However, it remains to be tested whether a sending (as opposed to receiving) bank owes a ‘retrieval duty’ to its customers.

 

2. ‘Half secret’ commissions and dishonesty

The Court of Appeal recently delivered an expedited judgment in Expert Tooling And Automation Ltd v Engie Power Ltd [2025] EWCA Civ 292, reaffirming that 'dishonesty' is a requirement for establishing accessory liability in the context of ‘half secret’ commissions. Relying on the Court of Appeal judgment in the Hopcraft motor finance case, it was argued that a claimant need only show that an accessory was: (1) paying a broker a commission; and (2) knew that there was a fiduciary relationship between the broker and claimant. In Tooling, the Court of Appeal held that an accessory must also know the payment of a commission constitutes a breach of fiduciary duty (e.g. due to lack of informed consent from the claimant).

The case concerned 'half-secret' commissions paid by energy suppliers to brokers for securing energy supply contracts. Tooling, a manufacturer, engaged Utilitywise plc (UW) to secure its energy supply. UW arranged an energy supply contract between Tooling and Engie, an energy supplier, and received commissions from Engie that were built into the unit price of the energy. The commission structure incentivised UW to sign Tooling up for longer contracts to maximise its upfront commission. While Tooling was aware UW was receiving a commission (hence only 'half secret'), it was not informed of specifics such as the amount and incentive structure.

UW ceased trading before Tooling initiated legal proceedings, so Tooling claimed against Engie on the basis it had wrongfully procured UW’s breach of fiduciary duty, due to a lack of informed consent from Tooling to the commission payments.

Amongst other arguments, Tooling relied on Hopcraft to argue that it was unnecessary to show that the accessory knew the commission payment constituted a breach of fiduciary duty.

The Court of Appeal rejected Tooling’s arguments, finding that dishonesty remained a requirement for accessory liability and that Tooling had failed to adduce sufficient evidence of dishonesty. The judgment of the Supreme Court in Hopcraft is awaited.

 

3. APP fraud reimbursement cap

The UK Payment Systems Regulator (PSR) made a significant reduction to the reimbursement limit for Authorised Push Payment fraud claims from £415,000 to £85,000. The new cap aligns with the Financial Services Compensation Scheme reimbursement limit and, according to the PSR, aims to protect consumers while ensuring that the fraud reimbursement scheme is sustainable. The new measures came into force on 7 October 2024.

Payment service providers to whom the scheme applies must amend the terms and conditions of their relevant contracts by 9 April 2025 to provide that they will reimburse their consumers as and when required under the scheme.

The maximum reimbursement level will be reviewed in Q4 2025. The PSR has also committed to publish a post-implementation review by October 2025.

The Payment Services (Amendment) Regulations 2024 entered into force on 30 October 2024. The statutory instrument amends the Payment Services Regulations 2017 to allow payment service providers to delay the execution of an outbound payment transaction by up to four business days where there are reasonable grounds to suspect fraud or dishonesty, thereby supporting efforts to tackle APP fraud.

 

4. Cryptocurrency exchanges’ liability for APP fraud

A recent High Court decision considered whether cryptocurrency exchanges could be liable for the return of fraudulently misappropriated cryptocurrency. While the court found in favour of the exchange, on the basis that the cryptocurrency could not be traced to it, the decision merits careful attention by cryptocurrency exchanges. The judge found that the exchange had sufficient knowledge to found liability for allowing the fraudster to withdraw funds from its account. If the claimant had been able to provide more evidence on the movement of the cryptocurrency through different accounts to allow it to be traced, the cryptocurrency exchange might have been held liable.

Of wider interest to all financial institutions dealing with cryptocurrencies will be the judge’s finding that the cryptocurrency constituted property, following a detailed analysis of the authorities and academic arguments. Taken together with the Property (Digital Assets etc) Bill introduced the day before this judgment, the property status of digital assets in English law is very close to being definitively settled.

Interestingly, the judge also found that the cryptocurrency in question was persistent. In other words, coins that were sent from the first account were the same coins that arrived in the second account. The Law Commission had suggested that the transfer of digital currencies might be more likely to take place by the destruction of the coins in the first account and the creation of new coins in the second account. Persistence of digital currencies will affect tracing and proprietary remedies.

Our team has produced an overview of the decision: Digital assets push payment fraud which is available here.

 

5. Failure to prevent fraud

The new UK failure to prevent fraud offence will come into force on 1 September 2025.

Our team has prepared a series of articles discussing the offence, the guidance published by the Government in November 2024 and the guidance published by UK Finance for the financial services sector in February 2025. You can access these articles on our hub.

Under the new offence, an organisation will be liable wherever it is located if the fraud has some connection to the UK. The only available defence will be that the organisation had “reasonable procedures” in place to prevent fraud. The SFO has indicated that it will be looking to prosecute as soon as the new offence comes into force.

In the lead up to 1 September, our team will be publishing a series of articles on key steps organisations should be taking ahead of the offence coming into force. The first article in the series explores one of the first steps in preparing for the new offence: conducting a risk assessment.

The main considerations in a risk assessment are:

  1. Deciding who will conduct and oversee the risk assessment: this includes whether to take a global or local approach to the risk assessment, identifying and seeking input from relevant stakeholders and considering whether external support is required.
  2. Understanding the relevant risk assessments already in place and what they do and do not cover.
  3. Assessing the likelihood of the underlying fraud offences arising. It is crucial that those undertaking the risk assessment understand the underlying offences and potential “grey areas” in sufficient detail to enable an assessment of how the offences could arise in the business.
  4. Conducting a “gap analysis” to assess what policies and procedures are already in place and identify any areas for enhancement. Organisations should identify the extent to which the underlying offences are addressed by their existing policies and controls and then identify where enhancements may be required.
  5. Producing a written risk assessment and agreeing when it will be reconsidered. It is crucial that an organisation can defend itself if it faces an investigation. Its procedures, including the risk assessment, need to be carefully documented so that it can clearly show decisions made, steps taken and the rationale for those decisions. Risk assessments should be kept under regular review and refreshed as necessary.

You can access the full article here.