Lessons From the U.K.: Potential Reforms to Canadian Banks’ Fraud Prevention Responsibilities

Fraud rates continue to rise in Canada, with recent Statistics Canada data showing a 12% increase in police-reported fraud from 2022 to 2023. This statistic relates to general fraud, which excludes fraud with a specific identity information component (namely, identity theft and identity fraud). One of the most common types of banking-related fraud is authorized push payment (APP) fraud. APP fraud occurs when a fraudster manipulates a victim into transferring money to the fraudster’s bank account using a false pretext, such as by impersonating a trusted entity or becoming romantically involved with the victim. Young Canadians are significantly more likely than middle-aged and older Canadians to have experienced APP fraud, likely due to their higher use of social media platforms and electronic payment methods. APP fraud victims face significant challenges recovering their money because they have often expressly authorized the transfers to the fraudsters.

The United Kingdom recently adopted a regulatory framework that reallocates liability for fraud losses to payment service providers (PSPs), including by mandating reimbursement for APP fraud victims in most circumstances. This framework effectively makes PSPs insurers for fraud in cases where they were not responsible or victimized by it. The ongoing consideration of potential reforms to Canada’s Bank Act, along with recent amendments to Quebec’s Consumer Protection Act, suggests that a similar approach may be on the horizon in Canada.

This article compares the U.K.’s existing APP fraud prevention and compensation framework to Canada’s. It also examines the ongoing review to Canada’s Bank Act, recent Canadian case law and recent amendments to Quebec’s Consumer Protection Act. Finally, it offers practical recommendations for banks to prepare for potential legislative reforms, drawing lessons from the U.K.

The U.K.’s Framework

In Philipp v Barclays Bank (Philipp), the U.K. Supreme Court considered whether banks have a duty to protect customers from APP fraud. The plaintiffs, who were bank account holders, were manipulated by a fraudster posing as a U.K. financial services regulator into transferring £700,000 to the fraudster’s bank account. The facts of Philipp are particularly striking because the plaintiffs ignored warnings from a police officer not to transact with the fraudster.

The U.K. Supreme Court held that the bank was not liable for the plaintiffs’ losses and confirmed that banks have a strict duty to execute customers’ payment instructions. This duty may only be limited by an express contractual right to delay or refuse to execute a customer’s payment instructions if the bank believes, or has reasonable grounds to believe, that the customer is being defrauded.

Shortly after Philipp was decided, the U.K. adopted a regulatory framework that reallocates liability for APP fraud losses from victims to PSPs.

The Financial Services and Markets Act 2023 (U.K.) amended The Payment Services Regulations 2017 (U.K.) to allow the Payment Systems Regulator (PSR) to mandate reimbursement for APP fraud victims. Pursuant to the PSR’s Reimbursement Policy Statements, which came into effect in October 2024, PSPs must reimburse customers who fall victim to APP fraud for losses of up to £85,000 per claim, within five to 35 business days. The sending and receiving PSPs usually split the cost of reimbursement evenly, incentivizing both to enhance fraud detection and prevention measures.

There are two exceptions to the PSP’s reimbursement obligation: (i) where the customer acted fraudulently; and (ii) where the customer acted with gross negligence.

The gross negligence exception applies where the customer has, with gross negligence, failed to meet one or more of the following requirements:

• Have regard to interventions: Consumers should have regard to interventions made by their PSP or a competent national authority, such as the police. These interventions must clearly communicate the PSP’s or authority’s assessment that an intended payment is induced by fraud.
• Prompt reporting to PSP: Consumers should report that they suspect or know they are a victim of APP fraud to their PSP promptly, and no later than 13 months after the last payment to the fraudster was made.
• Share information: Consumers should respond to any reasonable and proportionate requests for information made by their PSP to help them assess a reimbursement claim.
• Reporting to police: After making a reimbursement claim and upon request by their PSP, consumers should consent to the PSP reporting the fraud to the police on their behalf.

PSPs bear the burden of proving gross negligence, which is an expressly higher standard than the common law negligence standard. To meet this standard, the PSP must prove that the consumer demonstrated a significant degree of carelessness — likely comparable to the conduct of the plaintiffs in Philipp.

Canada’s Framework

Unlike the U.K., Canada has not adopted a legislative framework that shifts the losses of APP fraud from victims to PSPs. However, Canada’s legislative framework may be about to change.

Potential Reforms to the Bank Act

The Department of Finance (Department) is reviewing Canada’s federal financial institutions legislation, including the Bank Act. The original sunset date for the review in the statute was June 30, 2025, but has been extended to June 30, 2026. Barring any further extensions, the review should be completed before this new deadline.

The Department’s Consultation Paper on Proposals to Strengthen Canada’s Financial Sector (Paper), which launched the third phase of its review, raises the prospect of significant reforms to banks’ obligations and liability in relation to fraud.

In the Paper, the Department states that “robust consumer protection is more critical than ever.” It notes that banks do not always delay or prevent potentially fraudulent transactions from occurring, despite being in a unique position to do so. It also notes that although banks take steps to protect consumers from fraud, regulators lack the ability to assess the adequacy of these steps.

To address these concerns, the Department sought feedback about several proposals, including:

• The duty to intervene in suspicious transactions: Whether, and under what circumstances, banks should be required to prevent or delay transactions that are potentially fraudulent or associated with a scam
• Enabling customer-controlled safety features: Whether banks should be required to allow consumers to turn off or adjust account capabilities to prevent fraud, such as the ability to complete wire transfers
• Regulated fraud detection policies and procedures: Whether banks should be required to have fraud detection and prevention policies and procedures that meet or exceed a regulated standard
• Limits on liability for fraud losses: Whether a maximum liability limit should be established so that account holders who are victims of unauthorized transactions are only responsible for losses up to the limit, regardless of how their funds were accessed. The implication is that banks would be responsible for any losses above the limit

These proposals signal a potential shift toward the approach adopted by the U.K. in its recent reforms.

Recent Case Law

Recent case law has also opened the possibility that banks may have new prevention obligations in the case of APP fraud, although we have not yet seen a decision on the merits of this topic.

In Zheng v Bank of China (Canada) Vancouver Richmond Branch (Zheng), which involved an AAP fraud, the British Columbia Court of Appeal left open the possibility that banks owe a duty to inquire and warn their customers about suspicious transactions. The appellant customer was manipulated by a fraudster, who impersonated a Chinese official, into transferring C$69,000 to an account in Hong Kong. The customer sued her bank, alleging it failed to meet its duty to inquire and warn her about the transaction, in part because the bank was aware of a prevailing fraud in the community. The Court allowed the customer’s appeal of the order for summary dismissal, holding that the customer’s claim presented a genuine issue for trial. There has not yet been a decision on the merits in Zheng.

Proposed Reforms to Quebec’s Consumer Protection Act

These proposals also align with section 12 of Quebec’s Bill 72, which has been enacted but has not yet been proclaimed into force. Section 12 adds two new provisions to Quebec’s Consumer Protection Act (sections 65.1 and 65.2), which affect banks’ obligations to refund amounts debited from consumers’ demand deposit accounts.

Under new section 65.1, a merchant (including a bank) must refund any unauthorized debits from a consumer’s account that exceed C$50. However, the merchant must refund all unauthorized debits after it is notified that the consumer’s payment instrument (e.g., debit card) was lost or stolen, or of the fraud or unauthorized use of the consumer’s account. This requirement is subject to an exception: the merchant is not required to provide a refund if it proves that the consumer committed a “gross fault” in safeguarding the means for using their payment instrument (e.g., their PIN). The concept of “gross fault” is well-established in Quebec civil law and is defined as a fault which shows gross recklessness, gross carelessness or gross negligence.

Under new section 65.2, a merchant must refund all authorized debits from a consumer’s account where the consumer is a victim of fraud, such as an APP fraud. This requirement is also subject to an exception. The merchant is not required to provide a refund if it proves that it debited the amounts in the absence of strong indications raising a suspicion of fraud or, where such indications existed, after it took the necessary precautions to attempt to prevent the fraud.

The Paper, recent case law and Bill 72 all suggest a growing trend toward increasing Canadian banks’ fraud prevention obligations and liability, including through the introduction of obligations to prevent or delay suspicious transactions and reimburse fraud victims.

Practical Recommendations

It remains to be seen how the Canadian banking industry will respond to the changes, if implemented, but we expect that banks will consider implementing some or all of the following practical measures:

• Increase investment in advanced fraud detection and prevention systems
• Enhance existing fraud detection and prevention policies and procedures
• Ensure all employees, particularly front-line staff, are trained to:
  • recognize the warning signs of fraud
  • document all steps taken to warn customers about potentially fraudulent transactions and protect the bank from liability, such as through customer releases
  • ask customers relevant questions and escalate any suspicious transactions
• Proactively educate customers about the common types and warning signs of fraud, including APP fraud, especially where specific customers are being targeted or where a particular fraud is prevailing in a community
• Introduce warning systems for customers, such as in-app alerts, and require multi-factor authentication or human verification for suspicious and high-risk transactions
• Review and update customer contracts to:
  • clarify loss allocation and bank and customer responsibilities in the event of fraud
  • include a provision which permits the delay or refusal to execute customers’ payment instructions believed to be fraudulent
• Identify and de-market high-risk clients
• Assess how to fund and operationalize reimbursement for fraud victims

For more information, please contact the authors or any other member of our Litigation & Dispute Resolution group.