The last time I went to the bank it took 50 minutes to authorise a payment. The reason for the series of questions posed which caused the delay is a slowly increasing duty on banks to protect customers against fraud. The duty is, however, limited.
Banks are under a duty to act upon their customers’ instructions, but not always. Sometimes they are obliged not to obey them. The Quincecare duty is the duty not to follow instructions when put on inquiry that to do so might facilitate a fraud on their customer. The duty is to take reasonable care in executing payment instructions when there are reasonable grounds for believing that these are an attempt to misappropriate funds. The standard is that of the reasonable banker.
Although the original case (Barclays Bank plc v Quincecare Ltd [1992] 4 All ER 363) dates back to 1992, there have been few reported cases involving the duty until recent years when banks have been faced with frauds not only the result of agent/employee fraud (as in Quincecare), but which involve the customer providing instructions. It is these cases which have been the subject of most recent decisions and regulatory action.
Fraud and cyber fraud in particular are an increasing threat. Authorised push payment (APP) frauds are estimated to have caused losses of £583.2m in 2021 (UK Finance Annual Fraud Report for 2021).
Following consultation with consumers and industry representatives, in May 2019 the Payment Systems Regulator’s (PSR) Contingent Reimbursement Model (CRM) Code came into force. Supported by most major banks, the code aims to reduce ‘the occurrence and impact of APP scams… to give people the confidence that, if they fall victim to an APP scam and have acted appropriately, they will be reimbursed’. It has seen banks take greater responsibility for protecting their customers and many (but not all) reimbursing them suitably.
Earlier this year, in a case involving a bank’s liability for authorising a payment directed as a result of fraud (Philipp v Barclays Bank UK PLC & Anor [2022] EWCA Civ 318) the Court of Appeal considered the Quincecare duty and held that the duty could apply to circumstances in which a customer (as opposed to a customer’s agent) provided instructions to make the payment. It held that where the bank was on inquiry that those instructions may have been induced by fraud it was under a duty to refrain from making the payment while it made suitable enquiries.
In May 2022 the Treasury announced that it intended to introduce legislation to permit the PSR to compel the reimbursement of victims for APP fraud. Following consultation, in September the PSR set out its specific proposals for mandatory reimbursement of these victims. Those measures (as explained by the PSR) include:
- ‘Requiring reimbursement in all but exceptional cases – so more victims will get their money back.
- ‘[Improving] the level of protection for APP scam victims – so there is greater consistency in protections for all victims, irrespective of who they bank with.
- [Incentivising] banks and building societies to prevent APP scams – because responsibility for allowing fraudulent payments is the responsibility of both the sending and receiving banks or building societies.’
So is it all good news for bank customers? Well, no. There are limits to the CRM Code and the manner in which it may be enforced.
Further, presently a bank’s duties apply only to its customers, not others. Several recent cases have tested banks’ liability to those who are not their customers, all without success.
In Royal Bank of Scotland International Limited v JP SPC4 [2022] UKPC 18 the Privy Council considered whether a bank owed a duty of care in tort to the beneficial owner of money held in the account of a bank’s customer where the beneficial owner had been defrauded by that customer. The Privy Council declined to extend the bank’s Quincecare duty to the beneficial owner even though the bank was aware that the account was held on trust.
Elsewhere, a claimant framed its case against a bank which had received the proceeds of fraud as being a claim for unjust enrichment (Tecnimont Arabia Ltd v National Westminster Bank PLC [2022] EWHC 1172 (Comm)). While the parties agreed that the receiving bank owed no duty in tort to the payer, the claimant alleged that the bank was under a duty to freeze the stolen monies before they had been dissipated. The court rejected the claim. It held that the nature of banking transactions means payments are made and received.
Notwithstanding that a subsequent payment from the receiving account had triggered the bank’s anti-fraud processes, the bank was still not liable for the claimant’s losses. The bank’s employees had focused on retrieving the monies paid out rather than freezing the account from which they had been paid; it was not until the receiving bank was aware that the payment had been made to its customer as a result of fraud that it froze the account. The court held that, even if there had been unjust enrichment, the bank was entitled to rely on the defence of change of position and, ultimately, the bank was entitled to focus on protecting its own customer not third parties to whom it owed no duty.
These decisions were confirmed by the court in Nigeria v JP Morgan Chase Bank [2022] EWHC 1447 in which insight was also provided about when the Quincecare duty might arise. This did not include a history of previous fraudulent transactions – the trigger had to relate to the specific transaction complained about – and compliance with anti-money laundering best practice is not a factor.
Given the prevalence of cyber fraud and APP scams, we can expect the number of checks also to increase, particularly if legislation is enacted which extends the banks’ responsibility. It might take longer than an hour the next time I visit the bank to make a payment.
Sophia Purkis is a partner at Fladgate and a committee member of the LSLA
No comments yet