In our recent blog, we considered the duty of care Banks owe to their customers to protect them from fraudulent activity. In a decision of the Privy Council in Royal Bank of Scotland International Ltd (Respondent) v JP SPC 4 and another (Appellants) (Isle of Man)  UKPC 18, issued on 12 May 2022, the scope of that duty of care was tested.
The duty of care in question – referred to as the Quincecare duty – is an implied duty to exercise reasonable care and skill when executing customers’ instructions, which includes not executing payment instructions if there are reasonable grounds for believing they are an attempt to misappropriate funds. The question for the Privy Council was whether this duty was only owed to the Bank's customer or whether it extended to a third party who was known to be the beneficial owner of the funds held in the account of the Bank's customer, and who had been defrauded by that customer.
The claimant was an investment fund based in the Cayman Islands. The fund established a scheme under which lending was provided to solicitors to finance their pursuit of high-volume, low-value litigation. The loans were to be advanced and repaid through an Isle of Man company, Synergy (Isle of Man) Ltd ("SIOM").
SIOM held two bank accounts with the defendant bank (the "Bank"). The claimant alleged that SIOM and two of the individuals behind it were parties to a fraud by which money beneficially belonging to the claimant was paid out for the benefit of those individuals rather than by way of legitimate investments of the kind intended.
The claimant commenced proceedings against the Bank before the Isle of Man courts, seeking to recover the losses it suffered as a consequence of the fraud. The claimant alleged that the Bank ought to have prevented those losses because there were numerous red flags and indications that should have put the Bank on notice of potential or actual fraud. The claimant argued that the Bank did not take the steps that it ought to have taken in response to the evidence of potential fraud.
In order to be successful, the claimant needed to persuade the court that the Bank owed them a duty of care. The difficulty that the claimant faced was that it was not the bank's customer. SIOM was the bank's customer. Could the Quincecare duty of care extend to the claimant? The appeal court in the Isle of Man decided that it could not. The claimant appealed to the Privy Council.
Read In Context
The Board carefully considered the decision in Barclays Bank plc v Quincecare Limited from where the Quincecare duty originated. In that case it was said that “the law should guard against the facilitation of fraud and exact a reasonable standard of care in order to combat fraud and to protect bank customers and innocent third parties.” The Board noted that this statement must be read in context. The relevant parties in that case were the bank and the customer. The reference to protecting innocent third parties was not an acceptance by the judge that the duty of care extended to third parties; rather it was acknowledging that by recognising a duty owed to the customer, this protects not only the customer but also other innocent victims of a fraud.
The Board also considered two subsequent cases in which the Quincecare duty was considered (the Supreme Court's decision in Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd  UKSC 50 and the Court of Appeal's decision in JP Morgan Chase Bank NA v Federal Republic of Nigeria  EWCA Civ 1641;  2 CLC 559). In both cases, there was no indication by the courts that the duty of care extended beyond the Bank's customers.
Therefore, the Board rejected the claimant's case that the Bank owed a duty of care on the basis of the Quincecare duty of care.
Good News for Banks?
This is a decision that will be welcomed by the Banks. If the Board had found that a duty of care existed, this would arguably have placed an unacceptable burden on Banks, as it extend beyond the contractual relationship with their customers. However, it is unlikely that this will be the last challenge along these lines. Where a victim of fraud is unable to recover from the fraudster, they will increasingly look to other avenues for redress. If a Bank has failed to act in the face of obvious red flags or has failed to follow its own internal processes, then it will be an obvious target notwithstanding the difficulties that would need to be overcome by the claimant.
Therefore, the steps highlighted in our recent blog to mitigate the risk of breaching the Quincecare duty remain relevant and are worth repeating: -
- Ensure robust systems are in place for monitoring accounts and detecting potentially fraudulent transactions and instructions;
- Utilise relevant information available from sources in the public domain in order to 'Know your customer';
- Implement a clear protocol for escalating any concerns to the compliance team and identifying any red flags;
- Train customer-facing staff to be alert to suspicious activity which could put them "on notice" of potential fraud; and
- Ensure that its internal policies are in line with industry standards, as compliance with these standards will be relevant in determining whether the Quincecare duty has been breached.
In a judgment handed down on 14 June 2022, the High Court was again required to consider the Quincecare duty in The Federal Republic of Nigeria v JPMorgan Chase Bank, N.A.  EWHC 1447 (Comm). The decision merits a blog post of its own, but in short the claimant argued that it was a victim of internal fraud and that the defendant bank were on notice that the payments in question were made to facilitate a fraud on the claimant.
The judge ultimately concluded that there was no fraud and so the claimant's case failed. However, the judgment contains helpful comments on the scope of the Quincecare duty. The following points in particular can be highlighted from Mrs Justice Cockerill's decision:-
- The duty is "narrow and confined". It is important to keep in mind that the duty is only engaged at all in circumstances where the Bank is in receipt of what appears to be a valid and proper instruction which it is prima facie bound to execute. Any expansion of the Quincecare duty would therefore come into conflict with the Bank's duty to follow its customer's instructions. Support for this view was taken from the Privy Council's decision in RBSI v JP SPC 4.
- Unless the Bank is on notice that the instruction in question may be vitiated by fraud i.e. that the payment instruction is an attempt to misappropriate the customer’s funds, the duty does not arise.
- In this case, the contract between the claimant and defendant bank meant that the claimant had to show that the Bank was "grossly negligent" in order to establish a breach of the Quincecare duty. This was a hurdle which the judge considered the claimant was unable to meet and so the contractual limitation gave added protection to the Bank.