It has been reported that during the pandemic, bank account and loan fraud has soared in the UK. In the second quarter of 2021, loan fraud rose by 40% and first-party fraud related to loans rose almost 20%. While fraudulent activity has always been an issue for Banks and their customers, the increased reliance on electronic banking seen during the pandemic has resulted in even greater risks.
In the context of fraud cases, the question often arises as to what duties Banks have towards their customers to protect them from fraudulent activity. This has been the subject of numerous cases which attempt to set out the circumstances which would constitute a breach of the Bank's duties.
The starting point – the Quincecare duty of care
The Quincecare duty originated from the decision in Barclays Bank plc v Quincecare Limited. In this case, it was established that a Bank owes an implied duty to exercise reasonable care and skill when executing customers’ instructions, which includes not executing payment instructions if there are reasonable grounds for believing they are an attempt to misappropriate funds. The duty arises once the Bank has been "put on enquiry" that there may be reasonable grounds (although not necessarily proof) for this belief. This is assessed against the objective standard of the ordinary reasonable banker.
Since its inception, the Quincecare duty has been applied by the Courts in various cases involving fraudulent transactions in the context of modern banking.
Developments of the Quincecare duty
The case of Singularis Holdings v Daiwa was the first instance of a Bank being held liable for breaching the Quincecare duty. Singularis was a company wholly owned by an individual (Mr Al-Sanea) who had sole signing powers over its bank accounts and was also a director. On Mr Al-Sanea's instructions, Singularis' bank, Daiwa, paid out over $200 million from the company's accounts to various entities ultimately controlled by Mr Al-Sanea. The liquidators of Singularis later sought to recover these sums from Daiwa on the basis of dishonest assistance and breach of the Quincecare duty.
The Supreme Court found that Daiwa had clearly breached its duty of care to the company, as it was a stark case of lack of due care and skill in the context of persistent fraud on the company. It held that a Bank would be liable if it executed an order “knowing it to be dishonestly given, or shut its eyes to the obvious fact of the dishonesty, or acted recklessly in failing to make such inquiries as an honest and reasonable man would make”. This decision was made in the context of an obvious fraud and several fact-specific factors, including:
- The Bank had a dysfunctional system, where "everyone assumes that someone is dealing with investigating the disputed payments";
- The Bank was aware that Mr Al-Sanea and his group of companies were in financial difficulties and that he may have other substantial creditors; and
- The disputed payments were signed off without any discussion between management and the Bank's compliance teams, in contrast to other payments.
By contrast, in Philipp v Barclays Bank UK Plc [2021], the High Court held that a Bank would not be liable for losses of £700,000 suffered by a customer who had been tricked by fraudsters into transferring money out of their account and into accounts in the UAE. This was an example of authorised push payment ("APP") fraud, where a victim is induced by a fraudster to authorise a transfer into what they believe to be a legitimate account but which is actually controlled by the fraudster. The customer brought proceedings against the Bank, alleging that it had breached its Quincecare duty to her by simply complying with her instructions rather than asking more questions about the purpose of the transfers or placing a block on her account. The Bank successfully obtained summary judgment and strike-out of the customer's claim.
A key factor in this case was that the transfers had been effected by the customer herself rather than someone purporting to act on her behalf. The Court said that to hold the Bank liable for the customer's losses would have been "an unprincipled and impermissible extension" of the Quincecare duty, which limits the duty "to cases of attempted misappropriation by an agent of the customer". At the heart of the decision was a recognition that a bank has a primary contractual duty to act in accordance with a customer's instructions. This primary duty would become unworkable if the bank also had an obligation to "second guess" a customer's instructions in order to protect the customer from the consequences of their own decisions. This decision is therefore important in establishing clear limits to the Quincecare duty, making clear that it generally will not assist a customer who, at the behest of a fraudster, has given what outwardly appear to be legitimate instructions to their bank.
Can a Bank mitigate the risk of breaching its duties?
It is possible for a Bank to contract out of the Quincecare duty; however, very clear wording must be used. The duty is not negated by an entire agreement clause or a clause which narrows the obligations to simply holding a customer's money and executing instructions. This is because the duty to perform those obligations with reasonable skill and care is the essence of the Quincecare duty.
To mitigate the risk of breaching the Quincecare duty, Banks can take the following steps:
- Ensure robust systems are in place for monitoring accounts and detecting potentially fraudulent transactions and instructions;
- Utilise relevant information available from sources in the public domain in order to 'Know your customer';
- Implement a clear protocol for escalating any concerns to the compliance team and identifying any red flags;
- Train customer-facing staff to be alert to suspicious activity which could put them "on notice" of potential fraud; and
- Ensure that their internal policies are in line with industry standards, as compliance with these standards will be relevant in determining whether the Quincecare duty has been breached.