Cat MacLean: Where next for online fraud claims? – part one
Ahead of a major ruling of the Supreme Court next month, Cat MacLean takes a look at the jurisprudence of online fraud. Part two follows tomorrow.
Online fraud has been on the rise for many years. The pace of attacks has quickened with the pandemic and the advent of working from home. In most cases, recovery from the fraudsters themselves is impossible and whether you can ever bring it home to your bank is more uncertain. As online fraud has become more prevalent, so too have been the attempts by lawyers to establish liability on the part of a bank for permitting the fraud to take place. Finally, the Supreme Court is set to rule on the issue in February 2023.
The Historic Test
For many years the leading case which looked at the circumstances in which a bank could be held to account when fraud had occurred was a case which actually took place before the age of the internet. In 1992 in Barclays Bank v Quincecare, the court analysed the relationship between bank and customer. They found that, when a customer asks a bank to transfer funds, the bank is acting as the customer’s agent in making the transfer. As the customer’s agent, the bank is obliged to do as it is asked, and effect the transfer. However, a bank should not execute an order if it has reasonable grounds for believing that the order is an attempt to misappropriate the customer’s funds. The duty to transfer in accordance with customer instructions, unless exceptional circumstances applied (i.e. reasonable grounds for believing the order was a fraud), became known as the “Quincecare duty”. There were two sides to the Quincecare duty: firstly, the duty to effect the transfer, and secondly, the duty not to transfer if the bank had, or ought to have had, reasonable grounds to believe the order was a fraud.
The story in Scotland
Although Quincecare is not binding in Scotland, it proved persuasive in encouraging Scottish judges to follow the same line of reasoning. This was illustrated clearly in the Scottish case of Sekers Fabrics v Clydesdale Bank, which survived a debate (the Scottish equivalent of strikeout) in August 2021, and which then went on to settle successfully in September 2022, on the first day of the proof (Scottish equivalent of trial) – the culmination of five years of litigation on the thorny subject of online/APP fraud.
In March 2017, Sekers were targeted in a sophisticated APP (authorised push payment) fraud. APP fraud is the name given to scams where the victim is tricked into making large bank transfers to an account controlled by the fraudster – often, as happened to Sekers, where the fraudster pretends to be a member of the bank staff. In this case, the company’s cashiers received a call from the fraudster “Steve”, who purported to be from the bank’s fraud team. He said that the company’s bank account had been blocked by the bank as a precautionary measure (a similar scenario had happened previously to the company), and that he would work to unblock the account.
Factual background to Sekers Fabrics v Clydesdale Bank
The cashiers had an element of reservation and sought reassurance from Clydesdale that Steve was who he said he was. They phoned Clydesdale’s helpdesk and their relationship manager, seeking help from both. The relationship manager advised that Sekers should obtain the full name of the person who had contacted them and email this to her. Having done so, the cashiers heard nothing further from the relationship manager. Neither she nor the helpdesk took steps to suspend Sekers’ account. Neither did they instruct the cashiers not to do anything, and in particular, not to make any payments. In the absence of any communication from either the relationship manager or the helpdesk, payments of £566,000 were ultimately authorised by the cashiers, a very small amount of which was subsequently recovered.
Proceedings were raised on behalf of Sekers against the bank, arguing that the bank had breached several implied terms of the contract between bank and customer. Sekers alleged specifically that:
- the integrity of the defender’s security system had been compromised;
- the security advice offered in relation to management of the online banking facilities was inadequate;
- the bank’s operating software ought to have recognised that unknown IP addresses were suspect;
- the advice given by the bank’s employees on the day in question fell below the required legal standard.
Updating the historic test
It was this fourth argument which was going to form the crux of the Sekers case until resolution at the very last minute, and it is this fourth argument in particular which has historically vexed lawyers. The Quincecare duty had been largely accepted without comment and the principle appeared to be a given for many years – until, that is, the advent of online fraud, when the Quincecare duty became front and centre.
When an online fraud attack occurs, which side of the Quincecare duty applies?
- Is it the duty to transfer in accordance with customer instructions? or,
- Is it the duty not to transfer on the grounds that the bank ought to have a reasonable belief that there could be an attempt to misappropriate customer funds?
It is important to set out the backdrop against which Sekers played out. In early 2021, an English High Court case of Philipp v Barclays significantly restricted the Quincecare decision, by stipulating that the Quincecare duty, specifically the duty not to transfer if fraud might be taking place, only applied to internal fraud. The trial judge in that case held that the Quincecare duty, and in particular the reasonable grounds exception, only applied to situations of misappropriation of the customer’s funds by internal fraud by a bank employee.
According to this new decision, the Quincecare duty did not apply to authorised payments made to third parties without the complicity of a bank employee. So, where a customer is the subject of a fraud attack, and as a result, mistakenly authorises the transfer of funds to a fraudster, Quincecare should not apply, and there should be no liability on a bank, even if objectively the circumstances surrounding the fraud would suggest that the bank ought to have had reasonable grounds for suspecting that a fraud was taking place.
Philipp was appealed to the English Court of Appeal, but meantime, in August 2021, Sekers came before the Scottish Courts in a debate (strikeout hearing) before Lord Clark. There were a number of legal arguments in play at the debate, as outlined above. The first three related to the integrity of the Bank’s security system and operating software. The central core of the case, however, centred on the fourth argument, which was around the points made in the Philipp case, and how far the Quincecare duty should extend.
Sekers argued that the advice tendered by the bank’s employees to Sekers on the day in question fell below the required legal standard, because nobody at any time had ever advised the cashiers to do nothing, to make no payments, and to cease communication with “Steve” until the position was clarified. Sekers argued that there was no logical reason for the Philipp restriction, and no reason why the Quincecare duty should not apply equally to external fraud, such as in this APP fraud scenario.
They argued that the threshold test for intervention was where the bank was or ought to have been “put on inquiry”. In circumstances where an ordinary prudent banker would or should have identified the fraud risk, those circumstances should trigger a reasonable belief that there could be an attempt to misappropriate customer funds, and so the duty not to effect the transfer should apply. The bank’s duty to exercise reasonable skill and care extended to all of its customers’ instructions, and as part of that, a payment instruction which ought to elicit suspicion through the tell-tale signs of a fraud ought not to be implemented – whether or not the fraud was internal or external.
Lord Clark held that to determine whether or not the bank were liable, it was necessary to hear all of the evidence, because the question of whether in any given case the bank ought to have identified the risk of fraud taking place was fact-specific. In essence, Lord Clark was not prepared to agree that there was a binary distinction between internal fraud on the one hand, and external fraud on the other. It came down to the factual circumstances of each case, and so the evidence required to be heard. The threshold test for legal intervention was where the bank was or ought to have been “put on inquiry”.
By early 2022, in England Philipp was headed for a Court of Appeal hearing in April 2022, whilst in Scotland in September 2022, Sekers was heading for proof (trial) in the Court of Session.
The English decision
The Court of Appeal in Philipp overturned the decision at first instance, holding that the Quincecare duty can arise for a bank even where it is the customer giving instructions to pay money out of their account to a fraudster (that is, following the line taken by Lord Clark). The Court of Appeal unanimously found in Mrs Philipp’s favour, holding that there could be a duty not to transfer, on the grounds that the bank ought to have a reasonable belief that there could be an attempt to misappropriate customer funds. They therefore allowed the appeal.
The court, agreeing that a bank acts as an agent for the customer, found that not only has the bank a duty to execute payment instructions, but it also has a duty to use reasonable skill and care in executing the customer’s order. If an ordinary prudent banker would be, or ought to be, “on inquiry” that executing the order would result in misappropriation of the funds, then the duty arises, and execution of the payment should not be carried out.
The underlying logic is to protect the customer, and so the duty can apply even though the customer gives the instruction themselves, where they are the victim of APP fraud, provided that there are circumstances which should objectively put the bank “on inquiry” that a fraud may be in the course of taking place.
Cat MacLean is a partner at BTO LLP