Online fraud – when is a bank to blame?
By Cat MacLean
Following a recent judgment in Scotland, Cat Maclean assesses when a bank should be held liable in cases of online fraud.
Online fraud has been on the rise for many years. The advent of lockdown and over a year of working from home has seen the volume of attacks increase by one third, bringing more opportunities for fraudsters to exploit security systems. In most cases, recovery from the fraudsters themselves is impossible.
A judgment issued in the Court of Session in Edinburgh on 26 August 2021, in the case of Sekers v Clydesdale Bank [2021] CSOH 89, may however alter the legal landscape for customers north and south of the border seeking to recover their money from their bank after a fraudulent attack has taken place. To understand why, we need to look at the back story.
Until now, the case generally regarded as the leading authority on the circumstances in which a bank could be held to blame when fraud has occurred was decided before the age of internet banking, in 1992.
In Barclays Bank v Quincecare [1992] 4 All ER 263, the court held that a bank should not execute an order if it had reasonable grounds for believing the order was an attempt to misappropriate the customer’s funds, this being an aspect of the implied term that the bank will exercise reasonable care in its dealings with its customer. On the facts of that case, however, the court found that Barclays had not breached the duty.
For many years there was little case law touching on Quincecare, beyond the 2019 Supreme Court decision in Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd [2019] UKSC 50, which confirmed that, on the particular facts of that case, the bank had breached its Quincecare duty of care to its customer.
Quincecare duty
For many years, legal practitioners tended to treat the ‘Quincecare duty’ as pivotal when considering whether a bank might be liable in cases of online fraud. The Quincecare duty turns on whether a reasonable banker would have had reasonable grounds for believing, or should have considered it a real possibility, that the person authorising the payment was operating the customer’s account in order to misappropriate funds.
Then, in the English High Court case of Philipp v Barclays Bank UK PLC [2021] EWHC 10 earlier this year, the judge significantly restricted the ambit of the Quincecare decision to internal fraud only. It appeared that the range of circumstances in which a bank might be liable to its customer after a fraud had taken place had narrowed considerably.
In Philipp v Barclays, Mrs Philipp and her husband were the victims of an elaborate scam. The fraudster told the couple that they had to move funds out of their account to assist with a supposed investigation. Mrs Philipp made multiple transfers totalling £700,000 from her Barclays account to accounts in the UAE.
She argued that the bank had breached its Quincecare duty of care to her. However, the bank succeeded in obtaining summary judgment in its favour at the strikeout stage. The judge’s decision confined the Quincecare duty to situations of attempted misappropriation of the customer’s funds. On this new decision, the Quincecare duty does not apply to payments authorised by the customer and made to third parties without the complicity of a bank employee.
The Philipp decision contained one small glimmer of light: the court held that the restriction on the Quincecare obligation might not apply where the bank could be said to be “acting recklessly in failing to make such inquiries as an honest and reasonable man would make.” The claimant in Philipp was granted permission to appeal, with the appeal hearing scheduled for early 2022.
In Scotland, the case of Sekers v Clydesdale Bank [2021] CSOH 89 had been slowly making its way through the court system, reaching a debate (the Scottish equivalent of strikeout) in June, with the decision issued on 26 August 2021.
The judgment in this case by Lord Clark, a commercial judge in the Court of Session, offers more than just a glimmer of light to customers who have been the target of fraud.
Sekers was targeted by a sophisticated fraudster in March 2017, when the company’s cashiers received a call from “Steve”, who purported to be from the bank’s fraud team. He said the company’s bank account had been blocked by the bank, something that had happened to the company before, and that he would work to unblock it.
The two cashiers were uncertain and sought reassurance from the bank’s helpdesk and from their relationship manager that the call was genuine. Both the helpdesk and the relationship manager took details from the cashiers but gave no advice as to what they should do. Critically, neither told the cashiers to do nothing until the caller’s true identity had been established, and neither took any steps to suspend activity on the company’s account. The cashiers were not told that they must not make payments, and came away reassured that everything seemed to be in order.
Steve then asked the cashiers to process a number of “blocked” payments. Payments totalling £566,000 were made, of which only a small amount was later recovered. The majority of the transferred sums were lost.
Duty of care
In Sekers, the pursuer (claimant) argued that, as an implied term of the contract between bank and customer, the defender (defendant) owed a duty to exercise reasonable skill and care, and alleged that the bank had breached it in four respects: (1) the integrity of the defender’s security system had been compromised; (2) the security advice offered in relation to the management of the online banking facilities was inadequate; (3) the bank’s operating software ought to have recognised that unknown IP addresses were suspect; and (4) the advice tendered by the bank’s employees on the day in question fell below the required standard, (i) generally, and (ii) in terms of the “reckless” exception to the Quincecare duty.
At the debate (the application for strikeout), the pursuer argued that a distinction had to be drawn between (i) the bank’s general duty of care and (ii) the Quincecare duty. The former covered the whole range of banking business undertaken by a banker for a customer, and the pursuer argued that the bank’s duty to exercise reasonable skill and care extended to all of its customer’s instructions. The pursuer added that a payment instruction which elicits, or ought to elicit, suspicion through the tell-tale signs of a fraud ought not to be implemented. It was wrong to say that a bank had no duty of care in relation to a customer’s payment instruction beyond its execution.
Lord Clark distinguished Philipp on the basis that the claimant’s case there had been broader than the pursuer’s case in Sekers, and that the cases relied on by Sekers bearing upon the bank’s general duty, including Hilton v Westminster Bank [1926] 135 LT 358 CA, Selangor United Rubber v Cradock (No 3) [1968] 1 WLR 1555 and Karak Rubber Co v Burden (No 2) [1972] 1 WLR 60, had not been before the court in Philipp. The factual distinctions between the cases were evident: in Philipp there were no reasonable grounds for the bank to intervene, whereas in Sekers the pursuer had actively sought the bank’s reassurance that the intended transactions were genuine.
Lord Clark found that the first three alleged breaches were not made out on the pursuer’s pleadings. On part (i) of the fourth, the general duty of care, he held that “without full evidence on the factual circumstances here it would be inappropriate for me to conclude on the nature and scope of any duty…The nature and scope of such a duty, and whether it has been breached, are matters to be determined after inquiry. There are in my view sufficient averments to justify inquiry on the issue of whether on this ground there was a breach of duty to exercise reasonable skill and care”.
On part (ii), the Quincecare point, he said: “one can... see some force in the argument that the matter falls to be determined by application of the Quincecare duty... If there had been no... discussions on matters arising before the authorisation of payment, and this was merely a case of payment being made by authorised individuals, the restricted Quincecare duty, covering the execution of instructions, would have resulted in the pursuer’s case being irrelevant (struck out)”.
He found, however, that because those discussions and inquiries had taken place, the general duty to exercise reasonable skill and care was engaged, and the question then became what its nature and scope were. In effect, the pre-authorisation discussions with the helpdesk and the relationship manager took the matter outwith Quincecare.
Lord Clark held that Philipp did not assist either party, since it addressed only the question of whether the bank should have adopted a system for detecting and preventing the fraud. He distinguished it on the basis that, unlike Sekers, Philipp was not a case in which the bank had been notified of the fraudster’s activities before payment.
Claiming against a bank
While the duty is plainly fact-specific, Sekers establishes that, in principle, a bank owes its customer a duty to exercise reasonable skill and care in its dealings with that customer, extending across the whole range of the customer’s ordinary banking business, including the processing of online payments.
The duty includes dealing with communications which a customer sends in relation to its banking business. The nature and scope of the duty, in particular the risks of harm to the customer against which the law imposes on the bank a duty to exercise reasonable skill and care, will depend upon the specific context.
The critical issue for Sekers was the communications with the helpdesk and the relationship manager prior to the authorisation of payment. The question was whether the bank ought to have taken steps in advance of the transfer of funds which would have resulted in the payments not proceeding, most obviously by instructing the cashiers to do nothing and take no action until the bank had verified Steve’s identity and confirmed that he was genuine.
Sekers now provides, in principle, a significantly wider avenue to claim against a bank, bypassing Quincecare, and relying on the earlier cases of Hilton, Selangor and Karak.
What does this mean for other online fraud cases? Whether a bank has breached the general duty of care in any given case will be fact-specific. The crux of the Sekers argument is that the company put the bank on notice of a potential fraud attack and that, in ignoring this, the bank breached the general duty, taking the matter beyond the Quincecare duty.
While Sekers is a Scottish decision, it is certainly persuasive in England and should give hope to many, including those who had previously sought to rely on Quincecare but were prevented from doing so by the restriction imposed in Philipp.
I began this article by stating the obvious: online fraud is sharply on the rise, and more and more individuals and businesses will be successfully targeted. For claimants who have suffered an online fraud, the key is to show that the bank was put on notice of grounds for suspecting that fraudulent activity was taking place, and therefore that the bank should have made inquiries. Where the bank failed to make those inquiries, the chances of establishing a breach of the general duty now appear, in light of the Sekers decision, to be significantly enhanced.
Cat Maclean is a partner at MBM Commercial LLP mbmcommercial.co.uk