Online fraud: when is a bank to blame?
Online fraud has been on the rise for many years. The advent of lockdown and 18 months of working from home has seen the volume of attacks increase by one third, bringing more opportunities for fraudsters to exploit security systems. In most cases, recovery from the fraudsters themselves is impossible.
A judgment issued on 26 August 2021 in the Commercial Court of the Court of Session, in Sekers v Clydesdale Bank [2021] CSOH 89, may however significantly and positively alter the legal landscape for customers north and south of the border seeking to recover from their bank when a fraudulent attack has taken place. To understand why, we need to have a look at the back story.
Until now, what was considered to be the leading case on the circumstances in which a bank could be held to blame when fraud has occurred actually took place before the age of internet banking, in 1992. In Barclays Bank v Quincecare [1992] 4 All ER 263 the court held that the bank should not execute an order if they had reasonable grounds for believing the order was an attempt to misappropriate the customer’s funds, and found Barclays to be in breach of the implied term to apply reasonable care in its dealings with its customer.
There wasn’t much case law which touched on Quincecare for many years, beyond a 2019 Supreme Court decision in Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd [2019] UKSC 50, which confirmed that in the particular circumstances of that case, the bank had breached its Quincecare duty of care to its customer.
For many years, legal practitioners tended to refer to the “Quincecare duty” as pivotal when considering whether a bank might be liable in cases of online fraud. The Quincecare duty can be summarised as whether a reasonable banker would have had reasonable grounds for believing, or should have considered as a real possibility, that the person authorising the payment was operating the client account to misappropriate funds.
Philipp: a restrictive decision
Then in the English High Court case earlier this year of Philipp v Barclays Bank UK plc [2021] EWHC 10 (Comm), the judge significantly restricted the ambit of the Quincecare decision to internal fraud only. It appeared that the range of circumstances in which a bank might be liable to their customer when a fraud had taken place might significantly have narrowed.
In Philipp v Barclays, Mrs Philipp and her husband were victims of an elaborate fraudulent scam. The couple were told by the fraudster that they had to remove funds from their account to assist with the investigation. Philipp made multiple transactions totalling £700,000 from her Barclays account to accounts in the UAE.
She argued that the bank had breached its Quincecare duty of care to her. However, the bank succeeded in securing summary judgment in its favour at strikeout. The decision by the trial judge significantly limited the Quincecare duty to situations of attempted misappropriation of the customer’s funds. According to this new decision, the Quincecare duty does not apply to authorised payments made to third parties without the complicity of a bank employee.
The Philipp decision contained one small glimmer of light: the court held that the restriction on the Quincecare obligation might not apply where the bank could be said to be acting “recklessly in failing to make such inquiries as an honest and reasonable man would make”. Philipp was granted permission to appeal: the appeal hearing is now scheduled to take place in early 2022.
The Sekers claims
Meantime, though, in Scotland, Sekers v Clydesdale Bank has been slowly making its way through the court system. The recent judgment, following a debate, by commercial judge Lord Clark offers more than just a glimmer of light to customers who have been the target of fraud.
Sekers was targeted by a sophisticated fraudster in March 2017, when the company’s cashiers received a call from “Steve”, who purported to be from the bank’s fraud team. He said that the company’s bank account had been blocked by the bank; this type of situation had happened before to the company. The fraudster said he would work to unblock the account.
The two cashiers were uncertain and sought reassurance that the call was genuine from the bank’s helpdesk and its relationship manager, both of whom took details from the cashiers but gave no advice to the cashiers on what they should do. Critically, neither told the cashiers to do nothing until the caller’s true identity had been clarified, and neither took any steps to suspend activity on the company’s account. Neither cashier was told that they must not make payments. The cashiers felt reassured that everything seemed to be in order.
Steve then asked the cashiers to process a number of “blocked” payments. Payments totalling £566,000 were made, a small amount of which was later recovered. The majority of the transferred sums were lost.
The pursuer argued as an implied term of the contract between bank and customer that the defender had a duty to exercise reasonable skill and care. Specifically: (1) the integrity of the defender’s security system had been compromised; (2) the security advice offered in relation to management of the online banking facilities was inadequate; (3) the bank’s operating software ought to have recognised that unknown IP addresses were suspect; and (4) the advice tendered by the bank’s employees on the day in question fell below the required standard, (i) generally, and (ii) in terms of the “reckless” exception to the Quincecare duty.
At debate, at which the defender sought dismissal of the action, the pursuer argued a need to distinguish the defender’s general duty of care from the Quincecare duty. The former covered the whole range of banking business undertaken by a banker for a customer, and the bank’s duty to exercise reasonable skill and care extended to all of its customers’ instructions: a payment instruction which elicited, or ought to elicit, suspicion through the telltale signs of a fraud ought not to be implemented. It was wrong to say that a bank had no duty of care in relation to a customer’s payment instruction beyond its execution.
Beyond Quincecare
Lord Clark distinguished Philipp on the basis that the plaintiff’s case had been broader than the pursuer’s case in Sekers, and cases relied on by Sekers, bearing on the bank’s general duty, including Hilton v Westminster Bank (1926) 135 LT 358 (CA), Selangor United Rubber v Cradock (No 3) [1968] 1 WLR 1555 and Karak Rubber Co v Burden (No 2) [1972] 1 WLR 60, were not before the court in Philipp. The factual distinctions between the cases were evident: there were no reasonable grounds in Philipp to intervene, whereas in Sekers the pursuer had actively sought the bank’s reassurance that the intended transactions were genuine.
Lord Clark found that the first three breaches of duty contended for were not made out on the pursuer’s pleadings, but that in respect of part (i) of the fourth, the overall duty of care, “Without full evidence on the factual circumstances here it would be inappropriate for me to conclude on the nature and scope of any duty… The nature and scope of such a duty, and whether it has been breached, are matters to be determined after inquiry... there are in my view sufficient averments to justify inquiry on the issue of whether on this ground there was a breach of duty to exercise reasonable skill and care.”
On part (ii) of the fourth duty, concerning Quincecare, he said: “one can... see some force in the argument that the matter falls to be determined by application of the Quincecare duty… If there had been no... discussions on matters arising before the authorisation of payment, and this was merely a case of payment being made by authorised individuals, the restricted Quincecare duty, covering the execution of instructions, would have resulted in the pursuer’s case being irrelevant”. He found, however, that as these discussions and inquiries were made, the general duty to exercise reasonable skill and care operated, and the question was then what was its nature and scope. In effect, the pre-authorisation discussions with the helpdesk and the relationship manager took the matter outwith Quincecare.
Lord Clark held that Philipp did not assist either party, given that it turned essentially on the question of whether or not the bank should have had in place a system for detecting and preventing the APP (authorised push payment) fraud. He distinguished Philipp on the basis that it was not a case in which the bank was notified of activities on the part of the fraudster, as in Sekers.
Whilst the duty is plainly fact specific, Sekers establishes that in principle, a duty is owed by a bank to its customers to apply reasonable skill and care in its dealings with the customer, extending across the whole range of its ordinary banking business, including the processing of online payments. The duty includes dealing with communications which a customer sends in relation to its banking business. The nature and scope of the duty, in particular the risks of harm to the customer against which the law imposes on the bank a duty to exercise reasonable skill and care, will depend upon the specific context. The critical issue for Sekers was the communications to the helpdesk and the relationship manager prior to authorising payment. The question was whether steps ought to have been taken by the bank in advance of the transfer of funds which would have resulted in payment not proceeding – most obviously, issuing an instruction to do nothing and take no action until the bank had verified “Steve’s” identity and confirmed that he was genuine.
Sekers now provides, in principle, a significantly wider avenue to claim against a bank, bypassing Quincecare, and relying on the earlier cases of Hilton, Selangor and Karak.
Put on notice?
What does this mean for other online fraud cases? The question of whether a bank has breached the general duty of care in any given case will be fact specific. The crux of the Sekers argument is that the bank was put on notice by the company of a potential fraud attack and that, in ignoring this, the bank breached the general duty – taking it beyond the Quincecare duty.
I began this article by stating the obvious: online fraud is sharply on the rise, and more and more individuals and businesses will be successfully targeted. For those claimants who have suffered an online fraud, the key is showing that the bank was put on notice of grounds for suspecting fraudulent activity was taking place, and therefore that the bank should have made inquiries. If the bank failed to make inquiries, the chances of establishing a breach of the general duty now appear in light of the Sekers decision to be significantly enhanced.