In a judgment handed down on 14 March 2022 (Philipp judgment), the Court of Appeal has decided that it is at least possible in principle that a relevant duty of care could arise in the case of a customer instructing their bank to make a payment when that customer is the victim of APP fraud.
Prior to this judgment, claims for breach of the Quincecare duty had been restricted to claims where the payment instruction came from an agent of the customer of the bank which would not arise where an individual customer gives a payment instruction directly.
The Quincecare duty
The Quincecare duty requires a bank to refrain from acting on a payment instruction if, and for as long as, it is put on inquiry by having reasonable grounds for believing that the instruction is an attempt to misappropriate the funds of the customer.
Prior cases have been restricted to situations where the instruction came from an agent of the customer of the bank (e.g. where the customer is a corporate, the agent might be a director or employee that is attempting to defraud the corporate customer by misappropriating its funds).
APP fraud
APP stands for “authorised push payment”. When the customer of a bank is a victim of APP fraud, they have been deceived by a fraudster to instruct their bank to transfer money from their account into an account controlled by the fraudster.
The latest figures show that in the first half of 2021, £355 million was lost to APP scams, overtaking card fraud losses. The growth of this type of fraud has been exponential and shows no signs of abating.
Facts of the Philipp case
The particular facts of the Philipp case are unusual due to the significant sums involved.
Mrs Philipp became the victim of an APP fraud in March 2018. Mrs Philipp and her husband were deceived by a fraudster known as JW to transfer over £700,000 of their savings into an account in Mrs Philipp's name with the defendant bank and then Mrs Philipp instructed the bank to transfer that money, in two payments of £400,000 and £300,000, to separate bank accounts in the United Arab Emirates. The couple believed that in acting on JW’s instructions they were helping the Financial Conduct Authority and the National Crime Agency in moving the money into safe accounts in order to protect it from fraud.
At first instance, HHJ Russen QC granted summary judgment in favour of the bank on the grounds that Mrs Philipp, as an individual, could not bring a claim for breach of the Quincecare duty as this was restricted to payment instructions coming from an agent of the customer.
Following the first instance judgment, the Consumers' Association (Which?) was granted permission to intervene in the appeal. Which? supported Mrs Philipp’s appeal, contending that the court should recognise a duty of care in the circumstances of Mrs Philipp, that the Quincecare duty is unremarkable, and that it would be illogical to confine it to companies or agents.
The key issue on appeal
The key issue in the appeal was whether as a matter of law the Quincecare duty of care depended on the fact that the bank is instructed by an agent of the customer of the bank. On this issue, the Court of Appeal decided that the Quincecare duty was not restricted in this way. The Court of Appeal found that the application of the Quincecare duty “does not depend on whether the instruction is being given by an agent. It is capable of applying with equal force to a case in which the instruction to the bank is given by a customer themselves who is the unwitting victim of APP fraud provided the circumstances are such that the bank is on inquiry that executing the order would result in the customer's funds being misappropriated.”
Having decided that, in principle, the Quincecare duty could arise, the summary judgment order was set aside and the matter will proceed to trial. It is important to note, that there has been no finding as to whether the Quincecare duty in fact arises in this case (nor that such duty has been breached) – these are all matters for the trial judge to consider in due course.
Three stage approach
The Court of Appeal outlined a three stage approach to considering the Quincecare duty:
- The starting point was the correct identification of the relationship between the customer and the bank in the context of an instruction to pay. In this regard, the bank is the agent for the customer as principal.
- Then one considers the state of affairs if the banker knew that the relevant instruction was an attempt to misappropriate funds. A bank which executed that instruction in those circumstances would be liable.
- Once that second step is accepted, the final question is then - what lesser state of knowledge will put the bank under a legal obligation? The answer is that if the circumstances were such that an ordinary prudent banker would be “on inquiry” then the duty arises. Importantly, the Court of Appeal noted that “the duty is not to execute the order while on inquiry, and to make inquiries”.
Would the “extended” duty be onerous and unworkable?
The bank had argued that if the Quincecare duty were extended to cover individuals instructing payments when they were the victim of APP fraud, this would be too onerous and unworkable. As to this issue:
- The bank asked rhetorically how the duty alleged by the appellant could possibly work in the context of the huge number of banking transactions executed every day and having regard to the speed of many of these transactions via BACS and Faster Payment systems.
- At first instance, in support of his decision not to “extend” the Quincecare duty to claims by individuals for APP fraud, the judge accepted the bank's submission that the duty contended for by the appellant would be unworkable in practice. Similarly, he held that it would be commercially unrealistic to expect bank staff to ask the kind of questions contended for by the appellant whenever any payment instruction was authorised by the customer attending the bank in person, regardless of the sum involved. The judge was concerned that, as he saw it, there was no clear framework of rules by reference to which the duty might operate, nor any clearly recognised banking code of practice.
- Which?, as intervener, contended that by 2018 ordinary banking practice in checking whether customers were victims of fraud was more advanced than was appreciated by the judge at first instance. Which? submitted evidence including various decisions of the Financial Ombudsman Service (FOS) in APP fraud cases in which the FOS reported that it upholds about three quarters of customer's 'authorised' scam complaints in the consumer's favour. The intervener also referred to a voluntary 2017 BSI Code of Practice which sets out guidance and recommendations for banks relating to fraud and financial abuse, including authorised push payment fraud. This included staff training about understanding risk factors, recognising suspicious transactions and recognising customers in vulnerable circumstances. The feasibility of a duty on the banks was also said to be supported by the Contingent Reimbursement Model Code for Authorised Push Payment Scams that was introduced in late May 2019.
The Court of Appeal decided that the above arguments would need to be decided at trial. It was at least arguable that the duty of care contended for would be neither unworkable nor onerous in terms of banking practice in March 2018. The Court of Appeal referred to “the careful calibration of the Quincecare duty itself” which would avoid problems in this regard: “It is a duty conditioned by whatever ordinary banking practice is at the relevant time. A finding that the facts of Mrs Philipp's case would, when considered alongside ordinary banking practice in March 2018, have put an ordinary prudent banker on inquiry about APP fraud, simply does not mean that the circumstances associated with any one of the many millions of low value BACS transfers would do so.”
Key takeaways
- There have been a number of cases over the last couple of years regarding the boundaries of the Quincecare duty and some important cases remain to be decided at appellate level. This decision represents an important extension of the duty (in principle) to individuals that have been the victim of APP fraud.
- Whether this opens the floodgates for such claims remains to be seen. Many cases are being dealt with by the FOS (which represents a much cheaper and risk free forum for individual claimants). Also, the facts of the Philipp case are unusual given the significant sums involved. Most APP frauds will involve much lesser sums.
- There remain a number of important questions: What are banks actually expected to do in practice? This judgment refers to a duty to “make inquiries” but it remains unclear as to the scope of this duty. Further, how does the bank reconcile a duty to refrain from processing payments and “making inquiries” with its primary contractual duty to comply with the bank mandate and process payments? If a bank suspects fraud and refuses to execute the transaction whilst they “make inquiries” – is the bank liable for losses if it turns out to be genuine instruction? Comparisons can be drawn with the regime under POCA (where a bank is not liable for losses suffered by the customer as a result of delay in processing a payment having submitted a Suspicious Activity Report (SAR) if it has reasonable grounds for submitting the SAR) but there is currently no equivalent comfort in the Quincecare duty setting unless provided for in contractual terms and conditions.
- For banks, the current incremental developments in this area via case law give rise to ongoing uncertainty. It would be preferable to have clear parameters set out in some form of code but that is unlikely to happen any time soon. In the meantime, we await one or more substantive decisions that provide further guidance on some of the outstanding questions above.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our Privacy Notice.