Scottish Court rejects argument that Quincecare duty extends beyond internal fraud; allows claim to proceed on limited grounds

United Kingdom

In the recent decision of Sekers Fabrics Ltd v Clydesdale Bank plc [2021] CSOH 89, a bank customer (“Sekers”) that had fallen victim to an authorised push payment (“APP”) fraud sought to recover its losses from its bankers (“the Bank”). Sekers argued both that the Bank had breached its general duty of care in a number of respects, and that it had breached the Quincecare duty[1], contending that, properly understood, the Quincecare duty extends beyond cases of internal fraud.

In addition to rejecting Sekers’ argument that the Quincecare duty applied, the Court also rejected three of the four alleged breaches of the general duty. The Court stated that it was “unable to find that [Sekers] was bound to fail” on the fourth alleged breach, which related to advice allegedly given by the Bank’s staff on the day in question, and determined that the case should proceed to proof (trial) on that single ground.

APP fraud

APP fraud arises when a fraudster contacts a bank customer and tricks them into authorising a payment to an account controlled by the fraudster. For example, the fraudster may pretend to be a member of staff of the bank and claim to be calling to warn the customer that they need to move funds urgently to a ‘safe’ account. APP scams have become increasingly prevalent and sophisticated in recent years. Furthermore, reports indicate that online fraud has significantly risen during the pandemic.

Background

The APP scam that Sekers fell victim to in this case was a fairly sophisticated one. Sekers’ version of events is set out in the decision in some detail. In summary, it was alleged that:

  • A person identifying themselves as “Steve” contacted the customer, claiming to be from the Bank’s fraud team;
  • This person made reference to confidential information about Sekers’ account;
  • In the course of discussions with this person, attempts were made by Sekers’ two cashiers to contact and obtain reassurance and advice from both the Bank’s helpdesk and Sekers’ relationship manager at the Bank;
  • The relationship manager advised that Sekers should obtain the full name of the person who had contacted them and email this to her. However, neither she nor the helpdesk took steps to suspend Sekers’ account, nor did they instruct Sekers’ cashiers not to make any payments; and
  • Payments of £566,000 were ultimately authorised by the cashiers, although some of these funds were subsequently recovered.

Sekers argued that in these circumstances, the Bank had breached both the Quincecare duty and the Bank’s general implied duty to exercise reasonable skill and care. Four particular breaches of the general duty were referred to by Sekers:

  1. It was alleged that the integrity of the Bank’s security system had been compromised, allowing sensitive information about Sekers’ account to be disseminated to an unauthorised third party;
  2. It was alleged that the security advice offered by the Bank’s staff to Sekers in relation to management of the online banking facilities was inadequate;
  3. It was alleged that the Bank’s operating software ought to have recognised that unknown IP addresses were used on the day in question to login and that multiple payments were being made in quick succession to beneficiary accounts to which no legitimate payments had previously been made; and
  4. It was alleged that the advice tendered by the Bank’s employees to Sekers on the day in question fell below the required standard.

The question before the Court was whether Sekers had a relevant legal case on any of the grounds it had set out in its pleadings, or if the claim fell to be struck out, either in whole or in part.

The Quincecare duty

The Court noted that the authorities make clear that there is a general implied duty on a bank, under its contract with its customer, to exercise reasonable skill and care. It was noted that neither party had referred to any particular express or implied terms of the contract that were relevant in this case. However, the parties had accepted that one highly relevant factor was “the fundamentally important obligation upon the bank, whether express or implied, to comply with the customer’s instruction to make payment.”

While complying with payment instructions was the primary obligation of the bank, a duty had been identified in the Quincecare case which would arise where a bank had reasonable grounds for believing that the person authorising a payment was operating the account in order to misappropriate funds, i.e. in cases of internal fraud.

Sekers sought to argue that there was no logical reason why the Quincecare duty should not apply equally to external fraud, such as in this APP fraud scenario. They argued that the Quincecare duty was a sub-set of the general duty of care, and the threshold test for intervention was where the bank was “put on inquiry”. In circumstances where an ordinary prudent banker would or should have identified the fraud risk, the duty should apply.

The Court rejected that argument, pointing out that there was no authority to support that proposition. The Court noted that an external fraudster who influences the instruction of a payment is not interfering with the authority of the person giving the instruction, pointing out that “in making the payment, that authority is exercised”. It further rejected Sekers’ suggestion that the payment instruction was not a properly authorised instruction if it was induced by fraud. From the bank’s perspective, such an instruction was properly authorised.

The general duty of care

With regard to the general duty of care, the Court determined that only one of the four breaches pled by Sekers constituted a relevant case that should be permitted to progress to a hearing on evidence. This was the allegation that the advice tendered by the Bank’s employees on the day in question had fallen below the required standard. While the Court appeared to have some concerns regarding the level of detail in the pleadings in relation to these alleged discussions, it stated that it was unable to conclude that Sekers was “bound to fail” and therefore allowed a hearing on evidence to be fixed to determine the nature and scope of the alleged duty and whether it had indeed been breached. 

The Court was of the view that the remainder of Sekers’ case, i.e. the alleged breaches 1-3 above, was irrelevant. Critically, Sekers’ pleadings did not set out what they considered the Bank ought to have done in respect of its security system or the advice it ought to have offered on the management of online banking facilities. Nor did Sekers specify why the Bank required to verify IP addresses or account names. Finally, Sekers had not set out what ordinary or standard banking practice was as regards any of these alleged breaches of duty so as to formulate a relevant case against the Bank on these grounds.

Comment

In 2019, an APP Scams Voluntary Code was launched. It currently has 18 bank signatories. The Code requires signatories to take certain steps aimed at protecting customers from APP scams and in some circumstances, to reimburse victims of APP fraud.

Customers who are unable to recover losses under the Code face significant hurdles in recovering losses from their bankers by way of litigation. As confirmed by the Court of Session in this case, the Quincecare duty is narrow in scope and does not apply to cases of APP fraud. Furthermore, while there is scope to plead breaches of duty in relation to a bank’s general duty of care, any such breaches require to be pled in clear and specific terms as regards the alleged background facts relied upon, the standards of conduct that the customer claims the bank ought to have met, and in what respects the bank failed to meet those standards.



[1] Barclays Bank plc v Quincecare Ltd [1992] 4 All ER 363