Introduction
In the year up to 2022, £1.2 billion was recorded as stolen through fraud in the UK. Of that figure, just under half was down to ‘Authorised push payment’ (APP Fraud). This fraud involves the victim being fraudulently induced to authorise their bank to send a payment to a bank account controlled by the fraudster, as opposed to payments being ‘pulled’ from the victim’s bank account without their authority.
Classic examples of APP fraud include fraudsters impersonating bank employee’s or law enforcement officers, with the scams including phone calls, text messages, emails, and most shockingly, in-person visits.
Imagine a scenario in which your elderly grandmother receives a phone call from a fraudster purporting to be from the Financial Conduct Authority. After an hour of exploiting the former’s vulnerabilities, the bank receives instructions from the grandmother to transfer most of her pension income to an unknown business account in Liechtenstein.
The grandmother is later informed by her family that she was not in fact protecting her funds as per the FCA handbook, but instead has fallen victim to an APP fraud. Her pension income can no longer be located. The bank stands idly by the victim’s side but nothing can be done.
One would be hard pushed to deny that the grandmother has suffered an injustice, but the critical question for this case comment is determining whether the grandmother has a claim against the bank for breaching its Quincecare duty in executing her instructions.
Thesis
This article will consider the legal basis underpinning the so-called ‘Quincecare Duty’, including the Court of Appeal’s ‘principled extension’ of the duty in Philipp v Barclays Bank UK PLC [2022] EWCA Civ 318. It will ultimately be argued that the Supreme Court’s rejection of the Court of Appeal’s extension, and orthodox recasting of the duty, is to be welcomed. Quincecare is not a special duty but applies the general duty of care owed by a bank to ascertain and act in accordance with its customer’s instructions. The doctrine lies in the orthodox principles of agency.
The origins of the Quincecare Duty
The facts in Quincecare [1992] 4 All ER 363 were fairly typical: A bank agreed to lend money to a company for a commercial venture. One of the company agents (the chairman) instructed the bank to transfer the funds, purportedly in drawdown of the loan, to a firm of solicitors. The company agent had instructed the solicitors to receive the money on his behalf and then transfer it to an account in the United States. The company agent’s instruction to the bank was a misappropriation, and when the company were sued by the bank for repayment of the loan, the company counter-claimed for breach of the bank’s duty of care to its customer.
The key paragraph of Steyn J’s judgment can be found at page 376:
“a banker must refrain from executing an order if and for as long as the banker is ‘put on inquiry’ in the sense that he has reasonable grounds (although not necessarily proof) for believing that the order is an attempt to misappropriate the funds of the company...”
The key principle underlying the duty in the case of Barclays Bank v Quincecare can be summarised as follows:
If the customer’s primary agent gives a fraudulent payment instruction to the bank (the customer’s secondary agent), then that instruction has been given without the customer’s authority. It is not, in fact, the customer’s instruction. However, the bank is still entitled to rely upon the agent’s apparent authority unless it has reasonable grounds to suspect that the instruction is an attempt to defraud its customer. Where those reasonable grounds for suspicion exist, the validity of the customer’s instruction is unclear, and the bank’s duty of reasonable care and skill kicks in, requiring the bank to ascertain whether, if the bank were to execute the instruction, it would be acting in accordance with its customer’s instructions. It is then, and only then, that the duty to make inquiries applies: the bank must seek to ascertain whether the instruction is actually authorised by its customer, the ultimate principal.
In short, the bank’s prima facie priority is to execute a customer’s (and their agent’s) instructions. In circumstances where the customer relies on a third party agent to handle their financial affairs, the bank may be put ‘on inquiry’ if there are reasonable grounds for suspicion of misappropriation, and the bank is compelled to honour its duty of care by ensuring the agent’s instructions are not an attempt by the third party to misappropriate funds.
The Court of Appeal judgment: Philipp v Barclays Bank UK PLC
In Philipp v Barclays Bank UK PLC [2023] UKSC 25, Mrs Philipp was the subject of ‘APP Fraud’, being duped by a fraudster purporting to work for the FCA, and instructed her bank to transfer two sums to a UAE bank account. Her claim against the bank alleged that the latter had breached its common law duty (Quincecare duty) in executing her payment instructions that were made on the basis of a third party’s fraud.
The Court of Appeal accepted Mrs Philipp’s submission, holding that in principle it is possible for the bank to breach its Quincecare duty by executing customer instructions if they had reasonable grounds for believing the order was a misappropriation of funds attempt.
Birss LJ rejected the bank’s emphasis on the differing factual matrix, namely that the instructions came from the customer (Mrs Philipp) rather than the customer’s agent (as in Quincecare) and instead focussed on the underlying rationale of the Quincecare duty: protecting customers from fraud.[1]
The CoA’s reasoning was as follows: (a) if the Bank knew that the transaction was an attempt to misappropriate funds, it would be liable under the “Quincecare duty” and that therefore (b) the issue in the case was really what level of knowledge would suffice (at [28]). That was an issue that could only be resolved after trial, not on summary judgment.
According to the Court of Appeal, if the Quincecare duty exists to protect customers from internal fraud (their agent exceeding any apparent authority), then it is a principled step to have the duty protect customers from external fraud (third party fraudsters duping customers into making payment instructions).
The Supreme Court Decision: Orthodoxy Restored
It is submitted that Birss LJ’s analysis is fundamentally unorthodox and unprincipled; the Supreme Court is right to recast the duty in formal terms: nothing more, nothing less than an ordinary duty of care on banks to give effect to a customer’s payment instructions.
In situations of APP fraud, the Quincecare duty is frankly not in point. By the very fact that customer’s payment order has been ‘authorised’ by them, the bank is under a duty to legitimately give effect to this in accordance with their duty of care, there is no question of the bank being put ‘on inquiry’ due to reasonable grounds for suspicion of misappropriation, by virtue of the fact that a customer cannot ‘misappropriate’ their own funds if they themselves give the payment order.[2]
Lord Leggatt dismantles the Court of Appeal’s reasoning by exposing the Quincecare duty for what it is, an ordinary application of agency law.
Firstly, the duty in Quincecare has been mischaracterised. The duty is to ‘observe reasonable skill and care in and about executing a customer’s order’. It is therefore impossible to construe from this ‘a duty not to follow the customer’s order’ in circumstances where the payment order comes from the customer. This duty of reasonable skill and care is subordinate to the duty to carry out the customer’s payment order, “because the exercise of skill and care is directly solely to the effective execution of the order”.[3] Consequently, no independent basis exists for refusing a customer’s payment order. It was thus a wrong turn for Birss LJ to hold in principle that the Quincecare duty not only protects the customer from internal fraud (agent instructions) but also external fraud (third party, APP).[4]
The consequences
In principled terms the correct result was reached[6]: there is no duty to protect a customer from fraud, whether the fraud is committed internally (by customer agent) or externally (third party, APP). The only duty on banks is to take reasonable skill and care; it is not concerned with the prevention or detection of financial crime such as money laundering. Quincecare is primarily a negative duty, requiring a bank not to act upon payment instructions issued by the agent of a customer when the bank knows facts which would suggest to a reasonable and honest banker that the agent was attempting to misappropriate the funds in the customer’s account.
In cynical terms the bank was prevented from being the undue insurer of Mrs Philipp’s incompetence.
However, it must be noted that Lord Leggatt’s judgement has its limitations in regard to the bank’s duties with APP fraud: Imagine a bank has reliable information given by the police about a fraudster operating with a particular customer, suggesting that the payment instruction has been obtained fraudulently. Although the principles of agency dictate that the bank executes the order given the customer has authorised this, would the additional information not serve to put the bank on ‘inquiry’ (as in the case of a dodgy order from a customer’s agent) and thus require them to make further inquires before fulfilling it? It seems scarcely unprincipled to argue that in such circumstances a bank’s failure to carry out inquiries before executing the order would be in breach of its duty of care owed to the customer.[7]
Statutory scheme (relief for Mrs Philipp.. or not)
At para [21], Lord Leggat noted that:
“The Financial Services and Markets Act 2023, which received Royal Assent on 29 June 2023, provides for a mandatory reimbursement scheme. Section 72 of the Act amends regulation 90 of the Payment Services Regulations to enable liability to be imposed “where the payment order is executed subsequent to fraud or dishonesty”. Section 72 requires the Payment Systems Regulator to impose a requirement for reimbursement by payment service providers in such “qualifying cases” of payment orders executed subsequent to fraud or dishonesty as the Regulator considers should be eligible for reimbursement.”
Although to be welcomed, the FSMA 2023 is not a silver bullet and would in any case not have helped Mrs Philipp: (i) it is limited to payment orders executed over the Faster Payments Scheme, not including international payments (ii) it is not proposed that the regulatory obligations arising under the scheme will be directly enforceable by bank customers.
Wider Consequences
For banks, the narrowing of the doctrine is a sigh of relief.
For the wider economy, banks should no longer fear (if they ever did) pausing before facilitating customer transactions. Transactions costs should remain the same if not fall over time as banks are not forced to positively investigate whether customer payment orders are tainted by fraud.
Legal advisers should be cautious; whilst it is possible to exclude the Quincecare duty in a banking contract, the court may not be keen to enforce such when the bank has acted in a manner inconsistent with such reasonable skill and care. In any event, the duty should be easy to discharge given the Supreme Court’s emphasis on its ‘negative dimension’.
In Singapore, a novel framework addressing loss-sharing between the customer, the financial institution, and telecommunication channels has been proposed, in situations where a customer is duped into clicking on a ‘phishing’ link and entering their details for the fraudster. Duties for the bank include imposing a 12-hour cooling off upon activation of digital token, and sending notifications on a real time basis for such activation. Failure to discharge such duties weighs heavily in the assessment as to who bears loss.
Whilst such a framework can be praised for it’s multi-party emphasis, it would not help a customer duped by APP fraud if the bank and telecommunication company had carried out its duties. A better approach may be a bank reimbursement fund, in which customers pay monthly premiums based on their total bank deposits, such that when they are victims of fraud, the bank will reimburse them according to their contribution amount to the fund.
Concluding thoughts
To conclude, the Supreme Court’s judgement restores orthodoxy. The court of appeal’s decision in Philipp v Barclays Bank UK PLC [2022] EWCA Civ 318 wrongly construed the so-called Quincecare duty, as a duty on banks to protect their customers from fraud. As pronounced by Lord Leggatt, such a duty is “inconsistent with first principles of banking law”.[8] Banks are not insurers for customers being duped by fraud. Unless the banking contract provides for such loss allocation, the only expectation on a bank is to execute a payment instruction with reasonable skill and care. In circumstances where the customer gives such instruction, it is frankly impossible to breach such a duty by executing the order: no agency arises and therefore no misappropriation can occur. Overall, the loss from APP fraud is a matter for legislative intervention.
Footnotes
[1] This claim rested on the idea that the bank was to refrain from executing a customer’s order if and for as long as it was put on inquiry, by having reasonable grounds for believing that the order was an attempt to misappropriate funds from Mrs Philipp. [2] [59] Philipp v Barclays Bank UK PLC [2023] UKSC 25 [3] [64] Philipp v Barclays Bank UK PLC [2023] UKSC 25
[4] [63] Philipp v Barclays Bank UK PLC [2023] UKSC 25 [5] [66] Philipp v Barclays Bank UK PLC [2023] UKSC 25
[6] Quincecare is simply an application of agency law. Does the customer’s agent make a payment instruction order that is fraudulent? If so they are not acting with their principal’s (customer’s) authority, and this should put the bank on inquiry (reasonable grounds for suspicion of misappropriation). Executing the order without making such an inquiry is thus acting without reasonable skill and care towards the ultimate customer. A breach has occurred with loss (the transferred monies).
[7] This issue was specifically left unanswered ([109] of the judgement) in similar fashion to Lord Sumption’s refusal to resolve the perennial debate over whether the practical expectation of benefit can constitute consideration for the purpose of a valid contract: Rock Advertising Ltd v MWB Business Exchange Centres Ltd [2018] UKSC 24
[8] [3] Philipp v Barclays Bank UK PLC [2023] UKSC 25