Justin Whelan (Partner, Abu Dhabi) and Thomas Neighbour (Senior Associate, Dubai) recently acted successfully for a claimant company before the DIFC Courts. In what we believe is the first DIFC judgment on these points, the court examined both business email compromise and Quincecare. The judgment will be of interest to financial institutions and their customers.

Our claimant client was a trader and shipping logistics provider specialising in obtaining and transporting raw materials for use specifically in the steel making industry. The defendant was our client’s bank, based in the DIFC (the Bank).

Business Email Compromise

‘Business email compromise’ is a prevalent and growing form of cyber fraud whereby a hacker targets and obtains access to a business email account, then imitates the owner of the email account with the purpose of defrauding the business. In the case of a supply chain company, for example, this can take the form of fraudulent payment requests emailed to the hacked company’s bank. Despite its increasing prevalence, there is relatively little reported case law on the subject.

Quincecare Duty of Care (‘Quincecare’)

In the 1992 case of Barclays Bank plc v Quincecare Ltd the English courts found that a bank owes an implied contractual and coextensive tortious duty to act with reasonable care and skill when carrying out a customer’s instructions, which in certain circumstances can override the conflicting duty on the bank to execute the customer’s instructions promptly.

The duty is established where the bank is put on inquiry of a suspected fraud. Per Steyn J: “a banker must refrain from executing an order if and for so long as the banker is ‘put on inquiry’ in the sense that he has reasonable grounds (although not necessarily proof) for believing that the order is an attempt to misappropriate funds of the company.”1 The standard is that of the ordinary prudent banker.

Whilst Quincecare was decided some 30 years ago, its application is still a developing area of English law that has rarely been relied on by a customer in seeking redress from a bank. It was not until 2019 that the UK Supreme Court found for the first time that a bank had breached the duty in the case of Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd.2 (see our briefings for further details3).

The Case

It was not in dispute that the claimant was the victim of a cyber-hack. Via a phishing email, the hackers were able to access and take control of the claimant’s email systems, forge invoices and send fraudulent payment instructions to the Bank. The Bank acted on these fraudulent payment instructions and paid out monies to the fraudster.

The primary question before the Court was, in the emerging domain of business email cyber fraud, who should bear the loss: the claimant customer or the Bank?

The claimant’s case was: (i) that the Bank had acted in breach of mandate; and (ii) that there were a number of red flags in the instructions that put the Bank on notice of fraudulent activity. The Bank’s failure to identify the same and its execution of the instructions amounted to a breach of its Quincecare duty.

The Bank’s position was that (i) it was protected by the contractual arrangements in force; and (ii) it was under no obligation to inquire as to the purpose of any transfer seemingly authorised by instruction nor into the identity of the transferee. It also argued that the Quincecare duty only applied where the Bank was holding money deposited on behalf of the customer, and not where the Bank granted a borrowing facility to the customer.

In giving judgment on 11 July 2021, whilst acknowledging that the result was fact-specific, the Court found for the claimant, holding that not only had the Bank acted in breach of mandate, the Bank would also have had reasonable grounds to believe that the payment instructions were an attempt to misappropriate its customer’s funds. The Bank’s failure to identify a number of red flags in connection with the fraudulent instructions was therefore sufficient to amount to a breach of a Quincecare duty. That the fraudulent payment requests did not follow the established payment request procedure between the parties was one such red flag, as was the fact that the stated purpose of the payments did not fit with the claimant’s transaction history.

In considering the Quincecare duty, the Court found that the duty bites as at the time of compliance with the instruction to the Bank to pay out and that there was no basis for distinguishing a situation where the funds were the customer’s own or advanced by way of a loan or facility. The Court firmly rejected the Bank’s argument that the customer owed a duty of care to look after borrowed funds for the benefit of the Bank.

As for the contractual provisions, the Court held that in circumstances where the Bank had been put on inquiry, amongst other things it could not exclude liability for its own subsequent negligence in processing the payment. The judge observed that “it would be an unattractive conclusion that the Bank could act on an email appearing on its face to be sent to it by [the claimant], but which it had reason to believe was an attempt to defraud [the claimant], without incurring any liability.”

The judge also found against the Bank on various other issues relating to causation and alleged contributory negligence that were pleaded by the Bank.

The Outcome

The Court found overwhelmingly in favour of our claimant client. It ordered that our client did not have to repay the misappropriated funds to the Bank, and that the Bank was liable to pay damages for consequential losses, together with costs on the basis that our client was wholly successful.

Financial institutions and customers alike should take note of this judgment, which confirms that the Quincecare duty of care is very much in force in the DIFC.