The growing issue of banking fraud has again been highlighted recently by the case of Singularis Holdings Limited (In Official Liquidation) v Daiwa Capital Markets Europe Limited[1]. In that case, the High Court found that where a bank was on notice that a director of its customer was likely to attempt to withdraw funds fraudulently, the bank was liable to the customer if it negligently allowed those payments to be made. However, the Court recognised that in circumstances where a bank was dealing with a huge number of daily transactions, it could not be expected to spot the signs of fraudulent activity easily.

The case comes after the consumers’ organisation, Which?[2], made a “super-complaint” to the Payment Systems Regulator (“PSR”) on behalf of banking customers about their vulnerability to fraud – in particular, “push payment fraud”. Push payments are where a customer obtains a payee’s bank details and authorises its bank to transfer funds into the payee’s account.[3] Increasingly, customers are being deceived into authorising payments into the accounts of fraudsters rather than those of the legitimate payees.

Which?’s super-complaint argued that scams which involved authorised payments by customers were an increasing problem and the customer should be better protected against this form of fraud. The PSR responded in December 2016 (the “PSR Response”)[4], saying there was insufficient evidence to require a change in the law. It accepted that there was a problem, but was unsure of the scale and asked for further evidence to be provided so that it could consider what action should be taken. It did not recommend that new legal liabilities should be imposed upon banks. However, it pointed to a number of initiatives being taken forward across the banking industry to increase customer protection against fraud. These include the following:-

  • A “confirmation of payee” system that may reduce the risk of payers sending funds to an account that is not in the name that they expect;
  • Work on tracking funds through the payment systems to help identify the destination account for fraud;
  • Improved information sharing between banks.

Authorised “push” payments

Duties of paying banks

Where payments have been authorised by customers, banks are not generally liable to make refunds, even where the customer has been tricked into paying the wrong recipient. On the contrary, a bank’s principal duty is to obey its customer’s mandate and, indeed, it may be liable to a customer if it fails to comply with a payment instruction.

However, a bank may be liable in contract and/or negligence if it fails to exercise reasonable skill and care when executing a customer’s order. The test is that a bank must refrain from executing an order (or cancel it where possible) where it is “put on inquiry” in the sense that it has reasonable grounds for believing that the order is an attempt to misappropriate the funds of the customer[5]. That duty applied in the case of Singularis in which the bank was on notice that an agent acting for the customer was misusing his authority to transfer funds.[6]

The question is how far a bank’s duty of care to its customer extends when it is on notice that the customer is at risk of being defrauded. Does it only apply when the bank is aware that the customer is being defrauded by its own agent (i.e. a director)? In that case, it could be argued that the payment instruction had not been correctly authorised. Or can it extend to circumstances where the bank is on notice that its customer is about to be defrauded as a result of a mistaken authorisation?

To date, the courts have considered that it is practically impossible for a bank to check every banking transaction, given the speed and number of transactions which occur. The case of Tidal Energy Ltd v Bank of Scotland plc[7] highlighted the situation where a bank had complied with a CHAPS transfer mandate which had been authorised by the customer. The customer had been given the correct sort code and account number but had been misled about the payee’s name. Although the name on the form was incorrect, the bank was held to be not liable to the customer, since under the CHAPS rules, only the sort code and account number need to be correct for a bank to accept instructions to transfer payment. The court took into account the fact that the customer had the option of whether or not to use the CHAPS system; because the benefit of that system was speed, it was unrealistic to impose an additional burden on banks of having to check whether the name on each CHAPS form corresponded with the name of the payee’s account.

However, many of the legal cases which have decided these issues are from some years ago and often they deal with banking practices which are quite different from those in place today. The PSR Response noted that in general banks appear to have made significant efforts to prevent their customers falling victim to push payment scams. These actions include transaction monitoring, customer profiling and challenge of suspicious transactions.[8]

The question may therefore be asked whether, as increasingly sophisticated fraud prevention systems become available to banks, it will become easier for banks to spot and prevent frauds before they arise. If that is so, a bank which has such systems may find itself liable if it fails to use those systems with care to protect its customers adequately.

Duties of receiving banks

A bank into whose account a fraudulent payment has been made owes no contractual duty to the payer if he is not a customer of the bank.[9] The case of Abou-Rahmah v Abacha is also authority that a receiving bank will not owe a duty of care in tort to a payer of funds save in exceptional circumstances. The question is whether “exceptional circumstances” might include a situation where the receiving bank is put on notice that its accounts are being used for fraudulent purposes.

The PSR Response states that there are two main ways in which receiving banks can help prevent push payment scams. The first involves monitoring of inbound payments to identify potentially suspect activity. Where a bank routinely undertakes such activity, and if it can be shown that a failure to do so resulted in a fraudulent payment being completed, it might be possible to argue that the receiving bank is in breach of a duty to the payer.

A second way in which receiving banks could help to stop frauds is to prevent payment accounts falling under the control of scammers.[10] Questions have therefore been asked whether a receiving bank is under a duty not to open an account in the name of suspected fraudsters. Banks are of course subject to regulatory requirements to “know your customer” and to carry out due diligence to prevent money laundering.[11] They are also subject to FCA regulations which require them to have adequate policies and procedures to counter the risk of being used for financial crime.[12] However, these regulatory duties are owed to the FCA and although they could be punishable by fines for breach of statutory duty, they do not translate into duties owed directly to bank customers.

Unauthorised “pull” payments

Banks are generally legally liable to customers for frauds committed which do not involve the customer authorising payment. If the fraud does not involve the active authorisation by the customer – for example, where a bank card has been stolen – the bank will be under an obligation to repay the customer after the point where he or she notified the bank of the loss or theft of the card. Another potential area of dispute is therefore where a customer has been the victim of an unauthorised payment scam, but the bank refuses to accept liability on the grounds that the customer has been negligent.

Under both the common law and relevant legislation, a customer will only be liable when he has been guilty of gross negligence.[13] The customer is required to:

  • use the payment instrument in accordance with its terms and conditions;
  • inform the PSP “without undue delay” on becoming aware of the instrument’s loss, theft, misappropriation or unauthorised use; and

FCA guidance says that what constitutes reasonable steps will depend on the circumstances, but PSPs must say what steps they expect customers to take in their pre-contract disclosure information. However, those requirements may be unenforceable if they are not reasonable. The FCA’s view is that a contractual term which prohibits the customer from writing down or recording a password or PIN in any form goes beyond “reasonable steps” (and may potentially be unfair under the Unfair Terms in Consumer Contracts Regulations 1999).

Examples of a customer’s obligations have also been set out in case law. For example, the customer is obliged to make out a payment order or cheque in a way that will not facilitate fraud or forgery.[16] However, there is no wider duty to take reasonable precautions to prevent forged cheques being presented or to check bank statements to identify unauthorised payments.[17]

Nevertheless, with online forgery set to increase, banks may be reluctant to continue to pay out losses to customers who they believe have acted carelessly. The evidence suggests that they may seek to avoid liability and this area too may become a battleground for liability claims between banks and their customers.