Who can be held responsible when a rogue actor directs payment from a company’s bank account? Unless discovered quickly, stolen funds are usually quickly spirited away from easy recovery. Victims of fraud therefore look for other sources of compensation, including the bank itself who executed the instruction. In England, when banks and financial institutions have reasonable grounds to believe that a payment instruction is an attempt to misappropriate a customer’s funds, they owe a duty of care to that customer to refrain from making or executing the order and make necessary inquiries before proceeding.
This duty is known as the “Quincecare duty” after the case that first recognized it, Barclays Bank plc v Quincecare Ltd. It is owed to the bank’s customer and exists in parallel with a bank’s obligations under anti-money laundering and terrorist financing laws, as well as its reporting and record keeping obligations. Indeed, the same “red flags” that would put a bank on alert under these regulatory obligations will be relevant in assessing whether a bank was on notice of the risk of fraud such as to activate the Quincecare duty.
Despite the duty being recognized 30 years ago, there had been limited reliance on it historically. Courts sought to make sure the duty is narrow and confined such that there is only one case in England to date in which the duty has been found to have been owed and breached, Singularis Holdings v Daiwa Capital Markets. Cayman company Singularis held sums on deposit with Daiwa. As an authorized signatory, Mr Al Sanea instructed Daiwa to make payments out of the company’s account. The transfers were approved and completed by Daiwa, despite several signs that Mr. Al Sanea was perpetrating a fraud on Singularis. Singularis brought a claim against Daiwa for breach of the Quincecare duty, which was upheld by the UK’s Supreme Court.
The duty has, however, been pleaded in several recent high-profile cases which have given more clarity about its scope and application.
The significant cases in which the Quincecare duty has been considered have all involved instructions from an agent or authorized signatory of a company or firm, who was acting fraudulently or where a company was in the control of fraudsters. However, the Court of Appeal recently suggested that the Quincecare duty could apply to authorized push payment (APP) fraud cases as well, where an individual customer is deceived by a fraudster into authorizing a payment: see Philipp v Barclays Bank UK plc.
In a recent Hong Kong judgment, PT Asuransi Tugu Pratama Indonesia TBK (formerly known as PT Tugu Pratama Indonesia) v Citibank N.A., Lord Sumption (former UK Supreme Court Justice) doubted that individual customers (such as victims of APP fraud) could be protected by the Quincecare duty, and preferred the view that the duty applied to instruction from rogue agents of customer. While the decision is not binding on English courts, the market is waiting to see if this reasoning influences the UK Supreme Court’s decision in the appeal of Philipp v Barclays, presently awaited after a February 2023 hearing.
Recent data from UK Finance shows that there were ca. 95,000 cases of APP fraud in the first half of 2022 only, resulting in a loss of ca. £249.1 million. The possible extension of the Quincecare duty to cover APP fraud cases would be a significant step in the direction of providing more comprehensive protections to victims of sophisticated (often cyber-)frauds, whether individuals or corporates, and could have a significant impact on preventing such losses, albeit that it would shift a significant gatekeeper burden on to financial institutions.
The increased focus on protecting victims of fraud is a trend that spans other parts of the English legal system, as discussed in our article here in the context of jurisdictional gateways, and in the US as well, discussed here.
By contrast to England, there is no analogous duty or term implied into the customer relationship for US banks. That said, the scheme implemented by regulatory agencies to ensure that banks and financial institutions act with integrity and candour is likely to capture at least some of the equivalent frauds.
For example, the Bank Secrecy Act (BSA), 31 USC 5311 et. seq. establishes program, recordkeeping and reporting requirements for national banks, federal savings associations, federal branches and agencies of foreign banks. Under the BSA, a financial institution is required to file a suspicious activity report no later than 30 calendar days after the date of initial detection of facts that might signal criminal activity (e.g., money laundering, tax evasion).
Failure to abide by these requirements may result in an enforcement action by the US Department of Treasury’s Financial Crimes Enforcement Network.
It would require a significant policy shift for any US jurisdiction to establish a duty like Quincecare, and even within the UK, this duty may shortly be further circumscribed as courts grapple with the policy question of who should act as a gatekeeper against fraud, and in what circumstances to impose that obligation.