The buck stops here: the limits of bankers’ Quincecare duty for push payment fraud
Fiona Lorraine Philipp v Barclays Bank UK PLC [18.01.21]
Fiona Lorraine Philipp v Barclays Bank UK PLC  (Philipp) concerned a couple, the victims of a “push payment” fraud, who were unable to recover damages from their bank for failing to prevent the payment of substantial sums to the fraudster. The High Court found that the so-called “Quincecare” duty of care on financial institutions had not been engaged. The Quincecare duty has recently been the subject of review by the Supreme Court in Singularis (In Official Liquidation) v Daiwa Capital Markets Europe Ltd (Singularis).
Philipp will be of interest to financial institutions and their insurers.
Push payment fraud
Authorised push payment fraud (APP) is a fast-growing and targeted form of fraud analogous to “phishing”. APP fraudsters (usually impersonating a banker, conveyancer or public authority employee) use scare tactics to trick their victim into transferring funds, often by claiming to be assisting the victim to avoid an attempted fraud.
Finance UK estimates that nearly one billion pounds has been lost over the last three years to APP fraud, with the vast majority of these moneys being solicited from personal bank accounts held in retail banks to foreign accounts outside the reach of the UK authorities. Often the victims are elderly and the consequences can be devastating. Unsurprisingly, APP frauds have led to victims attempting to seek redress from their back who they assert owed them a duty to detect and prevent the fraud.
The rule in Singularis
Prior to Philipp, the precise limits of the implied duty placed on banks to use reasonable skill and care when executing a customer’s instructions (i.e. the so-called Quincecare duty) were unclear, with little contextualisation or guidance as to the extent to which financial institutions must go in discharging their duty of care to protect client funds from misappropriation.
In Singularis, the scope of banks’ duty of care under Quincecare was applied so as to include the implementation of appropriate policies and procedures for verifying payments where there is a potential misappropriation of funds by a customer’s agent (such as a company director). This left open the question as to the extent to which banks must take positive and proactive steps to authenticate the payment activity and instructions of customers themselves.
The rule as refined in Philipp
In Philipp, the Quincecare duty has been refined in the context of APP fraud and the decision provides financial institutions with guidance on what is expected of them in circumstances where their customers are victims of APP and other similar frauds.
The claimant and her husband were misled by fraudsters posing as investigators with the Financial Conduct Authority (FCA) who convinced them that an official investigation was being conducted into affairs at their bank. The Philipps’ were persuaded to transfer £950,000 of their savings to “safe accounts” controlled by the fraudsters, which were never recovered. The Philipps’ executed the transfers and on three occasions attended a branch of the bank to confirm their instructions. They did this despite receiving warnings from the police and close friends that they were being deceived.
Mrs Philipp, the account holder, brought an action against Barclays asserting that the bank owed her a Quincecare duty to stop the funds from being misappropriated. In Singularis, the Supreme Court had expanded the scope of banks’ duty of care under Quincecare to include appropriate policies and procedures for verifying client payments which, on the facts of that case, the Supreme Court found to have been breached.
In Philipp, however, the court found that, in the circumstances of the push payment fraud perpetrated on the Philipps’, there was no expectation that Barclays would take further, positive steps to probe the validity of the payment instructions given by the bank’s customer. Specifically, the judge emphasised that Barclays should not be burdened with the obligation of (1) putting additional procedures in place to detect and circumvent prospective push payment fraud and (2) refusing to act on customer instructions which are prima facie legitimate and where there was nothing to put the bank on inquiry.
As noted by the judge in Philipp, UK banks have already been subjected to regulations designed to combat the mounting cases of phishing and APP fraud, including the Contingent Reimbursement Model Code 2019 which can be found here.
Comment: clarity at last?
The clarification provided in Philipp will be welcomed by financial institutions and their indemnity insurers. In the context of APP (and similar) fraud, the Quincecare duty has been limited to a general, common law duty for the bank to abide by the standards of honest and reasonable conduct, effectively excluding any obligations for banks to call into question what appear to be genuine instructions from a customers The Quincecare duty therefore will not generally apply where payments are specifically authorised by the customer, and the duty will be confined to instances were suspicions are raised, or ought to have been raised, that there is an attempt to misappropriate customer funds.
Whilst a consequence of the Philipp decision is that the victims of APP fraud and similar scams are likely to be deprived of any means of redress, the court has recognised that there is a natural limit to which banks should be expected to bear the burden in circumstances where, in the vast majority of cases, they have no practical means of second-guessing customer instructions or of detecting a likely fraud.