By Caroline Brown and Olivia Pointon
Authorised Push Payment (“APP”) fraud is back in the spotlight following the Court of Appeal’s decision in Philipp v Barclays Bank UK Plc.
As part of a sophisticated social engineering scam, Mrs. Philipp was duped into making two large payments – of £300,000 and £400,000 respectively – into a fraudster’s bank accounts based in the UAE. This was an example of APP fraud – a scam by which fraudsters deceive victims into willingly transferring funds to the scammer (for example, by posing as bank representatives and exerting urgent pressure to move funds to a ‘safe’ account). Upon realising the fraud, Mrs. Philipp requested that the defendant bank attempt to recover the money, but recovery action was unsuccessful.
Mrs. Philipp issued proceedings against her bank, alleging breach of a duty to exercise reasonable care and skill in and about executing her instructions. She argued that this included having in place policies and procedures for the purpose of detecting and preventing potential APP fraud. Mrs. Philipp asserted that the nature and surrounding circumstances of her payment request should have put the bank on inquiry, such that it investigated further before carrying out her instructions.
This is characterised as the ‘Quincecare’ duty, which arises where a bank is on notice that a payment instruction may in fact be an attempt to misappropriate the account holder’s funds. In that scenario, the bank should refrain from executing the instruction pending inquiry.
Context and the first instance decision
The case centres around the question of whether the Quincecare duty applied, and was breached, by the bank.
To date, the duty has been found to protect corporate customers where payment instructions have been made to a bank by an agent, acting fraudulently, of the customer. It has not yet been applied to situations where individual customers (who have fallen victim to fraudsters) directly instruct their bank to make a payment.
The bank argued that the Quincecare duty therefore applied only to situations where the bank had been instructed by a customer’s agent. Unlike such cases, Mrs. Philipp herself had authorised the transfer, and so the duty did not extend to cover her situation. The Court agreed, and granted summary judgment in favour of the bank. Mrs. Philipp appealed.
The Court of Appeal has allowed the appeal, setting aside summary judgment against Mrs Philipp such that the case can proceed to trial, and noting in particular that:
- Whilst previous cases applying the Quincecare duty did relate to an agent’s instructions to a bank, the reasoning behind those decisions did “not depend on whether the instruction is being given by an agent”. It is “reasonably arguable that the duty would arise in any case when a bank was on inquiry that the order was an attempt to misappropriate funds”.
- At first instance, the Court had accepted the bank’s argument that to impose a duty of care would involve “onerous and commercially unrealistic policing obligations over the bank's basic obligation to act upon its customer's instructions”. The Court of Appeal did not agree, relying in part on evidence submitted by the Consumers’ Association (Which?) in support of Mrs. Philipp’s case, which included various decisions of the Financial Services Ombudsman in APP fraud cases, industry codes of practice, and guidance provided to banks relating to APP fraud. The Court held that there was “ample evidence” that the duty of care asserted was arguably not unworkable or onerous.
- Notably, the Court of Appeal held that the first instance decision was asking the “wrong question” in taking Mrs. Philipp’s argument to be that a bank needed to put itself on inquiry for “every payment instruction of any sort in any circumstances”. Instead, the questions are “about what facts would put an ordinary prudent banker on inquiry in the first place, and what further inquiries and steps” might follow.
What does this mean for banks and their customers?
The Quincecare duty does not depend on whether the instruction in question has been given to a bank by an agent. The decision opens up banks’ and PSP’s potential liability to individual customers (as well as to corporate customers acting via agents) where questionable payment instructions are being given, as part of an increasing focus on the role banks and financial institutions are expected to play in combatting APP fraud. That said, any examination of APP fraud cases will involve a careful “calibration” of the Quincecare duty in the context of ordinary banking practice.
However, the industry has taken steps to try and combat APP fraud – not least, the introduction of the Contingent Reimbursement Model Code for Authorised Push Payment Scams in 2019, which is a voluntary code providing guidance for institutions to detect, prevent and respond to APP fraud. We have previously reported here on a consultation initiated by the Payment Systems Regulator in respect of further proposed measures to combat APP fraud, including working towards making reimbursement for victims mandatory. Given the changes to the regulatory landscape, would an extension of the Quincecare duty in fact be the wholesale change many thought it might be?