News

Partners Paul Brehony and Simon Fawell discuss the recent High Court case Tecnimont Arabia v NatWest and the scope for money laundering reform, in Fraud Intelligence.

Paul and Simon’s article was published in Fraud Intelligence, 15 January 2022, and can be found here. A version of Paul and Simon’s article was also published in Law.com, 22 February 2022, and can be found here.

How far should banks be liable for the frauds of others where their procedures should have alerted them to potential issues? Tecnimont Arabia Limited v Natwest heard recently before the English High Court and for which judgment is expected in early 2022 may be about to extend the scope of banks’ liability even where the victim of the fraud is not their direct customer.

The case, in turn, raises questions around how effective banks’ ‘know your customer’ (KYC) and fraud monitoring systems are in practice and whether they meet the goals set down by English law and regulation.

The extent of banks’ liability for frauds perpetrated through their payment systems has been in sharp focus before the English civil courts. In particular, the UK Supreme Court’s 2019 ruling in Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd upheld the first successful claim for breach of the so-called Quincecare duty of care. The Quincecare duty comes into play in certain circumstances where an authorised signatory of one of the bank’s deposit-holder customers gives instructions for payment which later turn out to be fraudulent. Provided the bank has been put on inquiry that the payment instruction may be fraudulent, the Quincecare duty requires that it refrains from making that payment until its concerns have been adequately addressed.

The Quincecare duty, however, is of no assistance to parties who have no direct relationship with the bank. In practice, this creates a serious issue for recovery in the vast majority of cases as it is often the recipient bank rather than the bank making payment that will be best placed to spot that the relevant payments are unusual and potentially fraudulent. It has historically been extremely difficult to claim recourse from banks where the Quincecare duty does not arise but, if the Tecnimont claim succeeds, it potentially opens the door to much broader liability.

This was the case in Tecnimont v Natwest which concerns a classic authorised push payment (APP) fraud from 2018. Tecnimont had intended to make a US$ 5 million payment to a group company and a request was made internally for the relevant account details. After those details had been obtained, hackers gained unauthorised access to the corporate email account of the Group Finance Vice President and sent an internal email from that account providing alternative account details for the proposed payment. Payment was duly made to the ‘false recipient’ account which was held at NatWest in the name of Asecna Limited, an English registered company. Once payment had been received into the account, it was distributed over the following two days to accounts in a variety of jurisdictions by way of 29 separate transfers.

Unable to follow the US$ 5 million which had long since been transferred away, Tecnimont now seeks to recover the funds from NatWest on the basis that, despite a number of its KYC and anti-fraud flags having been triggered, NatWest failed to stop the onward dissipation of the US$ 5 million received into Asecna’s account. While those flags were raised within NatWest, they were overridden by calls from Asecna’s sole director stating that he was trying to make a payment but had been locked out of the account. Without a direct relationship between Tecnimont and NatWest, the Quincecare duty did not arise. Tecnimont instead founded its claims on principles of unjust enrichment and unconscionable receipt in equity, referencing standards of care established by regulatory bodies including the Financial Standards Authority (FSA) and the National Crime Agency (NCA).

At the heart of the case is an argument as to who should bear the primary responsibility for the fraud having been allowed to proceed. The classic defences to claims of unjust enrichment and unconscionable receipt are ministerial receipt (i.e. the bank received the money as an agent for Asecna and paid it away on Asecna’s instructions on principle before becoming aware of the fraud) and good faith change of position (i.e. the bank received the funds in good faith, not knowing of the fraud, and changed its position in reliance on the payment by distributing it according to Asecna’s instructions).

Tecnimont argued at trial that an employee working on NatWest’s Bankline Fraud team shut his eyes “in a way that a reasonable and honest man would not have done.“. “Dishonest mishandling” of alerts relating to the transaction “created the risk of fraud” and the bank failed to prevent the disbursement of the fraudulently obtained money in bad faith. Among the flags relied upon by Tecnimont were that, in the months before receiving payment of US$ 5 million, the Asecna account had maintained an overdrawn balance of between £400-£600 and there had been no transactions on the account over £60. Similarly, Tecnimont alleged that, at the time the Asecna account was opened, its accounts disclosed a single employee and an annual turnover in the range £100,000 to £249,000, none of which came from outside the UK.

For its part, NatWest argues that no single individual on its team had sufficient knowledge to put them on notice of a potential fraud such that their conduct in not preventing dissipation of the US$ 5 million amounted to bad faith or commercially unacceptable behaviour.

NatWest also contends that Tecnimont itself had every opportunity to prevent the fraud and that NatWest’s duties to follow the instructions of its own client should not be overridden. The fraudsters gained access to the Group Finance Vice President’s email account because he clicked on an attachment in a phishing email and entered his username and password. Tecnimont also went ahead with payment to the revised account details despite the email purporting to be from the Group Finance Vice President containing numerous errors and requiring payment to an account in the wrong name and in a jurisdiction different from the group company intended to be the recipient.

Proving that a bank had actual knowledge of likely fraudulent activity has historically been one of the main hurdles to establishing liability in this type of case. In this instance, Tecnimont argued that NatWest’s systems were designed so that they were unlikely to detect the use of accounts for fraud or money laundering by its customers until it was too late.

Not dissimilar arguments were run in SIB v HSBC, which is to be heard by the Supreme Court later this month [January 2022].  In this case, SIB argued that, when dealing with a large corporate entity, it ought to be possible to deploy actual and constructive knowledge to make good corporate knowledge fractured by alleged systematic and personnel failings.  This argument was unceremoniously struck out at first instance and given equally short shrift by the Court of Appeal.  Although this is plainly a developing area of the law, this would suggest Tecnimont may face an uphill struggle to get home in this case.

Whether or not Tecnimont is ultimately able to recover from NatWest (and there are a number of technical defences raised by NatWest that may prevent recovery whatever the court’s findings on knowledge), the arguments raised by Tecnimont shine a light once again on how diligently banks enforce KYC and anti-fraud regulations and whether those regulations facilitate systems that actually do very little to prevent fraud.

Presently, the rather curious position is that there is greater scope for civil liability where a bank fails to prevent its own customer from being defrauded rather than failing to prevent a fraud perpetrated by one of its customers. If the Tecnimont case does pave the way for more claims of the latter type, greater risk of civil liability may itself prompt banks to look again at their systems and focus more keenly on preventing frauds perpetrated by their customers.

The case does, however, also serve to illustrate broader deficiencies in the UK’s KYC, anti-fraud and anti-money laundering regimes. Recently, a significant report on the UK’s AML regime by Chatham House concluded that a significant overhaul was required, finding in the process that: “The British government has placed combatting serious organised crime at the centre of its foreign policy, but often fails to recognise the intimate connections UK society and institutions have with kleptocratic states and their elites, the latter of which continue to find a home-from-home in London”.

The report also found, “a failure of enforcement by the National Crime Agency and other UK state bodies, as expensive and capable lawyers (hired by members of transnational elites or their advisers) defeat or deter the regulators’ often weak and under-resourced attempts to prosecute politically exposed persons”.

Further development of civil liability in cases such as Tecnimont will help commercial organisations to hold banks to account, but further tightening of the regulatory regime looks likely. For example, the government is currently reviewing the responses to its 2021 “call for evidence” on the UK’s AML and counter-terrorist financing (CTF) regimes. This review promises to “assess the progress that has been made in addressing concerns around the inconsistency of supervision and consider how the structure of supervision benefits the overarching objectives of the system. It will also consider the potential drawbacks of the regime, including remaining inconsistencies and potential gaps resulting from the structure: reaching a view on the effectiveness of our current system.” HM Treasury is to publish this report before 26 June 2022.

This is an area of sharp focus for both banks and potential victims of fraud alike and one that will be developing quickly with regulatory tightening and more cases such as Tecnimont in the pipeline that will push the boundaries on civil liability where the banks fail to meet expectations.