Partners Simon Fawell and Paul Brehony and Counsel Kate Gee examine the UK Supreme Court’s long-awaited decision in the case of Philipp v Barclays Bank UK on the so-called Quincecare Duty.
Simon, Paul and Kate’s article was published in Thomson Reuters Regulatory Intelligence, 24 July 2023, and can be found here.
Banks can breathe a sigh of relief and victims of authorised push payment (“APP“) fraud must find alternative routes to recovery, following the long-awaited UK Supreme Court (UKSC) decision in Philipp v Barclays Bank UK PLC  UKSC 25 on the scope of the so-called ‘Quincecare Duty‘ was handed down on 12 July 2023. The decision reverses the apparent expansion of the Quincecare Duty to cover third party fraud, but does leave the possibility for victims’ banks to be liable in certain limited circumstances.
The Quincecare Duty derives from the eponymous Barclays v Quincecare judgment in 1988 (although not reported until 1992) and sets out circumstances in which a bank may be liable to its customer for allowing payments to be made where the payment instructions are given fraudulently. In such circumstances, the customer’s bank may be liable where it is ‘on inquiry’ (i.e., a reasonable banker would have grounds to believe) that the payment may be fraudulent without first taking steps to satisfy itself that the proposed payment is legitimate.
Importantly, the Quincecare Duty had only ever been applied in circumstances where the fraudulent actor was the individual giving the payment instruction (e.g., a company employee directing corporate funds to his own personal account). That is until the Court of Appeal decision in Philipp v Barclays which adopted an expansive view of wording in the 1988 judgment to determine that the Duty could, in principle, apply to frauds perpetrated by a third party. In particular, Mrs Philipp and her husband fell victim to an elaborate APP fraud (the generic term to describe frauds where the victim is induced to make voluntarily a payment to the fraudsters bank account – a classic case would be where a fraudster infiltrates the victim’s email system to provide false account details for payment of an otherwise legitimate invoice).
The UKSC, however, disagreed with the Court of Appeal’s decision, ruling that, while the result in the 1988 Quincecare ruling was correct, the stated reasoning, which allowed the possibility for the Court of Appeal’s expansion of the principle in Philipp, was flawed.
In the UKSC’s view, the logical rationale for what has become known as the Quincecare Duty is a simply question of agency. Where an agent, such as an employee of a company, provides payment instructions on the customer’s behalf, it does so with authority from the customer. If the agent is acting to defraud the principal, it is acting outside the authority given to it. Ordinarily, the bank will be able to rely on the agent’s ‘apparent authority’ to carry out the payment instruction without fear of liability even where the agent is, in fact, acting outside of the authority given to it. However, where the bank is ‘on inquiry’ that the agent may be acting fraudulently, any apparent authority is destroyed unless and until steps have been taken to verify that the payment instruction is genuine.
This, the UKSC said, cannot apply to circumstances in which a customer (or a customer’s agent) is tricked by a third party into making a payment. In those circumstances, the customer’s instructions are honestly given and do not amount to an attempt by the person giving the instructions to “misappropriate” the customer’s funds (the phrase used in the 1998 Quincecare judgment). The customer is attempting to cause the bank to transfer funds which are the customer’s to dispose of and in accordance with their own wishes. While the consequence of executing the payment instruction may be that the funds are misappropriated, that is not to say that the payment instruction itself amounts to a misappropriation and the person giving the payment instruction will, in the ordinary course, have had actual authority to do so. In making its ruling, the UKSC stressed that, provided the payment instruction is properly given, it is not for the bank to concern itself with the wisdom or risks of the customer’s payment decisions. Rather, the bank’s basic duty is to comply promptly with its customer’s instructions.
The Supreme Court also made clear that, while APP fraud is a growing problem which can undoubtedly cause great hardship to its victims, it is a matter of social policy, to be considered by regulators and government, whether the victims of such frauds should be left to bear the loss themselves or the losses should be reimbursed by banks who made or received such payments. It is not for the courts to formulate policy of this type or to impose on contractual parties’ obligations to which they have not consented and cannot reasonably be presumed to have consented.
Notably, the UK Government has responded to some extent to the growing problem of APP fraud. As acknowledged in the UKSC’s judgment, the Financial Services and Markets Act 2023, which received Royal Assent on 29 June 2023, does provide for a mandatory reimbursement scheme to be applied in some circumstances “where the payment order is executed subsequent to fraud or dishonesty“. The scheme provides (subject to adjustment through a dispute resolution process) for a 50-50 allocation of losses between the sending and receiving providers. Presently, however, qualifying cases are limited to payments executed over the Faster Payments Scheme and victims who can benefit are confined to consumers, charities and “micro-enterprises”.
Experience suggests, however, that many of the victims of APP fraud are larger corporations. For those entities, there remains some considerable frustration that, while banks (both paying and receiving) are required to have in place extensive KYC and real-time fraud monitoring systems in place, those systems do not necessarily prevent payments from being made even when an alert has been triggered, and, where the systems fail to meet intended standards, there is limited or no recourse for victims. The UKSC decision in Philipp did, however, leave open the possibility for claims where a bank receives reliable information, not known to the customer, that the customer’s payment instruction has been procured by fraud but nevertheless executes that instruction without first alerting the customer and checking it still wishes to proceed. However, the UKSC also made clear that such an obligation would not have been triggered in Philipp as all of the circumstances that Mrs Philipp alleged should have put the Bank on notice of a potential fraud were matters already known to Mrs Phillip herself such as the size of the payments, the fact that the payments were to be made to the UAE and that Mrs Philipp had no prior relationship with the receiving companies. Such an implied obligation could potentially apply, however, where a bank’s fraud monitoring systems are triggered and the customer would otherwise be none the wiser. Notwithstanding this limitation, this is undoubtedly an avenue that victims of APP fraud will look to explore in future cases.
Notably, Mrs Philipp’s legal journey is not quite over as one aspect of her case did survive the UKSC’s ruling. In addition to her claim that the Bank breached its duties to her by making the payments in the first place, Mrs Philipp alleged that the Bank failed to act sufficiently quickly to recover her lost funds once it had become aware of the fraud. The UKSC agreed that this was, indeed arguable, and should be determined at trail. That aspect of the case now returns to the High Court where it will proceed in the usual manner and be watched with great interest by the wider market.
Sylvie Gallage-Alwis and Nikita Yahouedeou discuss the DGCCRF’s recent practical guide to online shopping and consumer rights in Le Monde du Droit
28 November 2023
28 November 2023