New year, new Quincecare decision
Published on 2nd Feb 2021
Latest ruling on duty to protect against fraud is a victory for banks but fintechs must still be vigilant
Several milestone cases have broadened the scope of the Quincecare duty of care since its establishment in 1992, but, against this tide, the first reported Quincecare case of 2021 – Philipp v Barclays Bank UK plc – is a victory for financial services providers. This case has established that Quincecare does not extend to natural persons (absent the involvement of a third-party providing instructions on their behalf) and, in practical terms, is limited to protecting corporate customers.
The 1992 case of Barclays Bank plc v Quincecare Ltd established that banks operating current accounts owe a duty to companies not to process a transaction where there are reasonable grounds to suspect the payment may be a misappropriation of company funds. The duty is primarily designed to protect corporate customers against fraudulent mandates. Prior to the recent Philipp case, the Quincecare duty has only been recognised where a company's (purported) agent had fraudulent motives (for example, a rogue director withdrawing company funds for personal gain).
The courts recognise the tension between the Quincecare duty and a bank's duty to execute valid and proper mandates promptly. To reconcile this, the Quincecare duty is subordinate and ancillary: "red flags" must trigger the duty. The courts are also mindful of the commercial reality of the sheer volume of transactions that go through worldwide financial systems every day.
There has, however, been "duty creep" in the types of financial services business that have been held to owe the duty to their customers. Starting with high street banks in the inaugural Barclays Bank v Quincecare decision, the courts have since recognised the duty in the context of investment banks (Federal Republic of Nigeria v JP Morgan Chase Bank and Singularis Holdings v Daiwa Capital Markets Europe) and, most recently, payment service providers (Hamblin and another v World First). There were concerns that Quincecare was evolving into a broad and general duty to protect against fraud that would be impractical to adhere to for institutions, particularly fintechs.
The recent case of Philipp bucks the trend of claimant-friendly Quincecare decisions.
Mrs Philipp instructed two large overseas payments (each over £300,000) to a fraudster. Importantly, she gave those instructions in person at bank branches. Both in the branch and via follow up phone calls, the bank carried out identity verification procedures and confirmed with Mrs Philipp that she was authorised to make the payments and wanted to do so. This type of fraud, where a customer is tricked into making a payment, which is genuinely authorised as between the bank and its customer but is ultimately fraudulent, is known as authorised push payment or APP fraud.
Mrs Philipp alleged breach of the Quincecare duty on the basis that the bank's safeguarding procedures failed to identify the red flags that would have caused the Quincecare duty to arise (large transactions to new international payees in quick succession). To succeed, Mrs Philipp needed to convince the court that, contrary to the recognised boundaries of the Quincecare duty to date, the Quincecare duty extended to her as an individual (as opposed to a corporate) customer in circumstances where she directly instructed the bank herself.
Barclays applied for the claim to be struck out and for summary judgment in its favour on the basis that the Quincecare duty is rightly confined to those very boundaries.
The court agreed with Barclays: the Quincecare duty does not arise where an individual customer legitimately provides an instruction. The court was also unwilling to devise a list of red flags, which would impute constructive awareness on banks, and held that the standard remains that of the ordinary prudent banker.
As a matter of civil procedure, it is noteworthy that Barclays succeeded in obtaining summary judgment against the conventional wisdom (which the court invoked in Hamblin, where the applicant bank was unsuccessful) that developing areas of law are not well suited to summary determination. Mrs Philipps has indicated her intention to appeal.
Limited victory for fintechs?
The Quincecare duty presents specific challenges to fintechs because cumbersome anti-fraud checks could get in the way of the speed and automation that sets their user experience apart from traditional banks. While fintechs, particularly those with a significant private individual customer base, can take comfort in the Philipp decision, these challenges remain. In particular, the bank had the benefit of the customer standing in front of them (although still required to verify their identity). Fintechs will need to continue to ensure the robustness of their equivalent payee protection measures, such as identity and authority verification.
This article was written by Charles Crowne, Partner, with the assistance of George Oakes, trainee solicitor.