Quincecare: a challenge to fintechs providing business banking services

Many business banking customers are accustomed to the speed, flexibility and convenience offered by fintech.  They expect to be able to open accounts in minutes, have a loan approved immediately and process payments instantly and cheaply, with all these interactions taking place entirely online. The Covid-19 pandemic has accelerated the growth of digital business banking, particularly among small and medium-sized enterprises, and making a trip to a physical bank branch may be a thing of the past.

While businesses have come to expect near instant payment processing from fintechs, they also expect to be protected from fraud. The courts share this view and this creates an inevitable tension.  A recent spate of cases focusing on the so-called "Quincecare duty" has shone a light on the extent to which financial service providers are duty bound to stop payments that may be fraudulent. The development of this case law is of particular relevance to digital banks and payment service providers (PSPs) given their reliance on automated processes and customer expectations around speed and convenience.

The Quincecare duty

The 1992 case of Barclays Bank plc v Quincecare Ltd – from which the Quincecare duty takes its name – established that banks operating current accounts owe a duty to companies not to process a transaction where there are reasonable grounds to suspect the payment may be a misappropriation of company funds. It is primarily to protect the company against the fraudulent actions of its directors or other authorised personnel.

The rationale for the duty is the agency relationship between a bank and its customer, when making a payment from the customer's account. This agency relationship creates fiduciary duties, which manifest in an implied contractual term to take reasonable skill and care when providing the service.

If facts and circumstances arise that would lead a reasonably competent banker to conclude that the transaction in question may be an attempt to misappropriate company money, the bank is duty bound to investigate and is potentially liable for any loss to the company if it fails to do so and makes the payment notwithstanding.

While actions involving the Quincecare duty have remained relatively rare, the duty has been extended in subsequent cases so that it now applies to deposit-taking institutions (i.e. banks) and, it would appear, other PSPs.

Hamblin and Stanford

Two recent cases – Hamblin and another v World First Ltd and another and Stanford International Bank Ltd (in Liquidation) v HSBC Bank plc – have put Quincecare back in the spotlight, particularly for fintechs.

The case of Hamblin involved a claim by the victims of a sophisticated investment fraud against the PSP who innocently processed the fraudulent payment. The fraudsters were operating a limited company (Moorwand NL Ltd) and the claimants, Mr and Mrs Hamblin, were persuaded to pay £140,000 into Moorwand's account with the PSP. The money was then quickly dissipated by the fraudsters.

The Hamblins issued proceedings arguing that a constructive trust was created when they transferred the money to Moorwand, which entitled them to bring a derivative action on behalf of Moorwand against the PSP. They further argued (amongst other things) that the PSP owed a Quincecare duty to Moorwand, which was breached when the money was transferred out of Moorwand's account to the fraudsters. The PSP was therefore liable for the loss to the company (which the company was in turn obliged to pay to the Hamblins).

The Hamblins' case survived a reverse summary judgment application and will now proceed to trial if it does not settle. The most interesting aspect of the judgment was the unquestioning acceptance by the court that the Quincecare duty applied to a PSP providing current account style banking facilities to a company.

In Stanford, the liquidators of Stanford International Bank (SIB) (the investment bank run by Allen Stanford as a Ponzi scheme) sued HSBC for breach of the Quincecare duty. The liquidators alleged that it was obvious that payments being made by SIB from its accounts with HSBC were part of a fraudulent scheme and should have been stopped.

HSBC applied for reverse summary judgment arguing that as SIB was hopelessly insolvent at the time the payments in question were made it had suffered no real loss as a result of any breach by HSBC. The court disagreed and rejected HSBC's application, maintaining that the loss was real as SIB had been deprived of the use of the monies in question. The point to highlight in this case is that it is likely to encourage other liquidators to look at bringing claims against banks and other PSPs if they processed payments on behalf of insolvent companies that were being used as a vehicle for fraud.

Problems for fintechs

These two cases show how an increase in Quincecare-related claims could prove problematic for digital banks and PSPs providing the equivalent of current account banking facilities to companies.  The Quincecare duty is particularly challenging for fintechs as they pride themselves on speed and automation and will not want cumbersome anti-fraud checks to get in the way of the user experience that sets fintechs apart from traditional banks. Furthermore, fintechs often find themselves on the front line of the fight against cyber fraud and Quincecare provides liquidators and victims of fraud with an opportunity to target PSPs who unwittingly process fraudulent payments.

A potential solution is to expressly exclude the Quincecare duty in terms and conditions with business customers. From judicial commentary in the case of Federal Republic of Nigeria v JP Morgan Chase Bank, this appears to be possible, but very clear language will be required and there is a potential tension between the exclusion of this duty and existing regulatory obligations (for example, under the Payment Service Regulations).

These are difficult issues that fintechs will need to grapple with as they move into the business banking space.