In welcome news for financial institutions, the High Court has emphatically rejected a claim that a bank had a duty to protect an individual customer from losses arising from her genuine instructions to make payments to a third party who was later discovered to be a fraudster.
The case of Philipp v Barclays Bank UK Plc  has confirmed that the Quincecare duty of care does not extend to cases where an individual customer issues a valid payment instruction, even where that instruction has been fraudulently induced by a third party. The decision clarifies that the Quincecare duty is confined to cases where payment instructions are given by the customer’s agent, and the financial institution knows or is put on inquiry that that instruction is part of an attempt to misappropriate the funds from the customer.
The duty is likely to have greater relevance therefore in the context of corporate customers, partnerships, unincorporated associations, and other relationships where instructions to financial institutions are delivered by agents such as directors, partners and/or other authorised signatories.
What is the Quincecare duty?
In 1992, the court held that contracts between financial institutions and their customers are subject to an implied term that the institutions will not execute their customers’ orders if they know or are put on inquiry that the instruction may have been given dishonestly. Importantly, this means that the financial institution may be subject to a positive duty to block a payment if it has reasonable grounds for believing that the payment is an attempt to misappropriate funds from its customer’s account. In these circumstances it must take reasonable steps to investigate the potential fraud.
After many years of dormancy in which the practical application of the Quincecare duty was rarely tested by the courts, there has been a recent rush of cases exploring its boundaries and effect. For more detail on the prior case law, please see our previous articles on the key Supreme Court decision of Singularis v Daiwa  and the Court of Appeal case of JP Morgan Chase v The Federal Republic of Nigeria  .
The factual background of Philipp
Dr and Mrs Philipp were the victims of a sophisticated APP scam in which the fraudster posed as an FCA employee working in conjunction with the National Crime Agency. The fraudster successfully persuaded the couple that they were required to move funds from Dr Philipp’s bank account, and the firm in which he had invested his savings, into “safe accounts” to protect them from an internal fraud allegedly being investigated within Dr Philipp’s bank (HSBC). The couple were warned not to tell anyone, even the police, on the basis that this might prejudice the underlying investigation.
In March 2018, Dr Philipp transferred £950,000 to Mrs Philipp’s account at Barclays. She subsequently attended separate branches on different occasions and instructed bank staff to make international transfers totalling £700,000 to UAE accounts (as required by the fraudster). Mrs Philipp confirmed to Barclays on more than one occasion that she wished to proceed with the transactions and continued with the transfers despite a police officer warning her about the potential for fraud following the initial transfer from Dr Philipp.
The pair were eventually persuaded by their friends to speak with the police and became aware of the scale of the fraud against them. Mrs Philipp, being the account holder, asked Barclays to recover the lost funds and subsequently issued proceedings against them. She alleged that Barclays had breached its duty of care to her as it was on inquiry as to the potential fraud and should have taken steps such as blocking her account, asking additional questions and, ultimately, should have prevented her loss. In failing to do so, and by failing to have preventative policies and procedures in place to detect and prevent APP fraud, she claimed that the bank had not complied with the Quincecare duty. It is worth noting that the Contingent Reimbursement Model Code (CRM Code) for APP scams did not apply to the Philipp’s transfers as the two payments were made in 2018, and so over a year before the CRM Code was introduced in May 2019, and as the CRM Code does not apply to international transfers.
Barclays applied to the court to strike out the claim and for summary judgment in its favour on the basis that there were no reasonable grounds for bringing the claim and/or no real prospect of success.
For the purposes of the summary judgment application, the question before the court was whether the Quincecare duty owed by the Bank required it to have in place the policies and procedures alleged by Mrs Philips, for the purpose of detecting and preventing the APP fraud or for recovering any monies transferred by the victims of the fraud as a result.
Despite expressing acute sympathy for the couple’s predicament, HHJ Russen QC gave summary judgment in favour of the bank, dismissing the claim on the basis that it was an attempt to elevate the existing duty of care to a duty to protect the customer from the consequences of her own decisions in circumstances where the payment instruction given to the bank was authorised and valid (despite the underlying fraud).
The court confirmed the following:
- A bank’s primary contractual duty is to act on its customer’s instructions and the circumstances in which a bank can deviate from that instruction are still very limited. The Quincecare duty is a subordinate and ancillary duty to the duty to comply with a customer’s mandate, and it does not permit the bank simply to decide not to follow instructions other than in the very specific circumstances in which the duty arises.
- When safeguarding against the facilitation of fraud and protecting innocent parties, the law cannot impose too burdensome a duty on banks which would effectively prevent them from carrying out effective banking transactions. The inevitable consequences of the submissions made on behalf of Mrs Philipp (if they had been upheld) would have been to impose a much wider legal duty on Barclays to ensure that the outcome of the transactions were different, either by refraining from executing Mrs Philipp’s instructions, or if it made the transfers, to recoup those funds at a later date. This is an impractical proposition.
- If the duty were to evolve so as to require institutions to “second-guess” the customer's own outwardly genuine instructions, there would need to be some form of clearly recognised banking code or industry wide standard defining the circumstances in which the need for such questions would be triggered. The court noted that no such code existed and that, in the context of individuals, it would be difficult to put in place a clear framework of rules by reference to which the duty might operate. This was a clear obstacle to the imposition of a more onerous duty.
- The Quincecare duty is confined to circumstances where the attempted misappropriation of funds is by the customer’s agent. Where the customer is an individual, the customer’s authority to give the payment instruction to the bank is apparent and must be taken by the bank or financial institution as real and genuine.
- In determining whether a financial institution should have been put “on inquiry”, i.e. have reasonable grounds to believe that an order is an attempt to misappropriate funds, the court cannot expect it to act as an amateur detective nor question the customer’s decision as to how their money is spent. As such, the duty cannot extend to a duty to protect Mrs Philipp from the consequences of her own decisions where, between herself and the bank, the actual payment instructions were valid and not given fraudulently. The court observed that “even a sole shareholder can steal from the company for whom he is a signatory at the bank” but that in this case, Mrs Philipp “could not steal from herself”.
Impact of the decision
The decision provides welcome confirmation that banks and financial institutions are not required to be an insurer of the last resort to individuals who have suffered APP fraud.
The court confirmed that the Quincecare duty is a common law duty which rests upon the more general concept of a bank adhering to standards of honest and reasonable conduct in being alive to suspected fraud. The duty has not been elevated to one of above the standard of an ordinary prudent banker and it does not oblige a bank to question its customer’s instructions.
In a society where fraud is an escalating problem, the decision gives comfort that the duty will be viewed in the context of what is commercially realistic for banks or financial institutions. They are not to be expected to give total protection for consumers in the war against fraud and they cannot be expected to protect individual customers against their own mistakes.
Depending upon the outcome of any appeal, Philipp offers helpful clarification about the applicability of the Quincecare duty to individual customers and may significantly curtail opportunistic claims.
However, there remains uncertainty around exactly what is required when the duty is triggered. There is no detailed industry guidance about the point at which the duty becomes live, and how banks and other financial institutions are expected to balance the competing duties to execute payment instructions promptly and to refrain from doing so where they are put on inquiry that an instruction might be dishonest. For the moment, banks and financial institutions must continue to make risk assessments on a case-by-case basis which inevitably makes this an area which is ripe for further litigation until the courts have further defined the requirements of the Quincecare principle.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2021