Banks have to exercise care towards their customers to avoid customer money being removed from accounts fraudulently. But there are limits on how far that goes – as confirmed recently by the Scottish courts.

Authorised Push Payment (“APP”) fraud, is a particularly nasty scam where fraudsters deceive consumers or individuals at a business into sending them a payment. The unsuspecting individual is tricked into thinking they are making a genuine payment to a legitimate bank account, but (surprise, surprise) are in fact making payment to the fraudster’s account. APP fraud is distinct from other types of deceptions, because the payment is in fact legitimately and properly agreed to by the customer, who intends the payment should be made as they instructed.

It is this type of fraud that formed the background to the recent case involving Clydesdale Bank PLC and its customer, Sekers Fabrics.

Background

The rather unfortunate chain of events unfolded as follows. Sekers had a business account with the Clydesdale. While using the online banking system an employee of Sekers (let’s call her “Jane Smith”) received a call from “Steve” (you guessed it - the fraudster). He pretended to be from the bank’s High Level Fraud Team and told Jane Smith that Sekers’ account had been blocked by the bank as a precautionary measure and he had now unblocked it. He instructed her to make some test payments to make sure the account was working normally, assuring them that no money would actually be transferred.

However, dual authorisation was required, so Steve proceeded to call another employee of Sekers (let’s call him “John Smith”) to authorise the test payments. John Smith attempted to do so, but the online account showed an authorisation failure. During, what sounds like quite a chaotic spaghetti of telephone calls, Steve was transferred back to Jane Smith, while John Smith tried to call the bank’s Relationship Manager to ensure that Steve was who he said he was. John Smith couldn’t get through to the manager so emailed him requesting a call back urgently. John Smith then called the bank’s Business Online Helpdesk, which said they would look in to it.

By some jiggery-pokery, Steve knew that John Smith had tried to call the manager and was now on a call to the helpdesk. Steve was again transferred back to John Smith who was asked to process the blocked payments, which they succeeded in doing. However, as this was happening and to add to the chaos, Jane Smith received a call from the manager who told them to get Steve’s full name and email them about the events. Jane Smith proceeded to email the manager about the events and asked for reassurance the call from Steve was genuine. The manager replied asking for Steve’s full name and telling Jane Smith not to make any payments. Jane and John both thought that the manager would contact them if they had any concerns. However, no further calls were received from the helpdesk or the manager. Ultimately payments were made from the account totalling £566,000 to Steve.

The Claim against the Bank

Sekers argued that the bank had a duty to take care but had failed to do so as:

1. The integrity of the bank’s security system had been compromised allowing Steve to obtain sensitive financial information about Sekers’ bank account.
2. Security advice from the bank regarding the online banking platform was inadequate.
3. The bank’s software should have recognised that unknown IP addresses were being used and that payments were being made to accounts to which no legitimate payments had ever been made.
4. Advice by bank employees on the day fell below the required standard of care.

The bank agreed that it had to take care, but that it had not failed to do so – that it had done enough.

The Decision

The Scottish high court confirmed that a bank must exercise care in carrying out its operations, including dealing with communications sent by customers.

It also said that the bank must comply with a customer’s authorised instruction to make payment. However, a bank must exercise care in carrying out a customer’s payment instructions (this is called a “Quincecare” duty of care). The duty arises once there are reasonable grounds for the bank to believe that the instructions may be an attempt to steal the customers’ funds and requires the bank to (at least) refrain from carrying out the transfer.

The upshot of this is that Sekers could only recover its loss from the bank if the bank ought to have taken steps in advance of the transfers of the money to the fraudster, which would have stopped those transfers.

The court decided that the the bank did not need to take those steps as the bank’s duty to exercise care in carrying out a customer’s instruction did not apply in the present circumstances.  This is because it only applies if it is the agent/employee of the customer (i.e. Sekers here) which is committing the fraud. So, an external third party fraudster (Steve in this case) who influences the instruction of a payment, is not an interference with the authority of the customer. Therefore, in the circumstances, there was a sufficiently authorised instruction given to the bank.

However, in terms of the communications that took place before the payment was authorised, the court said these were still subject to a duty by the bank to take care and the court allowed that part of the Sekers claim to proceed to a full trial.

Comment

This case gives banks some comfort that the bank’s duty to take care in carrying out a customer’s instructions duty will not extend to those circumstances where a third party fraudster, unbeknownst to the bank, influences the instruction of a payment. That said, there still remains the overarching duty to exercise care which applies not only in the authorisation process, but also in any communications the bank has prior to an authorisation. Confirmation of Payee will play a part in reducing some of this type of fraud.  But it is vital that banks continue to have durable systems and controls in relation to fraud and continue to educate their customers to take extra care before transferring funds.

Please do not hesitate to contact us if you have any questions or would like assistance matters such as this.

Related News, Insights & Events