Cat MacLean: Online fraud – when is a bank to blame?
Cat MacLean, partner and head of dispute resolution at MBM Commercial, explores the judgment issued yesterday morning in Sekers v Clydesdale CSOH 89.
Online fraud has been on the rise for many years. The advent of lockdown and working from home has seen the volume of attacks increase by one third in the past year, bringing more opportunities for fraudsters to exploit security systems. In most cases, recovery from the fraudsters themselves is impossible.
A judgment issued this morning in the Court of Session in the case of Sekers v Clydesdale Bank may, however, significantly and positively alter the legal landscape for customers seeking to recover from their bank when a fraudulent attack has taken place.
Until now, what was considered to be the leading case on the circumstances in which a bank could be held to blame when fraud has occurred actually predates the age of internet banking, having been decided in 1992. In Barclays Bank v Quincecare the court held that the bank should not execute an order if it had reasonable grounds for believing the order was an attempt to misappropriate the customer’s funds. There wasn’t much case law which touched on Quincecare for many years, beyond a 2019 Supreme Court decision in Singularis Holdings Ltd, which confirmed that a bank had breached its Quincecare duty of care to its customer.
For many years, legal practitioners tended to refer to the “Quincecare duty” as pivotal when considering when and whether a bank might be liable in cases of online fraud. Then an English High Court case from 2021, whilst refusing to apply Quincecare on the facts, significantly restricted the ambit of the Quincecare decision to internal fraud only. It appeared that the range of circumstances in which a bank might be liable to its customer when a fraud had taken place might have narrowed significantly.
In Philipp v Barclays a decision by the trial judge significantly limited the Quincecare duty to situations of misappropriation of the customer’s funds by internal fraud by a bank employee. According to this new decision, the Quincecare duty does not apply to authorised payments made to third parties without the complicity of a bank employee.
In Scotland, meantime, the case of Sekers v Clydesdale Bank had been slowly making its way through the court system, reaching Debate in June of this year. The issuing of the judgment in this case this morning by Lord Clark offers more than just a glimmer of light to customers who have been the target of fraud.
In Sekers, the pursuers argued that it was an implied term of the contract between bank and customer that the defender had a duty to exercise reasonable skill and care. Several breaches of that duty were alleged: (1) the integrity of the defender’s security system had been compromised; (2) the security advice offered in relation to management of the online banking facilities was inadequate; (3) the bank’s operating software ought to have recognised that unknown IP addresses were suspect; and (4) that the advice tendered by the bank’s employees on the day in question fell below the required standard.
Sekers were targeted by a sophisticated fraudster who claimed to be from the bank’s fraud team. In March 2017 the company’s cashiers had received a call from the fraudster who gave his name as “Steve” and who purported to be from the bank’s fraud team. He said that the company’s bank account had been blocked by the bank as a precautionary measure; this type of situation had happened before to the company. The fraudster said he would work to unblock the account.
The two cashiers dealing with the fraudster were uncertain and sought reassurance that the call was genuine from both the bank’s helpdesk and the relationship manager (RM) assigned by the bank. Both helpdesk and relationship manager took details from the cashiers, but gave no advice to the cashiers as to what they should do. The call handler at the helpdesk indicated that he would look into matters, but gave no advice beyond this as to what the cashiers should do meantime. The relationship manager said that the cashier should attempt to obtain Steve’s full name, and should then send the RM an email. The cashier duly did so. No further advice was given by either the helpdesk or the RM. Critically, neither told the cashiers to do nothing until the caller’s true identity had been clarified, and neither took any steps to suspend activity on the company’s account until the position was clarified. Neither cashier was told that they must not make payments. The cashiers felt reassured that everything seemed to be in order, and understood that either the helpdesk or the relationship manager would come back to them if anything was untoward.
In due course, Steve asked the cashiers to regain access to the web portal and process a number of “blocked” payments. Payments totalling £566,000 were made from the account (a small amount of which was later recovered). The majority of the transferred sums were lost to the fraudster.
At Debate, the pursuer argued that it was central to distinguish between the defender’s general duty of care and the Quincecare duty. The former covered the whole range of banking business undertaken by a banker for a customer, and the pursuer argued that the bank’s duty to exercise reasonable skill and care extended to all of its customer’s instructions, and that a payment instruction which elicits, or ought to elicit, suspicion through the tell-tale signs of a fraud ought not to be implemented. It was wrong to say that a bank had no duty of care in relation to a customer’s payment instruction beyond its execution.
In his judgment, Lord Clark distinguished Philipp on the basis that the plaintiff’s case had been much broader than the pursuer’s case in Sekers, and that the cases relied on by the pursuer in Sekers, bearing upon the bank’s general duty, including Hilton v Westminster Bank in 1926, Selangor United Rubber v Cradock in 1968 and Karak Rubber Co v Burden in 1972, were not before the court. The factual distinctions between the two cases were evident: there were no reasonable grounds in Philipp to intervene, whereas in Sekers the pursuer had actively sought the bank’s reassurance that the intended transactions were genuine.
Lord Clark found that the first three duties contended for were not capable of being established on the pursuer’s averments, but that in relation to the fourth, relating to the overall duty of care, “without full evidence on the factual circumstances here it would be inappropriate for me to conclude on the nature and scope of any duty…The nature and scope of such a duty, and whether it has been breached, are matters to be determined after inquiry. There are in my view sufficient averments to justify inquiry on the issue of whether on this ground there was a breach of duty to exercise reasonable skill and care”.
Philipp clearly restricted the circumstances in which a bank could be liable to a customer for fraud, but Sekers appears to provide a significantly wider avenue to claim against a bank, in reliance on the earlier cases of Hilton, Selangor and Karak, which were not pled in Philipp.
What does this mean for other online fraud cases? It is clear that the question of whether the general duty of care owed by a bank has been breached in any given case will be very fact-specific. The crux of the Sekers argument is that the Bank were put on notice by the company of a potential fraud attack and that, in ignoring this, the general duty was breached – taking it outwith both the Philipp situation and beyond the Quincecare duty.
At heart, the Sekers decision will give hope to many. It seems clear that, as a general principle, a duty is owed by a bank to its customers to apply reasonable skill and care in its dealings with the customer, extending across the whole range of its customer’s ordinary banking business, including the processing of online payments. The duty includes dealing with communications which a customer sends in relation to its banking business. The precise nature and scope of the duty, in particular the risks of harm to the customer against which the law imposes on the bank a duty to exercise reasonable skill and care, will depend upon the specific context.
The critical issue for Sekers was the communications made by the cashiers to the helpdesk and the RM prior to authorisation of payment, and the question, which could only be determined after factual evidence has been led, of whether steps ought to have been taken by the defender in advance of the transfer of funds which would have resulted in these not proceeding – the most obvious of which would be the issuing of an instruction to do nothing and take no action until the bank had verified “Steve”’s identity and confirmed to the cashiers that he was genuine.
I began this article by stating the obvious: online fraud is sharply on the rise. More and more individuals and businesses will be successfully targeted, particularly with a greater shift to remote working. For those in a similar situation, who have suffered an online fraud, the key to trying to establish that you fall within the scope of the general duty is to show – as in Sekers – that the Bank was put on notice that there were grounds for suspecting fraudulent activity was taking place, and therefore that the Bank should have made inquiries. If the bank failed to do so, the chances of establishing a breach of the general duty on the facts appear in light of the Sekers decision to be significantly enhanced.