On 12 July 2023, the UK Supreme Court delivered its long-awaited judgment in Philipp v Barclays Bank UK Plc [2023] UKSC 25. The judgment concerns the duty previously known as the ‘Quincecare duty’ (from Barclays Bank plc v Quincecare Ltd [1992] 4 All ER 363). The ‘duty’, as interpreted by subsequent cases, was sometimes said to require a bank to broadly exercise “reasonable care” when executing a customer’s instructions.
However, the (unanimous) judgment has confined any duty to circumstances where the bank has reasonable grounds to believe that an agent is acting outside the agent’s authority (or other, limited, established grounds).
Facts of Philipp
In Philipp, the claimant (Mrs Phillipp) and her husband were victims of an elaborate fraud. The fraudster persuaded the Phillips that he worked for the UK Financial Conduct Authority, which (in conjunction with the National Crime Agency) was allegedly investigating a fraud within another bank. The fraudster ‘spoofed’ the phone number of the NCA and even convinced the Philipps not to trust the Metropolitan Police (who had warned the Philipps before they made the first transfer).
The Philipps were instructed by the fraudster to transfer significant sums to a supposedly ‘safe’ account in the UAE, which they did, losing some £700,000 from Mrs Phillip’s account in the process.
There was no dispute that Mrs Phillip had actually authorised the transactions. On all occasions, the bank checked that the transactions were genuine. Indeed, some transfers were made in person, at a branch.
Court's reasoning
The Court's reasoning was as follows.
(i) Importance of the customer’s mandate
A bank has a strict obligation to undertake a customer’s instructions, referring to our Supreme Court’s decision in Westpac New Zealand Ltd v MAP & Associates Ltd [2011] NZSC 89, [2011] 3 NZLR 751.
(ii) When is the bank on “inquiry”?
There may be circumstances where a bank is on notice of: (a) a breach of trust; or (b) a probable lack of authority by an agent of its customer. In the former case, the funds are not truly the beneficial property of its customer. In the latter case, the bank’s duty to its customer (the principal) requires the bank to make inquiries about the agent’s authority. A bank is also obliged to comply with the law (and so, for example, is excused from a breach of mandate in order to comply with AML rules).
Mrs Philipp argued that a bank is obliged not to execute a customer’s instruction where it has reasonable grounds to suspect the customer is being defrauded. There was no evidence that the bank actually knew of the fraud in this case (but, as an appeal from a summary judgment application, that would have to be assumed). The duty was said to arise from subsequent interpretations of Quincecare, as part of a “reasonable inquiry” when executing a customer’s instructions. However, the Court found that such a duty is inconsistent with the terms of a banking mandate, and the basic duty of banks to act in accordance with their customer’s instructions (as per Westpac v MAP). Even though the Philipps were mistaken about why they were transferring the funds, this did not mean their instructions were invalid (or unintentional). The Court therefore struck out Mrs Philipp’s main argument, although it permitted her secondary argument to go to trial (which related to the bank’s duty to attempt recovery of the funds).
(iii) Agents acting outside the scope of their authority
The Court reasoned that the Quincecare line of cases is really about the law of agency. A bank must make inquiries if an agent of its customer is acting in a manner inconsistent with its apparent authority (for example, an employee who is an authorised signatory transferring large sums to her own account). However, that obligation arises from a banker’s duty to its customer (i.e., the principal, not the agent), not a separate legal duty.
(iv) Bank’s right to freeze an account doesn’t mean the bank is obliged to freeze
Modern banking contracts often provide the bank a contractual right to freeze an account if the bank suspects fraud. That was the case in Phillip (which right the bank eventually exercised – saving Mrs Philipp her last £200,000). However, the Court confirmed that this right cannot be equated with an obligation to always exercise the right.
“Push” vs “pull” fraud
This decision is likely to be relevant primarily to ‘authorised push payment’ or “APP” fraud schemes, i.e., where a customer is fraudulently persuaded to send (i.e., push) money to a third party. In ‘pull’ fraud schemes (or similar), a fraudster obtains unauthorised access to a customer’s funds. In those cases, it is still possible that the bank would be liable, on the basis that the access was unauthorised (and therefore inconsistent with the customer’s mandate).
Takeaway points
The decision provides useful clarity, in the context of increasing online and financial crime. The Government’s most recent Quarterly Cybersecurity Report identified a 66% increase in financial cybercrime.
In part, that increase is due to the increasing sophistication of fraudsters using online and other electronic means to gain victims’ trust. In Philipp the fraudsters used phone number ‘spoofing’ as a tool to gain the Philipps’ trust, as well as less sophisticated techniques (such as having accomplices to vouch for them over the phone). The proliferation of generative AI is likely to assist fraudsters to appear more genuine (for example, to speak in a familiar manner or consistent with a bank officer), and to potentially eliminate the need for them to rely on accomplices for credibility.
The decision itself may not be welcomed by victims of fraud, for obvious reasons. Victims of APP fraud sometimes look to banks to recover their losses, simply because banks have the deepest pockets. However, the Court found such a duty was not consistent with bankers’ established duties (which also protect customers in cases of ‘pull’ fraud). The decision therefore provides useful clarity for both banks and victims of fraud.
An area for regulation?
An open question remains whether regulatory changes are desirable to legislate for compensation to victims of cyberfraud. The UK has several regulations with this objective (including a voluntary code), although none applied to Mrs Philipp. New Zealand presently has no such regulations (potentially, a space to watch).