Quincecare revisited: who pays for cybercrime when something's phishy?

Recently, attention has been focussed on the rather narrow facts of the Philipp v Barclays case and on the application of the grounds for summary judgment in it.

At first instance (as we explored in this article), it was found that a bank's duty to refund a victim of fraud did not require it to stop payments where, at the time, the customer intended the payment instruction (even though they were duped as to the destination).

Then, at the Court of Appeal, the summary judgment was overturned on the basis that Mrs P's claim was properly arguable, since the standards of ordinary banking practice in such matters needed consideration.

However, the Dubai court has approached the legal question in a very different way in a case where the fraudster themselves issued the payment request. Consequently, banks (and their customers) will want to pay close attention as the responsibility for stopping frauds (and offering refunds) continues to be tested.

Aegis Resources DMCC v Union Bank of India (DIFC) Branch

Background

This is the first case in the Dubai International Finance Zone (DIFC) to consider the scope of the Quincecare duty, first established in Barclays Bank plc v Quincecare Ltd.

The duty obliges a bank not to execute a payment instruction where it has reasonable grounds to believe the instruction is an attempt to misappropriate the account holder's funds.

In Aegis, the Dubai Court of First Instance found that the Union Bank of India's DIFC branch breached its mandate and its Quincecare duty to a UAE bulk raw materials supplier, Aegis Resources DMCC, in relation to payments made from its bank account as a result of cyber fraud.

Aegis had entered into a credit and overdraft facility with the Bank. Two years later, it was phished by a third-party fraudster who accessed an internal email account and issued four fraudulent payment instructions to the Bank.

The Bank paid out on the first two instructions and declined the third due to insufficient funds in the overdraft facility. Recognising the fourth instruction as fraudulent, it alerted Aegis.

The court found in Aegis' favour and ordered that the Bank bear the loss of the sums totalling $US1,067,500 (except for a small sum that was recovered). The Bank also had to pay $US84,680.52 in damages and interest on fraudulent sums paid out.

Issues

The court held the Bank liable for Aegis' losses on the grounds that: (i) the Bank breached its mandate to Aegis by paying out on fraudulent instructions; and (ii) the Bank breached its Quincecare duty to Aegis.

The Bank was held to have acted in breach of the overdraft facility terms by fulfilling unauthorised payment requests, which fell outside the agreed scope of the facility and did not conform to the agreed payment process.

In many UK cases, lenders will attempt to rely on a deemed consent or authorisation provision in their terms and conditions. However, in this case the court did not consider whether the payments could be deemed authorised under the Bank's terms. It simply held that those terms were too general to exclude the Bank's liability for its negligence and, in turn, that the Bank had been negligent.

Whilst this was not a case of internal fraud, as in Quincecare, the court found the Bank owed Aegis a Quincecare duty to refrain from paying out on the payment instructions from the fraudster as it had reasonable grounds to believe the instructions were an attempt to misappropriate funds.

This appears to extend the Quincecare duty beyond fraud perpetrated by authorised signatories to situations where the payment is made by a third-party fraudster impersonating the authorised signatory.

The question is, why? And does this extend the Quincecare duty?

Commentary

The English courts have not previously considered the Aegis scenario. It is novel in that it was neither the customer authorising the fraudulent payment (Philipp) nor its authorised signatory (Quincecare) but a third party impersonating the authorised signatory and making an unauthorised payment instruction as them.

Whilst the judgment is not binding in the UK, interested practitioners have long hoped that the point of law would be considered by the English courts. Therefore, Aegis may give claimants confidence that the English court might consider the same approach as the DIFC court but, crucially, in the context of the Payment Services Regulations which provide the regulatory framework.

Should banks face similar arguments, the lessons from the Aegis case are:

  • Banks may find it difficult to argue they do not act outside their mandate when paying out from funds advanced on overdraft because "it is the payment out that matters, and the customer is equally harmed whether the money is 'its money' or 'the bank’s money'".
  • They may also be thwarted if they submit, based on Philipp, that their Quincecare duty did not require them to act as an amateur detective. The DIFC court held any reasonable bank would have recognised several "red flags" in the Aegis case, including the fact that one payment request was made outside established procedure, contained unusual content and was for a beneficiary Aegis had not previously dealt with.

This raises the question whether banks should be on alert for such "unusual" red flags and, if so, how far the duty extends. What is a bank required to monitor and what can it ignore? The recent Court of Appeal ruling which granted the APP fraud victim in Philipp an appeal suggests banks cannot afford to overlook these questions. On the contrary, the decision could open the floodgates for more fraud victims to bring claims against their banks, as the Court of Appeal held in that case that a more detailed examination of wider banking practice at the time and of the parties' knowledge was required.

It remains to be seen what treatment the English courts will give Aegis. To that end, we await the Supreme Court's decision in Stanford International Bank Limited (in liquidation) v HSBC Bank Plc, which is due imminently, as well as any further decision in the Philipp case.

Banks and their customers will want to know where they stand in these particular circumstances. This is especially true given the difference in treatment between (some) APP victims (who will have recourse to the Contingent Reimbursement Model Code) and those not afforded such refund protections.

In the meantime, the Aegis decision helps to highlight the widespread proliferation of cyber fraud and the evolving duty of banks and payment service providers to scrutinise payment instructions, and it reiterates to businesses the importance of robust internal training procedures and protocols to combat cybercrime.
