The Quincecare duty has been with us for over three decades. This is the duty under which a financial institution is required to refrain from executing a customer’s payment instruction if it is “put on inquiry” that the order is an attempt to misappropriate its customer’s funds.
With the Quincecare duty having been paid comparatively little attention for some time, it has recently made a comeback with a number of significant decisions seemingly expanding the reach of the duty. For financial institutions executing voluminous payment transactions daily, the question of when that institution will be taken to be put on inquiry will be critical. Moreover, there will be no safe bet in these situations: to improperly fail to honor a valid payment instruction could constitute a breach of mandate with potential consequential losses. So, when will a financial institution be taken to be put on inquiry?
In our view, the cases broadly fall into two categories:
Category 1: These cases arise in the context of traditional banking relationships where those within the financial institution receiving payment instructions have a close knowledge of the customer and its officers. These cases usually involve an appropriation of the corporate customer’s assets by a rogue officer who, acting as an authorized signatory of the company, gives payment instructions that are part of the fraud. Here, the Quincecare duty has an established application.
Category 2: In these cases, the bank/customer relationship is more transactional and process driven. Rather than an authorized corporate signatory giving instructions, the threat is more likely to come from an infiltration (perhaps based on a cyber-breach) within the customer that leads to a hijacking of the payment process or an outright deception that triggers instructions on a false premise. In these cases, while the Quincecare duty may still apply, its application is less established.
Category 1: The established cases
In Barclays Bank plc v Quincecare Ltd ( 4 All ER 363), the established duty was whether an ordinary prudent banker had reasonable grounds for believing that the payment order is an attempt to misappropriate the funds of the company. Factors such as the standing of the corporate customer, knowledge of the signatory, the amount involved, the presence of unusual features, and the potential to make reasonable enquiries will all be relevant. But the court recognized that it would be natural for a banker to approach the suggestion of a company’s own director being involved in a fraud on the company with “instinctive disbelief”, and that trust forms the basis of the banking relationship. On the particular facts, there was nothing about the requestor, volume, timing, or destination of the payments that meant that the bank was put on inquiry.
Singularis Holdings Limited (in liquidation) v Daiwa Capital Markets Europe Limited ( UKSC 50) was the first case in which a bank was found to be in breach of the Quincecare duty. Singularis was a Cayman Island company set up to manage the personal assets of Al Sanea, who also wholly owned and controlled the companies in the Saad Group. Eight payments totaling $204.5 million were transferred from Singularis’s account at Daiwa Capital Markets Europe Limited on the instructions of Al Sanea to companies within the Saad Group. Singularis went into voluntary liquidation one month later. What were the factors that put Daiwa on inquiry? The High Court found that the factors included:
- The fact that Daiwa was not a retail bank processing many thousands of transactions daily and so was expected to look carefully at each payment instruction.
- Daiwa’s awareness of the “dire financial straits” the Saad Group were in.
- Daiwa’s awareness of the existence of other creditors of Singularis.
- The appearance of $80 million in Singularis’s account shortly after the Saad Group’s other accounts had been frozen.
- The production of an apparent hospital expenses agreement (relating to a hospital company within the Saad Group) to justify payments out of Daiwa’s account even though the payment of hospital expenses was inconsistent with earlier explanations.
This approach suggests that in practice, the standard may differ between a bank tasked with processing many thousands of transactions each day and more bespoke situations where abnormal instructions are given with the bank having a close relationship with its customer.
JPMorgan Chase Bank v The Federal Republic of Nigeria ( EWCA Civ 1641) also involved a claim that authorized payment instructions were deployed as part of a wider fraudulent scheme. More than $1 billion was paid into a depository account held by the Federal Republic of Nigeria (FRN). The bank received payment instructions from the minister of finance and the accountant general of FRN, who were the authorized signatories of FRN. Three transfers, totalling approximately $875 million, were made. FRN argues that the bank should have known that the individuals within FRN who authorized the transfer could not be trusted, alleging that the payments were requested as part of a fraudulent scheme. The bank applied to strike out the claim on the basis that terms of the depository account precluded the Quincecare duty from arising. The Court of Appeal dismissed the strike-out application. The substantive question of whether the bank was sufficiently put on inquiry to attract liability will now be addressed at trial.
Category 2: Imposter cases
There have been recent attempts to expand the reach of Quincecare liability beyond the rogue officer scenario. In Hamblin and another v World First and another ( EWHC 2383 (Comm)) the Quincecare duty has been found to have potential application to payments service providers (PSPs). World First was a PSP and operated an account on instructions from Moorwand NL Limited. Moorwand NL was the corporate vehicle of unknown fraudsters. An instruction from an individual to open an account on behalf of Moorwand NL was sent. That individual’s identity had been stolen, and there were no registered directors of Moorwand NL. In the meantime, the individual claimants (the Hamblins) believed that they were paying money as part of a high-frequency FX foreign exchange transaction and transferred £140,000 into Moorwand NL’s account held at World First. The money was then misappropriated. The Hamblins then brought representative proceedings against World First.
One of the claims was an allegation that World First had breached its Quincecare duty to Moorwand NL not to execute a payment instruction when a reasonable PSP would have been on notice that payments had not been duly authorized. The court refused to strike out this claim, which means that it will proceed to trial. For the purposes of the strike-out application, there was no dispute that there was a proper factual basis for alleging that a reasonable service provider ought to have been on notice that the payments out were not duly authorized. The court found that “[I]t is difficult to see how the absence of a registered director [at Moorwand NL] could not have been ascertained by reasonable enquiry”. Whether these points will be taken at the future trial remain to be seen, but the case makes clear that the initial due diligence at the account-opening stage will be important. If a Quincecare duty is ultimately found to have been breached, it may be that the unique facts involving the total absence of a corporate director within the customer is what distinguishes this case from others in the systemic electronic payment context, where it may be far harder for the financial institution to appreciate that something is amiss.
Philipp v Barclays ( EWHC 10) may by contrast represent the limit of the Quincecare duty’s recent advance. This was an authorized push payment fraud case involving an individual who was deceived into transferring £700,000 from their account to third-party international accounts. Although the customer authorised the payment, the authorisation was based on a deception by the fraudsters. The customer argued that the bank owed her a Quincecare duty and should have stopped or delayed the payments.
The red flags cited by the customer included a significant payment of monies into the account and quick payments to new payees abroad. Those payments contrasted with the previous routine credits and debits that took place on the account. It was argued that those factors ought to have indicated that the payments were highly suspicious.
The bank nevertheless successfully struck out the claim. There was no duty of care on these facts, and the extension of liability to payments authorized by an individual customer under a deception would be unworkable. In particular, “speculation and amateur detective work on the part of a bank have no place in fixing a bank, objectively, with knowledge or belief sufficient to put a payment instruction on hold”. The purported red flags of payment size and payee cited by the claimant had the benefit of hindsight and could at most have revealed the potential that the customer may later disavow the previously intended payments.
The key distinguishing factor to the established Quincecare cases was that the individual customer herself, rather than a corporate agent, authorized the payment. In those circumstances, it would be asking too much of the bank to second-guess the process behind that instruction.
Excluding Quincecare Duties
Very specific wording will be needed to exclude the Quincecare duty. The Court of Appeal in JPMorgan v Nigeria found that it was “not … impossible for a bank and its client to agree that the Quincecare duty would not arise and that the bank should be entitled to pay out on instruction of the authorised signatory even if it suspects the payment is in furtherance of a fraud which that signatory is seeking to perpetrate on its client”. However, the language in this case fell short of what would be required. This was despite clauses that provided that the bank was to be under “no duty to enquire into or investigate the validity, accuracy or content of any instruction or other communication”. To be effective, the clauses needed to have made clear that there will be no duty even if the bank is on notice about the suspicious circumstances.
However, the Court of Appeal left open the possibility that a clause limiting the bank’s liability if a bank acts on what it in good faith believes to be genuine instructions could be effective to exclude liability for fake instructions from an imposter so long as those instructions are believed in good faith. Those types of clauses may provide a degree of protection against Quincecare liability in cases where the payment process has been hijacked by external fraudsters. However, for exclusion clauses with a requirement of good faith, it would still need to be shown that despite having reasonable grounds for believing the payment to be tainted, those payments were still nevertheless permitted in good faith.
The Supreme Court decision in Singularis may perhaps have constituted the high-water mark of the Quincecare duty of care. There is, after all, something of a tension between the manner in which banks’ terms and conditions have been construed in such cases and, for example, the long line of authority insulating banks from intrusive duties to advise customers on the basis of contractual estoppel. In this context, it is perhaps unlikely that Quincecare liability will be significantly extended to the cyber-fraud or imposter-type situations initiated from outside the direct banker/customer relationship. However, the core principles underpinning Quincecare liability remain intact, and the decision in Hamblin, although not a final decision, is a sign that the relevant principles have not fallen quite as much out of fashion as financial institutions might hope.