Can a Customer Claim Against the Bank for an Authorised Push Payment Fraud?
Authorised push payment fraud, wherein technologically savvy fraudsters impersonate legitimate payees and/or manipulate parties into making real-time payments to the fraudster’s bank account, is on the rise. In these circumstances, the question of a bank’s duty of care comes to the fore. Do banks owe a duty of care to their customers when executing customers’ instructions and, if so, what is the extent of such duty? This article aims to be a primer on these issues while offering commercial and legal perspectives on them.
Introduction to Authorised Push Payment Fraud
In tandem with the rise of digital payment services, technologically savvy fraudsters are finding ways to impersonate legitimate payees and/or manipulate parties into making real-time payments to the fraudster’s bank account.
Such fraud, also known as authorised push payment fraud (APP Fraud), is becoming more and more prevalent. Victims of APP Fraud would have instructed their bank to pay a party who appears to be a legitimate payee, but would have in fact been tricked into paying the fraudster’s account.
In certain instances, to recover the misappropriated funds, the victim of APP Fraud can quickly apply to the Court for freezing orders to ensure that the funds wrongfully procured by the fraudster are not dissipated. The victim of APP Fraud may also obtain third-party disclosure orders against parties such as banks to obtain information which may assist in recovering the misappropriated funds.
Oftentimes, however, the victim of APP Fraud has little recourse against the fraudster, who would have absconded or is nowhere to be found. The victim may then seek to recover his losses from the bank on the basis that the bank had failed in its duty to act with reasonable care and skill when executing its customer’s payment instructions in circumstances where the bank is put on enquiry that its customer might be defrauded.
This article seeks to shed light on whether such a claim against the bank may succeed in Singapore and the extent of the bank’s duty especially in the context of APP Fraud.
The Scope of the Bank’s Duty of Care in Executing Customer’s Instructions in England – Quincecare Duty
In England, it is now well-established that banks owe their customers a duty of care when executing the customers’ orders. Specifically, the bank must refrain from executing the customer’s orders or instructions if the bank has reasonable grounds for believing that the order is an attempt to misappropriate the funds of the company.[1] This duty of the bank has come to be known as the bank’s Quincecare duty, named after the English case in which the duty was formulated.[2]
Despite the formulation of the Quincecare duty in 1992, it was only over two decades later, in the English High Court decision of Singularis Holdings Ltd (in liquidation) v Daiwa Capital Markets Europe Ltd (2017) EWHC 257 (Ch) and, on appeal, the UK Supreme Court decision of Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd (2019) UKSC 50 (Singularis v Daiwa), that a bank was found to be in breach of the Quincecare duty to its corporate customer for the first time.[3]
In these cases, the English Courts have clarified that the Quincecare duty is to protect a company against the misappropriation of its funds by trusted agents who were authorised to withdraw money from the company’s accounts.[4] The UK Supreme Court in Singularis v Daiwa had therefore found that a bank had breached its Quincecare duty when any reasonable banker would have realised that there were obvious signs that the directing mind and sole shareholder of a company was fraudulently misappropriating that company’s funds.[5]
Some “red flags” which the English Courts have accepted would or ought to have put a bank on notice include:
- the sudden production of previously unheard-of contracts which were a front or a cover rather than a genuine obligation, to justify a substantial payment out of the bank account;
- large payment transactions carried out by the agent of the bank’s customer when the bank’s customer was in a precarious financial state;
- large payment transactions carried out by the agent of the bank’s customer despite the presence of other substantial creditors with an interest in the money held in the account;
- substantial evidence that there was something seriously wrong with the agent’s method of operating the customer’s account, such as a strange request to pay sums to individuals within the company; and
- if concerns had already been raised by the senior management and legal advisors of the bank, stressing that extreme caution must be exercised in handling any further requests for payment from the customer’s account.[6]
Most recently, and in the context of APP Fraud, the English High Court in Philipp v Barclays Bank UK plc  EWHC 10 (Philipp) held that:
- The bank’s primary duty to act on customer’s instructions: Since the very nature of APP Fraud involves the customer’s own authorisation and instructions to the bank to effect payment, the primary duty of the bank remains to act on the customer’s instructions.[7]
- The Quincecare duty only extends to corporate customers (or unincorporated associations): The English Court made a distinction between customers who are individuals, and corporate customers which are dependent on agents to instruct the bank to effect payment.
- The Quincecare duty would only extend to corporate customers (or unincorporated associations) where the suspicion which has been raised (or objectively ought to have been raised) is one of attempted misappropriation of the corporate customer’s funds by an agent (e.g. representative or signatories) of the corporate customer.[8]
- The Quincecare duty would not apply to individual customers because where the bank’s customer is an individual (as opposed to a corporation or unincorporated association which is dependent upon individual representatives and signatories who have the potential to go rogue), the individual customer’s authority to make the payment is apparent and must be taken by the bank to be real and genuine. As between the individual and the bank, the payment instruction will be no less real and genuine in relation to the intended destination of the customer’s funds because it has been induced by deceit.[9]
Quincecare Duty in Singapore
The Singapore Courts appear to have recognised the application of the Quincecare duty. Specifically, the Singapore Court of Appeal in Hsu Ann Mei Amy (personal representative of the estate of Hwang Cheng Tsu Hsu, deceased) v Oversea-Chinese Banking Corp Ltd (2011) 2 SLR 178 (Hsu Ann Mei) has recognised that a bank may be put on notice if it has reasonable grounds, not necessarily amounting to proof, for believing that, amongst others, its client is being defrauded.[10]
However, the Singapore Court of Appeal has also made it clear that if a bank fails to comply with its client’s instructions under circumstances where a reasonably prudent bank would not have been put on notice that its client is being defrauded, then a bank may be acting in breach of its duty to comply with the client’s instructions.[11]
Another Singapore case which, although it does not expressly recognise the Quincecare duty, arguably supports the recognition of such a duty is Major Shipping & Trading Inc v Standard Chartered Bank (Singapore) Ltd  SGHC 4 (Major Shipping). In this case, a corporate customer had sued its bank for remitting monies in transactions which appeared to have been authorised by the customer, but were in fact instructions from a third-party fraudster. The High Court and, on appeal, the Court of Appeal had examined whether the bank had breached any duty owed to the customer in executing the payment instructions, pursuant to express terms in account opening documents. In doing so, the Courts analysed and ultimately concluded that purported red flags were insufficient to put the bank on suspicion to question the payment instructions. Although the duty of care of the bank in Major Shipping was not expressly referred to as the Quincecare duty and arose from specific terms in the account opening documents, the analysis undertaken by the Courts in Major Shipping appears to be consistent with the recognition or application of the Quincecare duty as cited in Hsu Ann Mei – a bank may be put on notice if it has reasonable grounds, not necessarily amounting to proof, for believing that, amongst others, its client is being defrauded.
At present, the Singapore Courts have not highlighted any difficulty applying the bank’s Quincecare duty to non-corporate customers or applying the Quincecare duty in the context of APP Fraud. However, these issues have not yet been argued before the Singapore Courts and it thus remains to be decided whether the Singapore Courts will apply the English position in Philipp.
It will be interesting to see how the Singapore Courts will decide, if similar issues as in Philipp arise for the Singapore Courts’ determination.
Singapore is a thriving financial centre which continuously seeks to attract financial institutions to establish a presence in Singapore. The English position in Philipp arguably strikes a balance between the need for protection against APP fraud and not imposing unduly onerous obligations on the banks:
- The bank’s primary duty to act on customer’s instructions in the context of APP Fraud: In this regard, and as set out in Philipp, it would be unduly onerous and commercially unrealistic to expect the bank to ask questions or second guess any payment instruction authorised by the customer, regardless of the sum involved. Not elevating the Quincecare duty above a bank’s primary duty to act on their customers’ instructions in the APP Fraud context would then surely accord with the continued development of Singapore as a major financial hub seeking to attract financial institutions to establish a presence in Singapore. However, there appears to be advancement of the use of artificial intelligence technology which would enable banks to understand the normal payment behaviour of customers and use behavioural risk models to detect in real-time transactions that are outside the norm.[12] With greater advancement in such technology which could greatly ease the burden on banks in verifying payment instructions, the position that the Quincecare duty is subordinate to the primary duty of the bank to act on customers’ instructions, while perhaps commercially realistic at this juncture, may well have to be re-examined in the foreseeable future.
- The Quincecare duty only extends to corporate customers (or unincorporated associations): In this regard, it is relevant to bear in mind that with corporate customers, banks are more likely to have relationship managers with such customers and would therefore be in a position to have a greater insight into the corporate customer’s usual way of transacting (e.g. the frequency of transactions, the usual amounts transacted, and the countries to which transactions would be effected) in order to be able to detect fraud. In contrast, it may be argued to be unduly burdensome for a bank to monitor the transactions of possibly thousands of individual retail account holders for which the banks lack a similar insight into the individual account holder’s usual way of transacting. Viewed in this light, the decision in Philipp that the Quincecare duty applies only to corporate customers and unincorporated associations is therefore sensible. On the other hand, banks have now established private banking practices where there are also relationship managers for high net-worth individuals. If the above argument that the Quincecare duty reasonably extends to corporate customers given the closer relationship and greater insight into such customers’ usual way of transacting holds water, the Quincecare duty arguably should also extend to private banking clients with whom the bank may also have greater insight into their usual way of transacting through relationship managers.
It is worth mentioning that Hsu Ann Mei was a case concerning the bank’s refusal to execute the instructions allegedly emanating from an individual who was a private banking client, Mdm Hwang, to open and close bank accounts or to transfer deposits to a joint account to be opened. In citing the Quincecare duty, the Singapore Court of Appeal did not highlight any difficulty in applying the Quincecare duty to individuals such as Mdm Hwang. In fact, the Singapore Court of Appeal accepted that the bank had been put on notice of various red flags through the observations of its officers (who included a client services officer and a regional marketing manager) and therefore did not breach its duties in refusing to carry out instructions which allegedly emanated from Mdm Hwang through her daughter. That being said, whether the Quincecare duty should extend to individual customers of banks was not an issue before the Singapore Court of Appeal. As appealing as it is to follow the English decision of Philipp to confine the Quincecare duty to corporate customers (or unincorporated associations) as a practical solution to avoid burdening the banks, it is important for a financial hub such as Singapore to be able to reassure banking customers that, instead of a static division between a corporate client and an individual client, the courts will assess the facts in arriving at a just decision striking the right balance.
In the meantime, turning the focus to the practical learning points immediately arising from the developments in England on the Quincecare duty in the context of APP Fraud:
- With the increasing incidence of APP Fraud, it would be prudent for all customers of banks in Singapore to seek advice on the extent of a bank’s Quincecare duty before pursuing a claim against the banks in Singapore.
- To avoid even succumbing to APP Fraud, and especially if the English position on Quincecare duty is to be followed in Singapore, the utmost care should be taken by bank customers. For instance, before making payments, customers should look out for red flags which include any change in bank details provided by the payee, or any suggestion by the payee that payment should be made to a different bank account than the account the payor is used to making payment to.
- As the English position on Quincecare duty currently does not protect individual customers, such customers should all the more be on alert to avoid falling prey to APP Fraud. Fundamentally, good security practices should be adopted which include protecting devices as well as login and access code details to bank accounts. Where the individual customer has authorised other parties to execute payment transactions from his/her account, the individual customer should also frequently monitor the transactions in his/her account to ensure that the party authorised has not gone rogue and, if so, prompt steps can be taken in an effort to minimise the loss. Otherwise, having regard to the English position in Philipp, the victim of APP Fraud may be left to bear his own losses in the event that the fraudster is nowhere to be found – the victim may not be able to turn to the bank to recover his losses as the bank could have simply fulfilled its primary duty to act on the customer’s instructions and transfer the money as instructed.
[1] Barclays Bank Plc v Quincecare (1992) 4 All ER 363 (“Barclays Bank v Quincecare”) at p.376G.
[2] Barclays Bank v Quincecare.
[3] David McIlroy and Ruhi Sethi-Smith, “Prospects for bankers’ liability for authorised push payment fraud” (2021) 3 JIBFL 172 at 173.
[4] Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd (2019) UKSC 50 (“Singularis v Daiwa”) at (35).
[5] Singularis v Daiwa at (11) to (12).
[6] Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd (2017) EWHC 257 (Ch) at (193) to (201); Singularis v Daiwa at (11).
[7] Philipp at (168), (171).
[8] Philipp at (156), (164).
[9] Philipp at (164).
[10] Hsu Ann Mei Amy (personal representative of the estate of Hwang Cheng Tsu Hsu, deceased) v Oversea-Chinese Banking Corp Ltd (2011) 2 SLR 178 (“Hsu Ann Mei”) at (24).
[11] Hsu Ann Mei at (23).
[12] See, for example, https://www.finastra.com/solutions/payments/corporate-payments/ai-fraud-prevention.