Cat MacLean, Partner and Head of Dispute Resolution at MBM Commercial, examines the Sekers v Clydesdale judgment CSOH 89.
Online fraud has been on the rise for many years. Since lockdowns and the ability to work from home, attacks by fraudsters have increased. In most cases, recovery from the fraudsters is not possible.
However, the Court of Session issued a judgment in the matter of Sekers and Clydesdale Bank this morning. This decision could have a significant impact on the legal landscape for customers who want to recover their bank account from fraudulent attacks.
The case that was considered the most important on how a bank can be held responsible for fraud, which occurred before the advent of internet banking in 1992, was not the best. In Barclays Bank v Quincecare, the court ruled that a bank shouldn’t execute an order if it had reasonable grounds to believe the order was an attempt at misappropriating the customer’s funds. For many years there was not much law on Quincecare. The 2019 Supreme Court decision in Singularis Holdings Ltd confirmed that a bank had violated its Quincecare duty to its customer.
Legal practitioners used to refer to the Quincecare duty for many years. This is crucial when considering whether or not a bank may be liable in online fraud cases. In an English High Court case involving online fraud, starting in 2021, the scope of the Quincecare decision was significantly limited, to internal fraud only. The range of circumstances under which a bank could be held liable for fraud might have been significantly narrowed.
Philipp v Barclays saw a trial judge limit the Quincecare duty to misappropriation of customer funds through internal fraud by bank employees. This new decision states that the Quincecare obligation does not apply to payments authorised to third parties made without the consent of a bank employee.
The case of Sekers against Clydesdale Bank in Scotland was slowly progressing through the courts, and reached Debate in June this year. Customers who were victims of fraud will be happy to see that Lord Clark has issued a judgment in this case.
In Sekers, the pursuers claimed that there was an implied clause in the contract between bank and customer that the defender must exercise reasonable skill and care. There were several breaches of this duty. (1) The integrity of the defender’s security system was compromised; (2) Security advice regarding online banking facilities management was insufficient; (3) Operating software of the bank should have recognized that suspicious IP addresses were suspect; (4) Advice given by bank employees on the date in question fell short of the required standard.
A sophisticated fraudster targeted Sekers. The fraudster, who claimed to be part of the bank’s fraud department, called the cashiers of the company in March 2017. He gave his name as Steve. The fraudster claimed that the bank had blocked the company’s account as a precautionary measure. This type of situation had happened to the company before. He said that he would try to unlock the account.
Two cashiers who dealt with the fraudster were unsure and sought assurance from the bank’s helpdesk as well as the relationship manager (RM). The relationship manager and helpdesk took information from the cashiers but did not give any advice to them. Although the helpdesk call handler indicated that he would investigate the matter, he did not offer any advice other than to tell the cashiers what they should do in the meantime. According to the relationship manager, the cashier should try to get Steve’s full name and then send an email to the RM. The cashier did as instructed. Neither the helpdesk nor the RM gave any further advice. Both the helpdesk and the RM were critical in telling the cashiers not to do anything until the identity of the caller was known. Neither took steps to suspend any activity on the company’s accounts until that was done. They were not told by either cashier that they could not make payments. Cashiers felt confident that all was in order and that they would be contacted by the helpdesk or relationship manager if there were any problems.
Steve then asked the cashiers for access to the web portal to process some “blocked” payments. The account was used to make payments totaling £566,000. A small portion of this amount was later recovered. The majority of the funds transferred was lost to the fraudster.
At Debate, the pursuer claimed that the distinction between the general duty of care and the Quincecare obligation was crucial. The first covered all banking activities conducted by a banker on behalf of a customer. The pursuer claimed that the bank’s general duty of care extended to all instructions from customers and that any payment instruction that raises suspicion or should elicit suspicion through tell-tale signs that fraud is being implemented was not appropriate. It was incorrect to claim that a bank did not have a duty of care regarding a customer’s payment instructions beyond their execution.
Lord Clark made a distinction between Philipp and the pursuer’s case in Sekers. The plaintiff’s case was much more extensive than the pursuer’s in Sekers. Cases relied upon by the pursuer were not before the court. There were clear differences in the facts between the cases: Philipp had no reason to intervene, while in Sekers the pursuer sought out the bank’s assurance that the transactions intended were legitimate.
Lord Clark concluded that the three first duties claimed for could not be established by the pursuer’s averments. However, the fourth duty, which relates to the overall duty to care, was “unable to be established without full evidence on the facts here. The nature and scope of a duty like this and whether it was breached are matters that will be decided after inquiry. I believe there is sufficient evidence to support inquiry into the question of whether or not there was a breach in duty to exercise reasonable skill and care.”
Philipp was clear about the limitations of circumstances under which a bank can be held liable for fraud by a customer. However, Sekers seems to offer a much wider range of claims against a bank based on earlier cases of Hilton and Selangor, which were not pled in Philipp.
What does this all mean for online fraud cases elsewhere? The question of whether a bank breached its general duty of care in any particular case is very fact-specific. The core of the Sekers argument is that the Bank was notified of possible fraud attacks and that it ignored this warning. This is in addition to the Quincecare and Philipp situations.
The Sekers decision is a beacon of hope for many. As a rule, banks owe customers a duty to use reasonable skill and care when dealing with customers. This applies to all of the customer’s banking business, including online payments. This includes communications that customers send to banks in relation to their banking business. The context will determine the exact nature and extent of the duty and the risks to the customer against whom the law imposes a duty to exercise reasonable skill and care.
The key issue in Sekers was the communications by the cashiers before authorisation of payment. There was also the question of whether the defender should have taken steps in advance of these proceeding. This could be done after factual evidence has been presented.
This article began by emphasizing the obvious: online fraud is on the rise. With the increase in remote work, more people and businesses will be targeted. If you are in a similar circumstance and have been the victim of an online fraud, it is important to prove that you fall within the scope of the general duty. This can be done by showing – as in Sekers – that the Bank was notified that suspicious activity was occurring, and that the Bank should have inquired. The chances of establishing breach of the general duty based on the facts are significantly increased if the bank fails to do so.