The decision in Philipp v Barclays Bank UK plc  EWHC 10 (Comm) is an important development that checks the recent expansion of the Quincecare duty. Although unsurprising on its facts, the court held that the Quincecare duty does not extend to authorised push payments (APP fraud), where a customer is tricked into making a payment, genuinely authorised between bank and customer, but made to a third-party fraudster.
In Barclays Bank plc v Quincecare Ltd  4 All ER 363, the court found that the bank’s fiduciary duty to its customer ‘was an implied term […] that the bank would observe reasonable skill and care’ when executing a customer’s instructions. A bank must refrain from executing a payment instruction if and for as long as it was put ‘on enquiry’ that the payment may be fraudulent. The court in Quincecare recognised that this was not a high standard, and that a bank is normally entitled to assume that a director of a corporate customer is not a fraudster. This decision confirms that the Quincecare duty does not extend to dealings between the bank and its customers who are natural persons, where instructions are properly authorised.
l In 2018, Mrs and Dr Philipp were approached by a fraudster, posing as an FCA employee working with the NCA. He said a fraud was occurring at Dr Philipp’s bank and at the firm where his savings were invested. He persuaded them to transfer the savings into ‘safe accounts’ and to inform no one to avoid prejudicing the investigation.
l Dr Philipp transferred £950,000 to his wife’s account at Barclays. On the same day, a police officer visited the couple to advise them that they may be victims of a fraud, but they refused to deal with her.
l In person at different Barclays branches, Mrs Philipp and her husband gave instructions for two payments of £400,000 and £300,000 to be paid into accounts in the UAE. The bank carried out its identity checks and confirmed with Mrs Philipp that she was authorised to, and wanted to, make the payments. Those payments were made. A third payment was later stopped by Barclays when the fraud was uncovered.
l Relying on Quincecare, Mrs Philipp claimed that Barclays had breached its duty of care to her, that it should have asked more questions, identified the circumstances as a ‘red flag’ and prevented the payments. Barclays applied to strike out the claim.
The Quincecare duty was designed for corporate customers and is rarely relied upon by individuals. As such, Mrs Philipp’s attempt to extend the duty was always going to be difficult. She needed to first convince the court to extend the duty to individual customers, and then to find that Barclays had breached it in circumstances where she had genuinely authorised the payment.
A bank must be able to carry out legitimate, authorised instructions from its customers with confidence, giving rise to a tension with its Quincecare duty. Mrs Philipp submitted that the bank’s Quincecare duty required it to have suitable processes to identify ‘red flags’ which would detect and prevent APP fraud. Barclays argued that it had no duty to protect Mrs Philipp from the consequences of her own genuine instructions, even where induced by fraud.
In Philipp, the court held that the implied duty to observe reasonable skill and care would be breached by a bank if it: executed a customer’s instructions, knowing that they were dishonestly given, or shut its eyes to the fact that they were given dishonestly; acted recklessly in failing to make appropriate enquiries into those instructions; or executed them when it had reasonable grounds for believing that they were an attempt to misappropriate funds.
The court struck out Mrs Phillip’s claim and accepted Barclays’ argument that Quincecare did not extend to a duty to protect Mrs Philipp from the consequences of her genuine instructions. The court held that banks ‘cannot be expected to carry out such urgent detective work, or treated as a gatekeeper [of] the commercial wisdom of the customer’s decision’, confirming that a bank’s primary duty of acting upon its customer’s properly authorised instructions takes precedence.
Further, the court observed that there was no clear framework by which an extended duty could, in practice, operate sensibly. The Quincecare duty requires a bank to adhere to the ‘standards of honest and reasonable conduct in being alive to suspected fraud’, which was not ‘too high a standard’ (per Steyn J in Quincecare). It is driven by knowledge, and not by a negligent failure to adhere to an undefined code. Without appropriate legislation or ‘industry-recognised rules from which a bank could identify the particular circumstances in which it should not act (or act immediately) upon its customer’s genuine instructions’, it would not be possible to extend that duty beyond that general concept. Notably, the court did not consider if it might be appropriate for a financial institution’s own code of practice to form part of any such code of conduct.
Against the backdrop of the recent Quincecare decisions and without any statutory or industry guidance, this decision demonstrates the court’s reluctance to extend the Quincecare duty further. However, individual customer protection remains a hot topic, and following the FCA consultation FS19/2: a duty of care and potential alternative approaches, we may see a revised duty of care emerge in the financial services sector.
Despite confirmation that the duty does not extend to individuals in APP fraud, claimants will continue to find it more attractive to pursue a Quincecare claim, within this jurisdiction, against a bank with deep pockets, as opposed to against a fraudster whose financial and geographical circumstances are unknown. As such, we expect to see more litigation involving sophisticated fraudsters targeting commercial entities or banks who have executed payment instructions without fully confirming their veracity.
Paul Brehony is a partner and Kate Gee a senior associate at Signature Litigation, London