Scams where a bank customer is duped into giving a criminal access to their accounts, or transferring funds to a third party are becoming increasingly common both in New Zealand and overseas. The Banking Ombudsman recently reported that New Zealanders lose an estimated $200 million per year to financial fraud.

Bankers and lawyers have therefore been watching the case of Philipp v Barclays Bank UK Plc with interest (and some concern). The case considered the extent of a bank’s “Quincecare” duty - the circumstances in which a bank is obliged not to act on its customer’s instructions, because it believes they are the subject of a scam.

The Supreme Court decision has clarified that that duty is limited and banks will not be liable where the instructions come directly from the customer (even if the customer has been scammed).

Philipp v Barclays

Dr and Mrs Philipp were targeted in 2018 by scammers who convinced them that they worked for the Financial Conduct Authority and that their Barclays bank accounts had been compromised. At the instruction of the scammers, Dr and Mrs Philipp transferred more than £700,000 to accounts in the UAE, which has never been recovered. Dr and Mrs Philipp then brought proceedings against Barclays, for failing to prevent the fraud. This type of scam is commonly known as “authorised push payment fraud”, or APP Fraud.

The High Court found that Barclays had no duty to prevent the transfers and granted the bank’s application for summary judgment. However, this decision was overturned by the Court of Appeal, which found that, in principle, a bank owed a duty to its customers not to carry out their payment instructions where there were reasonable grounds for believing they were being defrauded.

Previous cases had recognised such a duty, but only where the fraud was being committed by an agent of the customer, and the bank should have recognised that the instructions were not, in fact, coming from the actual customer. Recognising an obligation in the Phillips’ case would be a significant extension of the duty, because the instructions came from the customers themselves (not via a potentially fraudulent agent). Such a duty would also create something of a quandary for banks, because it conflicts with their duty to execute customers’ instructions promptly.

The Supreme Court has now confirmed that a bank will not be liable where it has followed a customer’s express instructions, even where the customer has been defrauded. In a unanimous judgment given by Lord Leggatt, the Court found that the Quincecare duty arises from principles of agency law and a bank’s general duty to act on its customer’s instructions. Following this reasoning, a bank may be required to ensure an agent is properly authorised and that the instructions are actually coming from their customer, but this issue does not arise where the instruction comes directly from the customer.

Guidance for banks and financial institutions

A decision of the UK Supreme Court is not binding in New Zealand, but is highly likely to be followed should the question arise here. The decision also cites the New Zealand Supreme Court’s decision in Westpac v MAP & Associates, which confirms there is a high threshold for a bank refusing to act on the instructions of a customer’s agent, in circumstances where it believes that fraud may be occurring. It also supported some of the views expressed by New Zealand lawyer Professor Peter Watts KC on the need to limit the scope of the ‘Quincecare’ duty.

This decision provides some reassurance to banks that they are unlikely to be legally liable for reimbursing losses suffered by customers who are victims of such scams.

The Court also noted that banks’ duties can be modified by express wording in their terms and conditions (being their contract with the customer). However, these terms are usually targeted at expanding the circumstances in which a bank can refuse instructions or freeze a customer’s account, rather than imposing additional obligations on banks.

What does this mean for victims of scams in New Zealand?

While banks can (and do) take precautions to identify and prevent fraud, they are unlikely to be required to compensate customers who fall victim to APP Fraud scams.

The UK Supreme Court commented that, while it was not the role of the courts to address the social problems caused by these types of scams, it was an issue that should be considered by regulators and legislators.

The Payments Systems Regulator in the UK has done just that – announcing in June that it would introduce a mandatory reimbursement scheme for authorised push payment fraud from 2024. (PSR confirms new requirements for APP fraud reimbursement | Payment Systems Regulator). However, this scheme is limited to local payments, so would not have assisted Dr and Mrs Philipp.

There is no similar scheme in New Zealand currently, but the Banking Ombudsman has backed calls for a review of how we determine liability and reimburse victims’ losses and some banks have self-imposed reimbursement policies.

Get in touch

If you would like to discuss any aspect of this case or general guidance on banks’ liabilities for scams, please get in touch with one of our experts.

Special thanks to Lucy Harrison for her assistance in writing this article.