On Wednesday 12 July 2023, the Supreme Court handed down its judgment in Fiona Philipp v Barclays Bank UK Plc [2023] UKSC 25, reversing the Court of Appeal’s decision. The public interest in this case centred around liability for losses sustained by bank customers through authorised push payment (APP) fraud.
This is a fast-growing and pernicious type of fraud in which a victim is tricked into authorising payments from their bank accounts to an account controlled by the fraudster, often in the belief (induced by the fraudster) that the destination account is a safe one intended to protect the victim’s funds from some fictional fraud or threat. Mrs Philipp had been a victim of an egregious example of this fraud, transferring £700,000 into overseas accounts controlled by fraudsters. Due to the public interest issue, the Consumers’ Association intervened in both the Court of Appeal and Supreme Court, representing consumer interests, and UK Finance Ltd intervened in the Supreme Court, representing the banking industry.
Those hoping that victims of APP fraud would find some protection in the common law (as was the case under the Court of Appeal’s decision) will have been disappointed by the judgment, which has held that the duty of care – known as the ‘Quincecare’ duty after the case of that name (also against Barclays) – does not apply to cases of APP fraud. Under the so-called Quincecare duty, courts have held that a ‘bank has a duty not to execute a payment instruction given by an agent of its customer without making inquiries if the bank has reasonable grounds for believing that the agent is attempting to defraud the customer’ [§5].
The Court of Appeal held that this duty was not limited to the agent/principal situation and could apply where a customer had themselves authorised a payment induced by fraud. The Supreme Court has disagreed and so the Quincecare duty will not come to the aid of victims of APP fraud. Any reimbursement of such victims is a ‘question of social policy for regulators, government and ultimately for Parliament to consider’ [§6].
The Supreme Court’s judgment reformulates the Quincecare duty in a way designed to restrict its application. The Supreme Court stated that:
‘It is a basic duty of a bank under its contract with a customer who has a current account in credit to make payments from the account in compliance with the customer’s instructions. This duty is strict. Where the customer has authorised and instructed the bank to make a payment, the bank must carry out the instruction promptly.’ [§3]
The duty to act with reasonable skill and care (implied into contract by s.13 Supply of Goods and Services Act 1982 and s.49 Consumer Rights Act 2015) only comes into play where the contract between bank and customer gives a bank any latitude as to how the relevant services are carried out [§34-35]: ‘Where the contract prescribes what the supplier must do or achieve in carrying out the services, failure to do or achieve what is required will be a breach of the contract and it is irrelevant whether the supplier has acted with skill and care.’
On this basis, the Supreme Court stated that: ‘Where the bank receives a valid payment order which is clear and leaves no room for interpretation or choice about what is required in order to carry out the order, the bank’s duty is simply to execute the order by making the requisite payment. The duty of care does not apply.’ [§63] The effect of this is that the Quincecare duty does not apply to a case such as Mrs Philipp’s and does not, therefore, apply to APP fraud [§5].
The only basis for a bank not complying with a payment instruction given by a customer who is a victim of APP fraud would be if that were expressly agreed in the contract between bank and customer. A term that gives the bank a right not to make a payment if it reasonably believes that a payment instruction is the result of APP fraud (which is a common term in bank/customer agreements) does not create a duty on a bank to refrain from making a payment on this basis [§114].
On this basis, the Supreme Court took the opportunity to re-cast the Quincecare duty through the lens of actual and apparent authority. Doing so allowed the court to support the outcomes of previous cases whilst rejecting the analysis given in many of those cases.
Where there is actual authority for a payment (ie in the case of an individual giving a clear and unambiguous instruction to its bank or an agent giving an instruction within the scope of its authority), the bank must make payment or risk acting in breach of contract or duty [§100].
The Supreme Court said that the reasoning in Quincecare itself was flawed. Judge Steyn had started on the incorrect premise that when an agent gives a dishonest instruction (such as to transfer the principal’s funds to their own account) they have actual authority (which they misuse). The Supreme Court also pointed out that Lord Neuberger had fallen into the same error in Thanakharn Kasikorn Thai Chamkat (Mahachon) v Akai Holdings Ltd 1 HKC 357; (2010) 13 HKCFA 479. However, agents do not have actual authority to act dishonestly towards their principals [§73]. Where a dishonest instruction is given, it can only be regarded as authorised if it is within the scope of the apparent authority of the agent. Where a bank is on notice that the agent is acting dishonestly then there is no actual authority nor apparent authority [§86 and §90].
Where, for example, the agent uses the mandate to make a payment for their own benefit rather than that of the principal, there is no actual authority for that payment - the agent is acting with apparent not actual authority. In these circumstances, the duty for a bank to act with reasonable skill and care comes into play. If the bank is aware of circumstances suggestive of dishonesty which would cause a reasonable banker to make inquiries to verify the agent’s authority before executing the instructions, the bank can be liable to the customer – the principal – if it does not make those inquiries before making payment [§90].
The reason for this is that where there are circumstances of dishonesty, the agent’s apparent authority is put into question. This means that where the customer is only claiming reimbursement of the payment, the customer does not have to prove that, had reasonable inquiries been made, the agent’s dishonesty would have been revealed and the loss avoided – this proof is, however, necessary where consequential losses are sought.
The Supreme Court has not come to the rescue of consumers who are the victims of APP fraud, but this does not mean they are, or will be, wholly unprotected.
First, as the Supreme Court pointed out, it is for Parliament and the regulators to determine whether, or to what extent, banks should be required to reimburse APP fraud victims. There is movement in the right direction on this front for consumers. The Financial Services and Markets Bill was enacted on 29 June 2023; by the powers conferred on it by the Act, the Payment Systems Regulator (PSR) is to introduce mandatory requirements for banks and other payment services providers to reimburse victims of APP fraud where the Faster Payments system has been used.
Further, paying banks and receiving banks will share liability for this reimbursement 50:50. Prior to the Act, reimbursement was only under a voluntary code with which even the 10 signatory banks complied to differing degrees. While this mandatory reimbursement scheme applies only to Faster Payments, the Bank of England will introduce a similar scheme in relation to CHAPS payments. However, these changes are not expected to take effect until sometime in 2024.
From the consumer perspective, there are two gaping holes in the intended schemes: (i) international payments are not included and (ii) no private right of action has been given to bank customers to enable them to enforce the bank’s obligations.
As domestic paying and receiving banks are to share liability 50:50 for reimbursement of APP fraud payments, it may be the case that due diligence checks by receiving banks become even more stringent so as to reduce the number of accounts opened by, or connected to, APP fraudsters (thereby reducing receiving bank exposure to this share of losses). That could have the effect of driving more destination accounts offshore (although another payment system would have to be engaged since international payments are outside the scope of Faster Payments).
Failure to reimburse will be a regulatory failing but not one that gives rise to a claim by the customer. Reimbursement is not, therefore, to become a term of the contract, express or implied, between a customer and its bank, and a customer already has no or very limited recourse against the recipient bank (that holds the account of the fraudster).
Second, the Supreme Court’s decision does give some protection to certain vulnerable customers. Where a bank is on notice that the customer lacks mental capacity to operate a bank account or manage their financial affairs then the bank is under a duty not to execute that customer’s payment instruction without making inquiries [§99].
Third, the duty to carry out a customer’s valid payment instructions is not without limit:
Partner Michael Brown and senior associate Charlie Shillito acted on behalf of the Consumers’ Association (Which?), an intervening party in the case, and instructed David McIlroy of Forum Chambers, who co-authored this article.