Outer House rejects three of four contentions in payment fraud action by business banking customer
A judge in the Outer House of the Court of Session has rejected three of four contentions by a fabric business that their bank breached a duty to exercise reasonable skill and care in relation to their account after they sent over £500,000 from their account to a fraudster.
Sekers Fabrics Ltd claimed that Clydesdale Bank Plc had breached their duty by allowing them to transfer money to a fraudster claiming to be an employee of the bank as part of a scam. The defender contended that the pursuer’s claims were irrelevant as they did not fall within the scope of the duty of care.
The case was heard by Lord Clark. The pursuer was represented by Hawkes, advocate, and the defender by Thomson QC.
Authorised push payment
The pursuer held a business bank account with the defender until April 2019, which was used by certain authorised employees. On 20 March 2017, a fraudster who gave his name as “Steve” called one of these employees, PC, claiming to be from the defender’s high-level fraud team and stated that the pursuer’s account had been temporarily blocked as a precautionary measure.
The fraudster then asked PC to process some “test payments” after unblocking the account to check that it was working normally. He assured PC that there would be no actual transfer of funds and that this was simply a convenient means to test the system. Following an authorisation failure, a second authorised employee, GS, telephoned the defender’s business helpdesk as well as the pursuer’s Relationship Manager with the defender, AM. She did not receive any initial response and then successfully completed the payments to the fraudster.
Later, AM emailed the pursuer to advise that they should ask for the person’s full name so that he could check to see if it was genuine. No advice was given to the effect that no further payments should be made. Over the remainder of that afternoon certain further payments were made from the account, totalling £566,000. Some of this amount was later able to be recovered.
The pursuer alleged that the defender had breached an implied term of duty of care to the pursuer in four respects. The integrity of their security system had been compromised, allowing sensitive financial information about a customer’s account to be disseminated to a third party. Further, the advice given to them by AM had been inadequate and fell below required standards, and the defender’s operating system ought to have recognised that multiple unknown IP addressed had been used to log into online banking on that day.
It was submitted for the defender that what the pursuer had fallen victim to was a type of authorised push payment (APP) fraud. At no point had the pursuer informed the defender that it had been instructed to make the payments, only that it was unable to use internet banking. Further, it did not have a positive obligation to address and combat fraud, but rather to refrain from acting on customer instructions where there was suspected fraud.
Properly authorised instruction
In his opinion, Lord Clark said of the defender’s obligations generally: “[The duty] can be summarised as limited to whether a reasonable banker would have had reasonable grounds for believing, or at least would have considered that there was a serious or real possibility, that the person authorising the payment was operating the client account in order to misappropriate funds.”
He continued: “The bank’s primary obligation is to comply with the customer’s mandate and in dealing with instructions to make payment the duty of care is restricted to matters which would cause the bank to question whether the person with authority was nonetheless acting in a fraudulent manner.”
Examining the facts of the case, he explained: “What I view as the only relevant aspect of the pursuer’s case founds upon communications made prior to the authorisation of payment. Their discussions were, on the pursuer’s averments, about whether ‘Steve’ was indeed a genuine member of the defender’s staff. The pursuer avers that the call-handler in the defender’s BusinessOnline Helpdesk had indicated that he would look into matters.”
He went on to say: “If there had been no such discussions on matters arising before the authorisation of payment, and this was merely a case of payment being made by authorised individuals, the restricted duty, covering the execution of instructions, would have resulted in the pursuer’s case being irrelevant. But given that there were these discussions and the inquiries made, the issue is how the general duty to exercise reasonable skill and care operates, and what is its nature and scope, in the present context.”
On whether there was a breach of duty, Lord Clark said: “A third party (external) fraudster who influences the instruction of a payment is not interfering with the authority of the person acting for the customer; in making the payment that authority is exercised. I therefore reject the submission for the pursuer that the duty extends beyond internal fraud. I also reject the pursuer’s contention that there was no properly authorised instruction, because it had been induced by fraud by a third party. From the bank’s perspective, it was properly authorised.”
However, on whether the advice given by the defender was inadequate, he concluded: “I accept the defender’s point that the averment that a failure to issue advice was reckless is not relevant in the absence of a basis supporting recklessness, rather than carelessness. But there are in my view sufficient averments to justify inquiry on the issue of whether on this ground there was a breach of duty to exercise reasonable skill and care. In short, I am unable to find that the pursuer is bound to fail on the issue of breach of duty.”
For these reasons, the defender’s pleas in relation to the relevancy of three of the alleged grounds of breach were sustained. The case was put out by-order to determine what fell to be excluded from probation in light of this decision.