BAILII is celebrating 24 years of free online access to the law! Would you consider making a contribution?

No donation is too small. If every visitor before 31 December gives just £1, it will have a significant impact on BAILII's ability to continue providing free access to the law.
Thank you very much for your support!



BAILII [Home] [Databases] [World Law] [Multidatabase Search] [Help] [Feedback]

Scottish Court of Session Decisions


You are here: BAILII >> Databases >> Scottish Court of Session Decisions >> SEKERS FABRICS LTD AGAINST CLYDESDALE BANK PLC [2021] ScotCS CSOH_89 (26 August 2021)
URL: http://www.bailii.org/scot/cases/ScotCS/2021/2021_CSOH_89.html
Cite as: [2021] CSOH 89, 2021 GWD 29-384, [2021] ScotCS CSOH_89

[New search] [Printable PDF version] [Help]


OUTER HOUSE, COURT OF SESSION
[2021] CSOH 89
CA13/18
OPINION OF LORD CLARK
In the cause
SEKERS FABRICS LIMITED
Pursuer
against
CLYDESDALE BANK PLC
Defender
Pursuer: Hawkes; MBM Commercial LLP
Defender: Thomson QC; Pinsent Masons LLP
26 August 2021
Introduction
[1]
The pursuer had a business bank account with the defender. The pursuer avers that
it was an implied term of the contract that the defender had a duty to exercise reasonable
skill and care. Several breaches of that duty are alleged. The breaches are said to have
occurred at a time when a fraudster was in contact with the pursuer to carry out a scam,
which resulted in funds being transferred from the pursuer's account to accounts under the
fraudster's control. The defender accepts the existence of the implied term, but argues that it
is subject to certain limitations. The defender contends that the pursuer's claims are
irrelevant, primarily because they do not fall within the scope of the duty of care but also for
2
other reasons. The case called before me for a debate on the defender's plea-in-law that the
pursuer's averments are irrelevant and lacking in specification.
Background
[2]
As this is a debate which takes the pursuer's averments pro veritate, for present
purposes I summarise those averments as the factual background. The pursuer is a limited
company which operated its commercial activities by means of its business bank account
with the defender. Certain of the pursuer's employees were authorised to use the online
banking facilities which form part of the account. On 20 March 2017 two such authorised
individuals (PC and GS) were using the online banking. PC received a telephone call from
an individual (the fraudster) who claimed to be from the defender's High Level Fraud Team
and gave his name as "Steve". Statements made by him during the call made it apparent to
PC that he possessed confidential information about the operation of the account, including
references to recent payments. He said that the pursuer's account had been blocked by the
bank as a precautionary measure. This type of situation had happened before to the
pursuer. There had been occasions when calls from the defender had been received to check
that authorised payments should be processed. Neither PC nor GS was able to access the
online portal and its screen was blank, fitting with the fraudster's assertion that the account
had been temporarily blocked.
[3]
The fraudster then said he had unblocked the account. He instructed PC to process a
number of supposedly "test payments" in order to check that the account was working
normally. He assured PC that there would be no actual transfer of funds and that this was
simply a convenient means to test the system. As dual authorisation was in place, the
fraudster stated that he would telephone GS to have her authorise the test payments which
3
PC had initiated. He used a telephone number which was either identical to, or at least
similar to, the defender's number. The fraudster repeated to GS the same information as he
had conveyed to PC. GS put in the appropriate token number to authorise the payments.
The screen showed an authorisation failure. The call was then transferred back to PC and
while that continued GS tried to contact the pursuer's Relationship Manager at the defender,
namely AM. The call to AM's mobile phone was unsuccessful and GS then sent an email
marked "urgent" requesting a call back. The reason for contacting AM was because both GS
and PC wanted reassurance that "Steve" was who he said he was, that is, a member of the
defender's High Level Fraud Team.
[4]
GS then telephoned the defender's BusinessOnline Helpdesk. The call came to an
end and GS had the impression that it had been cutoff prematurely. However, the call
handler had indicated that he would look into matters. The fraudster told PC that he was
aware that GS had tried to call AM and that GS was now on a call to the defender's
helpdesk. The call with the fraudster was then transferred back to GS and she was asked to
regain access to the web portal and process the "blocked" payments. She was able to log in
and authorise the payments successfully. As GS was doing so, PC received a call from AM.
PC explained to her the events thus far. AM advised that an attempt should be made to
obtain the full name of the person on the other end of the call and to then send her an email.
She then rang off. As requested, PC then sent an email to AM explaining the full
circumstances and seeking reassurance that the call was genuine. AM's emailed reply again
requested that PC should ask for the person's full name and it would then be checked to see
if it was genuine. No further advice was given and PC and GS were not told that they must
not make payments. They say that they had expected that AM would have come back to
them if she had any concerns. Over the remainder of that afternoon certain further
4
payments were made from the account, totalling £566,000. No further calls were received
from the helpdesk or AM. Some of the amounts transferred were later recovered. The
pursuer ceased to be a banking customer of the defender in April 2019.
The alleged breaches of the implied term
[5]
The defender was said to be in breach of the implied term in four respects, briefly
summarised as follows. Firstly, the integrity of the defender's security system had been
compromised, thereby allowing sensitive financial information about a customer's account
to be disseminated to an unauthorised third party. Secondly, the security advice offered by
the defender to the pursuer in relation to management of the online banking facilities was
inadequate. Thirdly, the defender's operating software ought to have recognised that
unknown IP addresses were used on the day in question to login to Online Banking and that
multiple payments were being made in quick succession to beneficiary accounts to which no
legitimate payments had previously been made. Fourthly, the advice tendered by the
defender's employees on the day in question fell below the required standard.
Submissions for the defender
[6]
It was important to note that the ground for the pursuer's case is limited in nature,
being solely based upon the implied term. No other breach of duty, for example in delict,
was being argued. What the pursuer had fallen victim to was an authorised push payment
("APP") fraud. This arises where fraudsters deceive consumers or individuals at a business
to send them a payment under false pretences. The account holder believes they are making
a genuine payment to a legitimate bank account. However, the account details provided
relate to an account held by the fraudster. Unlike other varieties of fraud, APP fraud is
5
distinct as the payment is in fact legitimately and properly authorised by the customer, who
intends for the payment to be made in accordance with the payment instructions given.
[7]
The outcome of the telephone conversations with the fraudster was the pursuer
instructing a series of payments in the sum of £566,000. AM had responded to PC's email
requesting that the pursuer provide the name of the caller in order that the authenticity
could be verified. The pursuer did not respond to the defender's last correspondence and
made no attempt at further correspondence before transferring the payments. At no point
during any of the communications was the defender told that the fraudster had instructed
the pursuer to make payments. Rather, the defender was in fact merely informed that the
pursuer was "locked out" of the internet banking portal.
[8]
While the existence of the implied term was admitted, that was under explanation
that in this context it extended only to reasonable skill and care in executing the pursuer's
payment instructions. The pursuer's averments of breach were irrelevant on two broad
grounds. Firstly, to the extent that the pursuer appeared to rely upon what is known as the
Quincecare duty, identified in Barclays Bank plc v Quincecare Ltd [1992] 4 All ER 363 : (i) that
duty is limited in its application to circumstances where a bank is on notice/inquiry that an
authorised agent of its customer is seeking to misappropriate the customer's funds (in other
words, the instruction to debit an account is in fact unauthorised having regard to the duties
imposed on such an agent or fiduciary); and (ii) that duty arises in and about executing the
customer's orders and is wholly negative in nature, being a duty to refrain from acting on
those orders in certain specific circumstances. In other words the Quincecare duty was not
one which imposed positive obligations on a bank to address and combat fraud as such,
contrary to the entire gravamen of the pursuer's pleaded case. Secondly, the pursuer's
averments as to the scope of the duty to exercise reasonable skill and car e, and the alleged
6
breaches of that duty, were not otherwise relevant on any other grounds in law and in any
event they materially lacked specification.
[9]
The primary duty of a paying bank is to honour its customer's instructions and make
payments as instructed in accordance with its mandate: Paget's Law of Banking 15th ed at
para 23.1. That primary duty is not absolute, given the existence of the Quincecare duty, but
the bank's duty is subordinate to its primary obligation to implement its customer's
payment mandate, adhering strictly to the terms of its mandate: Chitty on Contracts 33rd ed
Volume II, paras 34-311. The Quincecare duty, as explained in that case (at 376g-h), is that a
banker must refrain from executing an order if and for as long as the banker is "put on
inquiry" in the sense that he has reasonable grounds (although not necessarily proof) for
believing that the order is an attempt to misappropriate th e funds of the company.
Reference was also made to Singularis Holdings Ltd (In Official Liquidation) v Daiwa Capital
Markets Europe Ltd [2019] UKSC 50 and JP Morgan Chase Bank, N.A. v The Federal Republic of
Nigeria [2019] EWCA Civ 1641, which confirmed and approved the formulation of the nature
and scope of the duty of care as set out in Quincecare. They both involved multi-million
pound frauds facilitated by those in control of the customer and/or its bank account. It was
in such circumstances that the Quincecare duty can, in principle be engaged.
[10]
In the present case, there was no suggestion that those in control of the account
perpetrated the fraud; rather, it was perpetrated by the fraudster. Thus, the payments were
properly authenticated in accordance with both the pursuer's internal processes and the
defender's two-stage payment authentication process. It was already clear from the
authorities that the Quincecare duty would not arise in circumstances such as the present
case, where the instruction itself was authorised. It was confirmed in Philipp v Barclays Bank
UK Plc [2021] Bus LR 451; [2021] EWHC 10 (Comm), that the duty does not apply beyond
7
the limited circumstances already discussed, and thus does not apply to APP fraud. There
was no legal duty upon the defender to verify the genuineness of the recipients of the
payment.
[11]
The pursuer has failed to identify any other relevant basis upon which to found
liability. If it was intended that the averments that the defender should have had various
measures in place to prevent the fraud should be understood as free-standing duties, the
pursuer's averments were irrelevant, because these were essentially nothing more than
assertions. The pursuer failed to plead any recognised basis for the imposition of such legal
duties other than the Quincecare duty, which plainly did not extend to these ancillary
matters. It was important to note that the pursuer's case is not that the defender was told
that the fraudster was instructing payments be made. To the extent that the pursuer may
now be seeking to invoke any other general duty that must fail, as doing so would merely be
a device to circumvent the specific principles developed by the courts in similar cases by
reference to nebulous, general, and unvouched principles.
[12]
There were also serious problems with the individual averments alleging breaches of
duty. The averment about the defender's security system and stopping sensitive
information about a customer's account being disseminated to an unauthorised third party
was antithetical to the notion of the exercise of reasonable skill and care, arguing that a
person should effectively ensure or guarantee that a particular state of affairs will (or will
not) come about. The pursuer does not offer to prove what it is that the defender ought to
have done but failed to do in respect of its "security system". The averment that the security
advice offered by the defender to the pursuer in relation to management of the online
banking facilities was inadequate, and its supporting averments, were irrelevant. They
amounted to the imposition of a duty to warn or protect, for which there was no basis in
8
law, and certainly no basis in the pursuer's averments. The averments that the defender's
operating software ought to have recognised that unknown IP addresses were used on the
day in question to login to online banking and that multiple payments were being made in
quick succession to beneficiary accounts to which no legitimate payments had previously
been made, and its supporting averments, were plainly lacking in specification as to the
basis on which it is alleged the defender had actual knowledge of the matters condescended
upon. Moreover, there was plainly no duty upon the defender to verify IP addresses (or
beneficiary account names) when implementing a customer mandate. The averment that the
advice tendered by the defender's employees on the day in question fell below the required
standard, and its supporting averments, gave no clear offer to prove precisely what it was
that the defender's employees were told by the pursuer. For example, there was no offer to
prove what it was that the pursuer actually told the BusinessOnline Helpdesk. The
averment that the failure to issue advice was reckless was also irrelevant.
Submissions for the pursuer
[13]
It was central to the pursuer's position to distinguish at the outset between the
defender's general duty of care and the Quincecare duty. The former covered the whole
range of banking business undertaken by a banker for a customer. The latter was within a
sub-set of the former, since it applies specifically in the context of payment transactions. The
common law support for that position derived from Hilton v Westminster Bank Ltd (1926) 135
LT 358 CA and Selangor United Rubber Estates Ltd v Cradock (No.3) [1968] 1 WLR 1555. The
latter case supported the pursuer's arguments that: (1) the bank's duty to exercise reasonable
skill and care extends to all its customer's instructions; (2) one aspect of that duty is the
ascertainment of the customer's genuine instructions, as distinct from those delivered under
9
the guise of fraud, whether arising from an agent of the customer (internal fraud) or by
means of a third party intervention (external fraud); and (3) the primary obligation to act in
accordance with the mandate may be qualified by the exercise of the duty, with the result
that a payment instruction which is ex facie valid but which elicits suspicion through the tell-
tale signs of a fraud ought not to be implemented. The contention that a bank has no duty of
care in relation to a customer's payment instruction beyond its execution had been judicially
considered and rejected: Karak Rubber Co Ltd v Burden (No.2) [1972] 1 WLR 602, at 629. The
defender was adopting just such an untenable position. In relation to the general duty,
reference was also made to Royal Products Ltd v Midland Bank Ltd [1981] 2 Lloyd's Rep 194,
at 198.
[14]
What amounts to the "business of banking" was considered in United Dominions
Trust Ltd v Kirkwood [1966] 2 QB 431, which adopted the definition in Bank of Chettinad Ltd of
Colombo v Commissioner of Income Tax, Colombo [1948] AC 378, 383 that a banker is one who
carries on as his principal business the accepting of deposits of money on current account or
otherwise, subject to withdrawal by cheque, draft or order. As technology has developed,
the transfer of money by electronic means and the maintenance of systems to facilitate such
transfers fall within ordinary banking operations, as do a customer's communications with
its banker's staff in relation to such transfers. Paget's Law of Banking, at para 22.52 explains
that when executing the customer's instruction to make a funds transfer the bank acts as its
customer's agent and owes the customer a duty to observe reasonable skill and care in and
about executing the customer's orders. Barclays Bank plc v Quincecare Ltd arose in the context
of "internal fraud", that is the misappropriation of money by somebody within the
customer's organisation. However, as the previous authorities made clear, the Quincecare
duty is, properly understood, a sub-set of the bank's general duty to exercise reasonable skill
10
and care which extends across the whole range of its customer's ordinary banking business.
Moreover, the Quincecare duty should apply equally to external fraud. Singularis Holdings
Ltd (In Official Liquidation) v Daiwa Capital Markets Europe Ltd and JP Morgan Chase Bank,
N.A. v The Federal Republic of Nigeria also involved internal fraud claims. There was no
logical reason why the duty should not extend to the situation of protecting a customer from
fraud where an ordinary prudent banker would or should have identified that risk.
Reference was made to Paget's Law of Banking (at para 22.51) and Lipkin Gorman (a firm) v
Karpnale Ltd [1989] 1 WLR 1340; [1991] 2 AC 548. There was nothing in Quincecare or Lipkin
Gorman to suggest that the statements of general principle apply only in the factual context
of internal fraud. Moreover, in the present case, an instruction vitiated by fraud could not
truly be said to have been "properly" authorised by the customer itself; a fraudster cannot
be characterised as the truly intended payee. The threshold test for intervention was being
put on inquiry, that is by having reasonable grounds for believing that the customer's order
is an attempt to misappropriate funds, whether the grounds arise from an
employee/signatory or a third party.
[15]
In relation to Philipp v Barclays Bank UK plc, the plaintiff's case was much broader
than the pursuer's case here and the earlier authorities bearing upon the bank's general duty
were not before the court. The factual distinctions were evident. The plaintiff on several
occasions actively misled the bank into accepting her authorisation of the transactions. She
told the bank of her willingness to make the payments and as such there was no reason for
the bank to second-guess what it was being told by its customer. Put short, there were no
reasonable grounds to intervene, in contrast with the position here where the pursuer was
actively seeking the bank's reassurance that the intended transactions were legitimate. It
11
was, furthermore, wrongly decided on the issue of whether the Quincecare duty should be
applied in the prescriptive manner. The case was being appealed.
[16]
But even if Quincecare was confined to such cases, there were several elements in the
pursuer's pleaded case here (the interaction with the defender's employees, in particular)
which fell outwith that discrete duty and fell to be tested instead against the general
common law duty on the defender to exercise reasonable skill and care in ordinary banking
business. Payments induced by any type of fraud are not legitimately and properly
authorised by the customer. The true intention of the customer has been subverted
irrespective of the precise manner by which the fraud comes to be realised. If a bank's duty
to exercise reasonable skill and care extends to the communications which the customer
sends to it in relation to his banking business or the whole range of banking business or all
ordinary banking operations, it was not clear why it should nevertheless be excluded
entirely in the case of APP fraud in circumstances where the fraudster is external to the
customer.
Decision and reasons
Existence of a duty of care
[17]
The authorities make clear that there is an implied duty upon a bank, under its
contract with a customer, in carrying out its part with regard to operations within the
contract, to exercise reasonable skill and care. The duty includes dealing with the
communications which the customer sends in relation to his banking business (see eg
Hilton v Westminster Bank Ltd (at 362) and Selangor United Rubber Estates Ltd v Cradock (No.3)
(at 61)). In relation to the general implied duty, the latter case was cited with approval in
Karak Rubber Co Ltd v Burden (No.2) and Royal Products Ltd v Midland Bank Ltd. Obviously,
12
the precise nature and scope of the duty, in particular the risks of harm to the customer
against which the law imposes on the bank a duty to exercise reasonable skill and care, will
depend upon the specific context. Particular contract terms, or implied obligations, on either
side can influence the nature and scope of the duty. In the present case, I was not referred to
the terms of the contract and neither party relied upon any specific terms as being of
relevance to the nature and scope of the duty. However, the fundamentally important
obligation upon the bank, whether express or implied, to comply with the customer's
instruction to make payment plainly is, and was accepted to be, a relevant factor.
[18]
The duty in Quincecare takes that factor into account and can be summarised as
limited to whether a reasonable banker would have had reasonable grounds for believing, or
at least would have considered that there was a serious or real possibility, that the person
authorising the payment was operating the client account in order to misappropriate funds.
The bank's primary obligation is to comply with the customer's mandate and in dealing
with instructions to make payment the duty of care is restricted to matters which would
cause the bank to question whether the person with authority was nonetheless acting in a
fraudulent manner. Singularis Holdings Ltd (In Official Liquidation) v Daiwa Capital Markets
Europe Ltd involved an application of the Quincecare duty and there was no live issue about
the nature or scope of the duty; rather the issue was whether there was a defence based
upon attributing the fraudulent conduct to the plaintiff company. The case did not involve
any matter of pre-authorisation communications. In JP Morgan Chase Bank, N.A. v The
Federal Republic of Nigeria the central issue was whether the terms of the depository
agreement between the parties governing the operation of the depository account had the
effect either that the Quincecare duty never arose in the circumstances of this particular
client/bank relationship or that liability for any breach of that duty was excluded. Again, no
13
issues as to communications prior to the authorisation arose. Accordingly, in cases that
focus upon authorised payments the crucially important obligation to make payment when
the customer authorises it leaves only a limited scope for the duty of reasonable skill and
care and Quincecare demonstrates that restricted scope.
[19]
In the present case, authorised payments occurred and one can therefore see some
force in the argument that the matter falls to be determined by application of the Quincecare
duty. Notably, however, the defender contends that the authorised individuals, in their
communications with the defender's staff, had not stated that the fraudster was seeking
payment, or that payments were to be made. In fact, what I view as the only relevant aspect
of the pursuer's case (as explained below) founds upon communications made prior to the
authorisation of payment. Their discussions were, on the pursuer's averments, about
whether "Steve" was indeed a genuine member of the defender's staff. The pursuer avers
that the call-handler in the defender's BusinessOnline Helpdesk had indicated that he would
look into matters. If there had been no such discussions on matters arising before the
authorisation of payment, and this was merely a case of payment being made by authorised
individuals, the restricted Quincecare duty, covering the execution of instructions, would
have resulted in the pursuer's case being irrelevant. But given that there were these
discussions and the inquiries made, the issue is how the general duty to exercise reasonable
skill and care operates, and what is its nature and scope, in the present context.
[20]
The nature and scope of that duty in circumstances such as the present is not
determined in the case law. There are specific examples, as listed in Paget's Law of Banking
(at [4.25]-[4.26]) of a bank's particular duties falling within the general duty. Without full
evidence on the factual circumstances here it would be inappropriate for me to conclude on
the nature and scope of any duty in this case. But I certainly cannot rule out the existence of
14
such a duty. I do of course accept that the instruction was a key factor in causing the loss
suffered by the pursuer and that the pursuer can succeed in any recovery only if steps ought
to have been taken by the defender in advance of the transfers of funds which would have
resulted in these not proceeding. Any evidence that the defender's employees were not
being told that "Steve" was trying to get the pursuer's authorised staff to make payments
will form part of the factual circumstances concerning the nature and scope of the duty of
care.
[21]
Counsel for the pursuer argued that the Quincecare duty must extend beyond internal
fraud, but acknowledged that there was no authority to that effect. A third party (external)
fraudster who influences the instruction of a payment is not interfering with the authority of
the person acting for the customer; in making the payment that authority is exercised. I
therefore reject the submission for the pursuer that the Quincecare duty extends beyond
internal fraud. I also reject the pursuer's contention that there was no properly authorised
instruction, because it had been induced by fraud by a third party. From the bank's
perspective, it was properly authorised.
[22]
The decision in Phillip v Barclay's Bank UK plc (which I am told is under appeal) does
not in my view assist either of the parties in the present case. In that case, the judge noted
(at para [113]) that the basic issue between the parties was whether or not the bank should at
the material time have had in place a system for detecting and preventing the APP fraud.
While there were, on the facts, communications prior to authorisation of payment, this was
not a case in which the bank was notified of activities on the part of the fraudster; the judge
refers (at para [115]) to the bank's application for striking out resting upon what the
customer was prepared to tell its branch employees about how she wished to spend moneys
without revealing the remote presence and influence of the fraudster. The main issue was
15
the bank's duty when payments were instructed by the customer. In light of its factual
differences and its focus on the Quincecare duty in circumstances concerning instructions on
payment, I do not regard the decision as of particular relevance for present purposes.
[23]
For the reasons given, it is open to argument that in the present circumstances the
bank owed a duty to exercise reasonable skill and care in dealing with the communications
before payment was authorised. Put more simply, I cannot conclude that the pursuer is
bound to fail in relation to any such duty. The nature and scope of such a duty, and whether
it has been breached, are matters to be determined after inquiry.
The alleged breaches of duty
[24]
However, there is the separate issue of the relevancy and specification of the
pursuer's averments on breach. In my view, the first three breaches alleged are not capable
of being established on the basis of the pursuer's averments. I accept the submissions for the
defender on these points. In particular, the pursuer does not offer to prove what it is that
the defender ought to have done, but failed to do, in respect of its "security system" or in
respect of the advice offered in relation to management of the online banking facilities. On
the third alleged breach, (broadly that the defender's operating software ought to have
recognised that unknown IP addresses were used to login to online banking, with multiple
payments made in quick succession to accounts not previously paid) there is no real
specification of what the defender knew or should have known and why the defender
required to verify IP addresses or account names. No averments concerning ordinary or
standard banking practice on such matters are made in respect of these three alleged
breaches.
16
[25]
The fourth alleged breach, that the advice tendered by the defender's employees on
the day in question fell below the required standard, does create some concerns given that
precisely what was told to the defender's staff is not made fully clear. There are, however,
the averments about discussions, such as an email to AM being marked as urgent, and about
seeking confirmation from AM that "Steve" was a genuine employee, and the call-handler
saying he would look into matters. I accept the defender's point that the averment that a
failure to issue advice was reckless is not relevant in the absence of a basis supporting
recklessness, rather than carelessness. But there are in my view sufficient averments to
justify inquiry on the issue of whether on this ground there was a breach of duty to exercise
reasonable skill and care. In short, I am unable to find that the pursuer is bound to fail on
the issue of breach of duty.
Conclusions
[26]
I therefore conclude that the defender's contention that the pursuer's case is
irrelevant as a result of the meaning and effect of the Quincecare duty cannot be accepted,
given that the existence of a duty to exercise reasonable skill and care may have application
in the present context of the pre-authorisation communications with the bank. However, of
the four alleged breaches of duty, only the last one provides a relevant ground for that
allegation.
Disposal
[27]
I shall therefore sustain the defender's plea-in-law in relation to the relevancy of the
first three grounds of alleged breach but before doing so I shall put the case out by-order, to
17
be addressed on precisely which averments fall to be excluded from probation in light of the
conclusions I have reached, reserving in the meantime all questions of expenses.


BAILII: Copyright Policy | Disclaimers | Privacy Policy | Feedback | Donate to BAILII
URL: http://www.bailii.org/scot/cases/ScotCS/2021/2021_CSOH_89.html