The Court of First Instance in the Dubai International Finance Zone (DIFC) has found in favour of a UAE company in its claim against a DIFC bank alleging breach of mandate and breach of the Quincecare duty in relation to payments sent from its bank account to various overseas accounts as a result of a cyber fraud: Aegis Resources DMCC v Union Bank Of India (DIFC) Branch [2020] DIFC CFI 004.

As a reminder, the Quincecare duty arises where a bank has received a payment mandate from an authorised signatory of its customer, and executed the order, in circumstances where (allegedly) there were red flags to suggest that the order was an attempt to misappropriate the funds of the customer (see our previous blog posts considering the Quincecare duty here).

The Quincecare duty has received significant judicial attention over the past few years, and there has been a noticeable uptick in claims against financial institutions alleging breach of the duty. For banks processing payment instructions, the parameters of the Quincecare duty are important as they will impact the risk profile of any future claims and could lead to changes in policy and procedure. Although the duty was first established in the courts of England and Wales, it has been considered by a number of foreign jurisdictions. The present decision represents the first case in the DIFC to consider the scope of the Quincecare duty.

The decision considers a novel factual scenario not contemplated in previous cases in the UK, namely whether a bank owes a Quincecare duty where the payment instruction was not made by a genuine authorised signatory on the customer's account, but rather by a third party impersonating the authorised signatory. In the present case, the claimant had been the victim of a phishing attack, from which a third party fraudster gained access to an internal email account and issued four fraudulent payment instructions to the bank. The court was satisfied that the bank had acted in breach of its mandate and Quincecare duty in acting on the fraudulent payment instructions, even though the misappropriation of the customer's funds did not occur as the result of actions taken by an authorised or trusted agent of the customer.

The decision stands in stark contrast to previous Quincecare cases in this jurisdiction, in particular Barclays Bank plc v Quincecare Limited [1992] 4 All ER 363 itself and Singularis Holdings Ltd (In Official Liquidation) v Daiwa Capital Markets Europe Ltd [2019] UKSC 50 (the first and only successful claim for breach of the duty). These cases reflect the traditional Quincecare scenario, involving a payment mandate made by an authorised signatory on the customer's account, who has gone rogue and attempted to misappropriate the funds of the customer. The DIFC decision can also be contrasted to the reasoning of the English High Court in Philipp v Barclays Bank UK plc [2021] EWHC 10 (Comm) and the Hong Kong Court of First Instance in Luk Wing Yan v CMB Wing Lung Bank Ltd [2021] HKCFI 279 (see our blog posts here and here, respectively). While both of those cases considered the claims of individual (rather than corporate) customers, both judgments rejected the claims advanced on the basis that the purpose of the Quincecare duty is to protect the customer from its trusted agent.

There is a risk that claimants may invite the English court to adopt the same approach as the DIFC court (which of course has no precedent value in this jurisdiction). However, although the decision appears to extend the application of the Quincecare duty beyond its strict established boundaries, it is unclear whether the DIFC court intended to do so and the judgment suggests that the court did not grapple with these complex issues. Given this observation, it may be prudent to treat the DIFC ruling as a decision confined to its particular facts.

The decision also highlights the limits of contractual terms purporting to exclude the bank's liability in executing such transactions. Such terms will not necessarily be interpreted as amounting to an assumption by the customer of the risk of the bank negligently paying an unauthorised payment instruction. The court held that the contractual terms governing the parties' relationship did not exempt the bank from liability where the bank had acted negligently. The court also underlined that there had been no contributory negligence by the company in opening the phishing email, as such an action although unwise fell short of an act which no person acting reasonably would do.

We consider the decision in more detail below.

Background

In June 2017, a UAE company entered into a credit facility with the Union Bank of India (DIFC) Branch for its “general working capital and trade finance requirements” (the Facility Agreement). This included an overdraft facility (the Overdraft Facility) from which advances could be drawn and used to pay for the supply and shipment of commodities. In addition to the Facility Agreement, a form was signed which purported to protect the bank when it acted on instructions from the company (the Form).

In May 2019 the company became the victim of a phishing attack, from a third party fraudster who gained access to an internal email account and issued four fraudulent payment instructions to the bank. Payment was made by the bank on the first two instructions, in the amounts of USD 826,000 and USD 241,500 respectively. The third instruction was declined on the basis of insufficient funds in the Overdraft Facility. The fourth instruction was recognised by the bank as fraudulent: therefore, no payment was made, and the company was alerted.

The company subsequently brought a claim against the bank. The company's case was that: (i) the bank had acted in breach of the terms of the Overdraft Facility by giving effect to payment requests that were unauthorised, fell outside the agreed scope of the Overdraft Facility, and did not conform to the agreed payment process; and (ii) the bank owed a Quincecare duty in executing its instructions and had breached the Quincecare duty.

The bank denied the claim. The bank's case was that the contractual relationship between the parties was all-determinative. The effect of the Form and Facility Agreement was that the risk of giving effect to the fraudulent payment instructions was placed on the company. The bank also contended that it did not owe the company a duty of care, on the ground that the funds advanced under the Overdraft Facility were “the bank's money”, and it denied negligence.

Decision

The court found in favour of the company and ordered that the lost sums be borne by the bank (with the exception of a small sum that had been recovered).

The key issues which may be of interest to financial institutions are set out below.

Breach of mandate

The court held that the bank had acted outside of its mandate in paying out on the fraudulent payment instructions.

The court commented that it did not matter in principle whether the payments were made from funds owed by a bank to its customer or from funds which the bank had agreed to advance to its customer on overdraft or the equivalent of an overdraft. It is the payment out that matters, and in either case the bank would be acting outside its mandate in paying the funds without the customer's authority.

The court also said that the terms of the Facility Agreement and Form did not exclude the bank from liability for unauthorised payments where the bank was negligent. The exclusion of liability included in the contractual documentation was in the most general of terms, and so far as including liability for acting without authority the liability could be without negligence or could be where the bank was negligent. The bank therefore could not say it was not liable because it acted within its mandate in acting on a payment instruction apparently sent by the company, but in fact sent by the fraudster, if it was negligent in doing so.

Breach of Quincecare duty

The court held that the bank owed to the company a Quincecare duty to refrain from paying out on the fraudulent payment instructions if it had reasonable grounds for believing that they were an attempt to misappropriate the money. There were such grounds, and the bank was in breach of the duty and was therefore negligent.

The court noted that the Quincecare duty found to exist in Barclays Bank plc v Quincecare and Singularis v Daiwa related to “genuine” payment instructions, i.e. the instructions were made by an authorised director or officer of a company, but as part of a fraud on the company carried out by that authorised person.

The court then commented that the Quincecare duty of care can be seen as “an application to the particular circumstances of execution of a payment order of the wider duty of care owed by a bank to its customer”. In the court's view, the Quincecare duty was a more particular statement of the duties of care and implied terms of the bank's relationship with the company, which the bank accepted in an “agreed list” of issues before trial. However, the court does not appear to have considered specifically the distinction between the genuine payment instructions given by authorised signatories in Quincecare and Singularis v Daiwa, and the fraudulent payment instructions given by a third party in the present case.

The bank sought to rely on Philipp v Barclays and the High Court's propositions in that case that the primary obligation of a bank is to treat its customer's mandate at face value, it is not required to act as an amateur detective, and if the bank does not have reasonable grounds for believing there is a fraud, it must pay. However, in the court's view, this case did not assist the bank and the propositions should be seen in the light of the facts of that case.

The court also underlined that it did not accept that the Quincecare duty only arose where the bank was holding money deposited on behalf of its customer, and did not arise where the bank granted a borrowing facility to the customer. There was no reason in principle to confine a bank's obligation to refrain from executing an order if the bank is put on inquiry that the order is an attempt to misappropriate the funds of the company, simply because the funds are being advanced to the company by the bank. The court said that the duty bites at the time of compliance with the instruction to the bank to pay out, when the loan funds may in fact be the company's funds and in any realistic sense are the company's funds because, under a loan agreement with the bank, they are at its disposal. It is the payment out that matters, and the customer is equally harmed whether the money is “its money” or “the bank's money”: in the one case through immediate diminution of its assets by reduction in its current account funds, and in the other case through the incurring of a liability to repay which will upon repayment diminish its assets. Also, in the court's opinion it would make no sense if the bank, once put on inquiry, should in the first case hold its hand, but in the second case is free to pay out and require repayment notwithstanding having been put on inquiry. In either case, it is the customer which suffers, not the bank. In the court's view, the policy reasons behind the Quincecare duty such as guarding against the facilitation of fraud and exacting a reasonable standard of care to combat fraud and protect the bank's customers and innocent third parties have equal force, and no additional burden is imposed on the bank.

The court noted that the terms of the Facility Agreement and Form did not provide for the exclusion of the bank's Quincecare duty of care or liability for breach of such a duty. The Quincecare duty in fact remained intact.

The court also commented that the bank had clearly been put on inquiry, with reasonable grounds to believe that the payment instructions were an attempt to defraud the company. For example, procedurally, one payment request was outside the established procedure and, in its content, it was also unusual in departing from the universal payment invoice form. The beneficiary was also an entity with which the company had not previously dealt.

Consequential loss

The court said that certain consequential losses, such as the cost of management time and travel expenses incurred in tracing the fraudulent payments, claimed by the company were recoverable.

The court noted that no submissions had been made by the company as to whether consequential loss could be awarded for breach of mandate as well as for breach of the Quincecare duty. However, in the court's view, debiting the customer's account for a payment without authority would appear to be a breach of a term necessarily incidental to the contractual relationship. Also, it was clearly open (to the bank) to compensate for consequential loss as damages for breach of the Quincecare duty.

Contributory negligence

The court said that it was satisfied that contributory negligence by the company had not been made out. Whilst the actions of the company's internal staff in opening the phishing email from an unknown sender “no doubt would have been seen by many as unwise”, in the court's view this fell short of an act which no person acting reasonably would do.

Accordingly, for the reasons above, the court found in favour of the company and declared that the company did not have to repay the bank the fraudulent sums paid out nor any interest referable to those sums, except for a small recovered amount of USD 4,643.31. Also, the bank had to pay the company USD 84,680.52 as damages, and interest on the fraudulent sums paid out.
