Payment scams are rife. A particularly prevalent form is the authorized push payment (APP) scam. These payments are authorized by a bank customer after falling for a third party’s deceit, which may take many different forms, including fake investment opportunities, impersonation of figures such as bank officers and the police, and diverting an intended payment into the scammer’s account. Because these payments are authorized by the customer, the bank has a valid authority (mandate) to pay and must ordinarily make the payment. Authorized payment scams can be contrasted with unauthorized payments which do not originate from the customer and therefore involve forgery. In such cases, a bank has no authority to pay and at common law will bear the loss, although this is subject to contract terms allocating the loss to the customer. Most authorized payment scams are push payments which means that the payment instruction is sent by the payer to their bank. Examples are payments by mobile phone or home computer. By contrast, pull payment instructions are given by the payer to the payee who initiates the payment process through their own bank. Examples are cheques or direct debits. Pull payments are less prone to authorized payment scams, hence the focus on push payments.
The rise in APP scams prompts the question: what protections are available to reduce the threat they pose to bank customers, and indeed to society more broadly? The answer at common law is ‘not much’. Most of the protections, which vary from jurisdiction to jurisdiction, are regulatory or legislative in nature. Until the case of Philipp v Barclays Bank UK Plc [2023] UKSC 25, [2023] 3 WLR 284, there was one possible qualification to this statement – the bank’s duty of care. Like all service providers, it is uncontroversial that banks owe a duty of care in providing their banking services to customers, including payment services which are a major component of banking services, and it is well-established that the bank’s duty of care extends to the provision of payment services. The most prominent example of the bank’s duty of care operating in the payment context is that a bank must query an apparently valid mandate when it should reasonably suspect that the instruction constitutes a fraud on the customer. This was recognized in several cases in the twentieth century, including Barclays Bank plc v Quincecare Ltd [1992] 4 All ER 363 (giving rise to the shorthand ‘Quincecare duty’), and Lipkin Gorman v Karpnale Ltd [1989] 1 WLR 1340. Significantly, these and other prominent cases dealing with the Quincecare duty concerned a dishonest agent purporting to act on behalf of a business entity in giving the payment instruction. They did not involve APP scams.
The question that arose for decision in Philipp was whether the Quincecare duty applied beyond the confines of dishonest agents and protected customers generally from payments prompted by a fraudulent third party. The answer from the United Kingdom’s Supreme Court was ‘no’ – the bank’s duty of care when processing a payment for a customer, is limited to situations where a bank should reasonably suspect that the payment instruction is invalid. Since a fraudster’s deceit in the APP scam context does not invalidate a customer’s mandate, the duty of care does not require the bank to exercise diligence to guard against that risk. In my paper ‘The Bank’s Duty of Care as Payment Agent’ [2024] Sing JLS 149, I discuss the Philipp decision and express my disappointment at its failure to respond to the APP scam problem.
The Philipps were a retired couple who transferred a total of £700,000 in two payments to accounts held by scammers in the United Arab Emirates. The transfers were made after a series of communications with the scammer who manipulated the Philipps into believing that their monies were vulnerable to a fraud operating in the UK. The Supreme Court’s reasons for rejecting the operation of the Quincecare duty in these circumstances was that a bank has a strict duty to comply promptly with a payment mandate and any duty to do otherwise (such as the duty of care) cannot conflict with this strict duty. From there the court reasoned that the well-recognized Quincecare duty could only operate where the bank exercises some discretion in executing the mandate. A discretion arises in situations where the bank should reasonably suspect that the instructions are not valid because, for example, an agent acting for the customer (typical for non-individuals such as businesses) is defrauding the principal. Other examples identified by the court are a joint account holder who is defrauding the other account holder, and an individual customer (or presumably agent) who lacks the mental capacity to act. As APP scam payment instructions are usually properly given by the individuals with the authority to give them, they cannot be said to be invalid. The fact that the instruction has been elicited by fraud does not render it invalid. Hence, a bank’s duty of care when executing payment instructions does not require the bank to be alert to the possibility that the customer has fallen victim to an APP scam.
I disagree with the decision for two reasons. First, the case authority (including Quincecare and Lipkin Gorman), recognizing the bank’s duty of care to question payment instructions does not cast the duty so narrowly. Second, even if the case authority did support a narrow articulation of the duty, the scale of the APP scam problem warrants the development of the law to complement existing legislative and regulatory measures to provide better protection to the public. Recognizing a broad duty of care will give banks a strong incentive to implement measures to combat APP scams and thereby contribute to a safer payment environment for all. A change of the law in this way by the courts is, I argue, within the scope of permissible judicial development.
Following on from my critique of Philipp, the second part of my discussion considers how the Singapore courts might decide a case with facts like Philipp should they be called upon to do so. With reference to Singapore’s leading case on the Quincecare duty, Hsu Ann Mei Amy v OCBC [2011] 2 SLR 178 (SGCA), I argue that Singapore law takes a wider view of the scope of a bank’s duty of care in the payment context such that it does operate to protect customers from APP scam payments. Hsu Ann Mei Amy was not an APP scam case but the facts were analogous. It involved the exertion of pressure on an elderly account holder by her adult child to transfer substantial funds into a joint account with the child. The bank was suspicious that the customer did not truly intend to give these instructions and declined to act. When sued by the customer for disobeying a mandate (the litigation being driven by the customer’s child), the bank was vindicated for complying with its duty of care. As regards the relationship between the strict duty to honour a mandate and the duty of care which might require the bank to do otherwise, the court said that the duty to obey a mandate was subject to the duty to exercise reasonable care in doing so.
My paper concludes by pointing out that the best protection against APP scams is multi-pronged, and that both legislative/regulatory as well as common law measures are needed to provide more comprehensive protection against these scams. Regulatory measures tend to focus on consumer payers and, depending on their scope, will protect only individuals and possibly small entities (such as small businesses and charities). They may also be limited to domestic payments. The common law duty of care, on the other hand, is unlikely to be engaged when small domestic payments are made as they are less likely to raise red flags such as inconsistency with a payer’s payment history. However, bigger payments and international payments may be more unusual and objectively put the bank on enquiry. Thus, neither approach on its own adequately responds to the problem. The regulatory protections for paying consumer customers in the UK are extensive. In Singapore the regulatory protections are limited but the duty of care appears to be broader. As a result, there are gaps in the protection from APP scams in both jurisdictions.
Keywords: Banking, Quincecare duty, Duty of care
AUTHOR INFORMATION
Dr Sandra Booysen is Director of the Centre for Banking & Finance Law (CBFL) and Associate Professor of Law at NUS. Sandra also serves on the editorial board of two academic journals: Singapore Journal of Legal Studies, the journal of NUS Law, and International Banking and Securities Law, published by Brill.
Email: lawsab@nus.edu.sg