Cybercrime: Business Email Compromise and the Quincecare Duty of Care
Business Email Compromise
Business email compromise is a form of cyber fraud whereby a hacker targets and obtains access to a business email account, imitates the business and emails fraudulent payment requests to the hacked company’s bank.
Quincecare Duty of Care (‘Quincecare’)
In the 1992 case of Barclays Bank plc v Quincecare Ltd the English courts found that a bank owes an implied contractual and co-extensive tortious duty of care to act with reasonable care and skill when performing a customer’s instructions, and not to act on those instructions where it believes the instructions will facilitate a fraud on the account holder.
The Quincecare duty has been developed and upheld: the UK Supreme Court upheld a claim for damages under the duty in the case of Singularis Holdings Ltd (in liquidation) v Daiwa Capital Markets Europe Ltd [2019] UKSC 50, and the English Court of Appeal held that in certain circumstances banks may be required to investigate the payment instruction.
What happened?
We recently acted on a matter that involved the Quincecare duty. Our claimant client was a shipping logistics provider specialising in transporting raw materials for use in the steel making industry. The defendant opponent was our client’s bank based in the DIFC.
It was not in dispute that the claimant was the victim of a cyber hack. Via a phishing email the hackers were able to access and take control of the claimant’s systems, forge invoices and send fraudulent payment instructions to the bank, on which the bank acted and paid out monies to the fraudster.
It was the claimant’s case that there were a number of red flags in the fraudulent instructions that put the bank on inquiry, and that the bank’s failure to spot these, and its execution of the fraudulent instructions, resulted in it breaching its Quincecare duty.
The bank argued that it was under no obligation to inquire as to the purpose of any transfer seemingly authorised by instruction, nor to identify the transferee. It also sought to argue that there was a difference between whether payment out was made from funds owed by a bank to its customer, or from funds which the bank had agreed to advance to its customer on overdraft.
The question before the DIFC court was, in the emerging domain of business email cyber fraud, who was to bear the loss, the customer or the bank? The answer was fact-specific.
What was decided?
The DIFC court noted the number of red flags in connection with the fraudulent instructions, not least that the fraud did not follow the established payment request procedure of the parties and that the purpose of the payments was outside of the claimant’s normal business and mandate.
The DIFC court found that the bank had reasonable grounds for believing that the payment instructions were an attempt to misappropriate the customer’s funds. It also found that the bank did owe a Quincecare duty of care to its customer/the claimant to refrain from paying out on fraudulent payment instructions where it had such reasonable grounds to believe it was an attempt to misappropriate the money.
It further found that the duty bites at the time of compliance with the instruction to the bank to pay out, and that the claimant was equally harmed whether it was its own money or the bank’s money (i.e. an overdraft).
The court dismissed the bank’s argument that the claimant was contributorily negligent for failing to ensure that its email systems were secure.
Why is this significant?
The DIFC court found overwhelmingly in favour of our claimant client and ordered that it did not have to repay the misappropriated funds to the bank, and that the bank pay damages for consequential losses and costs on the basis that the claimant was wholly successful.
Given the common law precedent of the DIFC courts, financial institutions in the DIFC should be aware of the judgment and the application of the Quincecare duty of care in this jurisdiction.