The recent decision of the Caribbean Court of Justice (“CCJ”) handed down on January 31st, 2023 applied Quincecare Duty of care,[1] delves into the concept of “reasonable grounds” for perceiving potential fraud and establishes a Bank’s standard of care to safeguard their customers from fraudulent activities.
Background
Earlier this year, the Caribbean Court of Justice (CCJ) issued its ruling in the case of Caye International Bank Ltd v. Rosemore International Corp. The matter was an appeal from the Belize Court of Appeal and marked the first occasion in the CCJ where questions arose concerning the applicability of the Quincare Duty in the context of online Banking transactions and the extent to which contractual terms can limit or exclude the Banks duty. The implication of this decision is that it reinforces the duty of care that Banks must uphold when executing online transfer requests in the Commonwealth Caribbean.
The dispute revolved around the sum of USD $175,000.00 that the Appellant Bank (the “Bank”) transferred from an account held by the respondent (the “Customer”) to a third party overseas. The transfer was initiated in response to a wire transfer request received in the form of an attachment to a message sent through the Bank’s online Banking platform from the Customer’s account. Subsequently, it came to light that the instructions had not been authorized by the customer but had resulted from a compromise of their email account.
In response to this situation, the Customer brought forth claims against the Bank, alleging breaches of their depository agreement and negligence. The CCJ ruled that the Bank had adhered to the verification and identification procedures outlined in its depository agreement with the Customer. However, the Court concluded that the Bank had violated its Quincare Duty. This duty places an obligation on Banks to refrain from executing a customer’s order if, during the course of the transaction, the Bank becomes aware or reasonably suspects that the order may be an attempt to defraud the customer.
Opinion
In determining whether Caye Bank was in breach of its Quincecare Duty, the CCJ applied a two-stage, subjective and objective test. Firstly, was Caye Bank ‘put on inquiry’ of fraud? If so, did Caye Bank exercise the necessary care and skill of an ordinary and prudent Banker? The court found that Caye Bank was indeed ‘put on inquiry’ of fraud because of the following discrepancies:
- The difference between the signature on the outgoing transfer and that of the authorized signatory;
- An incorrect e-mail address which was not on file was used to perform the transaction;
- The irregular and substantial amount of the sum requested to be transferred given the account’s dormant history;
- The customer had never made a transfer to the proposed beneficiary; and
- The stated intent behind the transfer did not align with the nature of the Customer’s business.
As for the second stage, the CCJ determined that Caye Bank’s omission to directly contact the customer and pose appropriate security related queries before seeking confirmation of the legitimacy of the transfer, or to verify his identity using the two email addresses provided by the fraudster, constituted a failure on the part of Caye Bank to meet the expected standard of care and diligence. Consequently, the CCJ concluded that Caye Bank had failed in fulfilling its Quincare Duty of care.
Comment
Fraud is a significant operational hazard to Banks. Consequently, the effective management of this risk stands as a paramount concern throughout the Banking industry. This case note highlights several takeaways from this ruling that could offer valuable guidance to Banks and their advisors in their efforts to minimize the threat of fraud.
Banks play a role in the battle against cyber fraud and are expected to install secure systems and very strict know your customer methodologies.
Merely ensuring that the online Banking request originates from the customer’s online Banking account is insufficient to escape liability. The onus is on Banks to be vigilant; observing and recording their customer’s transaction history and nature to determine if any ‘red flags’ have emerged that create reasonable suspicion of fraud.
When suspicions of fraud arise, Banks are obliged to proactively verify the identity of the party conducting transaction. Some effective and advantageous measures to consider include: calling the customer to verify the transaction, thorough scrutiny of the purported customer’s signature, meticulous verification of the originating email to confirm its alignment with the customer’s official username and domain, a comprehensive review of the customer’s transaction history, their typical transaction partners, and the usual types of transactions conducted, particularly in the case of corporate clients.
[1] “a Banker must refrain from executing an order if and for as long as the Banker is ‘put on inquiry’ in the sense that he has reasonable grounds (although not necessarily proof) for believing that the order is an attempt to misappropriate the funds of the company ….”. Per Steyn J in Barclays Bank plc v Quincecare Ltd and another [1992] 4 All ER 363 at 376.