Economic risk
Authorised push payment fraud – an alleged “retrieval duty” considered ahead of important regulatory changes due to come into force on 7 October 2024
Cliquez sur chaque termes pour accéder aux articles correspondants
Royaume-Uni et Europe
Economic risk
The recent decision of Larsson v Revolut Ltd [2024] EWHC 1287 (Ch) provides another interesting insight into the ways in which the courts will consider the duties owed by financial institutions when fraudulent transactions occur.
In this case, a claim was brought against Revolut, the UK-based finance and banking app, by one of its customers, Mr Larsson. In August 2022, Mr Larsson paid, from an account he held at a different financial institution, CHF 466,617.73 (approx. £404,000) into five different bank accounts held at Revolut (which were not in his name, though he believed them to be) on the understanding that it was in consideration for shares at a company. However, this was all part of an authorised push payment (APP) fraud and the company did not in fact exist, so Mr Larsson was, in fact, transferring the money directly to bank accounts set up by the fraudsters, which were quickly emptied.
Mr Larsson sought to bring a claim against Revolut on the basis that, as he was also a customer of Revolut (though not the customer in the transactions in question), it owed him contractual and tortious duties of care. In particular, he alleged that Revolut’s failure to detect and/or take adequate steps to mitigate and/or prevent the fraud constituted a breach of contract under Revolut’s standard terms and conditions and in tort. It was further alleged that Revolut was liable in restitution for unjust enrichment and dishonest assistance in a breach of trust.
Revolut applied to strike out or receive a summary judgment in respect of the abovementioned causes of action, with the exception of the unjust enrichment claim which was being dealt with by another court.
Revolut is an electric money institution, not a bank, but it accepted for the purposes of the application before the Court that it owes materially the same duties as a bank and the Court agreed.
The court struck out the contractual duty of care claim. In reaching its decision, the Court considered that the only term in the contract relied on in support of the contention that Revolut was obliged to prevent or mitigate the fraud is the term restricting a customer from opening more than one Revolut personal account. But that term could not be construed either as defining any service to be provided by Revolut or as imposing any obligation on it at all and, in any event, the accounts were not opened in Mr Larsson’s name. In fact, Revolut would only owe a contractual duty of care to its customers which, in this particular transaction, were the fraudsters not Mr Larsson.
As to the tortious claim, the Court cited the general principles that the so-called “Quincecare Duty” (which the Supreme Court in Philipp v Barclays Bank [2023] UKSC 25 held is really just an application of the general duty of care owed by a bank to interpret, ascertain and act in accordance with its customer's instructions) does not apply where the customer – here, the fraudsters - had unequivocally authorised and instructed the bank to make the payment. Further, the duty was not, in general, owed by banks to third parties (JP SPC 4 v Royal Bank of Scotland [2022] HKPC 18). The Court, therefore, looked at whether a novel duty of care – as contended for by Counsel for Mr Larsson – could be established on the basis that Mr Larsson happened to be a customer of Revolut’s, despite not being the customer in the transactions in question.
Benyatov v Credit Suisse Securities (Europe) Ltd [2023] EWCA Civ 14 held that a court should adopt an “incremental approach” and consider the Caparo factors of foreseeability, proximity and fairness, justice and reasonableness when assessing whether a novel duty of care should be established. Reviewing these, the Court held that there was no principled reason for imposing such a duty of care here simply because Mr Larsson happened to be a customer of Revolut. Further, “while it is open to the court to find new duties of care on the basis of the "incremental approach"…to impose a duty on a bank to take reasonable care to protect third parties who make payments to an account of one of its customers from that customer's fraud would be to cross the line between the proper role of the courts, and the role of the legislator and regulator.” The tortious claim was, thus, struck out.
However, the dishonest assistance claim was allowed to proceed to trial. It is common ground that a claim in dishonest assistance in a breach of trust requires, in the first place, that there be a trust. Mr Larsson contends that where a transfer of property is procured by fraud, the transferred funds will constitute trust property.
However, the Judge was not prepared to find, on the scant evidence before him and the conflicting authorities presented, that there was no sufficiently arguable case that a constructive trust arose on the funds transferred to the accounts. Much fuller argument would be required in order to resolve this question, particularly where the answer could have wider implications beyond the facts of this case.
This case is the latest in a string of cases where victims of APP fraud are seeking to recoup their losses from financial institutions. Given the prevalence of this type of fraud, we can expect to see more such cases seeking to extend the duties owed by banks.
This case emphasises that the central duty owed by a bank is to interpret, ascertain and act in accordance with its customer's instructions and that good grounds would be needed to establish a novel duty of care. It is worth noting, however, that the Court in the recent case of CCP Graduate School Ltd v National Westminster Bank plc & Anor [2024] EWHC 581 refused to strike out a novel argument that a receiving bank owes the claimant a “retrieval duty” (see our article on that case here).
As for the dishonest assistance claim, whilst banks can be liable if they know of fraud and their conduct meets the dishonesty threshold, it is extremely difficult for such arguments to succeed as, often, it is simply a failure of processes rather than dishonest knowledge of an underlying fraud. This appears, on the evidence so far, to be the case with Revolut so the Court’s willingness to let the claim proceed is interesting and potentially concerning but we shall have to see how this plays out as the Judge was keen to stress that the evidence and arguments before him were light on the ground.
Fin