A substantial damages award against a bank has once again thrust
digital banking fraud into the spotlight. Recent judgments in the
United Kingdom and Uganda highlight shifting standards in the
application of the duty of care owed by a bank to its customers and
introduce the element of shared liability. The decisions emphasise
the importance of robust fraud detection measures, customer
vigilance, and the role of regulators in addressing electronic
banking fraud.
The banker’s Quincecare duty
The Quincecare duty requires a bank to refrain from honouring
suspicious transactions. In the landmark 2023 case of Philipp v
Barclays, the United Kingdom Supreme Court ruled that banks
are not obligated to block customer-authorised payments in cases of
authorised push payment (“APP”) fraud,
except where an agent, such as a director, is involved. The court
emphasised that a bank’s primary contractual duty is to
promptly execute clear payment instructions from its customers,
without questioning the customer’s judgment or the risks
involved. While this duty requires banks to withhold execution of
payment instructions if they have reasonable grounds to suspect
fraud and to verify the customer’s authorisation, the Supreme
Court clarified that this duty does not apply to APP fraud where
the customer has clearly authorised the payment. In such cases,
provided the instruction is clear and comes directly from the
customer, the bank must carry out the payment without further
inquiry. Bank transfers conducted through online or mobile banking
and cash payments are examples of push payments.
The refined Quincecare duty was approved and applied in Uganda
in Post Bank Uganda v Egesa, where the court held that
banks are not liable for fraudulent withdrawals made through ATMs
if the correct card and PIN are used. The court emphasised that
while banks must inform customers about protecting their accounts,
it is ultimately the customer’s responsibility to safeguard
their ATM card and PIN to prevent unauthorised access.
In Aida Atiku v Centenary Bank, the High Court found
the customer was entirely responsible for unauthorised transactions
because she had carelessly shared her account information. The
Court highlighted that, although banks are required to maintain
reasonable security measures, customers also have a duty to protect
their own account credentials. The ruling established that the
party in the best position to prevent fraud should bear the loss.
Since the customer failed to safeguard her account details, she was
held solely liable for the financial loss.
In Stanbic Bank Uganda v Gabigogo, the High Court held
that a bank will not be held liable once it shows that the security
procedure it has in place is a commercially reasonable method of
providing security against the fraud, in this case, unauthorised
digital payment orders.
The Ugandan Courts’ recent balanced approach
In Abacus Parenteral v Stanbic Bank, the High Court
took a more balanced approach compared to earlier cases like
Philipp, Aida Atiku, and Egesa. The court found
that both the bank and the customer shared responsibility for the
financial losses suffered by the customer resulting from fraudulent
transactions. The court therefore split the liability between the
bank and its customer, with the bank carrying only 20% liability
for the claimed damages. Citing the bank’s inadequate fraud
detection systems and its failure to verify beneficiary details
before processing payments, the Court determined that the bank
breached its contractual duty by honouring payment instructions
with incorrect beneficiary information and stressed that banks must
reject erroneous instructions.
However, the court also found Abacus 80% liable for
its own negligence. This was due to the company’s lax internal
controls, such as allowing one person to both initiate and approve
transactions and share passwords, which violated their contractual
obligations to maintain proper safeguards. The court held that the
plaintiff’s failure to detect irregularities in its own records
significantly contributed to the losses.
The Court adopted a nuanced comparative negligence approach to
apportion liability for the fraud, which reflects the growing
recognition that fraud prevention is a shared duty between banks
and their customers, and liability should be allocated based on the
level of negligence and control each party had over the transaction
occasioning the fraud.
In Christian Rural Eyesight Promotion v Stanbic Bank,
fraudsters cloned account details and diverted donor funds to a
fake account. The court ordered Stanbic to pay up for failing to
spot the fraudulent account. This shows that banks can’t just
shrug when identity theft slips through their systems.
Interestingly, Kenya’s Courts show a similar balancing act
to Uganda. In Barclays Bank Kenya v Tamima
Ibrahim, the court held the bank 70% liable for failing to
verify account details in an electronic funds transfer but dinged
the customer 30% for providing incorrect details. This suggests
East African courts are pushing for shared vigilance, unlike the
UK’s more customer-focused liability.
What should banks do to stay out of the fraud trap?
Heightened security measures: Ugandan Courts
now require banks to implement strong fraud detection measures,
marking a shift from the more limited approach seen in the UK. This
heightened expectation exposes banks to the risk of substantial
damages if they fail to address systemic weaknesses.
The liability attributed to the banks in Abacus and in
Atiku warns banks to tighten internal controls, as
negligence reduces recovery. With online banking platforms, banks
and clients must secure digital channels to meet legal standards.
Banks must review transaction monitoring and account verification
processes. Banks must also enforce strict PIN and password policies
for employees.
Customer Duties and Security Awareness: A
consistent theme across the cases is the clear reminder to
customers of financial institutions to vigilantly safeguard their
banking details to minimise the risk of fraud. Staying vigilant is
cheaper than a bad day at the ATM or online! Additionally,
customers are obligated to promptly notify their banks of any
losses or suspected account compromises, reinforcing the shared
responsibility in preventing and addressing electronic banking
fraud.
As digital financial services rapidly evolve, the responsibility
for protecting banking transactions increasingly falls to
regulators, the government, and Parliament. In Gabigogo,
the High Court highlighted that determining whether banks or
victims should bear the loss from electronic banking fraud is a
matter best resolved through policy, rather than the Courts. The
court stressed that legislators and regulators are best positioned
to evaluate the wider social impact, consult with stakeholders, and
create balanced, comprehensive policies. However, it remains
uncertain whether these bodies will effectively address the growing
risks associated with digital banking fraud.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
