The Quincecare Duty in Flux: Legal Implications for Banks and Digital Asset Platforms

With the increased sophistication of online payment methods, it is unsurprising that incidents of fraud have become commonplace, with fraudsters often employing innovative means against unsuspecting victims. Users, regulators and industry players in the banking sector are, in many aspects, struggling to keep pace with the continually evolving legal landscape of the fraud space. Similar challenges also begin to arise in the digital asset space for the various platforms engaged (whether for trading or staking).

In recent years, a significant question has resurfaced concerning the liability of entities such as banks and digital asset platforms for the losses suffered by fraud victims, specifically when these entities facilitated the fraudulent payments. Central to this debate is the “Quincecare duty”, originating from the eponymous decision of Barclays Bank plc v Quincecare Ltd and another [1992] 4 All ER 363 (“Quincecare”). This duty compels payment services providers to use reasonable skill and care when executing its customers’ instructions, and to refrain from carrying out their customer’s instructions if they have reasonable grounds to believe that the instructions are the result of fraud and would have the effect of misappropriating funds.

A series of critical recent reported decisions from various levels of the English Court, the Privy Council, and the Hong Kong Courts, have at least suggested the potential for bank liability in such cases. Given the potentially onerous consequences arising from the duty, these such developments have naturally led to excitement and consternation in equal measure.

A particularly interesting decision is that of the Privy Council’s in the Royal Bank of Scotland International Ltd v JP SPC 4[2022] UKPC 18 (JP SPC 4). In that case, JP SPC 4 was an investment vehicle set up to lend money to solicitors for the purposes of them pursuing low-value, high-volume claims. The contention was over approximately GBP110 million of investors’ money. It was alleged that only GBP65 million was transferred to the law firms, with the remaining sum fraudulently misappropriated. The key issue in the case was whether a bank owes a duty of care in the tort of negligence to a person known to be the beneficial owner of funds held in the account of a bank’s customer and who has been defrauded by the customer.

JP SPC 4 argued, in reliance on Steyn J’s judgment in Quincecare, that it was possible for claims to be made by third parties. Specifically, it relied on the observation that “the law should guard against the facilitation of fraud, and exact a reasonable standard of care in order to combat fraud and to protect bank customers and innocent third parties”. However, in the Privy Council’s view, this had to be read in context; it should be understood as recognising that the Quincecare duty, even though owed only to the customer, protects both the customer against fraud but also innocent third parties. In the Privy Council’s view, there was nothing in Quincecare itself or in the later cases applying it to support the argument that the Quincecare duty of care extends beyond being a duty owed to the bank’s customer, which arises as an aspect of the bank’s implied contractual duty of care and co-extensive duty of care.

While the Privy Council in JP SPC 4 refused to extend the scope of the Quincecare duty, this stands in contrast to the findings of the English Court of Appeal in Fiona Lorraine Philipp v Barclays Bank UK Plc [2022] EWCA Civ 318 (“Philipp”). There, it was concluded that the earlier decisions provided “ample support for the conclusion that it is reasonably arguable that the Quincecare duty would arise in any case when a bank was on inquiry that the order was an attempt to misappropriate funds”.

It is also important to note the ongoing matter that most recently resulted in the English High Court’s decision in Tulip Trading Ltd v Bitcoin Association[2022] EWHC 667. The claimant, Tulip Trading Limited (“Tulip”), maintained that it owned digital assets valued at over GBP3 billion held in two addresses on four Bitcoin networks. Tulip claimed that it could not access the funds because it lost private keys associated with the addresses owing to a hack committed against it. Tulip argued, inter alia, that the defendants, Bitcoin developers, owed a tortious duty of care to provide those who have lost their private keys with means to access their Bitcoin, drawing upon analogies with the Quincecare duty. However, Falk J held that the defendants did not owe such a tortious duty of care. Specifically, there was no Quincecare duty, because the starting point for that duty of care is the contractual relationship between the bank and its customer, and the fact that a banker acts as agent of the customer in executing payment instructions. It remains to be seen whether the Court of Appeal may potentially answer the question of whether Bitcoin developers owe a duty of care to Bitcoin owners.

The exact parameters of the duty therefore remain in flux, and future decisions on the matter continue to be of great significance. One important distinction to note is that in JP SPC 4, the Privy Council appeared to base its decision on the conceptualisation of the duty as one in a tortious duty of care. In contrast, Phillip identified a relationship of agency between the customer and the bank as a “starting point” in the imposition of the duty. The choice to situate the Quincecare duty between either of these duties may prove to be critical, as the principles and scope underlying either of those areas would naturally affect how the Quincecare duty is conceptualised and the situations to which it could further apply.

Another possible foundation for liability, albeit one that has not arisen thus far in the cases, would be to view the incidence of liability on these entities as an application of a vicarious liability or non-delegable duties. Both doctrines seek to impose liability on a third party (in this case the bank/platform) for acts carried out by a tortfeasor (the fraudster) on a victim. While this would have to be subject to further, and more thorough analysis (particularly as to how the scope of employment would work), this could offer viable solutions to the present conundrum as to the liability on the banks/platforms. Moreover, these potential solutions could serve as alternatives to the unchecked expansion of the Quincecare duty, an issue that has perplexed courts and legal practitioners recently, albeit requiring further exploration.