Uganda: Who Pays for Digital Fraud in Banking? Courts Draw the Line

A substantial damages award against a bank has once again thrust digital banking fraud into the spotlight. Recent judgments in the United Kingdom and Uganda highlight shifting standards in the application of the duty of care owed by a bank to its customers and introduce the element of shared liability. The decisions emphasise the importance of robust fraud detection measures, customer vigilance, and the role of regulators in addressing electronic banking fraud.

The Banker's Quincecare Duty

The Quincecare duty requires a bank to refrain from honouring suspicious transactions. In the landmark 2023 case of Philipp v Barclays, the United Kingdom Supreme Court ruled that banks are not obligated to block customer-authorised payments in cases of authorised push payment (“APP”) fraud, except where an agent, such as a director, is involved. The court emphasised that a bank’s primary contractual duty is to promptly execute clear payment instructions from its customers, without questioning the customer’s judgment or the risks involved. While this duty requires banks to withhold execution of payment instructions if they have reasonable grounds to suspect fraud and to verify the customer’s authorisation, the Supreme Court clarified that this duty does not apply to APP fraud where the customer has clearly authorised the payment. In such cases, provided the instruction is clear and comes directly from the customer, the bank must carry out the payment without further inquiry. Bank transfers conducted through online or mobile banking and cash payments are examples of push payments.

The refined Quincecare duty was approved and applied in Uganda in Post Bank Uganda v Egesa, where the court held that banks are not liable for fraudulent withdrawals made through ATMs if the correct card and PIN are used. The court emphasised that while banks must inform customers about protecting their accounts, it is ultimately the customer’s responsibility to safeguard their ATM card and PIN to prevent unauthorised access.

In Aida Atiku v Centenary Bank, the High Court found the customer was entirely responsible for unauthorised transactions because she had carelessly shared her account information. The Court highlighted that, although banks are required to maintain reasonable security measures, customers also have a duty to protect their own account credentials. The ruling established that the party in the best position to prevent fraud should bear the loss. Since the customer failed to safeguard her account details, she was held solely liable for the financial loss.

In Stanbic Bank Uganda v Gabigogo, the High Court held that a bank will not be held liable once it shows that the security procedure it has in place is a commercially reasonable method of providing security against the fraud, in this case, unauthorised digital payment orders.

The Ugandan Courts' Recent Balanced Approach

In Abacus Parenteral v Stanbic Bank, the High Court took a more balanced approach compared to earlier cases like Philipp, Aida Atiku, and Egesa. The court found that both the bank and the customer shared responsibility for the financial losses suffered by the customer resulting from fraudulent transactions. The court therefore split the liability between the bank and its customer, with the bank carrying only 20% liability for the claimed damages. Citing the bank’s inadequate fraud detection systems and its failure to verify beneficiary details before processing payments, the Court determined that the bank breached its contractual duty by honouring payment instructions with incorrect beneficiary information and stressed that banks must reject erroneous instructions.

However, the court also found Abacus 80% liable for its own negligence. This was due to the company’s lax internal controls, such as allowing one person to both initiate and approve transactions, and the sharing of passwords, which violated its contractual obligations to maintain proper safeguards. The court held that the plaintiff’s failure to detect irregularities in its own records significantly contributed to the losses.

The Court adopted a nuanced comparative negligence approach to apportion liability for the fraud, which reflects the growing recognition that fraud prevention is a shared duty between banks and their customers, and liability should be allocated based on the level of negligence and control each party had over the transaction occasioning the fraud.

In Christian Rural Eyesight Promotion v Stanbic Bank, fraudsters cloned account details and diverted donor funds to a fake account. The court ordered Stanbic to pay up for failing to spot the fraudulent account. This shows that banks can’t just shrug when identity theft slips through their systems.

Interestingly, Kenya’s Courts show a similar balancing act to Uganda. In Barclays Bank Kenya v Tamima Ibrahim, the court held the bank 70% liable for failing to verify account details in an electronic funds transfer but dinged the customer 30% for providing incorrect details. This suggests East African courts are pushing for shared vigilance, unlike the UK’s more customer-focused liability.

What Should Banks Do to Stay Out of the Fraud Trap?

Heightened security measures: Ugandan Courts now require banks to implement strong fraud detection measures, marking a shift from the more limited approach seen in the UK. This heightened expectation exposes banks to the risk of substantial damages if they fail to address systemic weaknesses.

The liability attributed to the banks in Abacus and in Atiku warns banks to tighten internal controls, as negligence reduces recovery. With online banking platforms, banks and clients must secure digital channels to meet legal standards. Banks must review transaction monitoring and account verification processes. Banks must also enforce strict PIN and password policies for employees.

Customer Duties and Security Awareness: A consistent theme across the cases is the clear reminder to customers of financial institutions to vigilantly safeguard their banking details to minimise the risk of fraud. Staying vigilant is cheaper than a bad day at the ATM or online! Additionally, customers are obligated to promptly notify their banks of any losses or suspected account compromises, reinforcing the shared responsibility in preventing and addressing electronic banking fraud.

As digital financial services rapidly evolve, the responsibility for protecting banking transactions increasingly falls to regulators, the government, and Parliament. In Gabigogo, the High Court highlighted that determining whether banks or victims should bear the loss from electronic banking fraud is a matter best resolved through policy, rather than the Courts. The court stressed that legislators and regulators are best positioned to evaluate the wider social impact, consult with stakeholders, and create balanced, comprehensive policies. However, it remains uncertain whether these bodies will effectively address the growing risks associated with digital banking fraud.

--

Read the original publication at ENS