The Americas / Mandates no substitute for sound judgment: 4 reminders for banks from Caye International Bank Ltd v Rosemore International Corp  CCJ 4 (AJ) BZ by Khamaal Collymore
Mandates no substitute for sound judgment: 4 reminders for Banks from Caye International Bank Ltd v Rosemore International Corp  CCJ 4 (AJ) BZ
Earlier this year, the Caribbean Court of Justice (CCJ) delivered its judgment in Caye International Bank Ltd v Rosemore International Corp. This was an appeal from Belize, which raised for the first time in the CCJ the applicability of the Quincecare duty in online banking transactions, and the extent to which that duty can be limited or excluded by contractual terms. As the court acknowledged, the decision in this case is of considerable importance for Belize and other CARICOM jurisdictions.
The dispute surrounded US$175,000 which the Appellant bank (the “Bank”) transferred from an account held by the Respondent (the “Customer”) to a third-party abroad. The transfer was processed in response to a wire transfer request received as an attachment to a message sent via the Bank’s online banking platform from the Customer’s account. It was later discovered that this instruction was not authorised by the Customer but was the result of an email compromise.
The Customer claimed against the Bank for breach of their depository agreement and negligence. The CCJ found that the Bank had followed the verification and identification processes set out in its depository agreement with the Customer. However, the court found that the Bank breached its Quincecare duty. Formulated by Steyn J in Barclays Bank v Quincecare  4 All ER 363, the Quincecare duty imposes an obligation on banks to refrain from executing a customer’s order if, and for so long as, the bank is ‘put on inquiry’ that the order is an attempt to defraud its customer.
The CCJ found that several features of the wire transfer request were sufficient to put an ordinary prudent banker on inquiry, including:
- Discrepancies between the signature on the outgoing wire transfer and that of the authorised signatory, which a handwriting expert described as “observable”;
- A request to send confirmation of the transaction to an email address not on file, and with a different domain name to the email addresses on file;
- The unusually large amount of the sum requested to be transferred given the account history;
- The fact that the Customer had never made a transfer to the proposed beneficiary; and
- The stated purpose of the transfer was inconsistent with the Customer’s business.
Notwithstanding that the Bank followed the agreed verification and identification processes, the CCJ found that the Bank ought to have exercised greater caution in the verification process having been put on inquiry. The court noted that a phone call to the authorised signatory could have averted the fraud.
Finally, the court also found that exclusion and indemnity clauses relied upon by the Bank did not exclude liability for the Quincecare duty.
Fraud presents a substantial operational risk for banks. The mitigation of this risk is therefore a top priority across the banking sector. This article highlights 4 reminders from this decision that may be helpful for banks and their advisors in mitigating the risk of fraud.
- Be careful of wolves clothed as sheep
Most of the cases on the Quincecare duty involved customers being defrauded by their own fraudulent directors or officers. In this case, the CCJ accepted that the duty also extends to cases where cyber fraudsters pose as customers. One common element in both types of cases is that the instructions appear to be given by a legitimate source, either an authorised officer of the customer, or, on the surface, the customer itself.
It is a fallacy to assume that a bank is absolved of its duty to exercise reasonable care and skill once an instruction comes from an apparently legitimate source. In a sense, this is when sound judgment is most needed. As the cases in this area acknowledge, fraudsters will seldom announce their arrival.
Whether an authorised officer turned rogue or a third-party fraudster posing as the customer, the lesson here is simple: it is not enough for banks to be satisfied that instructions are or appear to be from an authorised person. Banks must remain alert to circumstances that would put a prudent banker on inquiry that the instruction is an attempt to defraud the customer, irrespective of who gives the instruction.
- Prudent banking is more than ticking boxes
Perhaps an extension of the first point, it is critical that banks appreciate that the discharge of the duty to exercise reasonable care and skill will often involve the exercise of judgment above and beyond written processes. The Bank in this case was liable even though it followed the processes for verification and identification agreed with the customer in their depository agreement.
When I worked at a bank, my General Counsel would remind our team that we were hired for our judgment. It didn’t take long to appreciate what he meant. Banks devote significant time developing processes. Ultimately however, it is impossible to anticipate and reduce to writing the innumerable ways in which issues might arise. This is especially true in the ever-evolving world of cyber-fraud.
Checklists and processes are therefore best viewed as aids – and not substitutes – for sound judgment.
- Exclusion clauses will hardly save you
The CCJ did not rule out the possibility of banks and their customers agreeing to exclude the Quincecare duty from their banking relationship. However, it is clear that cases in which banks will be able to successfully rely on exclusion clauses and indemnities to exclude liability for the Quincecare duty will be rare.
As the court observed, whether a traditional or modern approach to interpretation is adopted, the threshold required for successful reliance on exclusion clauses is high. In plain English, the clause relied upon to exclude liability would have to effectively convey to a reasonable observer that the customer agreed that the bank will not be liable for ignoring red flags.
By all means, banks should maximise whatever protection is available by way of exclusion clauses and indemnities, but the key to managing the Quincecare duty remains the exercise of sound judgment. In cases of poor judgment, exclusion clauses will hardly save you.
- Combatting fraud is everyone’s job
Though not part of the court’s reasoning, there is a significant aspect of the chronology that makes this point. On the day of the transfer, the Customer’s UBO received an email notification of a message in the Customer’s online banking account. The UBO then made several attempts to access the Customer’s online banking account but was unsuccessful. He notified the Bank within 3 business days. However, another 2 months passed before his online banking access was restored (it is not clear whether the entirety of the delay was attributable to the Bank). Once restored, the UBO immediately detected the unauthorised debit.
Customer support functions such as restoring access to online banking are typically performed by different teams from those processing transactions, often off-site and even abroad. One could be forgiven for overlooking the role these teams (ought to) play in combatting fraud. However, when properly staffed and organised, such departments are more than just catchments for perceived non-tech-savvy customers with unending queries.
In the world of recalling wires, time, quite literally, is money. A fast and efficient process for resetting credentials is a simple tool for detecting fraud and initiating timely recalls.
Khamaal is a commercial litigator at Caribbean law firm Stanbrook Prudhoe. He previously worked in-house at a leading Caribbean bank. His experience in the financial services sector includes investigations and remediation support. Khamaal regularly leads litigation in a wide range of commercial matters, including domestic and cross-border insolvencies, shareholder disputes, sovereign debt-restructuring and regulatory overreach.