Having been away from the office undergoing medical treatment over the past 6 months, it occurred to me that in many ways, online fraud is like a serious illness – it can happen to anyone, but we never think it is going to happen to us. It’s something that happens to other people and other companies – until of course it happens to you.
When you’ve been targeted by an online fraud, there are many of the same feelings of confusion and bewilderment that are experienced when you’ve been diagnosed with a serious illness. Why has this happened? How could I have let this happen? What do I do now? Can it be put right?
In some cases the fraud may have been detected so quickly that funds can be frozen in the fraudster’s account and returned to their rightful owner. Online frauds are, however, becoming more and more sophisticated. Commonly, by the time either the customer or the bank has become aware of the fraud, the money has been passed into multiple different accounts and withdrawn immediately from ATMs.
If that happens, the money will very often be “lost” and as a customer you will face an apparently impossible task in persuading your bank to give you your money back. However, all is not lost: there are ways and means to persuade a bank that they should not have parted with your money!
The starting point is that legally a bank is under an implied contractual duty of reasonable skill and care in its dealings with its customer, and the bank is required to follow the customer’s instructions, using reasonable skill and care in executing the customer’s orders. The bank must not execute any order that should objectively set alarm bells ringing.
What does that mean? For the bank, it means that they MUST put in place commercially reasonable security procedures to identify whether there are reasonable grounds for believing that the supposed order was “suspicious” and may have been an attempt to misappropriate the customer’s funds. For example, behavioural software (which is much more common in the US) is now commercially available; this acts as the modern equivalent of the bank teller checking the signature on cheques against a specimen held in the branch. This was a safeguard that was quite clearly considered appropriate in the pre-digital age; so why should a bank not be required in the modern digital age to have some manual oversight on suspicious transactions, or to invest in software which automatically red flags payments with characteristics suggestive of fraud?
A lot depends on the particular circumstances of the online fraud, but it is worth looking at whether or not it can be argued that there were clearly suspicious characteristics about the transaction that a reasonable bank, with appropriate and commercially reasonable security procedures, should have picked up. If this can be argued, then the bank would be in breach of its duty to take reasonable skill and care in executing its customer’s orders.
There is another way to achieve the same result, and that is to argue that there is a “fiduciary relationship” between banker and customer, meaning that the bank is under a duty to act in good faith towards its customer. You might expect a bank to be under an automatic duty to act in good faith, but until recently no such duty was said to exist: traditionally, relationships between banks and their customers were regarded as being at “arm’s length”.
However, over recent years this view has changed: firstly because of the changing nature of banking and financial services with banks now seeking actively to provide an array of financial services and products to customers; and secondly because the law itself has changed, and is beginning to recognise that where there are long term “relational” contracts between parties this means that there is a fiduciary relationship between the parties. The important point about a fiduciary relationship from a bank customer’s perspective is this means that a duty of good faith should be implied into the contract between bank and customer.
The question then is what safeguards a bank acting in good faith ought to have. A customer should arguably be entitled to assume that a bank acting in good faith ought to have in place behavioural analytics in an online banking relationship which would identify, for example, the location of the log-in; the customer’s history and pattern of previous transactions; the usual IP address or addresses; and the frequency and size of the transactions.
You might well be reading this and thinking: “that’s all very well in principle, but will this actually persuade my bank to pay out?” Of course there are no guarantees, but depending on the size of your organisation, the bank may be keen to compromise in order to maintain an ongoing commercial relationship with the company. Perhaps more significantly, our experience is that banks will actively seek to avoid any adverse court decision which establishes a duty to act in good faith. If a precedent is set, this will lead to “piggy-back” claims which the bank will very definitely want to avoid; a quiet and confidential settlement is greatly preferable to the bank rather than a court case with lots of unwelcome publicity.
If you’ve been affected by online fraud, and are just not sure where to turn, please do get in touch – my team and I would be happy to help.
Head of Dispute Resolution
DISCLAIMER: While every effort has been made to ensure the accuracy of this blog post, it is not intended to provide legal advice as individual situations will differ. No recipients of content in this blog post should act or refrain from acting on the basis of the blog post without seeking the appropriate legal advice on the particular facts and circumstances at issue from a qualified solicitor in their jurisdiction. The blog post is for general information only and is not legal advice. The law changes frequently and varies from jurisdiction to jurisdiction. No solicitor-client relationship is formed nor should any such relationship be implied. If you require legal advice, please consult with a solicitor qualified to practise in your jurisdiction. Should you be interested in seeking our assistance with a legal matter, please contact the Dispute Resolution team on 0131 226 8200.