Online fraud has been on the rise for many years, and solicitors, with transactional money passing through their accounts, are an obvious target. The pace of attacks has quickened in the past year with the majority of solicitors now working from home. The most obvious culprits, the fraudsters themselves, are usually beyond reach, their cash safely withdrawn or transferred to a jurisdiction where the money cannot be traced. So, who else is there to blame?
Two English cases from 2016 and 2017 suggest that where solicitors are involved, the courts will be quick to allocate blame, given that they have indemnity insurers standing behind them. Neither has yet been followed in Scotland, but it seems only a matter of time, and law firms need to ensure that they have robust risk management procedures in place. Solicitors are now generally aware of the risk and, if they are not, they should be. At the very least, they should have addressed their own cyber security measures from an overall risk management perspective.
Another consideration is the possibility of liability on the part of a bank for negligence in permitting the fraud to occur.
Generally, a bank is under a duty of reasonable skill and care in its dealings with its own customer. The consequence of that duty is that commercially reasonable security procedures should be implemented and banks ought either to have manual oversight on suspicious transactions, or at the very least software which red-flags payments suggestive of fraud.
However, an English decision from 2021 appears to restrict this duty: in Philipp v Barclays Mr and Mrs Philipp were victims of a fraudulent scam involving Authorised Push Payment (APP) transactions. The bank sought and were granted strike out; the judge limited the bank’s duty to situations of in-house misappropriation of the customer’s funds by an employee.
There are nevertheless circumstances where a bank might still be held to blame: if it had ‘acted recklessly in failing to make such inquiries as an honest and reasonable man would make’. So, if the Bank has been put on notice of “reasonable grounds” but has ignored this, it will probably then fall into the category of acting recklessly. The difficulty currently is knowing what qualifies as reasonable grounds/acting recklessly. The Philipp decision does not spell this out.
What will this mean for Scotland? The Philipp decision is “persuasive” only here, and the courts aren’t bound to follow it. MBM are in fact leading the way in Scotland on this: we are running a very similar claim in the Court of Session which is going to a legal debate on the issue in early June. Early indications are that the Scottish courts are not minded to blindly follow the English decision without considering carefully. Where the bank is on notice of reasonable grounds for believing fraud may have occurred, we will be arguing that there is a duty on the part of the bank to make inquiries and, if inquiries were not made, it is then arguable that that in transferring funds, the bank were negligent. A decision on the point will follow in the summer once the debate has taken place. Meantime, I guess at this stage, all that can really be said is that where there is uncertainty, it generally cuts both ways, and is almost always an opportunity for negotiation.