Online fraud is on the rise, and solicitors, with transactional money passing through their accounts, are an obvious target. At MBM, we have spent a great deal of time and effort putting enhanced security protocols in place to help guard against fraud and we keep them continually under review.
When fraud takes place, it can have enormous and traumatic impact on the individuals defrauded. The most obvious culprits, the fraudsters themselves, are usually long gone, their cash safely withdrawn or transferred to a jurisdiction where the money cannot be traced. In practical terms, they are beyond reach. So who else is there to blame?
The obvious targets are either the banks, or the solicitors themselves. A landmark decision in the English courts in 2016, Purrunsing, found in favour of the claimant against his solicitors and held that “when exercising discretion regard must be had to..considerations such as the financial strength of the loser, and the availability of insurance to meet the loss”.
In that case, a firm of solicitors (“A”) were instructed to sell property by a fraudster (who did not in fact own the property) who said he needed to conclude a sale quickly. A carried out ID checks on the fraudster who “passed” – he had provided a copy of his passport but this turned out to be forged, and utility bills provided in his name were for a different property.
A marketed the property and quickly found a potential buyer (“B”). However, B’s solicitors began asking a few searching questions about the fraudster’s employment. A raised these with the fraudster who took fright and announced that he no longer wished to sell to B.
The judge criticised A for not picking up on what he said ought to have been a big red flag: despite the fraudster insisting he wished a quick sale the judge said it was obvious that it was exclusively the request for information about employment that caused the fraudster to withdraw from the sale. A continued to market the property. Within a fortnight, another buyer, Mr Purrunsing (“P”) was found. He had agreed to pay cash from sums raised from a number of sources. P’s solicitors, House Owners Conveyancers Ltd (“HOC”) had searched the relevant register and realised that the property had no security over it. They wrote to A to say that they assumed that there had been a Deed of Gift, but did not, however, pursue this. In due course the sale completed. HOC transferred the purchase funds from their client to A, who in turn transferred the funds to a Dubai account on the instructions of the fraudster. The fraud came to light when an attempt was made by HOC to register P’s title.
P sued both A and HOC. The trial judge held that both were liable, although on slightly different bases. A was liable for “breach of trust” for transferring the money over to the fraudster which was described as a “strict liability” offence: this meant that the obligation in relation to purchase money was an absolute obligation not to release money before completion, and A had breached this obligation.
The trial judge also upheld P’s claim for damages for breach of contract and negligence against HOC, because HOC had not passed on to P information that indicated that in all the circumstances the transaction was risky.
Purrunsing was followed in January 2017 by a decision against the venerable firm of Mishcon De Reya, who were ordered to pay more than £1m to a claimant who had been the victim of an ID fraud, again on the basis of breach of trust.
Mishcon (“M”) were acting for a purchaser client buying property apparently being sold by Penny Hastings. The real Penny Hastings rented the property to tenants and the supposed seller was merely the tenant. The fraudster had changed her name by deed-poll to “Penny Hastings” after signing the lease. This meant the solicitors acting for the fraudsters were able to match the fraudster’s ID to the registered title interest for the property, and to the utility bills. After the purchase price of £1 million had been paid over to the fraudsters, it transpired that they did not own the property and M’s client’s money was lost.
At trial, the judge held that both firms involved on either side of the transaction had acted honestly and innocently. However, as M had insurance to cover the loss suffered in full, the “only practical remedy” open to the client was to sue M, who were held to be in breach of trust in releasing monies to the fraudster, again because of an implied term that monies would only be released on completion.
Although in Mishcon the firm was held not have been negligent, as they were said to have committed a breach of trust, the practical effect was just the same as if the firm had been found to have been negligent, with a £1 million award made against it in favour of their client. Permission to appeal Mishcon has been granted, but is yet to be heard.
Neither Purrunsing nor Mishcon has yet been followed in Scotland, but it seems only a matter of time. The Law Society has issued Guidance on Cyber Security and a number of articles have appeared regularly in the Law Society Journal on fraud risk since 2014. It is clear that awareness of fraud in the context of solicitors firms is now heightened.
To reduce the risk of a Purrunsing or Mishcon judgment, law firms need to ensure that they have robust risk management procedures in place. Although it is hard to see what more Mishcon could reasonably have done to prevent the fraud occurring (and in a sense, in concluding that there was no negligence, the judge agreed that there was little more that M could have done) if lessons can be learned from Mishcon, they are whether there were more searching questions which could have been asked which might have raised a red flag and derailed the scam: more detailed questions about the seller, the original purchase, how and when the seller acquired the property, who the purchasing solicitors had been, and how long the seller had been in residence at the property. In Purrunsing, questions asked by B about the seller’s Abu Dhabi employment, resulted in the fraudster taking fright and refusing to progress the sale to B’s client – little help to Mr Purrunsing but good news for B.
Transactional work can be a competitive environment when it comes to fees, and the notion that more will be required of solicitors on both sides of the transaction, will be unwelcome. Nevertheless, it would appear that it is only a matter of time before the Scottish courts start to see cases like Purrunsing and Mishcon De Reya.
A final consideration is whether there could be any liability on the part of a bank. As a matter of general law, a bank is under an implied contractual duty of reasonable skill and care in its dealings with its customer.
In Barclays Bank v Quincecare Ltd (1992) 4 All ER 363 the court held that as part of that duty, the banker was bound to refrain from executing an order if they had been reasonable grounds for believing the order was an attempt to misappropriate the customer’s funds. The logical consequence of such a duty is that commercially reasonable security procedures should be put in place to identify such grounds, and in particular, that banks engaged in online banking ought either to have some manual oversight on suspicious transactions, or at the very least to invest in software which automatically red-flags payments which possess certain characteristics of fraud.
A number of recent US decisions have echoed this approach, emphasising the need for a bank to put in place enhanced security procedures, which would include avoiding a generic security approach for all customers, and to impose enhanced customer verification.
Whether in all the circumstances a bank, in transferring funds, breached such a duty will be a factual question and each case will be fact-specific. However, a number of high value fraud claims against banks have already been settled on a compromise basis, and it is likely that more claims will follow. Watch this space!
For further information please contact:
0131 226 8218