Chapman Tripp | “Duty of retrieval” – a bank's obligations to a non-customer victim of fraud

The English High Court has confirmed that a bank does not owe non-customer victims of fraud a “duty of retrieval” in respect of fraudulent payments received by the bank and transferred on instruction of its own (fraudulent) customer. This aligns with earlier decisions in the English Courts supporting a bank’s obligation to execute a valid unambiguous payment order from its customer.

The decision in Santander UK PLC v CCP Graduate School Ltd builds on the UK Supreme Court’s 2023 decision in Philipp v Barclays (see our previous article). In that case, the Court found that the Quincecare duty arises only in circumstances where the bank is “put on inquiry” (in the sense of having reasonable grounds for believing) that a payment instruction it has received from an agent may not be a valid instruction from the customer. The UK Supreme Court accordingly struck out the customer’s claim seeking to extend the duty to circumstances of authorised push payment (APP) fraud. It did not, however, strike out an alternative claim that Barclays did not do enough to retrieve the funds fraudulently transferred. The Santander case has followed in that context.

The Santander case

Santander received payments from CCP, a Natwest customer, using a Natwest account following an authorised push payment (APP) fraud. Santander subsequently, on instructions from its customer (which committed the fraud), transferred funds to a range of other accounts held with different banks.

The CPP sued Santander for breach of duty to take reasonable steps to retrieve or recover those payments. The essential allegation was that Santander, once notified that the payments were fraudulent, needed to contact further recipient banks to recall the payments or to prevent any further transfer.

Santander applied to strike out the claim. The English High Court struck it out in a successful appeal from a first instance decision of a Master who had allowed the claim to proceed. Building in part on the reasoning in Philipp v Barclays, the Court found:

the fact that a fraudster held an account with Santander did not give the bank any “special level of control” over that customer. Its obligation was simply to comply with its customer’s instructions. The Court found that there was no basis for finding that Santander’s status as the fraudster’s bank in “some way gave rise to an obligation to protect those who might be harmed by its customer’s actions”
a recipient bank cannot be taken to have assumed any responsibility to the third-party victim of a fraud (a customer of another bank entirely). Such a duty would be directly contrary to its own customer’s payment orders, and the bank had no authority or obligation to try to reverse payments. In making this finding, the Court considered the comments from the UK Supreme Court in Philipp v Barclays about the extent to which a bank owes its own customer a “duty of retrieval”. That remains a live issue following the Supreme Court’s decision in Philipp. However, the High Court found that, if the duty exists, it would be an extension of the contractual obligations to a bank’s own customers, and it cannot extend to a third-party victim of fraud
such duty, if created, would “place an unacceptable burden on banks going outside their contractual obligations with customers”, given the volumes of payments processed by banks and the need to make rapid decisions on whether allegations of fraudulent payments were legitimate
when notifying recipient banks of fraud, banks as a matter of course provide voluntary indemnities to protect the recipient bank against liability to its customer if it declines to make payments as instructed. Such actions do not, however, create a duty of care: “the fact that banks are willing to take steps to try to assist victims of fraud does not mean that the courts should find they have a legal obligation to do so”.

Notably, the payments had left the Santander account before Santander was notified of the fraud. However, the Court found that, even if there was a dispute about when Santander was given notice of the fraud, there would have been no realistic prospect of the victim succeeding in its claim against Santander, for the reasons above.

Finally, the Court (like the UK Supreme Court in Philipp v Barclays) also expressed its sympathy for the victims of fraud, but considered that such issues were a “question of social policy for regulators, government and ultimately for Parliament”, rather than expansion of common law. It also observed the steps taken by banks to protect against fraud and the mandatory reimbursement scheme as factors pointing against creating an expanded duty.

Chapman Tripp comment

The Santander decision provides further clarification of banks’ obligations and duties to consider and deal with the effect of fraudulent transactions in which they are involved.

The decision applies orthodox reasoning. When a bank receives a valid unambiguous payment order from a customer, the bank’s duty is simply to execute the order as instructed. A recipient bank cannot be taken to have assumed any responsibility to a third party who is not the bank’s customer, and with whom the bank has no legal relationship. The Court was appropriately cautious in assessing the potential expansion of a duty of care in that context. That a bank may arguably owe a duty of retrieval to its customer “provides no basis for the incremental development of an equivalent duty owed to a party with whom the bank had no contractual relationship”.

We are not aware of any comparable claim having been made in New Zealand. Although not binding, we expect that the English High Court’s reasoning will be persuasive if such a claim is brought.¹

Obligations and actions of a recipient bank have been only a passing feature of the Banking Ombudsman Scheme’s (BOS) guidance and published fraud and scams case notes. The BOS Practice Note on “Fraud” comments only that “Recipient banks should contact a customer who has received fraudulently obtained funds as soon as possible about the return of the funds”. BOS cannot currently deal with complaints against receiving banks, but it is seeking to have the Code of Banking Practice amended to allow it to do so.²The Australian Securities and Investment Commission (ASIC) has expressly recorded its concerns about recipient banks failing to respond in a timely manner to recovery requests from the sending banks, “resulting in significant customer distress”.³

Accordingly, despite the Santander decision, a recipient bank should assess carefully all the available information, including that received from another bank or its customer, and determine whether it can validly stop any further transfer of a fraudulent payment or any steps it can reasonably take to recover already-transferred funds.

The big question which remains unresolved is whether – and if so to what extent – a bank will be found to owe a “duty of retrieval” to its own customer. Whether that will be resolved as part of the continuing Philipp litigation or otherwise is yet to be seen. We will be monitor further developments on this front.

1. The English High Court referred with approval to the New Zealand Supreme Court’s decision in Westpac New Zealand Ltd v MAP and Associates Ltd [2011] NZSC 89, [2011] 3 NZLR 751.
2. Banking Ombudsman Scheme, Consultation on Proposed Rule Changes, 18 November 2024.
3. Australian Securities and Investment Commission, “Anti-scam practices of banks outside the four major banks”, Report 790, August 2024, at page 9. See also Australian Securities and Investment Commission, “Scam prevention, detection and response by the four major banks”, Report 761, April 2023.

Our thanks to Nathan Whittle for preparing this article.