Following hot on the heels of NatWest’s record £267 million fine for AML breaches in pretty egregious circumstances involving cash deposits carried in bin-liners, the bank finds itself again in the spotlight over its AML and KYC procedures in a case that considers what obligations it is reasonable to impose on a bank in circumstances where their procedures and systems alerted them (or should have) to a potential fraud by one of its customers.
Tecnimont Arabia Limited v Natwest, for which judgment is expected imminently, may extend the scope of banks’ liability even where the fraud victim is not their direct customer. This distinguishes it from the more common pathway to claims against banks engaging the “Quincecare duty”.
This is a species of obligation a bank owes its own corporate customer to stop a transfer request when the bank is ‘on enquiry’ that the request may have been made fraudulently – often by a delinquent director or owner.
The Quincecare duty returned to prominence following the Supreme Court’s 2019 ruling in Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd and has remained en vogue ever since.
The facts of the Tecnimont Arabia case are depressingly familiar and concerns an APP fraud – in this instance Tecnimont, a Saudi based entity, intended to make a $5m payment to a group company and an internal request was made for the relevant account details.
Having gained unauthorised access to the corporate email account of the Group Finance Vice President (GFVP), hackers sent an internal email from that account providing alternative account details. Payment was then made to the ‘false recipient’ account at NatWest in the name of Asecna Limited, an English registered company, from which it was quickly dissipated via various jurisdictions through multiple transfers.
Tecnimont seeks to recover the payment from NatWest on the basis that, despite anti-fraud flags, NatWest failed to stop its onward dissipation. As stated above, absent any direct relationship between Tecnimont and NatWest, there was no Quincecare duty engaged. Tecnimont instead founded its claims on principles of unjust enrichment and unconscionable receipt in equity, referencing standards of care by regulatory bodies, such as the Financial Standards Authority (FSA), and that the history, parameters and pathology of the Asecna account did not sit well with a receipt of $5m from Saudi.
Central to the case is who should bear primary responsibility for the fraud having been allowed to proceed. Tecnimont argued that an employee of NatWest’s Bankline Fraud team shut his eyes “in a way that a reasonable and honest man would not have done.” “Dishonest mishandling” of alerts relating to the transaction “created the risk of fraud” and the bank failed to prevent the disbursement in bad faith.
A duty of the type alleged by Tecnimont doesn’t sit particularly well with what NatWest argued was the bank’s primary obligation to follow its mandate and execute the instructions of its customer.
NatWest also contends that, to the extent there was any duty at all, Tecnimont had every opportunity to prevent the fraud and that in such circumstances NatWest’s obligation to follow client instructions should not be overridden. The fraudsters accessed the GFVP’s email account because he clicked on a phishing email attachment, entering his username and password. Tecnimont proceeded with payment to the revised account details despite the email, purporting to be from the GFVP, containing numerous errors and requiring payment to an account in the wrong name and in a different jurisdiction.
Tecnimont’s arguments shed light on how diligently banks enforce KYC and anti-fraud regulations and whether, in reality, current regulations facilitate systems that do very little to prevent fraud. Presently, the law operates to facilitate greater scope for civil liability where a bank fails to prevent its customer being defrauded rather than failing to prevent a fraud perpetrated by one of its customers which seems counter-intuitive.
A perennial problem in cases of this nature is in fixing the bank with actual knowledge of the fraudulent activity. This is usually pivotal in establishing liability and may yet prove to be Tecnimont’s Achilles’ heel. Attempts on the part of Liquidators to plug the knowledge gap in the recent case of Stanford International Bank vs HSBC were given short shrift and will likely continue to be problematic for claimants pending a change in the law. In that case the liquidators were unsuccessful in seeking to argue that, when dealing with a large corporate entity, it should be possible to deploy actual and constructive knowledge to make good corporate knowledge fractured by alleged systematic and personnel failings.
If the Tecnimont case does facilitate more claims of this non-Quincecare type, greater risk of civil liability may prompt banks to re-examine their systems. The case also serves to illustrate broader deficiencies in the UK’s KYC, anti-fraud and anti-money laundering regimes. A recent Chatham House report on the UK’s AML regime concluded that a significant overhaul was required.
Further development of civil liability will help commercial organisations to hold banks to account: tightening of the regulatory regime looks likely. For example, the government is currently reviewing responses to its 2021 “call for evidence” on the UK’s AML and counter terrorist financing (CTF) regimes. HM Treasury will publish this report by June. Given recent criticism of the Johnston administration for permitting the UK to become a “haven for kleptocrats and money launderers” after ditching the economic crime bill, this issue is likely to remain a hot one.
As matters stand, on these particular facts, a bank seems to have less exposure when it’s their client that is the bad actor and they fail to intervene rather than where it is their client that is the victim of a fraud which is an anomaly that needs to be addressed.
Paul Brehony and Simon Fawell are partners at commercial disputes law firm, Signature Litigation.