Claims against crypto exchanges: could a Quincecare duty ever apply?
Locations
Our first article in this series examined proprietary and other claims that a defrauded claimant could potentially make against a crypto exchange in the English Court.
Whilst the previous article examined the types of claims that a claimant could potentially make against exchanges if they were able to trace their misappropriated assets to an exchange, this article examines whether a wallet holder may have a claim in negligence against an exchange administering that wallet if that customer were defrauded by a mandatary or by a push payment fraud. More specifically, could an exchange be liable for breach of a Quincecare duty of care?
The Quincecare duty
The case of Barclays Bank Plc v Quincecare Ltd [1992] 4 All E.R. 363 held that a bank could be held liable in negligence if it did not refrain from acting on a payment instruction if, and for as long as, it was put on inquiry by having reasonable grounds for believing that the instruction was an attempt to misappropriate funds. The 'Quincecare claim' was reignited three years ago following Singularis Holdings Ltd v Daiwa Capital Markets [2019] UKSC 50, which was the first decision holding a bank liable for breaching its duty to scrutinise customer transactions for possible fraud.
Singularis and other Quincecare claims in the English Court concerned mandataries dishonesty using their powers to operate their principal's account. The situation in the recent case of Philipp v Barclays Bank UK PLC [2022] EWCA Civ 318 was different. In Philipp the claimant had personally given payment directions to their bank, but had been defrauded by an external party, having been duped by fraudsters into making payments as a result of a series of telephone calls. The claimant alleged that the bank should have noticed a number of factors that were inconsistent with the existing pattern of the claimant's use of her account, and accordingly should not have actioned the payments. The Court of Appeal held (although it should be noted that the case is under appeal to the Supreme Court) that the Quincecare duty did not depend on the fact that the bank was instructed by an agent of the customer of the bank. Therefore, it was possible, in principle, that a duty of care could arise in the case of a customer instructing their bank to make a payment when that customer was the victim of fraud orchestrated by a third party, such as push payment fraud.
Are exchanges analogous to banks?
The first hurdle a claimant would need to overcome if it were to make a claim in negligence for breach of Quincecare duty against a crypto exchange would be establishing that exchanges owe such a duty. Banks are regulated entities with sophisticated systems and controls designed to prevent their customers being defrauded. By contrast, exchanges are not regulated and do not utilise nearly the same level of fraud prevention techniques. Whether the duty could extend to exchanges is debateable, but the English Court is often willing to impose duties of care of this nature to financial institutions.
The second issue in this respect is that the Quincecare duty is assessed by reference to the ordinary prudent banker and accordingly, whether that bank, acting with reasonable care and skill, would have actioned the relevant payment from the customer's account. Transposing this test to exchanges, the standard would need to be one of the ordinary prudent exchange. In circumstances where it "is a rare situation for a bank to be put on inquiry, there is a high threshold" (as per Vos CJ in Singularis), the reasonably prudent exchange, lacking the same levels of fraud prevention controls as banks, would likely be subject to an even higher threshold. Exchanges operate in a far more administrative manner to banks, exercising significantly less monitoring of the wallets they operate. Some exchanges do employ software that is able to track crypto currency that is the proceeds of fraud, but that is irrelevant in circumstances where a customer has fallen victim to a push payment fraud.
Customer or beneficial owner?
A further obstacle that claimants would face in making a Quincecare claim is the distinction between customer and beneficial owner. The recent Privy Council decision in Royal Bank of Scotland v JP SPC & Ors [2022] UKPC 18 confirmed that the Quincecare duty is only owed to the bank’s customer and not a beneficial owner of the relevant funds. Fraud victims rarely hold an account with the relevant exchange to which the funds have been sent, instead they send their own crypto assets to a blockchain address not linked to an exchange and it is typically moved to an exchange for conversion into fiat currency or another crypto currency. Therefore, a claimant would need to be a customer of the exchange, using one of the exchange's wallets for a Quincecare claim to apply. If a victim's monies are merely held on an exchange as the beneficial owner, a claim would not arise.
Jurisdictional issues
A third problem relates to the location of exchanges. Crypto exchanges are typically located outside the English Court's jurisdiction, commonly in the Cayman Islands and the British Virgin Islands. If it is not possible to found a claim in England, any claim would need to be pursued under the local law of the exchange. Cayman and BVI law are similar to English law, but Quincecare claims are not as developed in those jurisdictions, if at all.
The future
A customer of an exchange or a person that is the beneficial owner of crypto currency located on an exchange who is defrauded of their assets will likely need to look to other remedies for recovery outside of negligence. But whilst Quincecare claims against exchanges appear to have multiple inherent obstacles, increased regulation by financial authorities could change that picture. As exchanges become more regulated and such regulation is akin to traditional banking regulation, it will become more likely that the courts will be willing to impose duties of care on exchanges.