The ruling represents a comprehensive review of the law in the area, and when banks can be liable to customers under so-called Quincecare duties, derived from an English case of the same name.
For over three years starting in September 2010, the plaintiff engaged in what she thought were investments offered by the defendant and introduced to her by one of the bank's employees, Miss (Ms.) Liu King Yee, the securities manager at a branch of the bank.
The investments were explained as "internal" in that they were only available to the bank's staff/employees (not to outsiders) and would generate high monthly yield (around 100 times the amount banks were otherwise paying on deposits). By forged receipts and online records created by Ms. Liu, the plaintiff was led to believe that all HK$24 million that she had transferred to Ms. Liu's account with the defendant, was placed in the investment.
The fraud was brought to light in March 2014, with Ms. Liu being convicted of three counts of fraud in October 2015 and sentenced to 10 years in prison. The plaintiff lost all her money.
The issue before the court was whether the bank could be held legally responsible for the losses sustained by the plaintiff as a result of the fraud perpetrated by the bank's employee.
The plaintiff made various claims against the bank, primarily in vicarious liability and negligence. The court rejected all of them.
The plaintiff sought to rely on the doctrine of vicarious liability in its claim against the bank, by which employers are in certain circumstances held liable for tort committed by their employees. While the "close connection" test is firmed established as the test for vicarious liability (whether, taking note of the nature of the employee's job, there was a sufficient connection between the position in which he was employed and his wrongful conduct such that it would be just and fair to hold the employer liable), the Honourable Mr. Justice Coleman noted that in cases involving employee fraud/misrepresentation, the test for liability requires an examination of whether the employee's fraudulent misconduct falls within the scope of the employer's authority, actual or ostensible.
The court noted that apparent authority is found where: (1) a principal has represented, by words or conduct, to a third party that the agent has authority to enter into the kind of transactions in question; (2) the third party enters into a transaction in reliance on that representation; and (3) the reliance is reasonable.
On the plaintiff's evidence alone, the court found there was "real force" in the bank's submission that it could not have intended to offer, or have authorized its staff to offer on its behalf, internal investments to outsiders. It was illogical to think that the apparent authority of a bank employee to sell securities products would extend to authority to sell any kind of product, including those expressly understood by an outsider as not being available to outsiders. Accordingly, the court found that there was no representation or holding out by the bank that Ms. Liu had authority to offer the investments to the plaintiff and as such, there could be no actual reliance.
The court found that the plaintiff was "simply overjoyed to be offered and apparently given the sort of return identified, and she did not care why, how, or what was the logic of the investments," in effect being "blinded by her greed."
The claim in negligence was based on the so-called Quincecare duty (derived from the case of Barclays Bank plc v. Quincecare Ltd.  4 All ER 363) being the duty to refrain from executing a customer's order when the bank is put on inquiry that the order is an attempt to defraud the customer, described as "a specific manifestation of the duty of care owed by a banker to its customer in relation to instructions."
The court found the plaintiff's submission that "red flags" – including substantial transfers being made from a client's account to a member of staff's account, should have caused the bank to enquire into the transactions, would significantly extend the previously described delineation of the duty. From previous authority, the Quincecare duty had been held to arise only in circumstances of attempted misappropriation of the customer's funds by an agent of the customer, not by a third party perpetrating a fraud on the customer which induces the payment.
Where the bank's customer is an individual, the individual customer's authority to make payment must be taken by the bank to be real and genuine. To impose on the bank professional standards of detective and investigative work, aimed at establishing whether or not a payment is potentially fraudulent would "elevate that duty to a point where too much doubt would be cast over the effectiveness of the customer's instructions."
The Quincecare duty is a common law duty based on the general concept of a bank adhering to standards of honest and reasonable conduct in being alive to suspected fraud, referenced to the standards of the ordinary prudent banker. If a bank were to be held to a higher standard, then the bank needed to know the terms which would need to have industry-wide application in the form of industry-recognized rules or a banking code so that a bank could identify the circumstances in which it should "second guess" a client's instructions.
The court did not consider the duty was triggered on the pleaded facts of the case. There was nothing in either the regulator's guidelines or the bank's own internal guidelines that would assist the plaintiff. On one view, the plaintiff was, "a victim of her own greed and gullibility" – and this was not caused by any negligence or breach of duty on the part of the bank.
In closing obiter remarks, Coleman J. said that it might be, in an age of increasing sophistication in and the use of artificial intelligence, that an argument could be made out that banks are in a position to monitor the operation of bank accounts held by their employees at their banks, so as to better assist protection of customers from fraud conducted by employees.
But that would, "involve potentially significant invasions of privacy and other matters which would require careful consideration and, as I have already indicated, industry-wide consultation and implementation." Even if that were to happen, determined fraudsters could operate their fraudulent activities through bank accounts held at banks which did not employ them.
If something seems too good to be true, then the court noted that it probably is.
The ruling will be welcome to banks and financial institutions as a further confirmation that duties owed to customers are generally circumscribed, being limited to particular fact patterns which in many instances, prove elusive.
Authored by Yolanda Lau and Nigel Sharman.