Banking Litigation Trends – Spring 2024 Update
This year is one that continues to threaten multiple challenges for financial institutions. They arise from two main sources: the rapid pace of technological change and geopolitical upheaval affecting the financial markets. This in-depth read explains the risks that financial institutions face so you can take practical steps to manage and prepare for them.
Case Insights from Norton Rose Fulbright’s Court Intelligence Database
Economic Crime and Corporate Transparency Act
ESG and similar global policy-based litigation
Technology: AI, Crypto and FinTech
Margin calls and market volatility
Case Insights from NRF’s Court Intelligence Database
Our proprietary Court Intelligence Database mines information about ongoing large scale banking and finance litigation in England. It records information about the types of claims and their progress whether or not they reach judgment.
Our latest analysis shows that fraud remains the single largest category of claims. There was a spike in 2017 of payment fraud related cases, some of which are still going through the courts. The era of misselling litigation appears essentially to be over – high levels in the middle of the last decade have now dropped to almost zero.
Looking forwards, we can see recent growth in claims based on capital markets transactions and prospectus liability. Where the previous financial crisis led to misselling claims in the derivatives markets, recent market stresses appear to be leading to litigation involving public markets and both retail and professional investors. It is possible that increased sophistication in litigation funding and the management of group litigation is contributing to the growth in High Court claims by disgruntled investors.
Economic Crime and Corporate Transparency Act
Financial institutions are likely to face new litigation and investigation risks from the Economic Crime and Corporate Transparency Act (ECCT Act). It contains significant developments including: (i) expanded powers for Companies House (ii) a new failure to prevent fraud offence and (iii) reform of the identification doctrine.
The ECCT Act received Royal Assent on 26 October 2023. It follows publication of the UK Government’s response to the Corporate Transparency and Register Reform White Paper published in February 2022 and builds on the Economic Crime (Transparency and Enforcement) Act 2022 (ECTEA) which received Royal Assent in March 2022.
The ECCT Act sets out further wide-ranging reforms to tackle economic crime and improve transparency over corporate entities, including through reforms to the role of the UK companies registry, Companies House. The reforms relating to Companies House are aimed at, among other things, strengthening the UK’s business environment and improving the reliability of data it maintains so as to inform business transactions and lending decisions across the economy. A number of changes are also being made to processes and requirements for company formation and administration, including requiring identity verification of directors and persons with significant control of UK companies.
The ECCT Act also creates a new failure to prevent fraud offence to hold organisations to account if they profit from fraud committed by their employees or third parties providing services for them, or on their behalf (for example any agents or service providers). Under the new offence, an organisation will be liable where a specified fraud offence is committed by an employee or agent, for the organisation’s benefit, and the organisation did not have reasonable fraud prevention procedures in place. The government is due to issue guidance on what constitutes ‘reasonable’ procedures, although this is not expected to be published until late 2024. It is likely the offence will then come into force after publication: either in late 2024 or early 2025. Given the increased scrutiny on fraud, it is expected that this could also give rise to an increased number of civil fraud claims.
In addition, the ECCT Act reforms the corporate criminal liability doctrine to hold corporations liable in their own right for economic crime. Previously, for an organisation to be liable for a criminal offence, the “directing mind and will” of the Company would have to be implicated. This has now been expanded so that organisations can be held criminally liable for actions of their “senior managers”. This is aimed at strengthening the ability to apply corporate liability to the makeup of modern corporations, particularly large complex structures. This came into force on 26 December 2023.
Implementation of the remaining provisions in the ECCT Act (which, among other things, amend the Companies Act 2006 (CA 2006)) will be in stages since many will need systems development and secondary legislation before they can be implemented. While the implementation timetable has not yet been published, Companies House is being readied to oversee and enforce a large number of the changes being introduced.
ESG and similar global policy-based litigation
The litigation playbook for ESG in the UK uses what we call the Triple Play: a combination of three separate legal devices that, when used together, enable litigation against large corporates in the UK based on their global policies and regulatory standards. Although to date claimants have focused on ESG-related claims, the approach could be used against any large, geographically dispersed organisation subject to regulation in different jurisdictions with centralised management and control systems. Banks fall squarely into this category.
The three elements of the Triple Play are: parent-subsidiary liability, group litigation and anchor defendants. Liability starts from an alleged tort committed in a foreign jurisdiction by a company within the defendant group. Breaches of environmental standards have been behind the tort in most cases – including the two Supreme Court decisions in Vedanta v Lungowe [2019] UKSC 20 and Okpabi v Shell [2021] UKSC 3 – but any standard of care imposed by regulation or law will suffice. Then, liability for the tort is fixed on a parent of the group company located in England using parent-subsidiary liability. This is the argument that the parent has taken on a duty of care to oversee the actions of its subsidiary and this duty of care is owed to all those who have suffered damage due to the subsidiary’s breach. Following Vedanta, promulgation of policies and procedures by a parent company can be used to found parent-subsidiary liability.
Once an English parent company has been fixed with liability, proceedings may be started against it in the English courts. Using the parent as an anchor defendant, other defendants can be added to the English action. Group litigation orders or representative actions may be used to accommodate a large class of potential claimants. As a result of the Triple Play, large organisations may find themselves exposed to group litigation in the English courts due to alleged breaches by individual subsidiaries of local regulations in different jurisdictions.
The Triple Play has also been used to extend supply chain liability. In Begum v Maran [2021] EWCA Civ 326, a shipowner who sold a ship was held liable in respect of a breach of employment standards by a Bangladeshi shipbreaker who ultimately ended up with the task of breaking up the ship. In Limbu & Ors v Dyson Technology Ltd & Ors [2023] EWHC 2592 (KB), migrant workers brought an action against companies in the Dyson group alleging forced labour and exploitative conditions in a factory in Malaysia which manufactured products and components for Dyson branded products (the claim failed on jurisdiction grounds, for more information see our post here). Similar principles could be used to impose liability on lenders. So the Triple Play could be used to extend liability to banks for the torts of their customers as well as their subsidiaries. If the Triple Play starts to seep further up the supply chain in other situations, this could constitute a substantial extension of liability, especially for environmental claims.
One change that threatens to limit the power of the Triple Play is the departure of the UK from the Brussels Regime for determining court jurisdiction following Brexit. Under the Brussels Regime, the Court was obliged to exercise jurisdiction over defendants domiciled in England. Now, claims against an anchor defendant located in England are subject to a discretion of the Court to stay proceedings in favour of a more appropriate forum elsewhere. Triple Play torts may be vulnerable to these arguments. In Municipio de Mariana v BHP [2022] EWCA Civ 951, the Court of Appeal rejected a challenge to jurisdiction over an anchor defendant in respect of tort liability arising from the collapse of a Brazilian dam. But more recent cases suggest that the Courts will increasingly use this discretion to limit the Triple Play: in Limbu v Dyson, considered above, the Court stayed the claim on the grounds that Malaysia was the more appropriate jurisdiction.
Overall, the Triple Play is a fast-growing source of litigation that is likely to spill over to banks and financial institutions. In order to mitigate this risk, financial institutions should review their corporate strategy and consider any internal governance framework to ensure sufficient oversight across overseas subsidiaries and supply chains.
Cyber Risk
Theft of data, possibly coupled with ransom demands, is an operational and reputational risk for banks, with the World Economic Forum Global Risks Report 2023 reporting that cybersecurity and privacy are in the top 10 risks that concern businesses. Cyber-attacks against financial institutions are on the rise and, with an average cost of $5.9 million in 2023, a data breach in the financial sector can have devastating consequences. As reported in IBM’s 2023 Cost of Data Breach Report, data leaks made up 64% of all cyberattacks in the financial sector, and attackers increasingly compromised financial organisations not only through traditional means, but also by actively exploiting vulnerabilities in the network perimeter (such as the MOVEit Transfer vulnerability, CVE-2023-34362).
Trustwave found that in 2023, 40% of ransomware incidents against financial services companies were linked to Cl0p, with other major threat groups including LockBit and Black Basta also targeting financial institutions. In May 2023, Indonesia’s BSI Bank suffered a ransomware attack, with LockBit demanding $20 million for 1.5 TB of data, which was subsequently published on the dark web following a negotiation failure. IBM reported that 2023 also saw a significant percentage of incidents (22%) in which the compromise primarily occurred through supply chain attacks. In one attack, the cybercriminals even created a fake LinkedIn page where they impersonated an employee of the targeted bank to avoid suspicion while distributing malicious npm packages. Such attacks could become a trend in the coming years, given the widespread use of open-source software by companies, including financial organizations, in their in-house software development projects.
Following the aftermath of the Covid pandemic and its impact on consumer habits, there has been a rapid decline in the use of cash with more digitised financial transactions taking place than ever before. Financial institutions also often hold a significant amount of sensitive personal data which relates to the end customer. These factors increase the attractiveness of this sector to cyber criminals. Boston Consulting Group found in 2019 that financial firms experience 300 times more cyber-attacks than other industries. Further, in IBM’s 2023 Cost of Data Breach Report, IBM reported that data breaches in the financial industry have the second-highest costs after the healthcare sector. According to SentinelOne, ransomware attacks on financial services have increased from 55% in 2022 to 64% in 2023, which is nearly double the 34% reported in 2021.
Data protection regulation imposes risks for financial institutions. In the UK, the data protection authority, the Information Commissioner’s Office, can issue significant fines for regulatory breaches if, following an investigation, it finds that the relevant company was in breach of its regulatory obligations to maintain appropriate technical and organisational measures. Further, the obligation in many circumstances to contact those potentially affected by a data breach within a very short time frame may make it difficult for banks to manage their reputational and litigation risks.
As the data targeted by cyber criminals will often relate to the bank’s customers, it may also create a risk of liability to them. Potential causes of action include negligence and breach of regulatory requirements under the various data protection landscapes. This has the potential to lead to large scale group litigation and significant legal costs for financial institutions, in addition to any regulatory fine imposed. Financial institutions may also be forced to pay higher premiums for their cyber insurance coverage following an incident.
Technology: AI, Crypto and FinTech
The growth in FinTech and its rapid deployment by banks create a number of distinct litigation risks, summarised below.
Crypto and fraud
Victims of fraud typically seek recourse against those they can find and who have sufficiently deep pockets, i.e. banks, even if they were not the ones that perpetrated the fraud. Crypto exchanges are unregulated and currently do not fall under the same level of duty of care as banks, which are highly regulated and should have sophisticated fraud prevention tools and systems. Therefore, banks involved at the border of the crypto economy may be targeted by victims of fraud.
In particular, as the crypto economy grows and engagement with it becomes more unavoidable, there may be attempts to establish the liability of banks on the perimeter of the crypto space that allow accountholders to send their fiat currency to crypto exchanges or wallets. Take the situation of a person tricked into paying cryptocurrency to a fraudster. The transfer itself is a disintermediated transaction, impossible to reverse and outside any regulatory protection but the victim may have made this transfer by converting fiat currency to cryptocurrency by a single transfer from a bank account to a crypto wallet or exchange. This appears to be outside the scope of the limited Quincecare duty (as to which, see the discussion below under ‘Push Payment’ Fraud) or any regulatory protection, but situations of this type may lead to litigation as victims of fraud seek new channels to recover their losses. As banks consider whether and how to interact with the crypto economy, they should take into account this potential exposure.
Victims of fraud have also attempted to use proprietary claims and injunctions to recover their assets. There is now some uncertainty as to this approach, following the decision in Piroozzadeh v Persons Unknown [2023] EWHC 1024. In that case, Binance, a crypto exchange, successfully argued that an injunction against it should be discharged on the basis that it functioned in a similar way to a bank: crypto assets deposited with it were not segregated and the depositor retained only a contractual claim against it rather than any proprietary rights in crypto assets. This throws doubt on the possibility of any proprietary or restitutionary liability against exchanges. Proprietary remedies may still be relevant in other situations and practical redress might be obtained through other remedies, such as freezing injunctions served on exchanges so as to fix them with knowledge of the fraud and require them to freeze the fraudster’s account. But, until the property status of crypto assets and the role of crypto exchanges is settled, the scope of remedies available to victims of fraud will remain uncertain. It may become clearer if action is taken following the Law Commission’s final Report on Digital Assets (published on 28 June 2023). The Law Commission proposes explicit statutory recognition of digital assets as a ‘third form’ of property and the creation of an advisory technical group, which will facilitate the creation of a principled set of remedies involving digital assets.
Intermediary liability
When transactions involving complex cross-border structures go wrong, participants look for solvent and regulated parties who may be liable to compensate them for their losses. Recent examples include fintech startups or smaller companies based in offshore jurisdictions. In those transactions, financial institutions are a more attractive target for litigation, even if they were less directly involved. This leads to the use of legal arguments that can tie in more remote parties, such as fiduciary or agency liability, bribery, tracing and regulatory liability. Bribery can be used to rescind contracts. Fiduciary and agency liability can lead to proprietary remedies and coupled with tracing this can extend liability to banks only peripherally involved in transactions. Courts have shown a willingness to extend tracing and similar techniques to cryptoassets. As banks are more highly-regulated than many other institutions, they are more vulnerable to regulatory investigations which may reveal potential sources of liability in transactions where they have acted as intermediary. Recent litigation in the United States against banks and crypto exchanges regarding their involvement in token offerings and sale of cryptoassets is set out in the References section below. This sort of litigation is likely to be replicated in the English courts.
Crypto participation liability
As banks become more directly involved in decentralised finance (DeFi) transactions or elsewhere in the crypto economy, this creates new litigation risks. For instance, banks may be founders or administrators of permissioned blockchains – many of these are being established to improve clearing and settlement arrangements in the financial markets. J.P. Morgan announced in 2021 that it was utilising blockchain technology in order to improve the efficiency of international fund transfers between banking institutions. Swiss National Bank trialled using R3’s distributed ledger technology in 2020 as part of a pilot to settle large transactions between financial institutions using digital currency and described the pilot as a ‘success’. And the Swedish Central Bank is considering releasing its own digital currency using the Corda distributed ledger technology, in conjunction with Handelsbanken and Riksbank.
When there are disputes between participants in permissioned blockchains, they may expect the administrator to intervene on their behalf, perhaps by rectifying the blockchain using their control over the consensus mechanism. This could draw banks into these disputes. Also, where banks participate in public blockchains, perhaps by providing infrastructure to support consensus or custody mechanisms, they might become vulnerable to arguments that they have incurred a duty of care to other participants. Participation by banks in DeFi pools, perhaps by sponsoring a new pool or setting parameters for liquidity or collateralisation, is another route to impose a duty of care.
These arguments on duty of care are central to the Tulip Trading litigation, which the Court of Appeal has allowed to proceed to trial following a jurisdiction challenge (see Tulip Trading Ltd v van der Laan [2023] EWCA Civ 83). A trial of at least some of the issues is expected in 2024. In this litigation, the claimant argues – among other things – that software developers and miners of Bitcoin owe a duty of care to Bitcoin holders, essentially because the decentralisation of Bitcoin is a ‘myth’. Until this dispute is resolved, which may take several years if there are multiple split trials and appeals, financial institutions, as well as software developers and DeFi sponsors, will be unsure as to their potential duties of care. Many are already taking advice on operational measures to limit their potential exposure and 2024 could see litigation in this area in addition to Tulip Trading.
There are other potential sources of liability that could lead to litigation. For instance, the scope of collective investment scheme regulation in relation to blockchain mechanisms such as pooled staking is very unclear as is the partnership status, especially cross-border, of crypto organisations including DAOs and DeFi pools.
Crypto contagion
The risks of involvement in the crypto economy, including fraud and intermediary liability as well as general participation, are heightened when investor losses increase. This is exactly what has been happening due to the recent collapse of crypto exchanges and related entities. It is possible these failures will extend to hedge funds and other market participants, especially when investment has been leveraged. The large number of end investors likely to be affected by any widespread collapse would amplify the risks to banks and other financial institutions of involvement in this sector.
Artificial intelligence
In many banks, an entire ecology of artificial intelligence (AI) based systems is developing with little oversight or systematisation. The deployment of AI based on Large Language Models such as ChatGPT and the publicity surrounding them has led to extremely rapid growth in the use of these systems by banks. AI-based systems tend to transfer liability up the supply chain, increasing litigation risks for banks. For instance, a centralised AI-based loan credit scoring system may incur liability for the bank through systemic bias, which would not be a risk for credit scoring done by multiple individuals based on their own criteria. Individuals may have their own biases, but only a centralised system generates the standardised comparable data that could be used to prove bias – the subjective preferences of individual people are not exposed in the same way as a computer algorithm. Inadequate supervision of individual systems increases the risk of AI for a bank, because they are not aware of what risks they may be assuming. Consumers and small businesses may have more cause to be aggrieved during a period of high interest rates and decreasing credit scores. Litigation, including group litigation, is a possible result.
Banking duties and fraud
New forms of fraud against bank customers and crypto market participants have exposed gaps in regulatory and legal protection. The English Courts have been sympathetic to arguments aimed at filling these gaps, providing remedies and interim relief. But recent cases have seen the Courts retreat from constructing new remedies, accepting that regulation is better placed than the common law to deal with fraud in some circumstances. This tussle is likely to continue in 2024, with Courts granting some remedies while being careful not to intrude in regulatory areas that they consider should be policy-driven.
We have seen this in the recent reversal in the expansion of the Quincecare duty. This duty states that a bank should avoid executing a customer’s payment instruction if, and for so long as, it is “put on inquiry” that a payment instruction is an attempt to defraud the customer. A series of cases widened the ambit of the Quincecare duty (see in particular Singularis v Daiwa [2019] UKSC 50). However, in the recent decision of the Supreme Court in Philipp v Barclays Bank UK plc [2023] UKSC 25, the Court rejected a claim against a bank for breach of an extended Quincecare duty and reset the entire basis of that duty (see our article here). The judgment definitively ends any argument that the Quincecare duty might apply to an instruction given by the customer and not their agent. An instruction given by the customer must be followed (subject to following regulatory obligations placed on the bank). An instruction given by an agent of the customer must also be followed, but if it is given dishonestly, it is not a valid instruction at all, and the bank is not in breach of any duty in undertaking further enquiries before executing it. This highlights the practical importance to banks of continuing their efforts to maintain proper audit trails of customer communications.
In contrast, a new statutory reimbursement scheme for push payment fraud is set to be introduced in 2024. In June 2023, the Payment Services Regulator published Policy Statement PS23/3: Fighting authorised push payment fraud: a new reimbursement requirement: Response to September 2022 Consultation (CP22/4) (PS23/3). In this Policy Statement, the Payment Services Regulator proposes a new reimbursement requirement for payments made using the Faster Payments system, subject to limited exceptions and limits, including where the customer has acted fraudulently or with gross negligence. The Regulator will direct Pay.UK to put the new reimbursement requirement into the Faster Payments rules using its powers under section 55 of the Financial Services (Banking Reform) Act 2013 and this is expected to come into force in 2024.
The new statutory scheme and the limits to Quincecare will leave significant gaps in coverage: for example, payments made outside the Faster Payments system, including many international payments and payments made by corporate entities, will be outside the scheme. There will also be maximum limits to reimbursement which can trigger disputes and forum shopping into jurisdictions with lower regulatory thresholds or for amounts above the maximum limit in the UK.
Margin calls and market volatility
Sudden market dislocations often lead contractual counterparties to attempt to avoid their contractual obligations. Recent years have seen a succession of crises that have put particular pressure on the financial markets and several current and anticipated shocks are set to continue this trend, particularly the Liability-Driven Investment (LDI) crisis and energy and supply chain shocks caused by geopolitical events.
The Autumn 2022 budget led to wild swings in the gilt market and this translated, through to the first half of 2023, into unforeseen losses in the LDI market. Insurers and pension funds were placed under financial pressure, requiring government and private sector support. This is likely to lead to contractual and regulatory claims. Wider political disruption this year could also lead to consequential litigation. Elections are due to be held in 2024 in many countries, including the UK, India, Pakistan, across the European Union and the United States. The US election, in particular, might lead to abrupt changes in foreign policy that may affect world markets, not forgetting the wide market swings that can be seen in the currency markets in the run up to election outcomes. Already, the Middle East conflict following the October 7 attack in Israel has increased pressure on supply chains, already fragile due to the Ukraine war and other geopolitical tensions, which may also lead to contract claims.
Following Brexit, wars in Ukraine and the Middle East and the consequent sanctions, counterparties have revived arguments based on vitiating factors such as mistake, as well as frustration and force majeure, in order to avoid contracts. Some recent cases in this area are set out in the References section below.
Banks may also face the usual arguments based on lack of capacity – recent examples are also set out in the References section below – and on grounds of illegality, especially in respect of the wide illegality clause in the 2002 ISDA Master Agreement.
Market dislocations, including significant movements in the price of commodities, have also led to an increased number of margin calls. The usual playbook for disputing margin calls includes (i) insisting on strict compliance with notice obligations and timing, (ii) challenging valuation, and (iii) checking the terms and discretionary basis of the margin call. On valuation, counterparties might challenge the valuation of collateral (particularly if it is illiquid such as private company shares, options or structured credit products as opposed to listed shares) and/or argue that the collateral was sold too cheaply. Where there is at least some form of discretion, banks may face arguments that there should be a Braganza implied term such that exercise of the margin call should be exercised in good faith and not in an arbitrary, capricious or irrational way. Whilst this is as yet untested in the English courts, the qualifications on contractual discretions may play a greater role in future claims. Margin calls also increase the likelihood of Events of Default being triggered, on which the High Court has recently issued new guidance (covered in our Inside Disputes post here). When derivative transactions have to be closed out in an unstable market, there is a higher risk of market participants finding themselves significantly out of the money when closing their positions and this can inevitably lead to them challenging the close out in order to seek to recoup or stem their losses.
Inflation and higher interest rates are also likely to lead to an increase in corporate distress, restructurings and insolvencies, in turn giving rise to disputes around the enforcement of security and parent / personal guarantees and the discovery of fraudulent activities.
Long Tail Mis-Selling Risk
Developments in the calculation of limitation periods may lead to the continuation of the long line of misselling cases. The recent case of Loreley v Credit Suisse [2023] EWHC 2759 (Comm) illustrates this trend. The dispute arose from alleged representations relating to a residential mortgage-backed synthetic collateralised debt obligation (CDO) made in 2007. The claimant argued that the limitation period was deferred due to fraud or concealment (under s32 Limitation Act 1980) and, on the particular facts of the case, the judge held that the limitation period had started by 2012 so the claim was still time-barred. However, other claimants may raise similar arguments with more success on different facts.
S32 of the Limitation Act was considered in detail by the Supreme Court in Canada Square v Potter [2023] UKSC 41. In a major departure from the previous position, the Court held that facts could be ‘concealed’ even if the defendant had been under no legal, moral or social duty to disclose them. This substantially widens the potential scope of s32 and means that 2024 may see attempts by litigants to introduce historic claims based on fraud or concealment that might otherwise have been time-barred. This is particularly relevant to mis-selling risk and may also affect claims for hidden commission or breach of regulatory duty by financial institutions that only came to light in subsequent investigations. Following Potter, the High Court has very recently addressed the knowledge requirements in s32 in long-running tax litigation (BAT Industries Plc v Inland Revenue [2024] EWHC 195 (Ch)) and this appears to be an active field of litigation. Accordingly, banks should continue to monitor any reports into historic malfeasance by regulators that are made public for long-tail litigation risk.
References
Recent notable cases on vitiating factors:
Litasco SA v Der Mond Oil & Gas Africa SA [2023] EWHC 2866 (Comm) (impecuniosity of sanctioned entity not force majeure)
Gravelor v GTLK [2023] EWHC 131 (Comm) (payment clause not vitiated by sanctions)
NKD Maritime v Bart Maritime (No. 2) [2022] EWHC 1615 (Comm) (Covid lockdown measures in India not constituting force majeure)
Laysun Service Co Limited v Del Monte International GmbH [2022] EWHC 699 (Comm) and MUR Shipping v RTI Ltd [2022] EWCA Civ 1406 (US sanctions on Iran did constitute force majeure, although in some cases this could be overcome by reasonable endeavours)
Recent notable cases on capacity:
Banca Intesa Sanpaolo SpA v Comune di Venezia [2023] EWCA Civ 1482 (Court of Appeal held that an Italian local authority did not lack capacity, as a matter of Italian law, to enter into various hedging transactions)
Dexia Crediop SPA v Province of Pesaro e Urbino [2022] EWHC 2410 (Comm) (mandatory Italian rules did not apply to interest rate swap with Italian municipal authority)
Recent US litigation on token offerings and sale of cryptoassets:
SEC v Ripple Labs Inc., 20-cv-10832, US District Court, Southern District of New York (Manhattan)
LCX AG v. John Doe Nos. 1-25, case number 154644/2022, Supreme Court of the State of New York, County of New York