What will be keeping in-house litigation teams at banks busy in the year ahead?

Legal claims against PSPs for permitting fraudulent transfers

This year in-house litigation teams in banks will be busy adjusting to a heightened focus on the adequacy of the steps taken by banks and other Payment Service Providers (PSPs), following the discovery of fraudulent transfers from their clients' accounts, to help recover the misappropriated funds. 

Seasoned Quincecare-rs will recognise this being the fallback argument that survived the Supreme Court's judgment in the Philipp case, the essence of the argument being that the bank was too slow to seek to recall the transferred funds (an argument contested by the bank). The merits of such claims will of course depend largely on their facts (both for breach and causation). 

PSPs are already required to have processes in place for this: the PSRs 2017 impose requirements on PSPs to make reasonable efforts to recover funds in certain situations; some firms are signed up to UK Finance's Best Practice Statements which provide procedures and timeframes for responding to reports of a fraudulent transfer; and under the new reimbursement requirements (see below), a sending PSP will be required to notify a receiving PSP within a specified period (to be determined by Pay.UK) of a report of an APP scam in respect of the transfer.  

The new requirements on PSPs from 7 October 2024 to reimburse APP scam victims (see the policy statement released by the PSR shortly before Christmas) – which will supplement the existing requirements of the PSRs 2017 and (where applicable) the Contingent Reimbursement Model – should in theory mean that fewer would-be claimants will have need to consider the steps taken by banks to recover misappropriated funds, as their losses will have already been reimbursed.  However, the new reimbursement requirement has a number of important limitations (e.g. Faster Payments and domestic transactions only, an exception where non-vulnerable consumers have not exercised the prescribed standard of caution, a 13-month cut-off for claims, a maximum level of mandatory reimbursement (currently £415,000), it applies only to individuals, microbusinesses and smaller charities, etc), so some claimants will continue to fall outside these protections. The application of such limitations is likely to be contentious and, by their nature, they may have particular application for banks' high-net-worth clients.   

Any clients that fall outside of the new and existing reimbursement schemes and requirements will be looking not only at whether the bank's statutory obligations or general duty of care to interpret, ascertain and act in accordance with their instructions (of which the Quincecare duty forms part) were breached in the processing of the fraudulent transfer, but also at whether a separate breach occurred in relation to the efforts made by the bank to seek to recover the funds.  Given the narrowness of the Supreme Court's Philipp v Barclays decision, I think clients will increasingly look to the second of these points in 2024.

Author: Philip Linton

New landscape for opt-out claims for consumer law breaches

In-house litigation teams at banks are going to have to grapple with the potential for the introduction of an opt-out collective actions regime for breaches of consumer law. Such a proposal is currently being considered as part of amendments to the Digital Markets, Competition and Consumers Bill (DMCC Bill). If implemented into law, this would dramatically increase the risk of class actions for all consumer facing businesses. 

Currently, there is only a bespoke opt-out class action regime for infringements of competition law. This regime was introduced by the Consumer Rights Act 2015 (CRA) and there has long been debate about whether, and if so when, that regime would be expanded. This is particularly so since the government said when introducing the CRA that, rather than bringing in opt-out class actions across the board (as was recommended to it by the Civil Justice Council), it would adopt a "sector-based approach", with the competition regime effectively acting as a trial run.

After a slow start, that regime is obviously now developing at some pace. At the time of drafting, there are 43 class actions in the Competition Appeal Tribunal covering an aggregate amount at risk of more than £100 billion. There are two particularly striking features of this regime at present:

1. Only 9 of these proceedings are follow-on actions, whereas 30 are standalone actions and 4 are mixed actions.
2. The boundaries of competition law are being explored by claimants, with some novel and wide-reaching claims brought under the existing competition framework, and where the conduct at issue is not conduct where competition law was the obvious first remedy.

This second point is arguably in part as a consequence of the absence of an opt-out regime available for other (non-competition) claims. Is all that about to change?

In the House of Commons, Sir Robert Buckland proposed at the Report Stage of the DMCC Bill a clause that would have extended the coverage of the current regime to claims for infringements of the consumer law provisions in Part 4 of the DMCC Bill (consumer protections from unfair commercial practices). Although that amendment was rejected, in the House of Lords debate on Second Reading, Lord Etherton KC, the former Master of the Rolls, supported the idea of extending opt-out collective proceedings to consumer law claims - and it is likely that amendments will be put down to that effect.

The DMCC Bill is yet to finish its passage in the House of Lords and the exact form of any potential amendment does not appear to have been publicly debated by peers. Even if an amendment regarding collective actions is incorporated into the DMCC Bill, it will then go back to the House of Commons for further consideration. However, any financial institution with a consumer facing business should be keeping a very close eye on the DMCC Bill as the expansion of the collective action regime to claims brought on the basis of infringements of consumer law could be a very significant development in 2024.

Author: Tim West

Expansion of corporate criminal liability for economic crime to cover the actions of 'senior managers'

One new or unexpected issue that I think that in-house litigation teams at banks are going to have to grapple with in 2024 is how to adjust systems and controls to take account of the change in the attribution of criminal liability for firms, brought in by the Economic Crime and Corporate Transparency Act 2023.

The Act contains a new statutory basis for the identification doctrine, the principal basis for attributing liability for the criminal acts of individuals to corporates.  Since the 1970's, attribution for criminal acts has been limited to those representing the 'directing mind and will' of the company.  The new expansion, which will apply in relation to economic crimes, including fraud, covers the actions of a 'senior manager'.  This is a broad category of those who play a significant role in decision-making of whole or part of the firm's activities. 

Importantly, those drafting the new Act did not map this category of 'senior managers' to Senior Managers under the FCA's SMCR.  So the Act will create a particular type of challenge for regulated businesses, who will need to manage this mismatch. 

In the first instance, it will be important for firms to understand which decision makers could create corporate liability, through their criminal acts.  Awareness raising and training will follow.  Systems and Controls will likely need adjustment so that:

• financial crime prevention plans make reference to the change in the law, and to additional risks (and corresponding controls);
• the new population of 'senior managers' is identified across the firm;
• conduct controls and monitoring are adjusted to focus on this new, higher risk, population; and
• internal investigations into potential criminal conduct by the 'senior manager' population are flagged and escalated, to ensure the risk to the firm is considered.

While it is likely that firms with strong systems and controls will need to make little augmentation to risk mitigation, it will be key to assessing the risk, record the steps you take in response and to adjust training and monitoring in a proportionate and targeted way.

Author: Ruby Hamid

Be prepared for litigation following a data breach or cyber attack 

In-house litigation teams will need to be aware of the possible return of significant litigation following a data breach or cyber-attack.  After the Court of Appeal decision in Lloyd v Google, we witnessed a significant expansion in the number of claimant law firms bringing multiple, low-value claims, usually with little or no attempt to particularise the damage suffered and accompanied by a confident assertion that damages were recoverable simply for the fact of breach because of a so-called "loss of control" of their data.  The Supreme Court subsequently held that loss of control damages were not available on the facts of Lloyd.  

The Supreme Court also held that the representative action procedure being used by the claimants in Lloyd was not appropriate in situations where an individualised assessment of damages was required, as was the case in Lloyd given the variability of personal data across the individual class members (see our briefing here).  This is important because a representative action procedure allows a claim to be commenced by persons as representatives of others who have the 'same interest' in the claim.  The court's judgment binds everyone that the representative party purports to represent - a representative action therefore proceeds on an opt-out basis and the members of the class are not necessarily identified in or joined as parties to the claim.  A further attempt at a data based representative claim also failed in Prismall v Google and Deepmind (see our briefing here).  

However:

1. In the past 6 to 12 months, we have seen an increase in claimant law firms advertising that they are investigating claims following cyber-attacks and data breach incidents.
2. Group Litigation Orders and bespoke directions by the courts remain a viable mechanism for potential claims, albeit on an opt-in basis.
3. There has been some suggestion that privacy activists may be cooperating with claimant law firms and litigation funders to explore and develop data-based claims.
4. Claimants are increasingly using competition law arguments to pursue data related claims in the Competition Appeal Tribunal where there is a procedure for opt-out class action style claims.
5. We are aware that claimant law firms are actively looking at ways to get round the Prismall and Lloyd decisions and pursue opt-out claims – one suggestion has been the use of a methodological survey to help identify those who might all have the same claim that has a reasonable prospect of success and to define the class accordingly. 

These issues will be key for any financial institution when forming an effective litigation defence strategy in response to a serious cyber-attack. 

Author: Jon Gale

Increased risk of disputes from restructuring plans and supply chain issues

There is likely to be a continued increase in restructuring plans introduced by the Corporate Insolvency and Governance Act 2020, with the potential for significant disputes, which will be important for those financial institutions with distressed desks. Given the relative newness of the plans, a number of uncertainties and/or contradictions in certain areas remain for the courts to deal with in 2024 including some under consideration by the Court or Appeal. Supply chain pressure remains a key focus both for those companies reliant on them but also those lending into them at any levels in the chain; insolvencies of key suppliers will continue to require refinancing and potential restructuring providing both opportunities and challenges for financial institutions.

Finally, pressure on cash flow more generally will of course see a likely rise in corporate insolvencies, with the broad range of complex issues and disputes that these frequently give rise to.

Authors: Lynn Dunne and Louise Youngman

Improper exchanges of competitively sensitive information between banks

In 2024, regulators and authorities will be focusing on the exchange of competitively sensitive information between financial institutions (and avoiding efforts to obtain "market colour" going too far) particularly in over-the-counter markets.  Whilst a familiar theme, the EU Commission issued another infringement finding on this topic in late 2023 against Rabobank, and the CMA's investigation into the exchange of competitively sensitive information in gilt markets is ongoing.  Access to data will continue to be a focus both at the wholesale level (illustrated by the FCA's ongoing market study), but also at the retail level, with suggestions that there may be renewed focus on "open finance" (i.e. extending open banking-like data-sharing to a wider range of financial products). 

The application of competition law to co-operation in financial services markets in relation ESG initiatives will continue to attract scrutiny, particularly following welcome guidance from the CMA on this point in the Autumn of 2023.  We expect that in-house counsel may increasingly be asked to advise on the limits of permissible co-operation between financial institutions in the context of developing and launching digital assets (e.g. in the context of digitisation of tradable financial instruments).  As Jon and Tim mention above, claimant firms and funders are devoting increasing resources to developing imaginative ways of packaging consumers' claims as competition breaches so as to enable them to take advantage the class action regime under the Competition Act will also almost certainly continue. This has already impacted the financial services sector through recently launched class action claims brought in respect of the terms on which motor vehicle finance was provided.

Author: Duncan Liddell

Expanded risk of claims from new data protection and digital information regime

UK data protection law is set to change this year with the progression of the Data Protection and Digital Information Bill through parliament and there is still much debate as to whether the UK are going to produce separate legislation governing the use of AI.  Although the legislation in its current draft doesn’t include any specific additional rights for data subjects in the UK (indeed its aim is to reduce the burden on data controllers in the UK), past experience tells us with legislative change in the field of information law in the UK usually comes an increased awareness of individual rights which manifests itself in an increase in claims of misuse of data.  In-house litigation teams should keep abreast of these legislative developments but the best mitigation for such claims is usually robust first line processes for dealing with data subject requests, making sure they are identified and dealt with following statutory time periods.

Author: Rhiannon Webster

A new enforcement strategy from the FCA

We are likely to see a busy year on the FCA enforcement side. The relatively new Enforcement Co-Directors, Therese Chambers and Steve Smart, will be focused on reducing the backlog of legacy cases, which has led to the FCA taking an average of 40 months to complete investigation stage in regulatory cases (see our briefing here). Enforcement will be battling a number of high profile matters at the Tribunal (including the action against Jes Staley, Banque Havilland and two individuals and the three individual bond traders from Mizuho International Plc, all of which include allegations of a lack of integrity or recklessness. Given the FCA's lack of success with a string of integrity cases in the past year (Stuart Forsyth, Markos Markou and Seiler, Whitestone and Raitzin), it will be interesting to observe whether it tries any different tactics this year. FCA Enforcement will also be focused on opening new investigations into priority areas (the Consumer Duty and non-financial misconduct, in particular). We are also expecting to hear more about the Enforcement division's forward-looking strategy in the coming weeks, so do look out for our updates on that. 

One of the biggest policy changes to emerge from 2023 was the FCA and PRA's new policy on Diversity and Inclusion, and of most impact to Enforcement, was the FCA's proposed changes to include non-financial misconduct explicitly within its rules on conduct (COCON), fitness and propriety (FIT) and firms' Threshold Conditions. These rules are likely to come into force at the end of this year. Firms should be considering their forward-looking strategy and where their risks might lie - plus ensuring that rigorous fitness and propriety assessments are conducted, conduct of staff is monitored carefully and that there are robust systems in place to ensure that staff grievances can be heard and investigated appropriately.

Author: Adam Jamieson

Failure to prevent fraud offence

One particular focus for banks will be implementing the new failure to prevent fraud offence, which was introduced by the Economic Crime and Corporate Transparency Act 2023 and which comes into force later this year.  It creates a standalone criminal offence by which an organisation can be liable for failing to prevent fraud committed for the benefit of the organisation by an associated person. The failure to prevent fraud offence will be a strict liability offence meaning it will enable prosecutors to pursue acts of fraud where there is no knowledge or awareness of senior managers or board members of the relevant fraud offence.  The list of prescribed fraud offences is broad and covers existing common law and statutory fraud, in addition to offences relating to false accounting and cheating the revenue.  Importantly, a firm will not commit the offence if it is the target or victim of the intended fraud.  

Firms can anticipate a significant uptick in internal and external investigations driven by a broader range of conduct which could potentially expose the firm to corporate criminal liability.  We have seen the enforcement risk materially increase since the failure to prevent model was first introduced for bribery offences in 2011.  In-house litigation teams should anticipate more escalation of fraud incidents (including whistleblowing disclosures) and be prepared to advise stakeholders on incident response, including self-reporting considerations to law enforcement agencies.  

The offence is expected to come into force in Q3 or Q4 2024 following the publication of government guidance on the reasonable procedures defence.  We expect this will largely reflect existing guidance for the failure to prevent bribery and facilitation of tax evasion offences.  In-house litigation teams should ensure they are engaged as a key stakeholder on internal projects to identify risk areas and uplift existing financial crime compliance procedures in readiness for implementation.  

Author: Neil Donovan

New anti-greenwashing rules and the risks of legal liability arising from nature-related issues

In-house litigation teams at banks are going to have to grapple with the FCA's new final rules and guidance on its proposed framework for the UK sustainability disclosure and labelling regime. It includes the new anti-greenwashing rule, which comes into force on 31 May 2024. Hot on the heels, from 31 July 2024, the labelling rules come into force and from 2 December 2024, the naming and marketing rules. We focus on the first of these but see here for a more detailed briefing. Firms will need to grapple with each of these rules at speed, particularly in terms of gap analysis of their current processes and procedures. 

Anti-greenwashing rule: the anti-greenwashing rule requires firms to ensure that any reference to the sustainability characteristics of a product or service is, indeed, consistent with the sustainability characteristics of that product or service, and fair, clear and not misleading. The rule applies to all FCA-authorised firms, including those that approve financial promotions for unauthorised persons for communication in the UK, and irrespective of whether they are subject to the Consumer Duty. Note also that the rule applies even if the Consumer Duty does not. 

Anti-greenwashing guidance: The rule will be accompanied with guidance (GC23/3) that will also come into force on 31 May 2024. The guidance is the subject of consultation now and will close on 26 January 2024. It is intended to help understand the FCA's expectations under the anti-greenwashing rule. It is an essential read for any firm with products or services with sustainability characteristics. In particular, the seven illustrative examples of practices that would breach the anti-greenwashing rule. These are most instructive and should be carefully considered. They give a sense of just how detailed the gap analysis should be to not fall foul of this new rule in the FCA's eyes. 

Another issue that in-house litigation teams will need to engage with is the risk of legal liability arising from nature-related issues.  Bank litigators are already familiar with the risks of climate litigation, and the leading cases across their jurisdictions.  In 2024, they should consider nature-related litigation risk.  In September 2023 the Taskforce on Nature-related Financial Disclosures published its framework for management of disclosure of nature-related risks and opportunities.  As an example of a risk, it cited a financial institution facing liability by financing a company contributing to deforestation.  We have already seen NGOs pursue complaints against banks for laundering of funds obtained from activities that cause deforestation.  At the end of 2023 a shareholder in an Australian bank filed an action seeking disclosure of how the bank managed its climate change and biodiversity risks.  Expect more of this targeted type of claim in the years ahead.    

Authors: Tom Cummins and Anna Varga

Enhanced risk of litigation from collective redundancy exercises and moves away from flexible working arrangements

During 2024, in-house litigation teams at banks may well be busy dealing with the fallout from situations where restructuring or collective redundancy exercises may not have been handled correctly in the continuing uncertain economic environment.  For example, where a fair process is not carried out, there is increased exposure to employment claims including unfair dismissal, breach of contract and crucially claims for a protective award if the employer has failed to follow the information and consultation requirements.  In practice, where a large workforce is concerned, the protective award can be a significant liability. 

Firms could also see challenges from employees where there is an emphasis on getting staff back into the office either full-time or for an increased number of days.  Where employers are considering changing remote or flexible working arrangements, they need to ensure that before they make a final decision, they consider all the individual's circumstances to avoid potentially expensive discrimination claims especially if there are caring responsibilities, for example, which drive the employee's request.  Careful due diligence of the employee's request is key to ensure that employee claims are minimised.

Author: Crowley Woodford

Preparing for the PRA's new enforcement landscape

Over the coming weeks, the Bank of England's Head of Legal, Enforcement and Litigation, Olie Dearie, will be announcing the PRA's new approach to handling enforcement investigations.  I expect there will be a fairly short lead time for the new policy to come into force and so banks encountering new significant issues during 2024 will quickly need to get to grips with the various nuances of the PRA's new "early account" scheme.  

On the positive side, this will offer up the chance to take much more control over an investigation and therefore to present factual findings in a clear, informal and properly balanced way.  On the negative side will be a range of issues relating to interviews of relevant officers and employees, including what steps can be taken – and by whom – to prepare individuals for their interviews, and the prerequisite to agree to make (and share with the PRA) audio recordings of each interview – with reduced scope for maintaining privilege over those interviews (whether in the UK, the US or elsewhere).  

In addition, once the factual report is provided to the PRA, banks will be walking a tightrope in deciding whether or not to put their hands up proactively to regulatory failings – and if so how quickly to do so (given the possibility of the PRA itself coming to the view that the issues do not merit enforcement action).  Coupled with the need to find an independent senior individual (SMF) to give an attestation on the report, and a new penalty structure seemingly guaranteed to result in larger fines, there will be a lot for in-house litigation teams to get to grips with and advise the business on in the initial period following discovery of a material issue.

Being seen as an enforcement-heavy regulator has become important to the PRA in recent years and with these changes in place we expect to see a real increase in regulatory action against banks and Senior Managers in 2024.   

Author: Nathan Willmott