The Ever Rising Bar: What the NatWest Thurrock Lawsuit Tells Us About the Limits of Bank Fraud Prevention

The Thurrock case underscores that banks are liable only when they possess actual knowledge or turn a blind eye to fraud, not merely when transactions appear unusual in hindsight. Courts continue applying the Quincecare duty narrowly, requiring clear red flags a reasonable banker would have spotted. This lawsuit tests whether processing large, seemingly legitimate transfers for a corporate customer crosses that threshold, or whether liability remains confined to gen

Article summary

  1. What it is: The NatWest Thurrock lawsuit explains how the Quincecare duty applies to corporate agent fraud, and how this differs from the mandatory APP scam reimbursement rules for retail customers.
  2. Why it matters: Understanding this distinction shows why banks face proof based liability for agent misuse of company funds, unlike the no fault reimbursement scheme that already covers deceived retail payment instructions.
  3. Key takeaway: Rockfire is framed as a Quincecare case specifically because Philipp v Barclays already ruled out any general duty to question a customer's own personally authorised payment instructions.

1. The claim in outline

Liquidators of Rockfire Capital and Rockfire Investment Finance are pursuing NatWest subsidiary RBS for roughly £250m, alleging the bank processed payments that let businessman Liam Kavanagh siphon money out of the Rockfire group for personal use, including a yacht, an aircraft and luxury cars. The money originated with Thurrock Council, which poured around £398m of public funds into Rockfire bonds meant to finance solar farms, and lost most of it when the council collapsed under £1.5bn of debt. The Serious Fraud Office is investigating the wider scandal. NatWest says it will defend the claims, and Kavanagh denies the allegations.

Strip away the yacht and the aircraft and what remains is a familiar legal question dressed in a fresh set of facts. Did the bank know, or ought it to have known, that the person giving payment instructions was using the company’s account for his own benefit rather than the company’s? Most commentary on cases like this asks what banks should do differently. The more interesting question, and the one this piece is actually about, is whether there is any achievable definition of enough. Every improvement in fraud prevention raises the standard the next case will be measured against. At some point it is worth asking whether that standard can rise forever without ever reaching perfection, and what that means for how banks should actually allocate their effort.

2. The duty at the centre of the claim

The relevant legal concept is the Quincecare duty, named after Barclays Bank plc v Quincecare Ltd in 1992. The principle is narrow but important. A bank must exercise reasonable skill and care when executing a customer’s payment instructions, and if it receives an instruction from an agent of the customer, in circumstances that would put a reasonable banker on inquiry that the agent is misappropriating funds, the bank must pause and ask questions rather than simply pay out.

For decades this duty was mostly theoretical. It took until 2019, in Singularis Holdings v Daiwa Capital Markets, for a bank to actually be found liable under it. Daiwa paid out money from a company account on the instruction of the one person with authority to give that instruction, despite what the Supreme Court called obvious signs that he was defrauding the company he supposedly served. That is structurally close to the Rockfire allegation. Money moved out of a corporate account, approved by someone with apparent authority to approve it, while the company itself was allegedly heading toward insolvency and the payments allegedly served the individual rather than the business.

3. Where the courts drew the line in 2023

The other case every banking lawyer will mention alongside Rockfire is Philipp v Barclays Bank, decided by the Supreme Court in 2023. Mrs Philipp was tricked by fraudsters posing as the Financial Conduct Authority and the National Crime Agency into personally instructing Barclays to send £700,000 to accounts in the UAE. The Court of Appeal had extended the Quincecare duty to cover this kind of authorised push payment fraud even when the customer herself, not an agent, gave the instruction. The Supreme Court reversed that. Lord Leggatt held that Quincecare only bites when an agent’s authority is in question. When a customer of sound mind clearly and personally instructs a payment, the bank’s job is to pay, and no general duty to second guess that instruction against the customer’s own interest exists in common law.

Philipp mattered because it drew a firm boundary. Banks are not, absent an agency problem, insurers against their customers being deceived. That boundary is precisely why Rockfire is being framed as a Quincecare case and not an APP fraud case. Liquidators are arguing there was an agency problem: Kavanagh allegedly lacked real authority to direct company funds toward himself, so the payments were never properly authorised in the first place, and RBS ought to have spotted the obvious signs, including the company’s financial position, and refused or queried them.

It is worth being precise about what a case like this actually establishes when it eventually concludes. A finding against NatWest, if it comes, would not mean the court thinks banks are unreasonable. Courts decide individual disputes on their own facts, and each individual judgment is rational in isolation. The problem, if there is one, is collective rather than judicial. Each case nudges the outer edge of what counts as reasonable a little further out, and banks are left trying to build systems against a standard that keeps moving after the fact, defined only in hindsight, one lawsuit at a time.

4. The parallel bar: mandatory reimbursement for consumers

Running alongside the case law in sections 2 and 3 is a separate and much blunter instrument. Since October 2024, the Payment Systems Regulator has required banks to reimburse most Faster Payments APP scam victims up to £85,000, split fifty fifty between the sending and receiving institution, generally within five business days. This is not a common law duty of care. It is a statutory liability shift that applies regardless of whether the bank did anything wrong, subject only to narrow exceptions for first party fraud or gross negligence by the customer. Roughly 85 to 88 per cent of reimbursable claim value has been returned to victims under the scheme through 2025, worth around £215m across 2025 alone. APP fraud itself continues to grow year on year, with UK Finance data showing the large majority of scams now originate online rather than through any weakness in the payment rails themselves.

This matters for Rockfire specifically because it marks the edge of the wrong category. A statutory regime already exists for deceived consumers, and Rockfire is not that. It is a corporate agency dispute, precisely the kind of case that regime was never built to reach, which is why the older common law duty still has to carry the full weight of the claim.

Put the two regimes side by side and the picture for banks becomes clear. For retail customers deceived into authorising their own payment, Parliament and the regulator have already decided banks carry most of the financial risk, full stop, regardless of fault. For corporate and institutional customers where an agent misuses authority, the older common law duty still requires proof that the bank ought reasonably to have been on inquiry. Rockfire falls into the second category, and that is exactly why it will be fought hard on the facts rather than settled on principle.

5. What monitoring can actually do today

Banks today can and do run real time behavioural and network analysis across payment flows: unusual counterparties, rapid movement of funds to overseas jurisdictions, transaction patterns inconsistent with a stated business purpose, and correlation with known mule account typologies. Confirmation of Payee checks whether a payee name matches the account it claims to belong to. Sanctions and adverse media screening can flag a named individual with a public profile. Where a bank holds both sides of a relationship (account behaviour, credit exposure, insolvency signals), it can build a reasonably rich internal picture of a corporate customer’s financial trajectory.

What none of this does reliably is establish intent or authority. A payment from a company account to a car dealership or a yacht broker is unusual, but it is not self evidently fraudulent, and banks are explicitly not meant to second guess the commercial wisdom of a customer’s instructions. Kavanagh, on the facts as alleged, was the person with the mandate to instruct RBS. Distinguishing “the mandate holder is using company money in a way the company disapproves of” from “the mandate holder never had authority to do this because he was defrauding the company” is a legal and evidentiary judgement, not a pattern a model can safely make on its own.

6. The economics of diminishing returns

This is the part of the discussion that tends to get skipped, and it is probably the most important one. Fraud prevention does not scale linearly with investment. It behaves like most engineering problems that trade cost against a residual failure rate: early gains are cheap, and each additional increment of protection costs more while catching less.

A useful way to see it:

Fraud prevented
^
|                                    ___________
|                              _____/
|                        _____/
|                   ____/
|              _____/
|          ___/
|      ___/
|   __/
|__/
|________________________________________________>
                Investment and customer friction
        "Diminishing returns in fraud prevention"

The first half of fraud losses can usually be eliminated with straightforward controls: sanctions screening, Confirmation of Payee, basic anomaly detection, staff training on common scam scripts. The next portion requires increasingly sophisticated analytics, behavioural biometrics, cross channel correlation, and continuous model retraining against fraud patterns that shift as fast as the defences do. The final few percentage points may require interventions so intrusive (holding payments for review, demanding documentary proof of a transaction’s purpose) that they meaningfully inconvenience millions of legitimate customers to catch a small number of bad actors. Card fraud rates have fallen substantially over the past two decades as chip and PIN, tokenisation and 3D Secure matured. APP fraud has grown precisely because it targets the layer none of those controls touch: the customer’s own judgement.

No industry that manages risk at scale chases a theoretical zero. Aviation does not pursue zero accidents by grounding every aircraft, it manages risk through layered redundancy, and accepts that residual risk remains. Hospitals do not eliminate every medical error by refusing to treat patients. Both industries instead ask a harder question: where does further investment in safety stop producing proportionate returns, and where does it start producing new harms of its own, treatment delayed, care withheld, patients who never present. Banking fraud prevention sits on the same curve. Fraud will not reach zero. What can be chosen, deliberately rather than by accident of litigation, is where on that curve a bank decides to sit.

7. Opportunity cost is a board level question, not a footnote

Suppose a bank spends an additional £200m on fraud controls and reduces losses by two per cent of the residual amount. That is £200m that could instead have gone toward faster payment infrastructure, broader financial inclusion, cyber resilience elsewhere in the estate, or simply better priced lending. None of those alternatives are less morally serious than fraud prevention. A financially excluded household denied access to affordable credit is also a harm, just one that rarely produces a headline or a lawsuit.

This is where the incentives of the different actors in this system genuinely diverge, and it is worth naming plainly rather than leaving implicit. Courts decide individual disputes, and their job is to do justice between the two parties in front of them, not to optimise a banking system. Regulators are trying to minimise systemic and consumer risk across an entire market, which pushes toward blanket rules like mandatory reimbursement. Consumer groups exist to minimise harm to the people they represent, which is a legitimate and narrower mandate. Media coverage rewards outrage and individual stories, understandably, because that is what readers respond to. Banks are the only actor in this list trying to optimise a portfolio of risk across millions of customers and a finite budget, balancing fraud losses against friction, false positives, and the cost of the controls themselves. None of these positions are wrong. They are simply not the same optimisation problem, and expecting the outcome of court cases, regulatory policy and public commentary to converge on a single coherent standard is expecting five different equations to have the same answer.

8. The permanent limits: what should never be expected of a bank alone

Three limits are worth stating plainly, given the economics above, and they are permanent in the sense that no realistic amount of investment removes them. They are about what a bank cannot do, not what it has not yet built.

First, a bank cannot be expected to verify the underlying commercial purpose of every corporate payment against the customer’s own stated objectives. That would collapse the basic separation between banker and business owner that both Quincecare and Philipp preserve, and it would slow every legitimate payment in the system to interrogate a small minority of illegitimate ones.

Second, a bank cannot be expected to detect insolvency in real time from outside the company, particularly across a multi year period, using information the company itself may have concealed. Rockfire’s liquidators allege the company was bordering on insolvency or insolvent. Whether RBS could reasonably have known that from banking data alone, as opposed to only becoming apparent with hindsight and forensic access to the company’s own books, is a question of fact the court will need evidence to answer, not an assumption to be waved through.

Third, no single bank can see across the whole payment chain once funds leave its own ledger. Confirmation of Payee, network analytics and sanctions screening all operate on data the paying bank holds. Money that moves overseas, or through intermediaries the paying bank has no visibility into, exposes a structural limit of a bank centric model rather than a failure of any particular bank’s tooling.

9. The gaps worth closing: what could be built but currently isn’t

The limits above hold for any single bank acting alone. They are not, however, an excuse to stop building. What follows is deliberately a different category: not things a bank cannot do, but things the industry collectively has not yet done, several of which exist precisely to soften the permanent limits above without pretending to remove them. Four areas deserve real investment ahead of the next Rockfire.

Agency and mandate risk, not just payment risk. Most fraud tooling is built to catch anomalous transactions. Far less is built to continuously reassess whether the person still holding a mandate should still hold it, especially for long lived corporate relationships where the same signatory has operated unchallenged for years. Periodic, evidence based mandate review, triggered by financial deterioration signals rather than calendar dates, is a genuine gap, and it sits on the cheap end of the returns curve, not the expensive end. It does not solve the second permanent limit above, a bank still cannot see inside a company’s own books, but it narrows the window in which a deteriorating mandate goes unexamined.
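As an added illustration of the event-triggered mandate review described above, combined with the monitoring signals listed in section 5 (deterioration visible in the bank’s own ledger, outflows inconsistent with a stated business purpose, rapid movement of funds overseas), the following Python is not taken from the article or from any bank’s systems. It assumes a hypothetical internal counterparty-classification feed, illustrative thresholds, and constructed sample accounts; its only output is a recommendation to route the relationship to a human mandate review, never an automatic block, in line with the article’s point that authority is a legal judgement rather than a model output.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Payment:
    when: date
    amount: float        # outgoing value in GBP
    counterparty: str
    category: str        # from a hypothetical internal counterparty-classification feed
    overseas: bool


@dataclass
class CorporateAccount:
    name: str
    expected_categories: Set[str]              # the customer's stated business purpose
    balance_history: List[Tuple[date, float]]  # (date, closing balance) from the bank's own ledger
    payments: List[Payment]


@dataclass
class ReviewDecision:
    review_required: bool   # True => route to a human mandate review, never auto-block
    reasons: List[str]


def _in_window(d: date, as_of: date, window_days: int) -> bool:
    return 0 <= (as_of - d).days <= window_days


def mandate_review_signals(acct: CorporateAccount, as_of: date, window_days: int = 90,
                           balance_drop: float = 0.5, off_purpose_share: float = 0.3,
                           overseas_share: float = 0.25) -> ReviewDecision:
    """Event-triggered mandate review: fires on financial deterioration combined with
    payment anomalies, not on a calendar date. All thresholds are illustrative assumptions."""
    reasons: List[str] = []

    # Signal 1: financial deterioration visible from the bank's own ledger.
    hist = sorted((d, b) for d, b in acct.balance_history if _in_window(d, as_of, window_days))
    if len(hist) >= 2:
        first, last = hist[0][1], hist[-1][1]
        if first > 0 and last < first * (1 - balance_drop):
            reasons.append(f"balance fell from {first:,.0f} to {last:,.0f} in {window_days} days")

    recent = [p for p in acct.payments if _in_window(p.when, as_of, window_days)]
    total = sum(p.amount for p in recent)
    if total > 0:
        # Signal 2: outgoing value inconsistent with the stated business purpose.
        off = sum(p.amount for p in recent if p.category not in acct.expected_categories)
        if off / total > off_purpose_share:
            reasons.append(f"{off / total:.0%} of outgoing value went to categories outside "
                           f"the stated purpose {sorted(acct.expected_categories)}")
        # Signal 3: rapid movement of funds out of the jurisdiction.
        abroad = sum(p.amount for p in recent if p.overseas)
        if abroad / total > overseas_share:
            reasons.append(f"{abroad / total:.0%} of outgoing value left the jurisdiction")

    # One signal alone is ordinary commercial life; a combination is what should put a
    # reasonable banker on inquiry about the mandate holder, so require two or more.
    return ReviewDecision(review_required=len(reasons) >= 2, reasons=reasons)


def deteriorating_account() -> CorporateAccount:
    """Constructed sample: a bond-financed project company whose outflows drift toward
    luxury counterparties while its balance collapses."""
    return CorporateAccount(
        name="Example Project Finance Ltd",
        expected_categories={"energy_contractor", "professional_services", "bond_coupon"},
        balance_history=[(date(2025, 1, 1), 10_000_000), (date(2025, 2, 1), 6_500_000),
                         (date(2025, 3, 1), 3_000_000)],
        payments=[
            Payment(date(2025, 1, 15), 2_000_000, "Solar Installations Ltd", "energy_contractor", False),
            Payment(date(2025, 2, 3), 1_500_000, "Marina Yacht Brokers", "luxury_goods", False),
            Payment(date(2025, 2, 20), 800_000, "Exotic Motors", "luxury_goods", False),
            Payment(date(2025, 3, 10), 1_200_000, "Private individual", "individual", True),
        ],
    )


def healthy_account() -> CorporateAccount:
    """Constructed sample: the same kind of company, with outflows matching its stated purpose."""
    return CorporateAccount(
        name="Example Steady Ltd",
        expected_categories={"energy_contractor", "professional_services", "bond_coupon"},
        balance_history=[(date(2025, 1, 1), 10_000_000), (date(2025, 3, 1), 9_000_000)],
        payments=[Payment(date(2025, 2, 1), 1_000_000, "Solar Installations Ltd", "energy_contractor", False)],
    )


def run_demo() -> Tuple[ReviewDecision, ReviewDecision]:
    as_of = date(2025, 3, 31)
    return (mandate_review_signals(deteriorating_account(), as_of),
            mandate_review_signals(healthy_account(), as_of))


if __name__ == "__main__":
    for decision in run_demo():
        print("review required:", decision.review_required)
        for reason in decision.reasons:
            print("  -", reason)
```

On the constructed data the deteriorating account trips two signals (a balance drop of more than half and about 64 per cent of outflows to off-purpose categories) and is routed to review, while the healthy account trips none. The two-signal rule is the design choice worth noting: it keeps a single unusual purchase from generating review noise, and it ties the trigger to the combination of deterioration and anomaly that the article argues a reasonable banker should notice.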

Cross institutional signal sharing for corporate accounts. The third permanent limit above is that no single bank sees the whole payment chain. That limit does not go away, but shared infrastructure can shrink its practical size. Consumer APP fraud already has shared infrastructure through Confirmation of Payee and the reimbursement data reporting standards. Nothing comparable exists at scale for corporate insolvency or director conduct signals across banks, which is precisely the blind spot a case like Rockfire sits in.

Faster regulatory clarity on where Quincecare ends and statutory liability begins. Philipp settled the consumer APP question. Rockfire is a reminder that the corporate agency question remains fact dependent and expensive to litigate case by case. A clearer, published standard of what “on inquiry” means in practice for corporate customers, similar to the specificity the PSR has brought to consumer reimbursement, would reduce years of costly litigation for everyone, including claimants, and would let banks calibrate investment against a fixed target rather than a moving one.

Treating public sector counterparties as a distinct risk category. Thurrock Council’s £1.5bn collapse is not an isolated event in local government finance. Local authorities investing in commercial ventures using public borrowing, sometimes with limited in house financial expertise, is a known and recurring pattern. Banks handling flows tied to local authority investment vehicles have a case for applying a materially higher level of scrutiny to that category specifically, independent of any single customer’s history, given the scale of public money and the weak governance that has repeatedly characterised these arrangements.

10. Conclusion

Thurrock Council did not collapse because a solicitor misread a clause. It collapsed under £1.5bn of debt after public money meant for solar farms ended up funding a yacht, an aircraft and luxury cars, because the person who controlled the money never had the authority he was treated as having. That is a mandate risk failure, not a payment risk failure, and it sits squarely in the gap this piece has argued banks should now be closing: continuous scrutiny of who still deserves to hold a mandate, not just continuous scrutiny of where money moves once someone with a mandate tells it to move.

Every successful fraud prevention measure changes public expectation. Chip and PIN was once a competitive differentiator, it is now an assumption. Confirmation of Payee was once innovative, it is now baseline. Yesterday’s innovation becomes today’s minimum standard, and the standard a court applies with the benefit of hindsight rarely resembles the one a bank was actually operating under at the time the payments were made.

The question is no longer whether banks should keep raising the bar on authorised push payment fraud, banking liability and payment fraud controls generally. They should, and the evidence on fraud reimbursement and financial crime trends over the past two years shows real progress. The harder question, and the one Rockfire puts back in front of the industry, and in front of any bank that lends to or banks a local authority, is whether society is prepared to say out loud where the curve of diminishing returns makes further spending irrational, rather than letting the next council collapse quietly redefine the answer after the fact.
