A prudent question is one half of wisdom: The consequences of business email compromise for banks and attorneys

It was Sun Tzu who famously said, “He who is prudent and lies in wait for an enemy who is not, will be victorious.” However, what happens to an attorney who is sufficiently prudent to confirm the banking details of a recipient but fails to question a change in the previously provided banking details of the same recipient and then falls prey to fraudsters? This question was answered by the full bench of the High Court in the case of Hartog v Daly and Others (A5012/2022) [2023] ZAGPJHC 40; [2023] 2 All SA 156 (GJ) (24 January 2023).

30 May 2023 | 5 min read | Dispute Resolution and Real Estate Law | Article

At a glance

  • In the case of Hartog v Daly and Others, an attorney fell victim to fraudsters who intercepted email communication and provided false banking details. The attorney made a payment into the fraudulent account without further questioning the change in details, leading to a claim against him by the rightful recipients of the funds.
  • The court rejected the attorney's argument that the recipients should be held liable for the loss, stating that there was no tacit term in the mandate regarding the security and integrity of emails. The court also found no duty on the bank to match account names with numbers and monitor the account for fraudulent activity.
  • The court concluded that attorneys need to exercise caution and verify the integrity of emails for payment purposes. However, banking institutions that comply with their legal obligations, such as FICA requirements, cannot be held liable for losses resulting from business email compromise.

In this case, the appellant, an attorney practising for his own account, under the name of Gavin Hartog Attorneys, was provided with an oral mandate to act as a conveyancer to transfer a property from Brigitte Daly and the late Karin Foulkes-Jones SC to the purchaser. In terms of the mandate and subsequent instructions, the appellant was instructed to pay R100,000 of the proceeds of the sale into Foulkes-Jones’s account. This was duly done. The balance of R1,421,228.06 had to be paid to Brigitte Daly and her husband Patrick Daly (collectively referred to as the respondents) into the nominated account of Patrick Daly.

Intercepted communication

Prior to the transfer of the funds due to Brigitte Daly into Patrick Daly’s nominated account, a fraudster intercepted email communication between the parties and sent a “spoofed” email to the appellant, as if from Patrick Daly, with instructions to pay the funds due into an account controlled by the fraudster. Before the spoofed email arrived, Patrick Daly had already provided his bank account details together with a statement containing those banking details. The attorney nevertheless decided to confirm these bank details again via email. The fraudster intercepted Patrick Daly’s response email and sent a fraudulent email with different banking details. The appellant made payment into the second account.

The respondents therefore launched a claim against the appellant in which they sought to hold the appellant liable for the loss suffered based on the contractual agreement between the parties. The appellant applied for the joinder of Standard Bank and sought an order holding Standard Bank liable should the court find that he was liable to pay the amount of R1,421,228.06 to the respondents.

The court considered the fact that after the appellant received confirmation from Patrick Daly of what the nominated account would be for payment of the proceeds, the appellant required further confirmation of the correctness of the nominated account. The appellant did not explain why this further confirmation was again requested by way of email. An email was sent by a fraudster purportedly from Patrick Daly’s email address with an alternative account. Without further enquiry as to the reason for the change of account number, payment was made by the appellant into this alternative account.

The appellant’s argument

The appellant argued that the respondents should be held liable for the loss as the mandate also had a tacit term to the effect that they would exercise the utmost caution when instructing the appellant to make payment, and that they would do all that was reasonably possible to ensure the integrity of the emails addressed to the appellant and to keep and maintain their data security.

The court rejected this argument. The full bench was of the view that if the express terms of the mandate are considered together with the surrounding circumstances, the probabilities do not support the existence of the tacit term averred by the appellant. Furthermore, even if the probabilities supported a tacit term that emails would be used, there was no indication that either party would have included a term relating to the security and integrity of those emails.

In respect of Standard Bank, the appellant, in delict, firstly argued that Standard Bank was negligent in respect of the opening of the bank account into which the funds were deposited as the bank failed to comply with the prescripts of the Financial Intelligence Centre Act 38 of 2001 (FICA) when the account of the fraudster was opened.

The appellant further argued that when receiving (collecting) payment by way of an electronic funds transfer (EFT), Standard Bank, as the collecting bank, should have ensured that the account name on the EFT instruction matched the name of the account holder into which the funds were collected.

Finally, the appellant contended that a duty existed on Standard Bank to have monitored the account after receiving payment, to prevent the withdrawal of funds from that account.

The finding on the bank’s duty

In respect of the opening of the account of the fraudster in terms of FICA, the court found that Standard Bank had duly complied with its FICA obligations in that at the time of the application for an account from Standard Bank, the bank had verified the identity of the fraudster as he had produced the necessary identification document to prove his identity and had provided his proof of residence. These records were generated in the ordinary course of the business of Standard Bank. Therefore, there was no reason to suspect that the account was going to be used for fraudulent purposes.

Of importance to banking institutions, the court found that Standard Bank had shown that it is general banking practice in South Africa for EFTs to be processed on the account number only, without reference to the name of the account holder. This practice corresponds to the Payment Association of South Africa (PASA) rules. Consequently, in terms of the PASA rules, inter-bank transfers are conducted with reference to account numbers only, and the electronic banking system in South Africa does not have the technological functionality to match account numbers against account names. Therefore, the court found that no duty exists on banks to match an account name with an account number.

In respect of monitoring the account of the fraudster after receiving payment, to prevent the withdrawal of funds from that account, the full bench found that this allegation had not been supported with sufficient factual allegations to indicate that there was a duty on Standard Bank to monitor withdrawals of funds from the fraudster’s account. The court further found that even if such duty existed, the funds were withdrawn from the account within a short period of time after the deposit. No evidence was provided as to how this could have been avoided by Standard Bank.

Consequently, the court found that for the appellant to hold Standard Bank liable in delict, he had to establish wrongfulness, negligence, causation and damages. In light of the above facts, the court was not satisfied that the bank could be held liable for such loss as it had opened the account after the required identification of the account holder was done. The payment into the account was collected on the account number only, and not with reference to the account holder’s name, as the PASA rules require. In any event, the appellant failed to establish what practical measures the bank could have taken to guard against the loss.

It is therefore clear that the consequences of business email compromise could be severe for attorneys who are not prudent enough to question the integrity of the emails which they receive for purposes of payment. The court has, however, vindicated banking institutions which have duly complied with their FICA obligations.

Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved.