Contact

A prudent question is one half of wisdom: The consequences of business email compromise for banks and attorneys

Back to top

A prudent question is one half of wisdom: The consequences of business email compromise for banks and attorneys

It was Sun Tzu who famously said, “He who is prudent and lies in wait for an enemy who is not, will be victorious.” However, what happens to an attorney who is sufficiently prudent to confirm the banking details of a recipient but fails to question a change in the previously provided banking details of the same recipient and then falls prey to fraudsters? This question was answered by the full bench of the High Court in the case of Hartog v Daly and Others (A5012/2022) [2023] ZAGPJHC 40; [2023] 2 All SA 156 (GJ) (24 January 2023).

30 May 2023 5 min read Dispute Resolution and Real Esate Law Article

At a glance

  • In the case of Hartog v Daly and Others, an attorney fell victim to fraudsters who intercepted email communication and provided false banking details. The attorney made a payment into the fraudulent account without further questioning the change in details, leading to a claim against him by the rightful recipients of the funds.
  • The court rejected the attorney's argument that the recipients should be held liable for the loss, stating that there was no tacit term in the mandate regarding the security and integrity of emails. The court also found no duty on the bank to match account names with numbers and monitor the account for fraudulent activity.
  • The court concluded that attorneys need to exercise caution and verify the integrity of emails for payment purposes. However, banking institutions that comply with their legal obligations, such as FICA requirements, cannot be held liable for losses resulting from business email compromise.

In this case, the appellant, an attorney practising for his own account, under the name of Gavin Hartog Attorneys, was provided with an oral mandate to act as a conveyancer to transfer a property from Brigitte Daly and the late Karin Foulkes-Jones SC to the purchaser. In terms of the mandate and subsequent instructions, the appellant was instructed to pay R100,000 of the proceeds of the sale into Foulkes-Jones’s account. This was duly done. The balance of R1,421,228.06 had to be paid to Brigitte Daly and her husband Patrick Daly (collectively referred to as the respondents) into the nominated account of Patrick Daly.

Intercepted communication

Prior to the transfer of the funds due to Brigitte Daly into Patrick Daly’s nominated account, a fraudster intercepted email communication between the parties and sent a “spoofed” email to the appellant, as if from Patrick Daly, with instructions to pay the funds due into the account controlled by the fraudster. Prior to receipt of the spoofed email, Patrick Daly had previously provided his bank account details together with a statement containing the banking details. The attorney decided to confirm these bank details again via email. The fraudster intercepted Patrick Daly’s response email and sent a fraudulent email with different banking details. The appellant made payment into the second account.

The respondents therefore launched a claim against the appellant in which they sought to hold the appellant liable for the loss suffered based on the contractual agreement between the parties. The appellant applied for the joinder of Standard Bank and sought an order holding Standard Bank liable should the court find that he was liable to pay the amount of R1,421,228.06 to the respondents.

The court considered the fact that after the appellant received confirmation from Patrick Daly of what the nominated account would be for payment of the proceeds, the appellant required further confirmation of the correctness of the nominated account. The appellant did not explain why this further confirmation was again requested by way of email. An email was sent by a fraudster purportedly from Patrick Daly’s email address with an alternative account. Without further enquiry as to the reason for the change of account number, payment was made by the appellant into this alternative account.

The appellant’s argument

The appellant argued that the respondents should be held liable for the loss as the mandate also had a tacit term to the effect that they would exercise the utmost caution when instructing the appellant to make payment, and that they would do all that was reasonably possible to ensure the integrity of the emails addressed to the appellant and to keep and maintain their data security.

The court rejected this argument. The full bench was of the view that if the express terms of the mandate are considered together with the surrounding circumstances, the probabilities do not support the existence of the alleged tacit term averred by the appellant. Furthermore, even if the probabilities would support a tacit term that emails would be used, there was no indication that either party would have included a term relating to the security and integrity of the emails.

In respect of Standard Bank, the appellant, in delict, firstly argued that Standard Bank was negligent in respect of the opening of the bank account into which the funds were deposited as the bank failed to comply with the prescripts of the Financial Intelligence Centre Act 38 of 2001 (FICA) when the account of the fraudster was opened.

The appellant further argued that when receiving (collecting) payment by way of an electronic funds transfer (EFT), Standard Bank, as the collecting bank, should have ensured that the account name on the EFT instruction matched the name of the account holder into which the funds were collected.

Finally, the appellant contended that a duty existed on Standard Bank to have monitored the account after receiving payment, to prevent the withdrawal of funds from that account.

The finding on the bank’s duty

In respect of the opening of the account of the fraudster in terms of FICA, the court found that Standard Bank had duly complied with its FICA obligations in that at the time of the application for an account from Standard Bank, the bank had verified the identity of the fraudster as he had produced the necessary identification document to prove his identity and had provided his proof of residence. These records were generated in the ordinary course of the business of Standard Bank. Therefore, there was no reason to suspect that the account was going to be used for fraudulent purposes.

Of importance to banking institutions, the court found that Standard Bank had shown that it was general banking practice in South Africa that EFTs are done by way of account numbers only and not with reference to the name of the account and account number. This practice was corresponding to the Payment Association of South Africa (PASA) rules. Consequently, in terms of PASA rules, inter-bank transfers are conducted with reference to account numbers only and the electronic banking system in South Africa does not have the technological functionality in place where account numbers are matched with the name of accounts. Therefore, the court found that no duty exists on banks to match an account name with an account number.

In respect of monitoring the account of the fraudster after receiving payment, to prevent the withdrawal of funds from that account, the full bench found that this allegation had not been supported with sufficient factual allegations to indicate that there was a duty on Standard Bank to monitor withdrawals of funds from the fraudster’s account. The court further found that even if such duty existed, the funds were withdrawn from the account within a short period of time after the deposit. No evidence was provided as to how this could have been avoided by Standard Bank.

Consequently, the court found that for the appellant to hold Standard Bank liable in delict, he had to establish wrongfulness, negligence, causation and damages. In light of the above facts, the court was not satisfied that the bank could be held liable for such loss as it had opened the account after the required identification of the account holder was done. The payment into the account was collected on the account number only, and not with reference to the account holder’s name, as the PASA rules require. In any event, the appellant failed to establish what practical measures the bank could have taken to guard against the loss.

It is therefore clear that the consequences of business email compromise could be severe for attorneys who are not prudent enough to question the integrity of the emails which they receive for purposes of payment. The court has, however, vindicated banking institutions which have duly complied with their FICA obligations.

The information and material published on this website is provided for general purposes only and does not constitute legal advice. We make every effort to ensure that the content is updated regularly and to offer the most current and accurate information. Please consult one of our lawyers on any specific legal problem or matter. We accept no responsibility for any loss or damage, whether direct or consequential, which may arise from reliance on the information contained in these pages. Please refer to our full terms and conditions. Copyright © 2024 Cliffe Dekker Hofmeyr. All rights reserved. For permission to reproduce an article or publication, please contact us cliffedekkerhofmeyr@cdhlegal.com.

You might also be interested in

6 Feb 2024

by Jackwell Feris and Njeri Wagacha

Positive disruptors in African mining: Technology, AI and critical minerals for Africa's industrialisation

Industrials, Manufacturing & Trade

14:49 Minutes

10 Aug 2023

by Nomlayo Mabhena-Mlilo

The test for insolvency revisited: Setting aside liquidation proceedings

In the case of The Commissioner for the South African Revenue Service v Nyhonyha and Others (1150/2021) ZASCA 69 (18 May 2023) the Supreme Court of Appeal (SCA) was confronted with the question of whether the High Court erred in setting aside an order for the liquidation of Regiments Capital (Pty) Ltd (Regiments) in circumstances where the conditions that led to the order for liquidation had sincechanged. 

Business Rescue, Restructuring & Insolvency

7 min read

20 Apr 2023

by Koketso Maake and Liso Zenani

Rectification of security cession agreements: How far does it go?

The provision of security is imperative for most transactions in finance. Various types of security exist, one of them being a “ cession in security ”, which forms the basis of what follows. A cession in security typically creates security interests in the cedent’s personal rights to book debts, moneys in bank accounts, insurance policies, shareholder claims, etc. but what happens when it emerges that the cession in security agreement incorrectly describes the security’s beneficiary? This was the question considered by the Supreme Court of Appeal (SCA) in Prevance Bonds (Pty) Ltd v Voltex (Pty) Ltd (58/2022) ZASCA 40 (31 March 2023).

Finance & Banking Law

3 min read

2 May 2023

by Rizichi Kashero-Ondego and Njeri Wagacha

The concept of menstrual leave

Inclusion in the workforce has come a long way and as inclusion and diversity increase in the workplace globally, we are beginning to understand that biological distinctions, such as menstruation, mean that men and women face different challenges in the workplace. In this article, CDH critically analyses the concept of menstrual leave.

Employment Law

6 min read

21 Apr 2023

by Jacquie Cassette, Elgene Roos and Gift Xaba

Court confirms the rights of pregnant and lactating women and children under six to free healthcare

On Friday, 14 April CDH’s Pro Bono & Human Rights practice celebrated victory in one of its long-standing matters concerning the enforcement of the rights of pregnant and lactating women and children to free healthcare. The practice represented the public interest law organisation, Section 27, and three individual applicants, to challenge the validity of Gauteng provincial legislation, departmental policies and practices which have been used to deny migrant and undocumented pregnant and lactating women and children under six free healthcare to which they are entitled, in health facilities across the province.

Pro Bono & Human Rights

5 min read

16 Oct 2023

by Taryn York and Mapaseka Nketu

Revised critical skills list

The Immigration Act 13 of 2002 empowers the Director-General of the Department of Home Affairs to issue a critical skills visa to an individual who is in possession of “ such skills or qualifications determined to be critical for the Republic from time to time ”, subject to meeting all the other requirements for the issuing of the visa. The skills and qualifications determined to be critical are published in a critical skills list issued by the Minister of the Department of Home Affairs (Minister) from time to time. A critical skills visa is issued based on compliance with the critical skills list and allows the holder to work in South Africa within a specific occupation listed on the critical skills list.

Immigration

2 min read

This website uses cookies to enhance the browsing experience. For more information, please see our Cookie Policy.

Accept Decline