Due to the general flexibility granted to banks by their standard account opening terms, corporate victims of online banking frauds often face substantial hurdles in court in their attempts to recover the sums lost from the bank. These frauds are often committed through emails sent from hacked corporate accounts. This article examines recent judgments in Singapore and England and considers some simple proactive steps which corporations might use to adopt more secure methods of instructing banks and avoid becoming the latest victims of cybercrime.
There is an increasing trend of cybercrimes being carried out through email scams, whereby fraudsters impersonate key appointment holders in companies and send fraudulent transfer instructions to their banks. In response, courts worldwide have had to confront difficult legal issues arising from these frauds, including deciding which party (bank or customer) has to bear the risk of the fraud and how to actively enforce court orders against the fraudsters.
In Major Shipping & Trading Inc v Standard Chartered Bank (Singapore) Ltd[1], the Singapore High Court considered a claim from a company which was a victim of an email scam and sought to recover its losses from its bank, which had acted upon fraudulent transfer instructions sent by a third-party fraudster from the company’s email account. The bank had unsuccessfully attempted to contact the company’s representatives to independently verify the instructions but had proceeded to act upon the instructions anyway.
The company argued that the bank had failed to act with reasonable care by ignoring several red flags such as “irregularities” in the quantum and frequency of the fraudulent transfers, and the different manner in which the fraudulent transfer instructions were sent. In its defence, the bank argued that its standard terms only required that it act in good faith in dealing with the transfer instructions; that the terms did not require the bank to independently verify the instructions; and that the “exclusion-of-liability” clause under its standard terms were not commercially unfair under the Unfair Contract Terms Act.
The Court held in favour of the bank and dismissed the claim. After considering the history of the banking relationship, the Court found that the quantum and frequency of the fraudulent transfers were not unprecedented. The Court also found that bank officers are generally not required to scrutinise the details of every transfer given the number of transfers that banks receive on a daily basis. In analysing the manner of the fraudulent transfers, the Court considered that in this case there was no pre-agreed method of executing transfer instructions. Based on these findings, the Court dismissed the claim, holding that the bank was not grossly negligent and could rely on the “exclusion-of-liability” clause.
The Court indicated it sympathized with the victim, but it was not inclined to place the burden of the losses on the bank because of the claimant’s failure to prove a pre-agreed manner of transfers and a departure from that method.
Beyond risk allocation, the courts have also developed novel ways to enforce orders against email fraudsters who have sought to hide behind a cloak of anonymity. The English Commercial Court in CMOC v Persons Unknown[2]recently granted a worldwide freezing injunction against “persons unknown” in relation to funds that were fraudulently transferred from a London bank to bank accounts around the world. To further enhance the freezing order, the Court also ordered the affected banks to disclose details of the fraudulently transferred funds to assist the claimant in tracing the money. This decision demonstrates the Court’s willingness to consider the practical difficulties a claimant faces in identifying fraudsters in the context of cybercrime.
These two judgments hold important lessons for corporations: