The case of Japanese publisher Nikkei, recently reported to have lost $29m in an alleged fraud involving a third party who purported to be a management executive, is an all too familiar example of the kind of payment fraud which is affecting companies worldwide.
Fraudsters have become increasingly sophisticated in passing themselves off as company insiders. Having hacked into a company’s email system, they can spend weeks making themselves familiar with payment arrangements, even to the extent of imitating the writing style of authorised managers. They are then in a position to issue instructions diverting payments from bona fide recipients to accounts controlled by the fraudsters.
So what recourse does a company have once a fraud has been discovered? Speed is of the essence in seeking recovery. The fraudsters’ best bet is to try to make tracing the funds as difficult as possible by dispersing them to as many different accounts as possible. In addition to reporting the fraud to its bank and the police, a company can take civil legal action to try to recover assets. The first step in tracing the missing funds is to obtain disclosure orders from the court against banks to which money has been dispersed and freezing orders over those accounts. Many of the suspect accounts are likely to be overseas, so international legal action may be needed. One successful example of this kind of action is the case of CMOC v Persons Unknown and others, which was notable for the fact that the court was willing to impose worldwide freezing orders even against unknown persons.
Another possibility to consider is whether the company’s bank may be sued in negligence for allowing the fraud to happen. Banks may be negligent if they are “put on notice” that a fraud is likely to occur but the question is how high that threshold is.
Rigorous systems to detect frauds
At one extreme, the courts will not require banks to investigate all payment transfers for signs of fraud because it is recognised that companies have to accept a trade-off between the convenience of high speed transfers and the risk of fraud. To date, the courts have accepted it is not practically possible for a bank to check every transfer, given the speed and number of transactions which occur. The Tidal Energy v Bank of Scotland case highlighted the situation where a bank had complied with a Clearing House Automated Payment System (CHAPS) transfer mandate which had been authorised by the customer. The customer had been given the correct sort code and account number but had been misled about the payee’s name. The bank was not held to be liable since, under the existing CHAPS rules, only the sort code and account number need to be correct for a bank to accept instructions to transfer payment. Although this particular danger will soon be mitigated because payee names will be required for transfers from March 2020, the courts may still be reluctant to impose a duty on banks to proactively investigate individual transactions when they are dealing with a huge number of daily transfers.
On the other hand, the courts will order banks to recompense companies where it can be shown that they have been put on notice of a fraud and it seems the courts are more willing to require banks to take a more active role in preventing payment fraud. In the case of Singularis v Daiwa, the Supreme Court recently upheld a decision that where a bank was on notice that a dominant director of its corporate customer was likely to attempt to withdraw funds fraudulently, the bank was liable to the customer if it allowed those payments to be made. It is noteworthy that the Supreme Court expressly recognised the public policy of increased reliance on banks and other financial institutions to play an important part in reducing and uncovering financial crime.
Companies are best advised to put in place rigorous systems to ensure as far as possible that frauds can be detected before they occur. One way to do this is to ensure that payment instructions (particularly for international transfers) are double-checked by speaking to the authoriser in person (email may not be sufficient where the fraudsters still have access to emails). However, with fraudsters adopting ever more sophisticated techniques, prevention is unlikely to be foolproof and companies need to be aware of the potential legal remedies available should they fall victim to fraud.
Robin Henry is Partner and Head of Dispute Resolution at Collyer Bristow LLP