Redirecting bank wire transfers has become an increasingly common method of fraud, frequently perpetuated through hacking or otherwise impersonating individuals representing a business. In the aftermath, there is often dispute about who bears responsibility for the financial loss: the company that mistakenly sent funds to the wrong bank, or the company whose email was hacked.
The law on liability in wire transfer fraud is developing, with Ontario and Québec seeing particular activity in the courts. Companies are increasingly being held liable where they are found to have failed to act prudently in detecting and preventing the fraud in question. Businesses should accordingly bolster their fraud detection and prevention practices to mitigate litigation risk. Financial institutions in particular should ensure that their practices meet a reasonable standard of diligence.
A typical wire transfer fraud scenario unfolds as follows: a fraudster impersonates a company employee—either by hacking into the employee’s email account or through other means—and provides fraudulent wire transfer instructions (usually via email) to pay out a large sum for a transaction. The recipient then wires the funds to the fraudulent account to complete the transaction. The fraud is typically uncovered when the company does not receive the funds and begins to investigate. The financial institution that authorizes or executes the fraudulent wire transfer is also often implicated in lawsuits that follow this type of fraudulent transaction.
When a loss occurs in the above scenario, courts have held that the party who was in a position to prevent the loss should bear the loss. When both parties to a transaction had at least some ability to prevent the loss, Canadian courts have found that the party best positioned to detect and prevent fraud is liable. Courts are particularly willing to assign loss to the party best positioned to prevent it where the court finds the party has been careless in exposing the other party to the loss.
This principle was notably illustrated by the Ontario Superior Court of Justice in a 2018 decision1, which held that between a financial institution and a corporate client, the financial institution was in a better position to prevent the fraud, as it could have exercised greater diligence in dealing with the fraudster. The decision demonstrated that liability falls on the party that failed to exercise due diligence in identifying and acting on multiple clear red flags indicating fraud, and in so doing carelessly exposing the other innocent party to risk of loss by enabling the fraudulent transaction to take place. The Court also considered the fact that staff members of the bank in this case failed to properly follow the institution’s own policies on fraud prevention.
It is important to note that, based on this decision, when both parties have exercised insufficient diligence in preventing the fraud, liability will fall on the party better positioned to have prevented it.
If a contract exists between the parties targeted by a fraudster, any terms that are relevant to the transaction are crucial to the liability analysis. For instance, typically when large sums are concerned in commercial transactions, wire transfer instructions are verified over the phone and not just emailed to counterparties to ensure their authenticity. However, Ontario courts have found that where an agreement—such as one between a client and a bank—contains a term that expressly authorizes one party to rely only on email wire transfer instructions that are believed in good faith to be genuine, then that party is entitled to rely on such instructions. That party may escape liability even where such reliance is not the most prudent course of action, unless there is a finding of gross negligence or willful misconduct2.
Ultimately, the emerging case law suggests the following chain of liability: if a wire transfer fraud occurs whereby a fraudster impersonates or assumes control of Party A’s email account and issues fraudulent instructions to Party B, who then transfers funds to the fraudster’s account, Party A is not liable for the loss, unless:
For practical reasons, parties that are victims of fraudulent transfers have often named the authorizing financial institution as a defendant in resulting litigation. In response, courts have concluded that, particularly in circumstances where banks have institutional knowledge pertaining to the type of fraud being committed, financial institutions are expected to exercise reasonable prudence and diligence when authorizing wire transfers. However, parties that were victim to the fraud have been held to be contributorily negligent even where the financial institution is found liable.
A recent decision from the Québec Superior Court4 concerned a fraudster targeting a company, Alfagomma, which resulted in wire transfer transactions that were considered “objectively … out of the ordinary” by the Court. In this case, the fraudster impersonated a senior member of the company and fraudulently authorized large sums to be transferred to the fraudster’s account. Alfagomma claimed that the bank that authorized and executed the fraudulent transactions breached its obligation of prudence and diligence in doing so. This was in part because HSBC failed to enforce the $500,000 limit on wire transfers that was present on the relevant account, and accepted the transfer with only one signature when ordinarily two were required. The Court agreed, holding that in these circumstances, a bank has “a most basic duty to its client is to execute its instructions without interfering in a client’s internal affairs” but that “by its nature, the banking contract implies a duty to act with reasonable prudence and diligence”. In this case, the bank had institutional knowledge of the type of fraud that was being committed, and so the Court found that the “reasonable banker” ought to have done something to ensure that the client was not a victim of such a fraud.
Ultimately, the Court found that but for the bank’s errors, the fraud would have been avoided. In addition to its institutional knowledge of the type of fraud perpetrated against its client, the bank failed to enforce internal requirements regarding large wire transfer transactions which would likely have uncovered the fraud, meaning that the bank’s negligence was the immediate cause of the loss.
Importantly, the Court also assessed Alfagomma’s conduct and found that its own negligence in failing to detect and prevent the fraud also contributed to the loss. Given the nature of the facts in this case, the Court apportioned the liability evenly between the two parties, though this does not necessarily mean liability in all cases involving similar fraudulent circumstances will always be split 50/50.
The issue of the extent of a bank’s duty of care when it has pre-existing knowledge of a specific type of fraud is not completely settled.
The Ontario Court of Appeal has limited the duty of care that banks owe to their clients to simply taking reasonable steps to ensure that transfers were properly authorized and properly carried out in accordance with instructions provided by the clients. In a 2020 decision between a bank and a customer that had been subject to a fraudulent wire transfer scheme, the Court held that the bank’s duty of care did not require the bank to pass on information to the customer that it had received from a Polish bank regarding the particular type of suspicious transaction to which the customer had fallen victim5. The claim was therefore dismissed on summary judgement, and there was no decision on liability. This suggests that financial institutions need not go above and beyond a reasonable standard of diligence when executing wire transfers, so long as the transfers are properly approved and the appropriate procedures are followed.
However, more recently, the British Columbia Court of Appeal found that a bank with knowledge of a “prevailing fraud” could possibly form a basis for the bank to owe its customers a duty to inquire and to warn if it appeared the customer might be falling victim to such a scam6. Though there has not been a decision on liability in this case, the Court did not summarily dismiss the claim here as the Ontario Court of Appeal did. The potential breach of the bank’s duty to warn was considered a genuine issue to be resolved at trial. The fraud in this case involved impersonating officials and threatening the individual victim with imprisonment and deportation if the funds were not transferred, but the principle may apply to institutional knowledge of frauds targeting commercial transactions as well.
The body of law around this relatively novel type of fraud continues to evolve. Courts have thus far been fairly clear that where an organization has the resources or the institutional knowledge to potentially detect and prevent the fraud from occurring, but failed to do so by inadequately following its own procedures and practices, it is likely to be found liable for the losses.
Wire transfer fraud, and other similar schemes that will no doubt emerge as technologies and methodologies develop, are likely to become both more frequent and more sophisticated. Organizations, particularly financial institutions, should ensure that their personnel are vigilant on an individual level by implementing regular and thorough training on this issue. On an institutional level, businesses should ensure that their policies and practices respecting fraud prevention and detection are adequate, regularly tested, practical, and enforced. Training and awareness on corporate policies—especially relating to live confirmations of wire transfer instructions—may need to be more frequent to offset the well-meaning instinct of many employees to follow customer instructions and close transactions quickly.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2024 by Torys LLP.
All rights reserved.