Banking fraud by hacking: the importance of not being idle when suing the bank
28 September 2018
By Nicolas Ollivier, Valentine Bagnoud
In a recent decision the Swiss Supreme Court rejected a claim filed by a client following the execution of a fraudulent order on the grounds that the client failed to prove the hacking of its email account.
In 2005, a holding company and its subsidiary (the “Client”) opened accounts with a bank based in Geneva. The Client signed the bank’s general terms and conditions providing that “any damage that may result from undetected defects in legitimation or falsification is the responsibility of the account holder.” The account opening documents also contained a discharge authorizing the bank to execute orders given by any agreed means of telecommunication. Between 2005 and 2013, the Client ordered numerous transactions by email via a Russian email address, while using a @gmail.com address for general communication with the bank. On 17 and 20 December 2013, the bank received two transfer orders for USD 600,000 and USD 900,000 from the @gmail.com address. Several discrepancies appeared in the emails sent to the bank: (i) the transfer orders were written in the name of the holding company and the payment invoices were sent to the same, while the account number to be debited was that of the other company, (ii) the invoices, which were supposed to justify the ordered transfers, were not signed, (iii) the @gmail.com account was used for the first time to order transfers, and (iv) some parts of the orders were written in a different font from the one usually used.
After having received via the @gmail address confirmation of the account number to be debited, the bank executed the wire transfers.
On 24 December 2013, the bank received a call from the Client challenging the validity of the payments and invoking the hacking of its email account. The Client filed a claim against the bank for the return of the transferred amounts. The bank lodged a criminal complaint in Korea (place of incorporation of the recipient of the funds) and in Geneva.
Banks’ general terms and conditions typically contain a contractual clause providing that the Client shall be liable for any damage or loss arising from a failure in the Client’s identification as a result of forgery, legal incapacity or any other cause. However, according to Swiss statutory law, in the event of gross misconduct by the bank, the latter cannot exclude its liability. As a result, the rule is that a bank has only a duty to verify the orders in accordance with the agreed terms and conditions or practice. It does not have to take extraordinary measures, incompatible with a rapid liquidation of operations.
However, the bank must carry out additional verifications if there is a serious indication of falsification, if the order relates to an unusual transaction that is not usually requested, or if there are particular circumstances giving rise to doubt. This is typically the case when there are discrepancies between the fraudster and the client in the quality of the language used to interact with the bank or in their voice, an obvious copy/paste of signatures, beneficiaries and/or recipient-bank countries that are exotic and atypical for the banking relationship, a sudden urgency, without any reason, to execute the requested wire transfer, order(s) that suddenly empty the account while the funds have been deposited for years without outgoing transfers, etc.
In the case at hand, the Swiss Supreme Court considered that the Client failed to prove the hacking of its email account and that no evidence in this respect was provided. The Swiss Supreme Court mentioned in particular that the Client had not contacted the relevant police authorities and had refused to cooperate fully with the criminal investigation initiated by the bank in Korea, failing to provide formal confirmation that there was no link between it and the recipient company holding the bank account in Korea. The Swiss Supreme Court considered, among other things, that the client is required to take steps to identify the hacker and to produce evidence of fraudulent use of the email address in question, particularly from a technical point of view, which the Client had not done in the case at hand.
In conclusion, the Swiss Supreme Court requires the plaintiff to be more and more accurate and proactive when suing a bank in relation to fraudulent orders: the plaintiff must first take all necessary measures to support its claim, in particular, in the case of a fraudulent transfer, the claim that its email account was hacked. The plaintiff should lodge a criminal complaint against the fraudster and the recipient of the funds, so that the hacking can be proven. But simple and inexpensive actions can also be taken rapidly to this end, such as keeping a record of Gmail’s notification “Detecting suspicious activity on your account” or engaging an IT expert to prepare an analysis report, which is then produced before the courts. Last but not least, when clients are victims of fraudulent transfers, they should not forget to immediately object to the contested transactions in writing. If the client fails to submit a timely complaint, he may be deemed to have ratified the fraudulent transactions.