In another stark reminder of the risks of cybercrime for professional advisors and the dangers associated with not taking appropriate measures to guard against such crime, the Johannesburg Division of the High Court in the matter of Lester Connock Commemoration Fund v Brough Capital (Pty) Ltd and Another ([2023] ZAGPJHC 1329) recently ordered a Financial Service Provider to pay R3.1 million to a client after it succumbed to a Business Email Compromise. 

Business Email Compromise is a rapidly emerging type of fraud facilitated by the hacking of emails. In this case, the threat actors exploited Business Email Compromise by sending withdrawal requests purporting to come from the client of the Financial Service Provider. The Financial Service Provider processed those requests without any additional verification. 

It was held that the Financial Service Provider was grossly negligent in its failure to authenticate the withdrawal requests received, in circumstances which involved several red flags regarding their authenticity. 

Background

  1. Imara Asset Management South Africa (Pty) Ltd, later renamed Brough Capital (Pty) Ltd (“Brough”), concluded an Investment Management Mandate with the Rotary Club of Rosebank, in terms of which Brough was to administer certain funds on behalf of the Rotary Club of Rosebank. 
  2. Brough was an authorised Financial Services Provider as contemplated by the Financial Advisory and Intermediary Services Act, 37 of 2002. Mr Botha, the sole director of Brough, established a Segregated Share Portfolio (“Share Portfolio”) administered by Momentum Securities (Pty) Ltd (“Momentum”) and certain funds of the Rotary Club of Rosebank were transferred into the Share Portfolio from time to time. 
  3. Members of the Rotary Club of Rosebank discovered that in five separate transactions a total of R3.1 million, which had been deposited into the Share Portfolio on behalf of the Rotary Club of Rosebank, was subsequently withdrawn and transferred into an unknown bank account. 
  4. As it turned out, this was a result of a Business Email Compromise, in which unknown threat actors (“Threat Actors”) had gained access to the email account of Mr Franklin, the authorised manager of the Rotary Club of Rosebank. 
  5. The Rotary Club of Rosebank ceded its claims against Brough and Mr Botha to the Lester Connock Commemoration Fund. 
  6. The Threat Actors exploited their access to Mr Franklin’s email account by sending withdrawal requests, along with a purported change in the banking details of the Rotary Club of Rosebank, to Brough and Mr Botha, who, in turn, requested the withdrawals from Momentum (“Unauthorised Withdrawal Requests”). 
  7. The Investment Management Mandate included a provision indemnifying Brough and its employees from, among others, any claims, damages and liabilities by “reason of the operations of the [Rotary Club of Rosebank’s] account, unless the claims are attributable to fraud, bad faith, dishonesty or gross negligence…”. 
  8. The issues in dispute were whether Brough and Mr Botha were: 
    1. Grossly negligent; and 
    2. Under a legal duty to authenticate the Unauthorised Withdrawal Requests. 

Evidence

  1. On behalf of the Lester Connock Commemoration Fund, the evidence presented was that: 
    1. Withdrawal requests usually ranged from R20 000.00 to R100 000.00 and never exceeded that amount; 
    2. The Unauthorised Withdrawal Requests were unusual in their pattern and regularity - for example, in the space of two days one withdrawal request for R500 000.00 was made followed by two separate withdrawal requests for R1 000 000.00; 
    3. The Unauthorised Withdrawal Requests included a noticeable spelling error by incorrectly referencing the Rotary Club of Rosebank as simply “The Rotary Club”, and the purported change in banking details did not include an official bank stamp; and 
    4. The usual procedure was for Mr Botha to authenticate withdrawal requests with representatives of the Rotary Club of Rosebank by contacting them, and, after the withdrawal requests were processed, Mr Botha was to verify that the Rotary Club of Rosebank had received payment. 
  2. On behalf of Brough and Mr Botha, the evidence presented was that, inter alia:
    1. Mr Botha believed the Unauthorised Withdrawal Requests were genuine, as they followed the same tone and wording as previous requests; 
    2. Insurance cover had been procured, however, the claim under the policy was rejected; and 
    3. The duty to authenticate banking details actually lay with Momentum. 

Judgment

  1. It was noted that an implied term of the Investment Management Mandate was that Brough, the Authorised Service Provider, would “exercise the skill, adequate knowledge and diligence of a Financial Services Provider”. 
  2. With reference to the matter of Atwealth (Pty) Ltd v Kernick (Pty) Ltd (2019 (4) SA 420 (SCA)), the court held that in assessing whether a Financial Service Provider acted negligently, the level of skill and knowledge required of a Financial Service Provider in a particular position must be considered. It must then be determined whether such a Financial Service Provider would have acted differently. 
  3. On the facts the court concluded that the simple reference to “the Rotary Club” and the unusual pattern and quantum of the Unauthorised Withdrawal Requests would have placed a reasonably vigilant Financial Services Provider on alert and triggered additional queries. This was especially so in light of section 11 of the General Code of Conduct for Authorised Financial Service Providers, which requires Financial Service Providers to “…at all times have and effectively employ the resources, procedures and appropriate technological systems that can be reasonably expected to eliminate as far as possible, the risk that clients … will suffer financial loss through theft, fraud, other dishonest acts ... or culpable omissions”. 
  4. In particular, the court held that in light of the fact that the letter from the bank described the bank account simply as “The Rotary Club” and excluded the name Rosebank, this alone should have triggered Brough to make enquiries by telephoning Mr Franklin to verify. 
  5. The history of withdrawals by the Rotary Club of Rosebank was also well known by Brough and Mr Botha, and the sudden requests drawing huge and unusual sums at short intervals was another factor that should have triggered an enquiry and further verification. 
  6. Interestingly, Brough attempted to argue that, in view of the inherent risk associated with Business Email Compromise, Mr Franklin was equally under a duty to guard against the loss suffered. The court held, based upon the principle set out in Gerber v PSG Wealth Financial Planning (Pty) Ltd (2023 JDR 0899 GJ), that even if it is shown that the client was negligent, this does not absolve the professional of his admitted contractual obligations. The proximate cause of the loss was not the hacking itself, but rather the failure to exercise the necessary and contractually prescribed vigilance when monies held in trust were sought to be paid into a different account. 
  7. Accordingly, in the circumstances the court found that the conduct of Brough and Mr Botha was grossly negligent. Given that the Investment Management Mandate only indemnified Brough and Mr Botha from negligence and not gross negligence, it was held that the indemnity did not find application. 
  8. Brough and Mr Botha were therefore ordered to pay R3.1 million to the Lester Connock Commemoration Fund, plus interest and costs. 

Comment

  1. In an increasingly threatening cyber-crime environment, the import of the judgment is significant. 
  2. A request for the transfer of funds on behalf of a client will need to be carefully scrutinised and authenticated – careful attention must be paid to any red flags and unusual factors or circumstances. This is particularly important in the context of Financial Service Providers due to the additional duties imposed upon them by the Code of Conduct. 
  3. Simple and cost-effective steps, such as telephonically verifying payment requests or changes in banking details, will go a long way to mitigating the risks of Business Email Compromise. 
  4. Professionals would also be well advised to procure adequate insurance cover for protection from the effects of falling victim to the ever more sophisticated attacks from cyber threat actors. 
  5. The judgment can be accessed here.
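As an added illustration (not part of this article or of the judgment), the red flags listed under Evidence and the telephone-verification control recommended in the Comment section can be turned into a pre-payment screening rule: each withdrawal request is checked against the client's authenticated history, the name and account on record, and the velocity of recent requests, and any flagged request is held for a call-back before it is passed on. All amounts, dates and account identifiers below are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample values modelled on the facts summarised above; the
# identifiers are placeholders, not values from the case record.
CLIENT_NAME = "Rotary Club of Rosebank"
KNOWN_ACCOUNT = "ACC-ROSEBANK-001"
HISTORY = [20_000, 45_000, 100_000, 60_000]  # previously authenticated withdrawals (rand)

@dataclass
class WithdrawalRequest:
    when: date
    amount: int               # rand
    client_name: str          # client name as written in the request / bank letter
    account: str              # beneficiary account the request asks to pay into
    bank_letter_stamped: bool = True

def red_flags(req, history, earlier, window_days=2, max_in_window=1):
    """Return the red flags a reasonably vigilant FSP should raise for one request.

    history: amounts of previously authenticated withdrawals for this client.
    earlier: requests already received in the current run (velocity check).
    """
    flags = []
    if req.client_name.strip().casefold() != CLIENT_NAME.casefold():
        flags.append("client_name_mismatch")        # "The Rotary Club" vs name on record
    if req.account != KNOWN_ACCOUNT:
        flags.append("bank_details_changed")        # any change needs out-of-band confirmation
        if not req.bank_letter_stamped:
            flags.append("bank_letter_unstamped")
    if history and req.amount > max(history):
        flags.append("amount_exceeds_history")      # outside the R20 000 - R100 000 pattern
    recent = [e for e in earlier if 0 <= (req.when - e.when).days <= window_days]
    if len(recent) >= max_in_window:
        flags.append("unusual_velocity")            # several large requests within days
    return flags

def screen(requests, history=HISTORY):
    """Screen requests in date order; a flagged request is held for a phone call-back."""
    decisions, seen = [], []
    for req in sorted(requests, key=lambda r: r.when):
        flags = red_flags(req, history, seen)
        decisions.append((req.amount, flags, "HOLD_FOR_CALLBACK" if flags else "PROCESS"))
        seen.append(req)
    return decisions

# Constructed run resembling the Unauthorised Withdrawal Requests, plus one routine request.
SAMPLE = [
    WithdrawalRequest(date(2023, 3, 1), 500_000, "The Rotary Club", "ACC-NEW-999", False),
    WithdrawalRequest(date(2023, 3, 2), 1_000_000, "The Rotary Club", "ACC-NEW-999", False),
    WithdrawalRequest(date(2023, 3, 2), 1_000_000, "The Rotary Club", "ACC-NEW-999", False),
]
ROUTINE = WithdrawalRequest(date(2023, 2, 1), 40_000, "Rotary Club of Rosebank", "ACC-ROSEBANK-001")
```

Running `screen(SAMPLE)` holds all three requests for call-back, while `screen([ROUTINE])` lets the ordinary request through with no flags.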