SCA affirms limits of delictual liability and principles of wrongfulness in BEC fraud case, Daniel Le Roux, Justine Mitchley, Christopher MacRoberts, Reece Martin

In Edward Nathan Sonnenberg Inc. v Hawarden, the Supreme Court of Appeal (“SCA”) overturned a controversial High Court decision which held ENS liable to a third party with whom it had no contractual mandate following a business email compromise (BEC) fraud.

Wim Trengove and Rashad Ismail represented ENS on instructions from Clyde and Co.

We are delighted by the outcome of the Appeal.

In focusing on the wrongfulness element of Mrs Hawarden’s claim, the SCA found that ENS was not liable for pure economic loss suffered by Mrs Hawarden as a result of the fraud.

This is a significant decision in the face of evolving and widespread BEC fraud risks. The SCA judgment offers welcome clarity on the limits of delictual liability for such claims.

On Monday, 1 July 2024 Mrs Hawarden applied to the Constitutional Court for leave to appeal the SCA decision, which ENS is opposing.

Background

On 23 May 2019, Mrs Hawarden entered into an offer to purchase agreement for the purchase of a property. ENS was appointed by the seller as the conveyancing attorneys. Importantly, there was no client relationship between Mrs Hawarden and ENS.

The purchase price of the property was R6 million which was payable by way of a deposit of R500,000.00 (‘the deposit”). The balance of R5,5 million was payable either by bank guarantee or direct deposit into ENS’ trust account.

The seller’s estate agent, Pam Golding Properties, warned Mrs Hawarden in writing about the risks of relying on banking details sent to her by email. They advised Mrs Hawarden to confirm the seller’s banking details via telephone before making any payments. Mrs Hawarden followed this recommendation and verified these banking details telephonically before making payment of the deposit.

In August 2019, the balance of the purchase price for the property became due and needed to be paid into the trust account of ENS, as conveyancing attorneys appointed by the seller. ENS sent Mrs Hawarden a letter setting out the bank guarantee requirements (being the method of payment detailed in the offer to purchase) as well as an FNB bank letter confirming the ENS trust account details, which included a fraud warning.

Unfortunately for Mrs Hawarden, this email and the FNB bank account confirmation letter were intercepted by an unknown third party who had gained access to Mrs Hawarden’s email account. The fraudster removed the fraud warning from the FNB bank letter and altered the trust account bank account number without the knowledge of ENS or Mrs Hawarden.

Mrs Hawarden decided to make a direct deposit into the ENS trust account rather than providing a bank guarantee. Mrs Hawarden went to a branch of Standard Bank and from there she transferred the outstanding balance of R5,5 million into the fraudulently altered bank account which she thought was the trust account of ENS.

Prior to making the direct deposit payment, Mrs Hawarden spoke with two ENS employees in the conveyancing department. She did not ask either of them to confirm the ENS trust account details that she received via email. Mrs Hawarden also did not ask Standard Bank to verify the recipient bank account as the ENS trust account, and Standard Bank did not do this of its own accord.

As a result, the R5,5 million balance was paid to an account held by the fraudster and could not be recovered. Mrs Hawarden instituted action against ENS. She alleged that ENS’ conduct was wrongful in that they had omitted to warn or advise her of the risks of BEC, which are particularly prevalent in the property and conveyancing sector.

High Court decision

On 16 January 2023, Judge Mudau of the Gauteng Division, Johannesburg gave judgment in favour of Mrs Hawarden. The High Court held that ENS owed Mrs Hawarden a general duty of care as a purchaser of property who, although not a client of ENS, was vulnerable to the risk of BEC.

The High Court found that ENS had a legal duty towards Mrs Hawarden to act positively by warning her against the risk of BEC. This included that ENS had a duty to implement adequate cybersecurity measures, such as a secure communication platform when sending invoices, to prevent counterparties such as Mrs Hawarden from suffering the loss.

As a reputable law firm and conveyancer, ENS ought to have understood and conveyed the risks of BEC. The High Court recognised that it is a “near-universal practice” for law firms, and most businesses, to send their banking details via email. In the opinion of the High Court, that did not absolve ENS from using more secure methods to transmit its trust account details.

The High Court found that Mrs Hawarden was vulnerable to the risk of BEC, which was foreseeable to ENS, and that there was no risk of indeterminate liability since “the plaintiff’s loss in a case of this nature is both quantifiable and determinate”.

The High Court found that but for the (negligent) transmission by ENS of its bank account details via email, together with its failure to inform Mrs Hawarden of the dangers of BEC, she would not have suffered the loss. ENS was found to be the proximate cause of Mrs Hawarden’s loss in that it provided its trust account details and was responsible for the accuracy thereof.

ENS’ conduct was held to be negligent and wrongful in the circumstances and the High Court held in favour of Mrs Hawarden.

Left unchallenged, the High Court judgment carries significant implications for businesses which conduct business over email and would amplify the risk of legal liability in BEC fraud cases where a party may have no control over the instigation of cyber fraud against its counterparty.

Supreme Court of Appeal judgment

ENS was granted leave to appeal from the High Court to the SCA on the basis that the High Court erred in its finding that ENS' conduct was wrongful.

On 10 June 2024, the SCA upheld ENS’ appeal and set aside the order of the High Court on the following grounds:

Mrs Hawarden’s claim was for pure economic loss caused by an alleged wrongful omission. South African law does not generally impose liability in delict for pure economic loss caused to others by omission.
There is a real danger of indeterminate liability if the ratio of the High Court is upheld, in that all creditors in the position of ENS would owe a legal duty to their debtors to protect them against the risk of interception of their payments. In Country Cloud Trading CC, the Constitutional Court recognised the risk of indeterminate liability as the main policy consideration that militates against the recognition of liability for a pure economic loss.
‘Vulnerability to risk’ is an important criterion for the determination of wrongfulness in claims for pure economic loss. In this case there was more than adequate protection against the risk of BEC available to Mrs Hawarden, who had been warned of that risk by the estate agent. This included her ability to verify the ENS trust account details (as she had done for the deposit payment) or to seek assistance from her bank prior to making the payment.

The SCA determined that Mrs Hawarden must bear the loss because of her failure to protect herself against the known risk of BEC. In the circumstances there is no reason to depart from established delictual principles to establish wrongfulness and impose liability on ENS.

Key takeaways

Mrs Hawarden was not a client of ENS and did not have a contractual right to claim for breach of mandate. The recognition of her delictual claim would have extended ENS’ potential liability to non-clients, such as third parties with whom it has no contractual relationship.
In assessing the element of wrongfulness for a delictual action, a Court will balance factors such as the vulnerability of risk to the claimant and the risk of indeterminate liability.
Under South African law a debtor is responsible for seeking out their creditor. In circumstances where a debtor chooses to make an electronic payment, it should take steps to verify the bank account details. It is prudent to use a secondary verification method, such as a telephone or oral confirmation of bank details, to mitigate against the risk of BEC fraud.
BEC fraud is increasingly prevalent in South Africa. These forms of cyber-attack produce legal disputes where innocent victims who have been defrauded are forced to litigate to determine liability for alleged failures to prevent or warn of fraud risk. It is prudent to implement multi-factor authentication and preferably to use secure and verifiable methods of sending sensitive information such as banking details and payment information.