Customer assumes risk of loss from hacker wire transfer fraud says Ontario court

You’re a bank and receive instructions by e-mail to wire transfer funds from someone purporting to be your customer. But the customer’s account was hacked and the e-mail was sent by a fraudster. You, the bank, have no reason to suspect any fraud and act in accordance with your account terms, which require you to accept electronic instructions and under which the customer agreed to secure his account against hackers. Who bears the loss, the bank or the customer? An Ontario court recently examined this question in Du v Jameson Bank, 2017 ONSC 2422 and ruled in favor of the bank on common law and contract grounds.

The customer was found to have agreed to Jameson Bank’s terms which included the following:

2.2 Reliance on Instructions. Jameson may rely and act upon telephone, facsimile transmission and any other electronically transmitted instructions from or purporting to be from you (including an authorized person) and which Jameson believes in good faith to be genuine.

5. Wire transfers. Absent gross negligence or wilful misconduct by Jameson or any of its employees, Jameson shall not be responsible or liable for any damages, losses, expenses or the like that you may directly or indirectly incur or arising from or in connection with any wire transfer…

7. Limitation of Liability

7.3 Your Responsibility …You agree to maintain security systems, procedures and controls to prevent and detect (i) the theft of funds; (ii) forged, fraudulent and unauthorized instructions and electronic transfer of funds by anyone who is not an Authorized Person; (iii) losses due to fraud or unauthorized access to the service by anyone who is not an Authorized Person…

You agree to keep any keys, access codes, security devices and verification procedures safe and confidential, and change them at least as often as the service materials specify…We may act on instructions that contain the verification routine without checking the authority.

8.6 Electronic Communications. …You agree with Jameson that notwithstanding the risks associated with electronic communications, you hereby authorize Jameson to provide such services in compliance with the procedures established by Jameson from time to time. Any electronic communication that Jameson receives from you or in your name will be considered to be duly authorized and binding upon you…

The court found that Jameson had a common law obligation to honour its customer’s instructions and was entitled to treat its customer’s mandate at its face value. It also found that the bank had a contractual obligation to honour instructions it received and was not obligated to question any transaction which was in accordance with its mandate or the instructions received.

In interpreting the bank’s terms, the court stated the following:

The terms of the application and the account agreement are clear. Du was entitled to provide instructions to Jameson by email address and he did so without complaint to effect a wire transfer to a US account shortly after his opening of the foreign exchange account. Jameson was contractually entitled to rely on those instructions. Du had the sole ability and responsibility to control the security of the email account which was the source of the impugned transactions.

There was no obligation in law for Jameson to question the purported transfer. Jameson’s compliance with the instructions received from Du’s email address did not breach any internal policy or any term of the agreement. The money value of the wire transfers did not require Jameson to obtain his further authorization and confirmation.

In addition, there is no liability because of the contractual exclusion contained in the agreement. Du has failed to establish that Jameson was “grossly negligent” or that it acted with “wilful misconduct.” Jameson complied with the instructions received from Du’s email address; an email address he included in the application and which he had used to communicate with Jameson from the time his account was opened.

The questioned email communications contained information with respect to Du’s personal banker and the delivery of a certified cheque, and as such, Jameson had no reason to doubt the authenticity of the email communications. The fact that a customer is a victim of fraud does not result in an automatic transfer of liability to the customer’s bank.
