In the recent case of Gerber, the High Court found that the defendant was liable for the losses suffered by the plaintiff when hackers deceived the defendant into making various payments from the plaintiff's account.
In terms of an agreement between the parties, the defendant managed the plaintiff's share portfolio on a discretionary basis. In October 2019, the defendant received an email, ostensibly from the plaintiff, requesting the liquidation and payment of ZAR 250 000 of his portfolio. The plaintiff indicated that his banking details (which had remained the same for 10+ years) had changed from Nedbank to FNB.
As part of the defendant's verification processes, it requested its Bank Verification Panel to verify the plaintiff's new account so that payment could be made. The verification report stated that (i) the identity details attached to the account did not match the client details; (ii) the account was not more than three months old; and (iii) neither the phone number nor email address attached to the account was valid.
Despite these red flags, the plaintiff's new account details were loaded onto the defendant's system. Payments were made by the defendant to the "plaintiff" on several occasions. It was only realised later that the parties had been conned.
A subsequent investigation by the plaintiff revealed that the plaintiff's email account had been hacked and that a rule had been created to divert the fraudulent emails to a separate folder in the plaintiff's mailbox, so that they remained hidden until it was too late.
The defendant argued, inter alia, that since the fraud resulted from the hacking of the plaintiff's system and not the defendant's, the plaintiff should bear the loss. In deciding against the defendant, the court held that the proximate cause of the loss was not the hacking but the failure to apply the necessary and contractually prescribed vigilance when monies held in trust had to be paid into a different account.
In deciding that the defendant was liable for the losses suffered by the plaintiff, the court held that "the contractual obligation of the defendant to the plaintiff was to have and effectively employ the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as reasonably possible, the risk that the clients will suffer financial loss through theft or fraud". In this case, the defendant had failed to fulfil its obligation.
This case has reiterated the position in our law that the party making the payment bears the risk of ensuring that payment is made into the correct account.