A recent High Court decision once again highlights the need for financial services providers and their supervised individuals to be extra vigilant amid widespread cybercrime.
In the fourth such case this year, an entity was found liable for client losses that arose because of business email compromise. Brough Capital (Pty) Ltd and Chris Botha were found jointly liable to pay Rosebank Rotary Club (RRC) R3.1 million, plus interest of 10.5% a year, plus costs.
Under the FAIS Act, Botha, a director and key individual at Brough Capital, has a fiduciary duty to perform duties with care and diligence. The FAIS Act and the General Code of Conduct mandate that FSPs implement effective technological systems to minimise risks such as fraud or negligence.
The dispute between RRC and Botha stems from the misappropriation of R3.1m in 2019, resulting from fraudulent emails posing as withdrawal instructions from RRC to Brough Capital.
The core issue before the Court was whether Brough Capital, through Botha, was grossly negligent or merely negligent in failing to take adequate steps to prevent the RRC's loss, and whether the defendants were legally obliged to authenticate instructions received by email before acting on them.
Investment management mandate
In 2003, Imara Asset Management South Africa (Pty) Ltd entered an investment mandate with the RRC. This agreement obliged Imara to manage specified funds for the RRC.
In 2017, Botha acquired Imara and changed its name to Brough Capital, gaining all of Imara’s clients, including the RRC. Although the exact start date of Botha’s direct dealings with the RRC is unclear from court records, it predates Botha’s acquisition of Imara.
The investment management mandate authorised Botha to deposit money relating to the RRC's investment management into Botha's trust account at First National Bank (FNB) and, when applicable, to withdraw it. Brough Capital was authorised to invest the RRC's entrusted funds on its behalf.
Around March 2019, Botha established a segregated share portfolio administered by Momentum. The RRC transferred funds to Brough Capital for Botha to invest on its behalf. Botha then forwarded these funds to Momentum for administration in the segregated portfolio.
The modus operandi
Mark Franklin, the authorised manager of the RRC, first became aware of the fraudulent withdrawals on 16 August 2019. These included:
- R89 000 on 18 July 2019;
- R411 000 on 19 July 2019;
- R1m on 26 July 2019;
- R1m on 2 August 2019; and
- R600 000 on 14 August 2019.
The fraudulent transactions were facilitated by hackers who gained access to Franklin’s email. The scheme involved fake emails, appearing to be from Franklin to Botha, who would then relay payment requests to Momentum for the RRC’s Standard Bank account. Unbeknown to Franklin, the hackers changed the RRC’s bank details to FNB and later Nedbank.
As a result, when Momentum received instructions from the second defendant, it made payment not into the RRC’s bank account but to the fraudulent bank account.
Franklin passed away in November 2020. In his affidavit presented before the court, Franklin testified that the RRC’s past withdrawals usually ranged between R20 000 and R100 000.
In his affidavit, Franklin highlighted unusual patterns in the withdrawals, such as R500 000 followed by two withdrawals of R1m each within two days – a departure from his usual withdrawal instructions to Brough Capital.
Franklin also pointed out discrepancies in the fraudulent emails, including spelling errors and an incorrect Rotary Club name and address. Notably, the letter from Nedbank lacked an official stamp. In the investment management mandate, the investor is specified as "The Rotary Club of Rosebank", but the forged bank letters from FNB and Nedbank simply mention "The Rotary Club".
Negligence vs gross negligence
Clause 12 of the investment management mandate deals with indemnity and reads as follows:
“The client hereby indemnifies the investment manager and or any of the members/employees acting within the course and scope of their employment with the investment manager and holds it and/or any aforementioned members employees harmless from and against any claims, damages, liabilities, costs and expenses, including reasonable attorney’s fees on the attorney and own client scale (the claims) which may be brought by the client by reason of the operations of the clients account, unless the claims are attributable to fraud, bad faith, dishonesty or gross negligence on the part of this investment manager and on its members/employees.”
Botha argued that the indemnity clause was enforceable and exempted him from liability.
Second, he argued that the mandate was subject to a further tacit term that Momentum would be responsible for all the verification, authentication, and authorisation of payments.
When giving testimony, Botha held that the responsibility for banking details and authentication lay with Momentum, not him or his staff. He asserted that Momentum had been tasked with managing the RRC’s banking details and should have authenticated them before processing payments.
Delivering judgment, Judge Motsamai Makume said that, in terms of the mandate, Botha had a duty to protect the RRC against gross negligence and fraud.
“The defendants plead that at no stage in the past did they ever utilise authentication security checks when acting on the instructions from Mr Franklin to withdraw money from the plaintiff’s investments held with the defendants. This statement is not supported by evidence in the face of the overwhelming prevalence of cybercrime in the financial services sector,” Judge Makume said.
As to Botha’s “attempt to shift blame for their lack of diligence” in not checking the authenticity of the RRC’s bank account prior to making payments, the judge said that statement was not supported by any written agreement nor was it implied by the mandate.
“There is no contractual nexus between the plaintiff and Momentum. Such contractual relationship exists between Brough Capital and Momentum,” Judge Makume said.
The judgment
The Court, in considering the matter, found that Brough did not take adequate measures to prevent the misappropriation from occurring, nor did Botha, both being bound by the legislation and guidelines governing the conduct of intermediary service providers.
Of particular relevance was the fact that the defendants:
- Ignored errors on the change of bank account letters, including that RRC’s name was not written in full, and the logo of the respective bank was missing from the letter; and
- Ignored the unusual nature of the withdrawals, which were large sums of money drawn in short succession and without notice.
The Court considered the fact that if Botha had paid careful attention to the purported letter from the bank, it would have revealed that it was not the plaintiff’s bank account but that of a “Rotary Club” with no name.
The Court also noted that Botha should have considered the history of the withdrawals from his client and taken time to understand their business insofar as enquiring what the funds were for. The judgment noted that the defendants had failed to exercise the necessary skills, care, and diligence, as well as their contractual obligation to be vigilant.
The Court found the defendants had failed to comply with the duties of an FSP and were guilty of gross negligence.
Key take-away
The judgment places great importance on implementing functioning internal controls, such as two-step verification processes, to avoid, as far as possible, the promulgation of cybercrimes and to prevent gross negligence, said Darryl Bernstein, partner and head at Baker McKenzie, which represented the RRC pro bono.
“The judgment is also a reminder to intermediary service providers that, even in instances where the funds are administered by a third party, the proverbial buck stops with the FSP with whom the client has a contractual relationship,” Bernstein said.
I will check whether the courts do the same with the latest hacking scandal targeting TransUnion and Experian, as reported on NEWS24 on 23/11/2023. It seems the first line of defence is: there is no evidence, we are not breached. No smaller FSP will take the burden.
Any claim against the defendants will ultimately rely on the confiscation of assets and similar cases have produced little reward.
South Africa is legally responsible but doesn’t follow through.
It doesn't follow from this article that 2FA would have saved either the investor or the intermediary (as commented by Darryl Bernstein). This can be complicated and expensive to set up, especially for the smaller FSPs. Rather, there should have been a simple independent confirmation sought from the investor following each instruction: a phone call, a WhatsApp or an SMS. More crucially, when the banking details were changed, direct contact should have been made to confirm. Even sending out invoices as PDFs can be intercepted; always have and use an alternative way to contact your client.
Basics should be followed by companies in possession of clients' bank details and the instructions they receive. If an instruction is given and the bank details are not the same, the instruction should be halted and clarity requested. If an institution finds that a transaction has a different name or account number to the ones on its records, it should automatically be flagged.
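The controls the judgment and the comments above call for (halt when the beneficiary bank or account differs from the mandate on record, compare each instruction against the client's own withdrawal history, and confirm out of band before paying) can be made mechanical rather than left to someone noticing a missing stamp. The screening routine below is an added example written for this page, not code from the court record, Brough Capital or Momentum. The Standard Bank, FNB and Nedbank account numbers, the callback number and the withdrawal history (kept inside the R20 000 to R100 000 range Franklin described) are constructed; the five amounts, dates, the shortened beneficiary name and the FNB-then-Nedbank switch follow the facts reported in the article.

```python
"""Screen emailed withdrawal instructions against the client mandate on record.

Added example for this article, not code from the judgment, Brough Capital or
Momentum. Account numbers, the callback number and the withdrawal history are
constructed; amounts, dates and the FNB/Nedbank switch follow the article.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BankDetails:
    account_name: str
    bank: str
    account_number: str


@dataclass(frozen=True)
class Instruction:
    received: date
    amount: int            # rand
    beneficiary: BankDetails


@dataclass(frozen=True)
class Mandate:
    client: str
    on_record: BankDetails
    callback_number: str   # captured at onboarding, never taken from an inbound email
    history: tuple         # past legitimate withdrawal amounts in rand


@dataclass(frozen=True)
class Decision:
    action: str            # "RELEASE" or "HOLD_FOR_CALLBACK"
    flags: tuple
    note: str


def _norm(text: str) -> str:
    return " ".join(text.lower().split())


def screen(mandate: Mandate, instr: Instruction, recent=(), window_days: int = 14) -> Decision:
    """Return HOLD_FOR_CALLBACK if anything should stop payment until confirmed out of band."""
    flags = []
    rec, ben = mandate.on_record, instr.beneficiary
    # 1. Bank or account number differs from the mandate: the business-email-compromise signature.
    if (_norm(ben.bank), ben.account_number) != (_norm(rec.bank), rec.account_number):
        flags.append("BANK_DETAILS_CHANGED")
    # 2. Beneficiary name is not the client's full name on the mandate
    #    ("The Rotary Club" on the forged letters vs "The Rotary Club of Rosebank").
    if _norm(ben.account_name) != _norm(rec.account_name):
        flags.append("BENEFICIARY_NAME_MISMATCH")
    # 3. Amount outside this client's own withdrawal history.
    ceiling = max(mandate.history) if mandate.history else None
    if ceiling is not None and instr.amount > ceiling:
        flags.append("AMOUNT_ABOVE_HISTORICAL_MAX")
    # 4. Large sums in short succession: rolling-window total against twice the historical maximum.
    window_total = instr.amount + sum(
        r.amount for r in recent if 0 <= (instr.received - r.received).days < window_days)
    if ceiling is not None and window_total > 2 * ceiling:
        flags.append("VELOCITY_ABOVE_LIMIT")
    if flags:
        return Decision("HOLD_FOR_CALLBACK", tuple(flags),
                        f"Confirm with {mandate.client} on {mandate.callback_number} before paying")
    return Decision("RELEASE", (), "Matches mandate and withdrawal history")


def screen_batch(mandate: Mandate, instructions) -> list:
    """Screen instructions in date order; each one sees those received before it."""
    decisions, seen = [], []
    for instr in sorted(instructions, key=lambda i: i.received):
        decisions.append(screen(mandate, instr, seen))
        seen.append(instr)
    return decisions


# Constructed mandate: Standard Bank account on record, withdrawals historically R20 000 to R100 000.
MANDATE = Mandate(
    client="The Rotary Club of Rosebank",
    on_record=BankDetails("The Rotary Club of Rosebank", "Standard Bank", "000000001"),
    callback_number="+27 11 000 0000",
    history=(20_000, 45_000, 60_000, 100_000, 35_000),
)

# The five fraudulent instructions from the article, redirected to FNB and later Nedbank
# under the shortened name; the account numbers are constructed.
FRAUDULENT = [
    Instruction(date(2019, 7, 18), 89_000, BankDetails("The Rotary Club", "FNB", "000000002")),
    Instruction(date(2019, 7, 19), 411_000, BankDetails("The Rotary Club", "FNB", "000000002")),
    Instruction(date(2019, 7, 26), 1_000_000, BankDetails("The Rotary Club", "FNB", "000000002")),
    Instruction(date(2019, 8, 2), 1_000_000, BankDetails("The Rotary Club", "Nedbank", "000000003")),
    Instruction(date(2019, 8, 14), 600_000, BankDetails("The Rotary Club", "Nedbank", "000000003")),
]

if __name__ == "__main__":
    ordered = sorted(FRAUDULENT, key=lambda i: i.received)
    for instr, decision in zip(ordered, screen_batch(MANDATE, FRAUDULENT)):
        print(instr.received, f"R{instr.amount:,}", decision.action, ", ".join(decision.flags))
```

Run against the article's sequence, every one of the five instructions is held: the very first R89 000 payment already trips the bank-details and beneficiary-name checks even though its amount sits inside the client's normal range, and the later ones add amount and velocity flags. The point of the hold is the callback: the number comes from onboarding records, not from the email thread, because in a business email compromise the mailbox itself is the attacker's channel and any "confirmation" it offers is worthless.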