The Financial Intelligence Centre Act (FICA) does not impose a private law duty on a bank to prevent financial losses to parties that are not its customers, according to a High Court judgment handed down this month.
The plaintiffs in the matter brought a claim against Nedbank, arguing that the bank had a duty to prevent the fraudulent transaction under FICA.
Ian Craig Ross and Annelie Ross were victims of email fraud when they paid money for a property purchase to the conveyancing attorneys in February 2019. Instead of the money being paid into the trust account, it was paid to Bheka Joseph Nkomane, who held a Pay as You Use account with Nedbank.
The Rosses contended that Nedbank either knew or should have reasonably suspected that Nkomane’s account was involved in fraud.
They argued that because of Nkomane’s financial profile – he was unemployed, not a provisional taxpayer, and had no regular income – Nedbank should have imposed transaction limits on his account; flagged the large deposits into the account as unusual or suspicious; and acted promptly to monitor, report, and investigate the source and legality of the large deposits and transfers.
The Rosses claimed that by allowing withdrawals from the account, Nedbank acted negligently, directly causing their financial loss.
Nedbank froze Nkomane’s account when it was alerted to the fraud. However, several transactions had already been performed. Nedbank managed to recover R843 000 from Nkomane’s account, and Capitec recovered R433 600. These amounts were returned to the Rosses.
With the original intended payment totalling R2.94 million, the outstanding amount of R1 663 400 plus interest formed the basis of the Rosses’ claim.
‘Duty under common law and FICA’
The High Court in Johannesburg addressed whether Nedbank had a legal duty to prevent the plaintiffs’ economic loss – whether its conduct should be considered wrongful under the law of delict.
The judgment noted it is an established principle of South African law that conduct causing pure economic loss is regarded as wrongful only if public or legal policy considerations require that such conduct, if negligent, should attract legal liability for the resulting damages. There is no general right not to be caused pure economic loss.
The Constitutional Court has held that in cases of pure economic loss, the courts are reluctant to recognise claims that would constitute an extension of delictual claims. This is particularly the case if there is the risk of “liability in an indeterminate amount for an indeterminate time to an indeterminate class”.
The Rosses argued that Nedbank did not only have a common law duty but also statutory duty in terms of FICA to monitor accounts or transactions and to identify peculiarities or irregularities on an account. They contended that:
- Nedbank was aware of the widespread issue of email interception fraud, a fact not disputed by the bank.
- FICA provides specific guidance for recognising and reporting suspicious transactions to the Financial Intelligence Centre. The plaintiffs argued that Nedbank, by virtue of this obligation, should have preventive measures in place to detect and prevent potential fraud.
- Monitoring measures are implemented systematically and do not require a significant number of employees or high costs, suggesting that sufficient account monitoring was feasible for Nedbank.
- Nedbank declined to provide evidence regarding its monitoring practices. The plaintiffs suggested that the court should infer from this refusal that Nedbank’s monitoring measures were either non-existent, inadequate, or did not align with FICA’s requirements.
- Nedbank’s Pay as You Use accounts, which lack deposit or transaction limits, posed a high risk to the public because of potential fraud and money laundering activities. Nedbank had implicitly accepted the risk associated with these accounts.
No duty of care towards third parties
The court acknowledged that these contentions raised the crucial question of whether the statutory duties imposed by FICA create private law duties on the part of a bank to parties that are not its customers.
The court emphasised that simply breaching a statutory duty does not inherently create a legal duty for damages under private law. However, it acknowledged two exceptions where a statutory duty breach could create a legal duty:
- If the statute, upon proper interpretation, implies an obligation to pay damages.
- If the statute, viewed alongside constitutional norms and relevant facts, suggests a common law duty actionable in delict.
The court said that interpreting statutory duties for private claims requires assessing whether it is “just and reasonable” to grant a remedy. The assessment should consider the statute’s overall purpose, the context of its enactment, and the harm it seeks to prevent. If a duty aligns with community justice or constitutional values, it may justify a private claim.
Acting Judge Aslam Moosajee concluded that, considering the purpose and public policy underlying FICA, imposing a civil duty on banks to protect non-customers from financial harm is inappropriate. FICA does not imply a duty of care in favour of third parties, and the statutory obligations under FICA are not meant to be enforced through private lawsuits for damages.
“In my view, FICA was intended for the public good and to deal with the combating of money-laundering activities and the financing of terrorist and related activities. It creates obligations in favour of the state. It does not give rise to private law duties owed to third parties. This view is supported by a number of cases in which our courts have refused to recognise a common law claim for breach of fiduciary duty,” Moosajee AJ said.
Absence of preventative measures
Moosajee AJ said even if he were wrong with respect to his conclusions about FICA, the following factors also led him to conclude that the Rosses had not discharged the onus resting on them to prove wrongfulness:
- Recognising a private law duty based on the facts of this case could lead to an indeterminate scope of liability, because any party that is defrauded could pursue a claim for damages. The creditors of such a party could also do so if they, by virtue of the fraud, were unable to recover what is due to them from the victim of the fraud. Nedbank deals with about 10 million transactions a day, and it is therefore impossible for the bank manually to monitor the accounts of each account-holder.
- The Rosses’ expert witness had general banking experience but was not familiar with the specific systems and rules Nedbank uses to monitor suspicious transactions.
- The plaintiffs argued that Nedbank did not lead any evidence on the measures it takes to prevent loss to members of the public and therefore the inference should be drawn that the measures are non-existent or do not comply with FICA. This argument “put the cart before the horse”. The plaintiffs would first need to establish that FICA creates a common law right to damages before requiring Nedbank to provide such evidence.
- The Rosses could have taken steps to prevent the fraud, such as verifying the authenticity of the email or contacting the relevant parties.
- The plaintiffs tried to justify their failure to take preventive steps by claiming that Ms Ross was unaware of the prevalence of email interception fraud. However, the court found this hard to believe, given their background in the import-export business and the fact that warnings about cybercrime had been available for several years prior.
The court therefore found that the Rosses were “best placed” to prevent the risk of payment into the bank account of someone other than the conveyancer’s account, and “they are the architects of their own misfortune”.
No proof of loss
Moosajee AJ said even if his conclusions on wrongfulness were incorrect, the Rosses’ case still failed because they did not provide evidence to prove that they suffered a loss as a result of the payments made into the fraudulent account.
The Rosses did not provide sufficient evidence about whether the property had been transferred or whether they were required to raise separately the R2.94m to make the payment. Additionally, the Rosses did not offer evidence that they held the conveyancing attorneys liable for their loss, despite the fraudulent emails originating from one its employee’s correct email address.
The court dismissed the plaintiffs’ claim.
