Chairman’s fraud: liability of a victim company’s bank for breach of its duty of care
Cour d’appel de Paris – Pôle 5 Chambre 6 – November 22, 2023 RG n°22/04074
To characterize a breach of due diligence on the part of the bank of a company that had been the victim of a “president fraud”, the Paris Court of Appeal based its decision on a series of clues, specifying in particular that a simple counter-appeal to the company’s accounting manager was not sufficient.
The “president fraud” that emerged in the 2010s is a payment fraud that affects all types of companies, whatever their size, importance or local or national dimension.
In this case, the swindler assumes the identity of a third party, usually the director or representative of a company, and asks an employee of the company, usually a member of the accounting department, to make one or more transfers to a bank account under the guise of an urgent and strictly confidential transaction.
In the case submitted to the Paris Court of Appeal, a company was the victim of a scam of this type in 2015, in which the fraudsters contacted the company’s accounting director via a false email address imitating that of the company’s legal representative, informing her of a strictly confidential matter that she was not to reveal under any circumstances.
The identity theft working, the swindlers convinced the company’s accounting manager to exchange information via a personal messaging system, and succeeded in getting information from her about the company’s cash position in order to organize the setting up of transfer orders bearing a false signature of the company’s representative.
Under these conditions, on December 21, 2015, the accounting manager sent the company’s bank a transfer order for the sum of €426,000, then on December 23, 2015 three transfer orders for the sums of €485,000, €489,000 and €486,000, making a total of transfer orders for the sum of €1,886,000 in two days to bank accounts located in Bulgaria.
When the fraud was discovered, the company notified its bank and filed a complaint. Only the last transfer of €486,000 was recovered. The company then decided to request that its bank be ordered to repay the sums, citing a breach of its duty of care.
While the bank is bound by an obligation of non-interference in its customer’s affairs, regardless of the customer’s status, and is not required to investigate the origin or size of funds deposited in the customer’s account, nor to question the existence of large-scale movements, this obligation is limited by the duty of vigilance to which it is subject.
As soon as the transaction reveals an apparent anomaly, whether material or intellectual, either in the documents provided, or in the nature of the transaction itself, or in the operation of the account, the payment service provider must exercise prudence and diligence.
To establish that the bank had breached its duty of care, the Court of Appeal relied on a number of indicators.
1°/ Firstly, the Court of Appeal noted an apparent material anomaly affecting the payer’s signature. In this case, this anomaly had attracted the attention of the bank, which had indicated it in documents as “signature not found” or “non conforme”.
2°/ Secondly, the Court of Appeal looked at the amount of the transfer orders and their destination, and concluded that the account was operating abnormally.
It considered that the repetition of the transfer orders in question, for large and comparable amounts, given over a short period of time, characterized abnormal operation of the account.
This position had already been taken by the Grenoble Court of Appeal, which, in a decision dated November 9, 2023, had taken into account the amount of the transfer orders, which in this case represented twelve times the average monthly debit amount of the victim company, to characterize a breach by the bank. (Grenoble Court of Appeal – Commercial Division – November 9, 2023 RG n°22/03433).
As for the destination of the transfer orders, the Court of Appeal, in its ruling dated November 22, noted that the transfer orders were for the benefit of recipients in Bulgaria.
3°/ Thirdly, the Court of Appeal reiterates the need for the bank to verify the authenticity of the transfer order and whether it comes from a person authorized to give it. In this case, the company’s accounting manager did not have the power to move the account, but only to transmit payment orders to the bank, subject to a validation limit of €150,000 per day. As a result, the disputed transfers exceeded this ceiling.
Although the bank made counter-calls to the company’s accounting manager in order to carry out verifications, the Court of Appeal considered that this approach was insufficient and superficial, as the control carried out was devoid of any effectiveness since the counter-call was not made to the person authorized to give and sign the payment order.
HoweverThe Court of Appeal found that the accounting manager had not exercised due caution when transmitting the transfer orders, by failing to express surprise at the content of the messages sent to her, by providing the material elements of the fraud to the swindlers, and by indicating to the Bank that the purpose of the transfers was “cash movements” (a false motive designed to reassure the Bank), whereas they were supposed to finance the purchase of a listed company.
Consequently, the Court of Appeal confirmed the existence of a breach of duty of care on the part of the bank, but nonetheless took into account the imprudence committed by the company’s employee in concluding that responsibility for the transfers not recovered by the company should be shared 80% by the bank and 20% by the company.