On 18 March 2020 the Supreme Court of Appeal found that a financial services provider (FSP) improperly transferred funds when it acted on fraudulent instructions from a hacker posing as its client, because the instructions did not carry a signature as required by the mandate. The FSP therefore acted without receiving proper instructions and contrary to its mandate.
This decision is a warning signal to FSPs whose clients may be targeted by hackers and social engineers. Everyone must be alert to the possibility of hackers impersonating clients for financial gain. It is clear that FSPs must carefully assess every instruction for authenticity and strictly comply with any agreed conditions. This responsibility lies with the FSP. If instructions do not fully conform to the mandate, the FSP will be liable to pay back the money unlawfully transferred.
The client’s claim arose out of amounts transferred by the FSP in response to fraudulent email instructions ostensibly sent by the client. In terms of the client’s written mandate to the FSP, the FSP was engaged to act as the client’s agent and invest money on his instructions, provided that such instructions would be sent by fax or email ‘with client’s signature’. The client’s email account was hacked by fraudsters. The fraudsters sent three separate emails to the FSP instructing that amounts be transferred to specified accounts. Two of the emails ended with the words ‘Regards, Nick’, and the third email ended with the words ‘Thanks, Nick’.
The liability of the FSP turned on the court’s interpretation of whether these instructing emails met the ‘signature’ requirement of the written mandate. The FSP argued that it acted within the terms of its mandate by relying on section 13(3) of the Electronic Communications and Transactions Act 2002 (ECTA). The FSP argued that ‘Nick’ constituted an electronic signature because it was the ordinary manner in which the client signed off his emails.
The court correctly rejected the FSP’s argument, and took into account the following:
- Section 13(3) of the ECTA applies when an electronic signature is specifically ‘required’ by the parties.
- The mandate did not require an electronic signature. The ECTA was accordingly not applicable.
- A handwritten signature, in everyday and commercial contexts, serves an authentication and verification purpose even when sent electronically.
The court held that any email instruction from the client to the FSP would have to include a signature in the ordinary sense, that is, in manuscript form. As the instructions were not accompanied by the client’s manuscript signature, the funds had been transferred by the FSP without proper instruction and contrary to the mandate.
What should FSPs do?
- FSPs should have standardised processes to which a client must adhere.
- FSPs should insist on detailed arrangements for email instructions, including a list of authorised email addresses from which the instruction may originate.
- The mandate must be explicit as to what is meant by ‘signature’ or any other evidence of authorisation so that there can be no confusion when determining whether a client’s instruction is lawfully issued.
- Staff acting on client instructions must be trained to pick up inconsistencies that may alert someone to a phishing or fraudulent email.
- Staff should verify instructions telephonically, and record such calls, in circumstances where there is any doubt.
This decision is relevant to anyone handling a third party’s money.