In Hartog v Daly, the court held Hartog liable for monies that he paid into a fraudster’s bank account. The fraudster unlawfully intercepted an email communication between Hartog and his client by sending Hartog an email with instructions to pay the monies into the fraudster’s account. The email appeared to have come from Hartog’s client, so he paid monies into the fraudster’s account believing it to be his client’s account. Hartog tried to hold the bank accountable for letting a fraudster open an account that the fraudster later used to steal funds. The court held that the bank was not negligent because they complied with the legal requirements to allow someone to open a bank account. The court also said that it was not reasonable for Hartog to expect the bank to monitor an electronic fund transfer.

Who should care about this judgment and why?

  • Organisations that use email to communicate banking details because you could receive a compromised email from a criminal.
  • Banks and other financial institutions because business email compromise and information security are a business concern.
  • The Fidelity Fund because there will be more claims like the one in this judgment as cybercrime increases.

What could you do about it?

Our insights on the judgment

This judgment is not about a Business Email Compromise! Remember, a fraudster intercepted Hartog’s client’s email. This judgment was less about the email compromise and more about whether the bank was negligent in its processes.

The judgment raises some important issues about due diligence. For example, Hartog could have avoided paying money to a fraudster by confirming his client’s banking details with a good old fashioned phone call. Hartog did not exercise proper due diligence because he overlooked that his client’s banking details suddenly changed.

It can happen to anyone! And it will!

Millions of people transact online daily. People often exchange banking details with each other over various platforms to conclude financial transactions. As cybercrime increases, we all have a duty of care to be extra vigilant when we transact online. Organisations that use email or any other channel to communicate banking details should implement additional security measures to verify payment information. Organisations should adopt a risk-based approach when they transfer large amounts of funds. Set a limit for yourselves to flag certain amounts. For example, they should not rely on one communication channel alone but multiple channels to authenticate transactions.

Digest

Facts

Hartog practices as a conveyancer. His clients gave him a sole mandate to transfer property they were selling. There were three parties involved in the property sale:

  1. Bridgitte Daly
  2. Karin Foulkes-Jones (deceased)
  3. Patrick Daly

Bridgitte Daly and Karin Foulkes-Jones jointly owned the property that Bridgitte was now selling. Patrick and Bridgitte Daly are spouses. Bridgitte and Karin gave Hartog an oral mandate to act as the conveyancer to transfer the property when it was sold. After the property was sold, Hartog paid R100 000 into Karin’s deceased estate. He had to pay the balance of about R1.4 million into Patrick Daly’s account.

The dispute between Hartog and his clients began when a fraudster intercepted an email communication between Hartog and his clients. The fraudster changed the banking details on the email and sent Hartog instructions to pay the balance of the monies into the fraudster’s account. The email appeared to have come from Patrick Daly, so Hartog paid monies into the fraudster’s account believing it to be Patrick Daly’s account. The fraudster immediately withdrew the money from the account, so the bank was not able to recover the money. Hartog’s clients approached the court to try and recover the stolen funds from the property sale.

Liability for the monetary loss

The clients tried to recover the stolen funds from Hartog, and Hartog claimed that the court should hold the bank liable for the stolen funds. Hartog asked the court to consider whether it could refer his two claims to trial:

  1. The first was his mandate terms, and who should be liable for the Daly’s monetary loss when a fraudster intercepted Patrick Daly’s email.
  2. Whether the bank owed Hartog a duty of care and if so, then the bank should be liable for the Daly’s loss.

The court looked at the sequence of events on the papers and made a few important observations. For example:

  • Although the parties didn’t expressly agree that they would exchange information over email, Hartog was already communicating with Bridgitte and Karin on email.
  • When the sale was completed, Hartog asked Patrick Daly for his banking details by email.
  • Patrick sent his banking details to Hartog who then asked him to confirm that they were correct.
  • When Patrick responded to Hartog, the fraudster intercepted Patrick’s email to Hartog and changed the banking details to reflect the fraudster’s banking details.
  • Hartog did not ask Patrick why his banking details suddenly changed.

Hartog told the court that the email from Patrick had an account confirmation letter from the bank attached. The letter also had the bank’s stamp on it, so he believed it to be authentic.

Did the Bank owe Hartog a duty of care?

Hartog argued that the bank owed him a duty of care and therefore ought to be liable for the loss that the Daly’s suffered. He raised three points before the court and accused the bank of being negligent:

  1. He argued that the bank did not follow FICA rules. Hartog accused the bank of incorrectly opening the account with Patrick Daly’s name. He also told the court that according to the FICA, an accountable institution must conduct ongoing due diligence in respect of a business relationship.
  2. Hartog argued that the bank ought to check account numbers against the name linked to that account. The bank told the court that although it is possible to cross reference account numbers to an account holder’s name, this is not a common practice in South Africa. The court accepted the bank’s explanation that it is a general practice in South Africa that EFTs are done with account numbers only and not necessarily with an account name.
  3. Lastly, Hartog told the court that the bank ought to have monitored the account to prevent the criminal from withdrawing the money. The court held that the bank did not have a duty of care to monitor the account.

The court’s finding

The court held:

  • That the bank complied with the FICA requirements because the bank proved that A Mr. Simelane (not Patrick Daly) opened an account at the bank and provided all documents for FICA purposes. The bank did not know that a fraudster would use the account to commit fraud.
  • That Hartog could not prove that the bank was negligent or wrongful in its process. The court found the bank’s payment process to be in line with the Payment Association of South Africa Rules. Therefore, the court held that the bank did not have a duty to match an account name with an account number.
  • There was no merit to Hartog’s argument about the bank’s duty to monitor an account. Even if the bank did have this duty, the criminal withdrew the money soon after Hartog deposited it. Furthermore, Hartog could not provide any evidence to show the court how the bank could have avoided the withdrawal.
  • That since Hartog brought a claim in delict, he had to produce evidence to show that the bank ought to have taken affordable and practical measures to guard against a loss of this nature.

Order

  • The court dismissed the appeal with costs.

Details of Hartog v Daly

  • Universal citation: ZAGPJHC 40
  • Case number: A5012/2022
  • Full name: Hartog v Daly and Others

Please note: The summary of this judgment is not intended for a general audience. It is specifically drafted for the members of the Michalsons Programmes.