Who Bears the Loss When a Cybercrimal Diverts Funds?

Print Friendly, PDF & Email

The Issue

What happens when two innocent parties to a settlement agreement are victims of cybercrime resulting in settlement funds being misdirected to a fraudster? The recent Ontario Small Claims Court decision St. Lawrence Test & Inspection Co. Ltd v. Lanark Leeds Distribution Ltd. And Mark Schokking, 2019 CanLII 69697 (ON SCSM) (“St. Lawrence“) considered this issue. As Kelford, DJ succinctly states:

The Plaintiff and Defendant were both innocent victims of a “cybercrime” which resulted in the loss of funds which were paid by the Defendants to settle the Plaintiff’s claim. Both parties are innocent. Unfortunately, one of them must bear the loss.

The Facts

The Defendants had agreed, under the terms of a settlement agreement, to send the Plaintiff $7000, by way of electronic funds transfer, as full and final settlement of a claim.  Unfortunately for both parties, one of the Plaintiff’s email accounts was hacked (that of the paralegal handling the claim), and a fraudster began sending the Defendant emails that appeared to be from the Plaintiff. One of these emails sent revised payment instructions to the Defendants, asking that the funds be transferred to an individual’s Alberta-based credit union account, rather than to the Plaintiff’s trust account, held at a bank.

The Defendant (Schokking) did not question these transfer instructions, and in fact sent a follow-up email (redirected to the fraudster) asking for additional information to complete the transfer. The fraudster then repeatedly delayed sending a receipt of funds confirmation, presumably to allow for the payment to clear his account at the credit union. After more than a month of confusion, the Plaintiff finally reported the fraud to both the credit union and the local police. To date, the funds have not been recovered and are presumed to be unrecoverable.

The Deputy Judge noted that there are few Ontario decisions that deal with this type of issue. The Defendant relied almost exclusively on an Ontario Superior Court decision[1] involving a customer who had a foreign currency account at a bank. The customer’s email address was hacked and two separate emails authorizing wire transfers from the customer’s account were sent. The Court found in favour of the bank, dismissing the customer’s claim. In so doing, the Court relied primarily on the terms of the customer’s account agreement and stated that the customer had failed to establish “gross negligence” or “willful misconduct” on the part of the bank.

In the facts at hand, there was no express agreement governing the transfer of funds between the parties. The issue before the Deputy Judge was therefore “whether… the Defendants were entitled to rely on revised email instructions which came from a fraudster, who had seized control of Baker’s computer emails and was impersonating [the Plaintiff].” Or put another way: “Where a computer fraudster assumes control of Victim A’s email account and, impersonating Victim A, issues instructions to Victim B, who then transfers funds intended for Victim A (or a third party) to the fraudster’s account, is Victim A liable for the loss?”

In the Deputy Judge’s opinion, the answer to that question is “no,” unless:

  • the Victims are parties to a contract that both authorizes Victim B to rely on email instructions from Victim A and shifts liability for a loss resulting from fraudulent payment instructions to Victim A;
  • Victim A is dishonest, or there is evidence of willful misconduct on their part; or
  • Victim A is negligent.

The Decision

In ruling in favour of the Plaintiff, the Deputy Judge found no evidence supporting an affirmative answer to any of these questions and found that the Defendants failed to follow the terms of the settlement agreement in sending funds to the credit union. Further, neither the Plaintiff nor the Plaintiff’s paralegal were negligent with respect to their email security systems. The Defendants were ordered to pay the Plaintiff $7000 in full and final settlement of the Plaintiff’s claim.

The Deputy Judge also commented that legislation establishing clear principles and guidelines for allocating liability in instances of computer fraud would be helpful. He noted that in the United States the Uniform Commercial Code (UCC) has provisions explicitly dealing with wire transfer fraud. The UCC generally indicates that the originator of the payment is in the best position to recognize (and therefore manage) potentially fraudulent payment instructions.

Canada has no similar legal framework in place. While Payments Canada’s[2] rules address some instances of potential fraud (e.g. when the intended payee of a cheque never receives payment), they do not extend to consumer remedies for misdirected electronic payments, sent by either the Large Value Transfer System (LVTS) – a domestic “wire”, or by way of electronic funds transfer (via the Automated Clearing and Settlement System – the ACSS). Indeed, with few exceptions, Payments Canada only establishes rules that impact its members[4] and does not have the authority to establish a fulsome liability framework like the one set out in the UCC. Developing such a framework in Canada would likely fall to provincial regulators, which could result in uneven consumer protection across the country. In other words, mirroring the framework established by the UCC would present a challenge in Canada.

Takeways for Business

From a practical perspective, this decisions suggests that businesses, whether the originator or recipient of a payment, may wish to consider taking steps to: (a) prevent funds from going astray; and (b) protect themselves if funds do go astray:

  • Regardless of the reason for a payment being made, it may be helpful for parties to an agreement include terms relating to electronic payments, including:
    • how payment instructions will be provided;
    • whom to contact in the event that initial payment instructions are “amended” (a telephone call to the appropriate contact may be preferable to sending an email message), or otherwise suspicious (in this case, the Defendant was asked to send funds to a credit union located in Alberta when the Plaintiff was located in Ontario. The account was also not a trust account, as would be expected);
    • what payment methods are permissible by the parties (e.g. will the parties accept payment via e-transfer? Cheque? Money order?) (Note that each payment method has pros and cons. For example, e-transfer is low-cost virtually immediate but relies solely on having an email address for the intended recipient. Funds sent by e-transfer can also be easily directed to the recipient’s other bank accounts); and
    • how liability for a misdirected payment will be allocated between the parties.
  • Be vigilant when making electronic payments. As the speed of digital payments increases, the window between sending and receiving “good” funds shrinks rapidly. With it shrinks the sender’s opportunity to correct payment instruction errors or issue a “stop payment” on funds.
  • Perhaps most importantly, parties should not rely on their financial institution to recall or reverse a payment that has been sent. Similarly, parties should not rely on the receiving financial institution to return or freeze funds a customer has received by way of fraud or error. It is always easier to prevent the misdirected payment before sending it than to correct the error once it has been made.

[1] Du v. Jameson Bank 2017 ONSC 2422 (CanLII).

[2] Payments Canada operates Canada’s key clearing and settlement systems.

[3] Payments Canada members can be thought of as traditional financial institutions like banks.


For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business.