Skip to content

Brought to you by

Dentons logo

Dentons Data

Your trusted advisor for all things digital.

open menu close menu

Dentons Data

  • Home
  • About Us

Who Bears the Loss When a Cybercrimal Diverts Funds?

By Tracy Molino
August 20, 2019
  • Cyber Crime
  • Cybersecurity
Share on Facebook Share on Twitter Share via email Share on LinkedIn

The Issue

What happens when two innocent parties to a settlement agreement are victims of cybercrime resulting in settlement funds being misdirected to a fraudster? The recent Ontario Small Claims Court decision St. Lawrence Test & Inspection Co. Ltd v. Lanark Leeds Distribution Ltd. And Mark Schokking, 2019 CanLII 69697 (ON SCSM) (“St. Lawrence“) considered this issue. As Kelford, DJ succinctly states:

The Plaintiff and Defendant were both innocent victims of a “cybercrime” which resulted in the loss of funds which were paid by the Defendants to settle the Plaintiff’s claim. Both parties are innocent. Unfortunately, one of them must bear the loss.

The Facts

The Defendants had agreed, under the terms of a settlement agreement, to send the Plaintiff $7000, by way of electronic funds transfer, as full and final settlement of a claim.  Unfortunately for both parties, one of the Plaintiff’s email accounts was hacked (that of the paralegal handling the claim), and a fraudster began sending the Defendant emails that appeared to be from the Plaintiff. One of these emails sent revised payment instructions to the Defendants, asking that the funds be transferred to an individual’s Alberta-based credit union account, rather than to the Plaintiff’s trust account, held at a bank.

The Defendant (Schokking) did not question these transfer instructions, and in fact sent a follow-up email (redirected to the fraudster) asking for additional information to complete the transfer. The fraudster then repeatedly delayed sending a receipt of funds confirmation, presumably to allow for the payment to clear his account at the credit union. After more than a month of confusion, the Plaintiff finally reported the fraud to both the credit union and the local police. To date, the funds have not been recovered and are presumed to be unrecoverable.

The Deputy Judge noted that there are few Ontario decisions that deal with this type of issue. The Defendant relied almost exclusively on an Ontario Superior Court decision[1] involving a customer who had a foreign currency account at a bank. The customer’s email address was hacked and two separate emails authorizing wire transfers from the customer’s account were sent. The Court found in favour of the bank, dismissing the customer’s claim. In so doing, the Court relied primarily on the terms of the customer’s account agreement and stated that the customer had failed to establish “gross negligence” or “willful misconduct” on the part of the bank.

In the facts at hand, there was no express agreement governing the transfer of funds between the parties. The issue before the Deputy Judge was therefore “whether… the Defendants were entitled to rely on revised email instructions which came from a fraudster, who had seized control of Baker’s computer emails and was impersonating [the Plaintiff].” Or put another way: “Where a computer fraudster assumes control of Victim A’s email account and, impersonating Victim A, issues instructions to Victim B, who then transfers funds intended for Victim A (or a third party) to the fraudster’s account, is Victim A liable for the loss?”

In the Deputy Judge’s opinion, the answer to that question is “no,” unless:

  • the Victims are parties to a contract that both authorizes Victim B to rely on email instructions from Victim A and shifts liability for a loss resulting from fraudulent payment instructions to Victim A;
  • Victim A is dishonest, or there is evidence of willful misconduct on their part; or
  • Victim A is negligent.

The Decision

In ruling in favour of the Plaintiff, the Deputy Judge found no evidence supporting an affirmative answer to any of these questions and found that the Defendants failed to follow the terms of the settlement agreement in sending funds to the credit union. Further, neither the Plaintiff nor the Plaintiff’s paralegal were negligent with respect to their email security systems. The Defendants were ordered to pay the Plaintiff $7000 in full and final settlement of the Plaintiff’s claim.

The Deputy Judge also commented that legislation establishing clear principles and guidelines for allocating liability in instances of computer fraud would be helpful. He noted that in the United States the Uniform Commercial Code (UCC) has provisions explicitly dealing with wire transfer fraud. The UCC generally indicates that the originator of the payment is in the best position to recognize (and therefore manage) potentially fraudulent payment instructions.

Canada has no similar legal framework in place. While Payments Canada’s[2] rules address some instances of potential fraud (e.g. when the intended payee of a cheque never receives payment), they do not extend to consumer remedies for misdirected electronic payments, sent by either the Large Value Transfer System (LVTS) – a domestic “wire”, or by way of electronic funds transfer (via the Automated Clearing and Settlement System – the ACSS). Indeed, with few exceptions, Payments Canada only establishes rules that impact its members[4] and does not have the authority to establish a fulsome liability framework like the one set out in the UCC. Developing such a framework in Canada would likely fall to provincial regulators, which could result in uneven consumer protection across the country. In other words, mirroring the framework established by the UCC would present a challenge in Canada.

Takeways for Business

From a practical perspective, this decisions suggests that businesses, whether the originator or recipient of a payment, may wish to consider taking steps to: (a) prevent funds from going astray; and (b) protect themselves if funds do go astray:

  • Regardless of the reason for a payment being made, it may be helpful for parties to an agreement include terms relating to electronic payments, including:
    • how payment instructions will be provided;
    • whom to contact in the event that initial payment instructions are “amended” (a telephone call to the appropriate contact may be preferable to sending an email message), or otherwise suspicious (in this case, the Defendant was asked to send funds to a credit union located in Alberta when the Plaintiff was located in Ontario. The account was also not a trust account, as would be expected);
    • what payment methods are permissible by the parties (e.g. will the parties accept payment via e-transfer? Cheque? Money order?) (Note that each payment method has pros and cons. For example, e-transfer is low-cost virtually immediate but relies solely on having an email address for the intended recipient. Funds sent by e-transfer can also be easily directed to the recipient’s other bank accounts); and
    • how liability for a misdirected payment will be allocated between the parties.
  • Be vigilant when making electronic payments. As the speed of digital payments increases, the window between sending and receiving “good” funds shrinks rapidly. With it shrinks the sender’s opportunity to correct payment instruction errors or issue a “stop payment” on funds.
  • Perhaps most importantly, parties should not rely on their financial institution to recall or reverse a payment that has been sent. Similarly, parties should not rely on the receiving financial institution to return or freeze funds a customer has received by way of fraud or error. It is always easier to prevent the misdirected payment before sending it than to correct the error once it has been made.

[1] Du v. Jameson Bank 2017 ONSC 2422 (CanLII).

[2] Payments Canada operates Canada’s key clearing and settlement systems.

[3] Payments Canada members can be thought of as traditional financial institutions like banks.


For more information about Denton’s data expertise and how we can help, please see our Transformative Technologies and Data Strategy page and our unique Dentons Data suite of data solutions for every business.

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
Cyber Crime, Money, Payments
Tracy Molino

About Tracy Molino

Tracy Molino is counsel in our Banking and Finance group. Tracy has extensive experience with payments law and technology, bank regulatory and policy matters, and consumer protection issues.

All posts Full bio

RELATED POSTS

  • Cybersecurity

New York Department of Financial Services Cybersecurity Regulation Requirements Applicable to Third Parties Now in Effect

By Kirsten Thompson
  • Cybersecurity
  • Data
  • Guidance
  • Privacy
  • Technology

Considerations for de-identifying personal health information: Guidance from Ontario’s Information and Privacy Commissioner

By Kirsten Thompson, Sasha Coutu, and Noah Walters
  • Access
  • Blockchain
  • Cybersecurity
  • Data
  • FinTech
  • Privacy

The privacy paradox in blockchain: best practices for data management in crypto

By Noah Walters and Sasha Coutu

About Dentons

Dentons is designed to be different. As the world’s largest law firm with 20,000 professionals in over 200 locations in more than 80 countries, we can help you grow, protect, operate and finance your business. Our polycentric and purpose-driven approach, together with our commitment to inclusion, diversity, equity and ESG, ensures we challenge the status quo to stay focused on what matters most to you. www.dentons.com

Dentons boilerplate image

Twitter

Categories

  • Access
  • Artificial Intelligence
  • BC FIPPA
  • Bill 64 (Quebec)
  • Blockchain
  • CASL
  • Class Actions
  • Competition
  • Consent
  • COVID-19
  • CPPA (Bill C-11)
  • Cryptocurrency
  • Cyber Crime
  • Cybersecurity
  • Data
  • Data Localization
  • Data mobility
  • De-identification
  • Disposal
  • False Light
  • FinTech
  • General
  • Guidance
  • Intrusion upon Seclusion
  • Legislation
  • Litigation
  • Podcast
  • Privacy
  • Privacy Torts
  • Private right of action
  • Public disclosure of private facts
  • Right to be Forgotten
  • Rogue employees
  • Technology
  • Trade
  • Trade and Investment

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo

© 2022 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site