High Court rejects claim against receiving bank in APP fraud case.

In the first case of its kind, the High Court in Tecnimont Arabia Ltd v National Westminster Bank Plc [2022] EWHC 1172 (Comm) rejected claims against a bank which received proceeds of an APP fraud. The case emphasises the importance of maintaining robust cyber-resilience infrastructure and, in particular, training for employees to guard against APP fraud risks and follow the correct procedures when processing payments.

Facts and claim

In October 2018, Tecnimont Arabia Ltd ("Tecnimont"), a Saudi subsidiary in the Italian engineering group Maire Tecnimont, intended to make a payment of USD 5 million to an Italian subsidiary in the group. A third party fraudster gained unauthorised access to the email systems of Tecnimont's Italian entity through a phishing email sent to its Finance Director, Mr Fritelli. The fraudster then sent emails which appeared to originate from Mr Fritelli, instructing Tecnimont that the funds should be sent to a bank account at NatWest in London. Tecnimont, in the belief that this was a genuine request, asked its bank to transfer the money to this account.

The transfer was effected from Tecnimont's local bank in Saudi Arabia, via a correspondent bank in the US, to NatWest in London. The fraudster then dissipated the funds from the NatWest account via 28 international payments. By the time the fraud had been discovered, approximately USD 36,000 was left in the account. NatWest acted on two fraud alerts; after investigating, an employee reinstated the account's services. On the second occasion the employee did not follow the correct protocol. Later, NatWest became aware of the fraud, and froze the account after a few hours.

Tecnimont accepted that it was not NatWest's customer, and that NatWest did not owe a duty of care to it. However, Tecnimont brought a claim against NatWest for knowing receipt of property subject to a trust and unjust enrichment. Tecnimont's case was that:

• the monies constituted trust property in which Tecnimont had an equitable proprietary interest and which was unconscionable for NatWest to retain; and
• NatWest had been enriched at Tecnimont's expense and this was unjust.

Knowing receipt of trust property

The Court dismissed Tecnimont's claim for knowing receipt. Tecnimont had paid away the funds acting under a mistake induced by the deceit of a third party. There was no authority for Tecnimont's submission that the transferred funds were trust property because the transfer was procured by fraud. The property was therefore not trust property when it was received by Natwest. Further, Natwest received the money for its customer, not its own account.

Unjust enrichment

Tecnimont's claim for unjust enrichment was similarly rejected. Whether NatWest had been enriched "at the expense of" Tecnimont required a direct "transfer of value" between Tecnimont and NatWest. Here, the Court found that as a result of the funds passing through an intermediary bank before reaching NatWest, there was no direct transfer of value between Tecnimont and NatWest.

Tecnimont sought to argue that the "economic reality" of the transactions from Tecnimont's bank in Saudi, via the US, to NatWest in London should be seen as a single transfer of value, although the Court rejected this approach. The Court described this as a "somewhat fuzzy concept" and one which would be difficult to apply "with any rigour or certainty", following the Supreme Court in Investment Trust Companies v HMRC [2017] UKSC 275. It also found that such an analysis would ignore the established manner in which international bank transfers are made, and would inappropriately extend the class of cases of international bank transfers.

Comment

This decision is a good result for banks. This claim was the first serious attempt to establish liability against the receiving bank of an APP fraud. However, it is not guaranteed that a bank will always escape scrutiny where it receives the proceeds of an APP fraud. In obiter comments, the Court reviewed NatWest's response to receiving the funds and, although finding that its systems were adequate, noted that there were deficiencies in the way NatWest's staff reviewed the fraudster's use of the account.

Importantly, this judgment emphasises the importance of cyber-resilience and the proper training of employees to guard against phishing attacks and follow the proper procedures when effecting payments. Whilst Tecnimont required that such payments were to be authorised by tokens held by 2 individuals, in fact both tokens were held by a single individual, who sent the instruction for the payment to be made without seeking proper authorisation.

As a firm, we have experience in advising on methods to ensure cyber-resilience and offer an experienced team of legal experts to respond quickly in the face of data or cyber-attacks to give you a strategic, controlled response. Visit Data Security Disputes and Cyber to learn more.