Fraudulent transfer orders: the limits of abnormality
The case in a nutshell
On November 6th, 2014, X. opened an account with a securities trading company (new terminology according to FinIA: 'securities firm'). He signed the usual account opening documents, including a hold mail agreement, a risk transfer agreement for communication by telephone, fax and e-mail, as well as the general terms and conditions of the company.
According to the risk transfer agreement, X. expressly authorized the company to accept instructions given by e-mail and to execute them immediately under any circumstances, even if they were not followed by written confirmation. In addition, the general terms and conditions provided that potential damages resulting from the use of e-mail were to be borne by the customer, except in the event of gross negligence on the part of the company.
During the first half of 2015, X. communicated with the company by e-mail, requesting information related to financial investments and giving two transfer orders abroad, one in his favor, the other one in favor of a third-party company.
At the beginning of December 2015, unknown individuals hacked X.'s e-mail account and took control of this access data. Inspired by previous e-mail exchanges between the customer and the company, the hackers followed up on pre-existing e-mail exchanges, requesting and obtaining the execution of eight transfer orders between December 2015 and the start of January 2016.
On January 6th, 2016, the hackers contacted the company again, this time using a slightly different e-mail address (i.e. with an additional letter in the address). Suspecting fraud, the company immediately suspended all transactions on the account and tried to clarify the situation with the customer by contacting him by phone, only reaching him a week later.
Unable to obtain a refund of the amounts debited from his account, X. filed a claim for reimbursement against the company before the Geneva First Instance Court, claiming that the company had violated its duty to verify the legitimacy of the transfer orders.
After the First Instance Court dismissed his claim, X. filed an appeal. The Court of Appeal then partially reversed the first instance decision, considering that six of the eight fraudulent transfers orders showed abnormal characteristics and that their execution had to be regarded as gross negligence on the company's part. The securities trading company, represented by Altenburger Ltd legal + tax throughout the entire proceedings, then lodged an appeal with the Federal Supreme Court.
In a leading decision handed down by a complete panel of judges, our Supreme Court upheld the company's appeal, thus rejecting X.'s claim in its entirety. After a full review of the applicable principles and with convincing reasoning, the federal judges found that the risk transfer clause signed by X. was valid and thus could be fully held against him, insofar as the company could not be accused of gross negligence.
The client must bear the consequences of the risk transfer clause he signs
After first determining that the fraudulent transfers had not been given by X. (which was not disputed), the Federal Supreme Court then examined, in a second step, the validity and effects of the risk transfer clause and determined whether the company had acted in a grossly negligent manner when verifying and executing the fraudulent orders.
In this context, the federal judges noted that risk transfer clauses must be analyzed in light of articles 100 and 101 para. 3 Swiss Code of Obligations (CO), which provide that a risk transfer clause is void if the circumstances reveal gross negligence or fraud on the part of the financial intermediary. The transfer of risk then becomes ineffective and the financial intermediary can no longer rely on it.
In other words, a customer who wishes to communicate his instructions by e-mail bears the consequences of the risk transfer clause he has accepted. He thus bears the risk of any damages he may suffer as a result of wrongdoing, even due to a chance event. It is only in the event of fraud or serious negligence on the part of the bank or financial intermediary that such a clause may not be held against the customer.
The risk transfer clause is ineffective in the event of gross negligence
The risk transfer clause is not a blank cheque given to the financial intermediary. He remains liable for various obligations, in particular with regard to diligence in executing the instructions communicated to him.
The Federal Supreme Court thus recalled that a risk transfer clause cannot be held against the customer in the event of gross negligence on the part of the financial intermediary. Gross negligence means a violation of elementary rules of prudence that any reasonable person put in the same circumstances would be required to observe.
The scope of these elementary rules of prudence, recalled by the Federal Court in its decision, is well established: the bank or the financial intermediary is not obliged to verify the authenticity of the instructions received beyond the contractually agreed terms or the rules of diligence emanating from the law. Similarly, a customer who wishes to communicate by e-mail is presumed to want his banking transactions to be carried out promptly. In this context, the financial intermediary cannot systematically presume that the e-mail received is fraudulent in nature, nor should he take extraordinary measures which would be incompatible with a rapid execution of a client's instructions.
Gross negligence and the limits of abnormality
According to case law, a bank or financial intermediary is guilty of gross negligence if it executes instructions which it should have presumed to be fraudulent, in particular because of serious abnormalities, with regard to the circumstances prevailing at the time of the fraud.
In practice, these are usually referred to as abnormality criteria.
Over the years, Swiss courts have shed light on various elements which make it possible to determine whether the instructions showed such abnormalities that the financial intermediary should have detected fraud.
In the case of fraudulent e-mails, indications of misuse, which the Federal Supreme Court pointed out in its decision, can be found in the e-mail address used, the text or content of the message, the exotic destination of a transfer order or the personal situation of the client. The list of criteria analyzed by the court when determining the seriousness of the financial intermediary's negligence is not exhaustive. Thus, other criteria arising from the business relationship may also be taken into account (e.g. the duration of the contractual relationship between the parties; the pre-existence of a written exchange between the bank and its customer; the customer's language skills; the use of the customer's own phrases; the manner and context in which the order is given).
In addition to these various elements, the Federal Supreme Court also considered other points that had been held to be abnormalities by the Geneva Court of Appeal.
Contrary to the cantonal court, our Supreme Court considered that the mention of a final beneficiary of the transfer order in an e-mail, such beneficiary being unknown to the financial intermediary at the time, could not constitute an abnormal element, a fortiori when the motive for payment appears to be a commercial transaction, which is usually carried out in favor of a third party. Moreover, the sudden increase in the number of transfer orders alone does not constitute an unusual element. As the Supreme Court has already pointed out, it is not the bank's responsibility to ensure that the decisions and choices made by its customers are well-founded.
Finally, the federal judges made a clear distinction between the circumstances of the case in question and those prevailing in the BCGE case (4A_386/2016), in which the financial intermediary was found to have committed gross negligence. While X. had attempted to draw broad conclusions from the above-mentioned case law before the previous instances, the Supreme Court accepted the appellant's argument: by means of thorough explanations, the company was able to demonstrate that the factual circumstances cited by X. were not comparable to those at hand.
Conclusion
In a world where new technologies are increasingly relevant, the temptation to use fast and easily accessible means of communication is great. However, the use of electronic messaging, often free of charge, carries significant risks, particularly with regard to identity theft.
The Swiss Supreme Court has confirmed its practice in the decision commented on herein and pointed out that a customer is free to choose to use such means of communication, even in view of the risks involved. However, in the context of a relationship between a customer and a financial intermediary, the latter may transfer these risks to the customer by means of appropriate contractual clauses.
The decision rendered on July 9, 2020 reaffirmed the scope and effects of such clauses, while reiterating the importance of precise and unequivocal wording. As an essential and customary element of banking relationships, these provisions are vital to enable financial intermediaries to continue to serve their customers efficiently, while preserving them from becoming their contracting parties' guardians.