SCA: purchasers bear the risk of cyber-fraud when paying by EFT

Posted on Leave a comment

The courts will not impose a legal duty on creditors to protect debtors from cyber fraud, and debtors bear the responsibility of ensuring that a payment is made to the correct bank account. These principles were reaffirmed by the Supreme Court of Appeal (SCA) when it handed down judgment this month in a dispute that arose because of email interception fraud.

The central question before the court was: when a buyer transfers payment for goods into the wrong bank account – misled by a fraudulent change in the seller’s account details – has the buyer actually fulfilled its payment obligation?

Background to the proceedings

In October 2018, Intengo Imoto (Pty) Ltd t/a Northcliff Nissan (Intengo) sold two Nissan NP200 vehicles for R145 000 each to Zoutpansberg Motor Wholesalers CC t/a Hyundai Louis Trichardt (Hyundai).

The emailed invoices specified Intengo’s First National Bank (FNB) account as the destination for payment by electronic funds transfer (EFT).

Acting on emailed “proofs of payment” for each vehicle, Intengo released the vehicles on 31 October and 1 November, without verifying its bank statements. It was only on 7 November that Intengo discovered that no funds had landed in its account.

Instead, because of cybercrime involving email interception and the substitution of banking details, Hyundai made payment into a fraudulent FNB account.

Intengo sued in March 2020 in the Louis Trichardt Regional Court for R290 000 plus interest and costs. The court found the transaction was cybercrime but deemed Hyundai negligent for failing to confirm the account details and ordered it to pay.

Hyundai appealed to the Limpopo High Court, which dismissed Intengo’s claim with costs. The High Court reasoned that Intengo had failed to prove breach of contract, and the case was pleaded in contract rather than delict.

Intengo petitioned the SCA, which granted leave to appeal.

Framing the issues correctly

The SCA addressed the critical issue of where liability lies when electronic payment is made into a fraudulent bank account because of cybercrime. As the court put it, the case turned on whether payment into “a bank account other than the account of the seller, without the authority of the seller” could count as performance of the contractual duty to pay.

In its pleadings, Intengo claimed that Hyundai breached its obligations by failing to make payment to the seller. Hyundai countered that it had paid into the bank account described on the invoices and denied owing any sum.

In a judgment written by Judge Phillip Coppin, the SCA found that the High Court had wrongly characterised these competing contentions and wrongly shifted the legal onus. The SCA corrected this error: because Hyundai affirmed that it paid, it bore the legal onus to prove payment on a balance of probabilities. As the court reiterated, “the onus of proof does not shift”, although the evidentiary burden may tentatively shift depending on how the parties adduce their evidence. If Hyundai failed in that task, Intengo was entitled to judgment.

What constitutes a completed EFT payment?

Not all electronic transfers are created equal under the law. Citing Vereins-Und Westbank AG v Veren Investments and Others (2002), the SCA underscored that an EFT payment is incomplete – indeed, “inchoate” – unless and until the payee acquires “the unfettered or unrestricted right to the immediate use of the funds in question”. In other words, it is not enough for the payer’s bank statement to reflect a debit; payment is complete only when the recipient’s account is actually credited and the payee can use the funds without limitation.

In line with this principle, it has been held that “the place of payment in the case of an EFT is when the funds (meant for payment) are actually received by the payee in its bank account”. Thus, Hyundai could discharge its onus only by proving that Intengo’s nominated FNB account was in fact credited with the two R145 000 transfers.

The SCA said this principle is woven into a “golden thread” running through a series of judgments dealing with fraud-induced misdirection of payments. In Mosselbaai Boeredienste (Pty) Ltd t/a Mosselbaai Toyota v OKB Motors CC t/a Bultfontein Toyota (2024), the Full Bench of the High Court in Bloemfontein reviewed multiple authorities and concluded unambiguously that:

“The golden thread … places an obligation on the purchaser to ensure that the bank account details contained in the invoice is in fact correct/verified and that payment is made to the seller and not to an unknown third party. Failure to do so … does not extinguish the purchaser’s obligation and liability to pay the debt.”

Since Mosselbaai, courts across South Africa have repeated and reaffirmed that a purchaser who blindly follows invoice instructions without verification must bear the loss if fraudsters intercept and alter those instructions.

Turning from principle to policy, the SCA drew an analogy with fraudulent cheques. In Mannesman Demag (Pty) Limited v Romatex (1988), the Transvaal Provincial Division held that “the risk is the debtor’s since it is the debtor’s duty to seek out his creditor”.

More recently in Edward Nathan Sonnenberg Inc v Judith Mary Hawarden (2024), the SCA refused to impose on creditors a duty to protect debtors from hacked payments, warning of “the real danger of indeterminate liability” if such a duty were to be extended.

Taken together, these decisions establish that in the EFT context, the payer – the purchaser – bears the risk of email or banking fraud, not the payee, unless the parties expressly agree otherwise.

Putting the evidence on trial

With the legal framework in place, the SCA turned to the record.

Intengo established a prima facie case that sales team leader Marco Sutherland sent the invoices to Hyundai by email. These invoices bore Intengo’s correct banking details, and there was no interception of the email until it left Intengo’s server.

An IT expert testified that the email was intercepted, and an attachment was changed on the email. He explained that, if he had been able to inspect Hyundai’s mail server, he could have pinpointed when and how the fraud occurred.

Hyundai called only one witness, a senior sales executive, Brian Meth. He admitted passing the invoices to Hyundai’s accounts department but lacked personal knowledge of how the EFTs were executed or where they landed. No representative from the accounts department was called to testify.

Meth conceded that Intengo “did not receive the money” in the fraudulent account, yet he insisted that sending “proof-of-payment” emails sufficed to absolve Hyundai.

He blamed Sutherland’s failure to check his bank statement and claimed that, upon receiving the seller’s release of the vehicles, Hyundai presumed payment was complete.

Crucially, the SCA noted that Hyundai produced a third notification of payment emailed on 1 November 2018 showing that Hyundai had transferred R145 000 into Intengo’s correct account, but the notification bore the wrong branch code.

“The fact that this notification emanated from the respondent shows that the respondent was aware of Intengo’s correct banking account details. The anomaly created by that notification called for an answer from Hyundai, but it remained unexplained,” Judge Coppin wrote.

The SCA concluded that Hyundai failed to discharge its onus of proving that it had paid Intengo the purchase price for the two vehicles.

“A payment into a different account, not authorised by Intengo, and without verifying Intengo’s banking details, did not release Hyundai of its payment obligation to Intengo. Hyundai’s contention that Intengo bore the risk in those circumstances is untenable.”

The SCA upheld Intengo’s appeal and found that the Regional Court was correct when it ordered Hyundai to pay the amounts, plus interest and costs.

Click here to download the judgment.

Leave a Reply

Your email address will not be published. Required fields are marked *