Tecnimont Arabia Limited v National Westminster Bank PLC: Recipient bank not liable following APP fraud

Whilst many recent high profile examples of cybercrime have taken the form of significant extortion or encryption incidents, a recent judgment from the English High Court (Tecnimont Arabia Limited v National Westminster Bank PLC [2022] EWHC 1172 (Comm)) provides a reminder that business email compromise incidents, as a precursor to authorised push payment frauds, can be of equal significance to ransomware events for both financial services providers and customers alike, and gives some guidance as to the liability of receiving banks in such instances.

What is business email compromise?

Business email compromise (or BEC) is a form of phishing attack where a criminal sends an email message that appears to come from a known source, often by way of having gained unauthorised access to the known source’s email account. The email message is usually to a budget holder and makes what appears to be a legitimate request, intimating a change of bank payment details of a payee, commonly a supplier, and persuades the innocent payer into making payment to the fraudster’s account.

In many instances, the criminal will have gained access to the inbox of the known source - commonly an employee fulfilling a finance function - through harvesting login details by way of issuing an earlier phishing email to which that employee will have responded. Having gained unauthorised access, the criminal will often study email traffic to identify the relevant "target" and appropriate timings, thereafter setting up diversionary "rules" for certain senders and / or messages pertaining to certain subjects prior to issuing emails with the aim of diverting payment and avoiding detection.

This ensures that the criminal making use of the harvested account will contact the budget holder in the usual "tone" to avoid provoking suspicion. If successful in perpetrating the fraud, an unassuming payer will, in good faith, unknowingly transmit funds to the fraudster in the mistaken belief these will be received by true payee.

Background

Tecnimont Arabia Limited (TAL), part of a multi-national Italian corporation operating in Saudi Arabia, was the victim of an authorised push payment (or APP) fraud.

On 30 October 2018, as a result of deception on the part of a fraudster, TAL was tricked into making a USD5 million payment to a dollar account held at NatWest Bank in the name of a third-party, Asecna Limited.

By way of background, TAL was due to make repayment to Tecnimont SpA (TCM) of monies borrowed earlier in 2018. Shortly before payment was due to be made, TAL received an email purporting to be from TCM's Group Finance Director, providing updated bank details as "our previous bank details given by Andrea is under scrutiny process...".

The Asecna Limited account provided in the updated bank details was controlled by the fraudster, who arranged for the majority of funds to be paid out of the account over the following two days to multiple accounts in an array of jurisdictions.

To what extent do recipient banks have liability in such instances?

To date, the English courts have principally been asked to consider the role of the paying bank in any cases involving fraudulent payments (as per the Quincecare line of decisions). In this case, TAL sought to establish liability on the part of the receiving bank, NatWest, for failing to freeze the receiving account until nearly all the funds had been dissipated.

The parties were in agreement that NatWest owed no duty of care to TAL, which was never its customer.

The main argument pursued by TAL was that NatWest had been unjustly enriched as the recipient of the payment. In its defence, NatWest denied that any enrichment had been at TAL’s expense; alternatively, that if there had been unjust enrichment at the expense of TAL, then the Bank had a defence, namely that it had changed its position in good faith.

HHJ Bird (sitting as a judge of the High Court) agreed with NatWest, and therefore the claim failed.

On the facts of the case, the payment had passed through the various layers of international banking system on its way from TAL to the Asecna Limited account at NatWest, with the judgment recording that this involved “the adjustment of balances” between two pairs of banks: SABB (TAL’s bank in Saudi Arabia) and Citibank (SABB’s correspondent bank); and Citibank and NatWest. The interbank accounts are settled in the normal course of business by a running account and “it is usually unnecessary for either bank to transfer funds to the other”. [para 132]

The court concluded that the law of unjustified enrichment required a less circuitous route for any payment from TAL to NatWest, with the court finding [at para 142]:

"the conclusion that the Bank was enriched “at the expense of” the claimant would be contrary to the decision in ITC [Investment Trust Companies v HMRC [2017] UKSC 275] which recast the law on the point and would fail to recognise the established manner in which international bank transfers are made".

Although this disposed of the claim, the court went on to decide whether NatWest had a defence of change of position in good faith. NatWest argued that the change of position, as is normally the case in bank claims, occurred when it paid the misappropriated funds away on its customer’s instructions. As for good faith, previous case law has regarded this element as amounting, in restitution cases, to whether it would be unconscionable for the bank to be required to return the funds to TAL. In the context of this dispute it turned into a debate about the commercial acceptability of NatWest’s anti-fraud systems.

Whilst TAL sought to persuade the court that NatWest had three opportunities to freeze the funds, the court did not consider that taking action at any of these points would have made it unjust to deny TAL’s claim:

1. When one of NatWest’s anti-fraud systems generated first generated an alert, at 10:10 on 31 October 2018: which the court heard was triggered "because a payment had been attempted to China which [the anti-fraud systems] deemed was sufficiently unusual”. The purpose of that system, however, was to detect possible fraud occasioned against its customers, as opposed to undertaken by its the customer (in this instance, the controller of the Asecna Limited account) in the form of dissipating funds. Whilst TAL's expert sought to argue that NatWest should also have had real-time systems to detect fraud by the customer, the court found that NatWest’s systems followed industry standards and were "perfectly appropriate" [para 90].
2. When a member of NatWest’s fraud team reviewed another alert from the same system, at 13:04 on 31 October 2018: which the court heard was triggered because a payment was attempted “to a particular country which the bank would have identified as having an increased risk of fraud”. Whilst TAL sought to argue this was a failure to follow standard procedure, the court concluded that the relevant bank personnel had acted in good faith, and would not have detected the fraud even if they had followed the correct procedure (which as before was aimed at detecting fraud against the customer), concluding that it was "highly unlikely" that calling the account holder - himself the fraudster - to confirm the validity of the payments would have alerted the bank to any issue [para 92].
3. After NatWest was aware that the payment was the result of a fraud: the court determined that by 11:56 on 1 November 2018 NatWest was aware that money had been paid to the Asecna Limited account as a result of a mistake induced by a fraud. A number of NatWest employees took action following this notification, with the account ultimately frozen at some point between 16:20 and 16:42. The court considered the question of "Would it, in the light of this delay (during which time the Bank was aware of the relevant fraud) be inequitable or unconscionable, and thus unjust, to allow the Bank to deny restitution of the USD33,989.88 paid out at 3.44pm?" The judge held that the delay was relatively short. It was also "perfectly rational" for the employees to focus on recovering the funds that had already been paid away rather than on freezing the much smaller sum - 0.8% of the funds paid away - that remained. Accordingly, even if it was possible to have frozen the account at an early stage, failing to do so did not create liability on the part of NatWest.

In conclusion, the court found that the fundamental question in considering this aspect of the claim "is not whether the defendant has acted in a commercially unacceptable way, has been guilty of sharp practice, has been dishonest, or even if the defendant knew that sums in a bank account had been paid by mistake, it is whether it would be unjust to allow the defendant to deny restitution." [para 168]

Conclusions

For banks, this judgment is good news. This was the first serious attempt to pin liability for an APP fraud on a receiving bank. TAL was represented by a heavyweight legal team who no doubt explored all the available avenues to establish liability but still did not succeed.

There is, however, a small note of caution. The court’s conclusion on whether there had been unjust enrichment at the expense of the claimant effectively means that any APP fraud that involves a correspondent banking relationship fails at the first hurdle; and the underlying reasoning suggests that a domestic transfer may well fail too. The wider implications of such a finding – applicable not just to fraud but to “fat finger” payments by mistake as well – may mean that an appeal will follow.

From a cybercrime perspective, the judgment emphasises the importance of ensuring proactive cyber resilience before an incident arises - including active cyber defence, which seeks to reduce the harm from commodity cyber-attacks by providing tools and services that protect from a range of attacks, including phishing.

In this instance, prevention would most likely have been the cure and have prevented any need for a significant High Court litigation.

Such steps can include ensuring multi-factor authentication is in place across a business; "Phish testing", whereby organisations send a realistic but fake phishing email to employees in order to test responses and gauging cyber awareness; and real life cyber "war gaming" through engagement with legal and forensic specialists to stress test resiliency before an incident arises.