A Dispute Resolution team from Baker McKenzie in Johannesburg, including Darryl Bernstein, Kylie Slambert, Cameron Jeffrey and Landise Banzana, successfully represented the Rosebank Rotary Club (RRC) on a pro bono basis in a precedent-setting case relating to the conduct of financial service providers (FSPs) and their duty of care to safeguard their clients' finances and protect them against cybercrime. The case involved an ongoing dispute involving the RRC and a financial investment firm, Brough Capital (Brough), and its director, Chris Botha (Botha). The decision, which was delivered in the Commercial Court, has implications for all accountable financial institutions.

Botha is a director, Representative and Key Individual of Brough as defined by the Financial Advisory and Intermediary Services Act (FAIS). According to the FAIS Act, Key Individuals have a fiduciary responsibility to ensure that they perform their duties with the necessary care, skill and diligence. FAIS, as well as the General Code of Conduct for Authorised FSPs, requires that FSPs have appropriate technological systems in place that eliminate, as far as reasonably possible, the risk that clients and other FSPs will suffer through, amongst other things, fraud, negligence, or professional misconduct.

The dispute arose out of the misappropriation of funds, totalling ZAR 3.1-million, invested by the RRC via Brough and Botha. The funds were misappropriated as a result of a business email compromise in the form of fraudulent emails sent by unknown hackers purporting to be withdrawal instructions from RRC, to Brough. The Court, in considering the matter, found that Brough did not take adequate measures to prevent the misappropriation from occurring, nor did Botha, both being bound by the legislation and guidelines governing the conduct of intermediary service providers. It was decided that the defendants failed to comply with the duties of an FSP and were guilty of gross negligence, flowing from the manner in which they dealt with the withdrawal instructions from the unknown hackers. Of particular relevance was the fact that the defendants:

Ignored errors on the change of bank account letters, including that RRC’s name was not written in full and that the logo of the respective bank was missing from the letter; and

Ignored the unusual nature of the withdrawals, which were large sums of money drawn in short succession and without notice.

The Court considered the fact that had Botha paid careful attention to the purported letter from the bank, it would have revealed that it was not the plaintiff’s bank account but that of a “Rotary Club” with no name. Further, the Court noted that Botha should have considered the history of the withdrawals from his client and taken time to understand their business insofar as enquiring what the funds were for. The judgment noted that the defendants had failed to exercise the necessary skills, care and diligence, as well as their contractual obligation to be vigilant. The Court found that they had been grossly negligent.

The defendants were found jointly liable to pay the plaintiff ZAR 3.1-million at 10.5% interest per annum, plus costs.

Darryl Bernstein, Partner and Head of the Dispute Resolution Practice in Johannesburg, noted, “This judgment highlights the importance of the responsibility placed on FSPs, as well as those individuals under the supervision of the respective FSPs, to be extra vigilant in an era where cybercrime is rife. It further places great importance on functioning internal controls, such as two-step verification processes, to avoid, as far as possible, the promulgation of cybercrimes and to prevent gross negligence. The judgment is also a reminder to intermediary service providers that, even in instances where the funds are administered by a third party, the proverbial buck stops with the FSP with whom the client has a contractual relationship.”