Claim No. CFI 004/2020
THE DUBAI INTERNATIONAL FINANCIAL CENTRE COURTS
IN THE COURT OF FIRST INSTANCE
BETWEEN
AEGIS RESOURCES DMCC
Claimant
and
UNION BANK OF INDIA (DIFC) BRANCH
Defendant
JUDGMENT OF JUSTICE ROGER GILES
Hearing : | 23 to 27 May 2021 |
---|---|
Counsel : | Stephen Doherty instructed by Holman Fenwick Willan Middle East LLP on behalf of the Claimant Mr Peter Duckworth instructed by Ashish Mehta & Associates on behalf of the Defendant |
Judgment : | 11 July 2021 |
UPONhearing counsel for the Claimant and counsel for the Defendant at trial which took place from 23 until 27 May 2021
AND UPONreviewing all documents recorded on the Court file
IT IS HEREBY ORDERED THAT:
1. The parties shall provide to the Registry within 14 days draft orders in accordance with these reasons.
Issued by:
Nour Hineidi
Registrar
Date of Issue: 11 July 2021
Time: 1pm
SCHEDULE OF REASONS
Introduction
1. This is a case in the emerging realm of cyber fraud. A bank paid out money to a fraudster on emailed payment instructions, purportedly from its customer but in fact from the fraudster who had hacked into the customer’s email system. Who bears the loss, the bank or the customer? If the bank, does the customer recover consequential loss?
2. The answer is fact-specific. On the facts of this case, for the reasons which follow the loss falls upon the bank, and the customer recovers some consequential loss.
The Parties
3. The customer was the Claimant, Aegis Resources DMCC (“Aegis“). It was formed in the UAE in October 2016, and in January 2017 was granted a licence for the activities of trading in “Coal & Firewood”, “Raw Materials”, “Metal Ores”, “Sand, Gravel & Stones” and “Marble & Natural Stones“. It enjoyed a relationship with JSW Steel Limited (“JSW Steel”), India’s largest steel-making company, and its trading was confined to sourcing minerals required as raw materials in steel manufacture (specifically, dolomite, limestone, pyroxenite and coal) from mine owners and selling and transporting the minerals to JSW Steel. The Managing Director and sole owner of Aegis was Mr Girish Agarwal. Mr Agarwal gave evidence in the proceedings, as did Ms Kinga Kuruczova, the International Sales and Executive Assistant in Aegis.
4. The bank was the Defendant, Union Bank of India (the“Bank”). It had a branch in the DIFC with which Aegis, with offices in Dubai, had its dealings. From March 2018 the Senior Executive Officer at the branch was Mr Jithender Maniram. He also gave evidence in the proceedings, as did other members of the branch staff: the Chief Financial Officer, Mr Narendra Kumar; the Compliance Officer and Money Laundering Reporting Officer, Mr Prosenjit Shee; the Operations Head, Mr Puneet Trivedi; and the Operations Assistant, Mr Sangeeth Sebastian.
The Banking Relationship
5. Aegis had been preceded by Aegis Carriers Ltd (“Aegis Carriers”), formed by Mr Agarwal in December 2014/January 2015 to facilitate international commodity trading. The relationship with JSW Steel began with Aegis Carriers, which extended its business to the trading itself. In November 2016, Aegis Carriers obtained the equivalent of an overdraft facility from the Bank, with a limit of USD 5 million, secured by a standby letter of credit issued by ICICI Bank in India in its favour and for the account of JSW Steel. It opened a current account and a trust receipt (“TR”) account with the Bank, the latter functioning as an overdraft facility.
6. Aegis was established to take up the trading business of Aegis Carriers. Following its formation and licensing, on 9 February 2017 it opened a current account with the Bank. The account opening form had a box for describing the customer’s principal activities, which was completed by inserting the number of Aegis’s trading licence and the same activities as stated therein, that is, trading in the particular commodities set out in [3] above. It also had a box for describing “Destination of Payment/Utilisation of Funds”, which was completed with the information, “UAE, Oman, Thailand, Singapore, Hong Kong, Indonesia, South Africa“. A copy of the trading licence was also provided to the Bank.
7. On the same date, a form headed “Application and Indemnity for Facsimile Instructions” (the“Form”) was signed by Mr Agarwal with Aegis’s stamp. (Mr Agarwal said that he did not recall signing the Form, but I do not think it was in dispute that he did and in any event I find that he did). The body of the Form began with space for the entry of an account number, which was completed “CD/TR“. This was not explained, but it appears that an overdraft facility involving a TR account was in contemplation. Whether the Form applied to the credit facility next mentioned was an issue in the proceedings, to which I will return.
8. As a very general description, the Form purported to protect the Bank when it acted on instructions from Aegis. The Bank relied on a number of its provisions in these proceedings. It is in some respects strangely worded, and I will not further describe its terms or provisions at this point and will return to it as appropriate later in these reasons.
9. With Aegis taking over the trading business of Aegis Carriers, the latter’s overdraft facility was not renewed. In due course its accounts with the Bank were closed. Aegis obtained its own overdraft facility.
10. By a letter dated 28 June 2017, the Bank offered Aegis a credit facility “for the general working capital and trade finance requirements“. The credit facility was embodied in a “USD 10,000,000 Facility Agreement” dated 29 June 2017 (the“Facility Agreement”), a substantial document of 57 pages. It provided for a “TR Facility“, also described as an overdraft facility, and for a letter of credit facility. Only the former is relevant in the proceedings. I set out material provisions of the Facility Agreement.
11. Clause 2 is the general provision for availability of the credit facility. It includes:
“2.1 The Lender agrees to make the Facility available to the Borrower during the Availability Period, subject to the terms and conditions of this Agreement. The Facility is to be utilised to meet the working capital requirements of the Borrower.
2.2 Subject to the terms and conditions of this Agreement, the Lender agrees to make the Facility available to the Borrower for an amount up to the Facility Amount and the relevant Facility Limits…
…
2.4 The Lender is not bound to monitor or verify the application of any amount borrowed pursuant to this Agreement.
2.5 …”
12. Clause 4 is concerned with the TR Facility. It provides in cl 4.1 for the drawing of “Advances“ under the TR Facility, and:
“4.2 Any Advance under the TR Facility shall:
(a) be utilised for imports/local purchase under letters of credit for making payment to suppliers for procurement of goods or for making payments under collection documents or by making advance payments against proforma invoice for purchase of goods, provided that the goods are of a nature that the Borrower is authorised to deal in as per its existing and valid trade licence;
(b) …
(c) It is [sic] accompanied by the original documents of title (i.e. invoices, bills of lading, import bills or otherwise received by the Borrow from suppliers) to the goods (the “Documents of Title”);
(d) …”
13. Clause 18 is headed “Notices”. It includes:
“18.1 Any communication to the Borrower to be made under or in connection with this Agreement shall be made in writing and, unless otherwise stated, maybe made by fax, letter or email.
18.2 The address, fax number and telex number (and the department or officer, if any, for whose attention the communication is to be made) of each party for any communication or document to be made or delivered under or in connection with this Agreement is that identified with its name below or any substitute address, fax number, email address or department or officer as the party may notify to the Vendor by not less than five (5) business days’ notice:
(a) The Borrower
AEGIS RESOURCES DMC
Address…
Tel…
Fax…
Email…
Attention: Mr Girish Agarwal
(b) The Lender
Union Bank of India DIFC Branch
Address…
Tel…
Fax…
Email…
Attention: Mr Akhilesh Kumar/ Mr Prasant Kumar Sahoo
18.3…
18.6 The Lender shall have no liability to any other party hereto in respect of any loss suffered by reason of the Lender acting (or omitting to do some act) in accordance with any request or instructions set out in an email or fax sent to it, or appearing on its face to be sent to it, by any other party hereto if the fax includes on a cover sheet or at the head of the first page thereof a reference to the name of any other party hereto and is signed by a person who is so authorised in a board resolution of such party a copy of which has been delivered to the Lender.
18.7 The Lender shall be entitled to act in accordance with any email or fax message such as is referred to in clause 18 and the Borrower shall indemnify the Lender in respect of any liabilities, costs, claims, losses, damages or expenses suffered by the Lender in, or in connection with, so acting provided that the Lender has acted in good faith.”
14. Clause 18.2 contained the addresses, telephone and fax numbers and email addresses, which I have not set out. The email address for Aegis was xxxx-overseas.com (the“Aegis Email Address”).
15. By cl 24.1, the Facility Agreement “and all non-contractual obligations arising from or in connection with” [it] were governed by the laws of the DIFC. It may conveniently be noted that the account opening form did not provide for a governing law, but the parties appeared to assume that the entire banking relationship was governed by DIFC law, and I see no reason to conclude otherwise.
16. The Facility Agreement was for a term of one year. Pursuant to a letter from the Bank dated 27 June 2018, signed by Mr Agarwal on behalf of Aegis by way of acceptance, it was renewed for a further year, to 27 June 2019, subject to the terms and conditions in the letter. They included an undertaking by Aegis, which had not been in the Facility Agreement, that “D & B or any credit report has to be submitted whenever the transaction exceeds more than USD 100,000.00”. They also included the general requirement, which had also not been in the Facility Agreement, “The above facility will be used for the purposes mentioned in the SBLC issued by ICICI Bank, Mumbai (For supply of any goods and services for manufacturing of steel to JSW Steel Limited)”.
17. The standby letter of credit in evidence was issued in June 2017 and expired on 13 June 2018. It was issued by ICICI Bank on the application of JSW Steel, in the amount of USD 10 million. It was available against the presentation of a claim from the Bank, the claim requiring a statement by Aegis “confirming that payment of subject invoice for the delivery of the goods shipped (relevant commodity to be indicated) is legally and properly past and due by JSW Steel Limited”. The “relevant commodity” was indicated by the statement, “Description of Goods: any goods and services for manufacturing of steel“. According to Mr Agarwal, there were multiple versions of the SBLC but the material terms remained unaltered, and it was not in dispute that a standby letter of credit as mentioned in the letter dated 27 June 2018 was in force during the renewed term of the Facility Agreement.
18. The renewal of the Facility Agreement was formalised in a Supplemental Agreement dated 28 June 2018. It recited the letter dated 27 June 2018 and that it had been agreed to enter into the Supplemental Agreement “to modify and bring on record, certain terms of the Facility Agreement“. By clause 1, Aegis agreed to be bound by the terms and conditions contained in the letter and the Supplemental Agreement in addition to the terms in the Facility Agreement, the former to prevail in the event of any inconsistency. By clause 2, it was said that Aegis would be “eligible to avail from the Lender an Overdraft Facility on the terms and conditions contained herein “, elsewhere in the agreement meaning a facility of USD 10 million. Clause 4 made specific the agreed use of the TR facility, providing that it was agreed “that the renewed Facility shall be utilised for the supply of any goods and services for the manufacturing of steel to JSW Steel Limited India”. (In anticipation of later reference in these reasons, see [155], it should be noted that while this referred to services as well as goods, it was necessary that both the services and the goods be supplied to JSW Steel.) Clause 6(2) specifically added to the Facility Agreement an undertaking by Aegis “to provide a D & B report or other credit report acceptable to the Bank for all transactions over USD 100,000”.
The Usual Use Of The TR Facility
19. Aegis had a niche business. It obtained the four commodities from mine owners - dolomite, limestone, pyroxenite and coal, all used in the manufacturing of steel - and on-sold and shipped them to JSW Steel in India. It did not trade in any of the other commodities in its trading licence, and JSW Steel was its only customer for the commodities. It used the TR facility to pay the mine owners for the commodities and to pay for their shipment to JSW Steel in India.
20. When an invoice was received by Aegis, it was first verified by the Aegis sourcing (cargo invoices) or operations (freight invoices) department in India, and in the case of a freight invoice re-verified by the sourcing department. The departments’ electronic signatures were attached, and it was sent by email to Mr Agarwal and usually copied either to Ms Kuruczova or to her assistant Ms Hiba Zuberi. For payment by the Bank, a draft payment instruction would be prepared, using a template provided by the Bank. The payment instruction provided for insertion amongst other things of the amount to be paid, the name and address of the company to be paid and its bank details, and “purpose of the remittance” This last was always completed “payment of invoice no XXX“ in the case of payment for a commodity and “payment of freight invoice” in the case of payment for shipment to JSW Steel.
21. Ms Kuruczova or Ms Zuberi would collate the supporting documents for the payment instruction, being the invoice itself and copies of the relevant bill of lading. These always reflected that the supply was to JSW Steel. The copy of the bill of lading, which was collated together with a cargo invoice as well as together with a freight invoice, necessarily always included a notify address being JSW Steel. In addition, as well as recording the commodity, the tonnage and the invoiced amount, a freight invoice would commonly record the vessel on which the commodity had been loaded and the “notify party“ being JSW Steel. The completed payment instruction and supporting documents would then be emailed to Mr Agarwal.
22. When Mr Agarwal was happy with these documents, he would sign the payment instruction and it and the supporting documents would be emailed to the Bank under a covering email requesting payment. From the spreadsheet next mentioned, they were almost always emailed from the Aegis email address, which was used by Mr Agarwal, but occasionally from an email address used by Ms Kuruczova.
23. The payment instruction and supporting documents would also be faxed to the Bank. There was some dispute, and confusion, in the evidence over whether they were always faxed to the Bank. Because the fraudulent payment instructions were not faxed to the Bank as well as emailed, under the guise of what it “acted on” the Bank was concerned to say that faxing did not always occur and it correctly acted on the email, while Aegis was concerned to say the reverse. The best evidence, better than assertions by the witnesses which I think were rather influenced by the parties’ perceived interests, is a spreadsheet prepared by Ms Kuruczova from Aegis’s records.
24. In the period 3 March 2017 to 28 May 2019 (the first fraudulent payment instruction was on 30 May 2019), there were 178 transactions. There can be left aside a small number without email or fax where it is stated “Original inward documents received by the bank”, explained as meaning an email was not required and the payment request would be submitted when Ms Kuruczova visited the Bank to collect the documents, or internal transfer, which was not explained. Email but no fax is recorded a number of times, 18 up to 6 December 2017, three in September 2018, and one on 28 May 2019, the last with a note of fax error; fax but no email is recorded 15 times, all from 13 February 2019. At a late stage the Bank produced from its own records an email for four of the transactions in the period from 13 February 2019, but that left 11 occasions. Other statistics can be taken from the spreadsheet, but looking at it as a whole, and while allowance must be made for possible incompleteness in the records, the picture is one of a fax and an email being sent, or sometimes a fax only, overwhelmingly so in the later part of the period.
25. Aegis, from late 2018 usually Ms Zuberi, would also telephone Mr Sebastian of the Bank following emailing/faxing the documents. There was a degree of the same dispute as in relation to faxing. From the spreadsheet, this occurred on the vast majority of occasions, and as to occasions not there noted Ms Kuruczova explained that sometimes Ms Zuberi would make calls to the Bank from her personal mobile number and sometimes a call would not be made because the Bank itself telephoned Aegis: she said that “ it was standard customary practice for us to call UBI to confirm the transaction”.
26. These elements in the submission of a payment instruction to the Bank must be taken together. In my view the procedure which became established was not that of simply an email with the payment instruction and supporting documents. There are nine such occasions in the spreadsheet, all prior to 2018. On every other occasion thereafter there was either a fax or a telephone call, and on the vast majority of the occasions both. I note in this regard Mr Agarwal’s evidence that in his initial conversations with the Bank it required original signed instructions as it had no procedure to process payments via email instructions, and in the interests of time it was agreed that payments could be processed on receipt of faxed payment instructions: he characterised the email as “pre-intimation” of the fax so that the Bank could begin its processing. Whether or not that be the origin of emailing and faxing the documents, as seems likely, the faxing of the documents as it became established could not have been or been seen as an empty exercise. It served a purpose, at the least that of verification of an emailed payment instruction.
27. I turn to what happened within the Bank. There was what Mr Maniram described as analysis of the payment request and necessary due diligence on the proposed beneficiary. The payment instruction first went to the Operations Assistant, then to the Operations Head, then to the Compliance Officer, then to the Chief Financial Officer, and finally to the Senior Executive Officer. What happened must be gleaned from different accounts including the cross-examination.
28. Apart from a check that there was sufficient credit in the TR facility. Mr Shee and Mr Trivedi both said (in identical terms) that the bank “determines whether the payment request is in compliance with the terms and conditions of the facility by verifying the purpose of the transaction, the beneficiary, the country the beneficiary is incorporated in, etc”, and I infer that this was done at the Operations level. Mr Sebastian and Mr Maniram agreed that this was done. According to Mr Shee, the Bank also ascertained the veracity of the payment request by making a comparison between the price of the goods or services as mentioned in the copy of the commercial invoice received with the payment request and the price of the same goods or services in the public domain, to determine whether the price as stated in the copy of the commercial invoice was in line with the market price and to identify any case of over invoicing or under invoicing: the other witnesses also agreed with this.
29. The bill of lading was checked to verify whether the vessel was sanctioned or under any regulatory provisions, and the Bank (I infer the Compliance Officer) also addressed whether the transaction was sanctioned because the beneficiary was located in a country subject to regulatory prohibition or in a country considered as a high risk jurisdiction. A check was made of the beneficiary’s status on “World Check”, by search of a database to identify various forms of risk – it seems that considerations such as money laundering and terrorism were here in play. Despite cl 6 (2) of the Supplemental Agreement, Dun & Bradstreet or other credit reports were not always provided by Aegis or requested by the Bank, although the evidence included occasions when they were requested and, perhaps curiously, where the transaction proceeded on an undertaking by Aegis to provide a credit report. The evidence left it unclear when a credit report would or would not be required prior to payment (although one would expect it would be required if the payment was to a new beneficiary).
30. Although some of these checks could be seen as solely in the Bank’s interests, it is quite clear, and was stated in terms by the Bank’s witnesses, that it was concerned to verify the authenticity of the payment instruction - something which, although no doubt in the Bank’s interests, was also for the benefit of its customer Aegis and in accordance with the implied terms of the banking relationship concerning protection of the customer as excepted by the Bank, see [53] below. In that vein, Messrs Trivedi, Shee and Sebastian all agreed that they considered the transaction history of the customer, and the matters in the Bank’s policy and training documents as examples of suspicious activity included that the customer’s transactions were not in line with his business activities and that the customer’s transactions were inconsistent with past transaction patterns. Other grounds for suspicion in those documents were where the transaction was out of the ordinary range of services normally requested or outside the experience of the branch in relation to the customer, and where there were incomplete details in a bill of lading. On occasions the Bank did question a payment instruction for that reason, as in when the name of the invoicing carrier did not appear in the bill of lading, and suspicion because of incomplete details would have to have extended beyond bills of lading.
31. When satisfied, the Bank would give effect to the payment instruction. In addition to the current account opened in February 2017, the TR Facility was conducted through a TR account. The Bank would debit the TR account and credit the relevant amount to the current account, and make payment from the current account in accordance with the banking details in the invoice. Aegis would periodically transfer lump sums from separate sources into the current account, which would be used to reinstate the TR account.
The Fraudulent Payment Instructions
32. There were four fraudulent payment instructions. Payment was made on the first two, in the amounts of USD 826,000 and USD 241,500 respectively. The third was declined as there were insufficient funds in the TR account. The fourth was recognised by the Bank as fraudulent: payment was not made, and Aegis was alerted.
(a) The first Reto payment instruction
33. The payment instruction was emailed on 30 May 2019, the day before the Eid holiday period, from the Aegis email address. In the usual manner, the covering email read “Kindly make T/T payment as per our attached instructions and please revert with the Swift copy at the earliest today”, and bore the name of Mr Agarwal as signatory. Apart from the Bank email addresses, the email addresses to which it was copied in the heading were yyyy-oversea.com and zzzz-oversea.com, being “oversea“ rather than the “overseas“ in the correct email addresses used by Ms Kuruczova and Ms Zuberi to which the genuine emails were copied. The ”Subject” in the heading was “ARD Payout Instr Benf RETO PTE LTD [Mining – March+April]”. The attachments to the email were the payment instruction and an invoice from Reto Pte Ltd (“Reto”). There was no other accompanying document.
34. The payment instruction was completed in the manner of a genuine payment instruction, with an address for Reto in Singapore and providing for payment to Reto’s bank in Singapore, save that the purpose of the remittance was stated as “Payment of mining operations” rather than ”Payment of invoice xxx”. The invoice, which did have an invoice number, described the charge only as “March & April Mining Operations 826,000.00”. To anticipate Aegis’s submissions, see [142], there was nothing on the invoice to indicate that the mining operations, whatever that conveyed, had to do with manufacturing of steel by JSW Steel, and in the absence of a bill of lading with a “notify party” there was no other such indication.
35. Later on 30 May 2019, how much later being uncertain due to apparent differences in email timing, a follow-up email was sent by the fraudster from the Aegis email address and with the same header details. It read, “Kindly send SWIFT copy of this payment made, as we need it urgently”.
36. The payment instruction was processed by the Bank, and USD 826,000 was transferred from the TR account to the current account and payment was sent to the Singapore bank. It is not clear, and I do not think it matters, whether the payment was made before or after the follow-up email. I will come later to the evidence of the Bank’s attention to this and the next payment instruction.
(b) The first Clamour Robotics payment instruction
37. The payment instruction was emailed on 10 June 2019, again from the Aegis address with the usual covering email and with the “oversea“ copy email addresses. 10 June 2019 was the first working day after the Eid holiday period. The “Subject” in the heading was “ARD Payout Instr Benf CLAMOUR ROBOTICS SA DE CV [ Equipment-Tools ]”. Again, the attachments to the email were only the payment instruction and an invoice from Clamour Robotics SA de CV (“Clamour Robotics”), and there was no bill of lading or additional accompanying document.
38. As before, the payment instruction was completed in the manner of a genuine payment instruction, but this time with an address for Clamour Robotics in Mexico and providing for payment to its bank in Mexico, and with the purpose of the remittance stated as “Purchase of mining tools and equipments“. The charge in the invoice was described in boxes across the page, the first signifying one item, the second under the heading “Description“ stating “Mining tools and equipments“, the third under “Country of origin“ stating “United States“, and the final one stating a total price of USD 241,500. As was perhaps appropriate for the sale of such goods, another box was headed “Ship to“: it was completed with the name of Aegis and its address in Jumeirah Lakes Towers in Dubai. Similarly anticipating Aegis’s submissions, see [156], there was nothing to indicate that the mining tools and equipments, whatever they were, had to do with manufacturing of steel by JSW Steel.
39. The payment instruction was also processed by the Bank, and USD 241,500 was sent to the Mexican bank.
40. It may be added that both the Reto invoice and the Clamour Robotics invoice bore digital signatures of Aegis’s sourcing and operations departments, as genuine invoices usually did. The digital signatures were in fact identical with, and apparently taken by a copy and paste process from, a genuine freight invoice issued by Oldendorff GMBH & Co, which had been provided to the Bank on 28 May 2019 as one of the supporting documents for a payment instruction to pay that carrier.
(c) The second Reto payment instruction
41. Later on 10 June 2019, an email was sent from the Aegis email address with a payment instruction and invoice, identical to the email with the first Reto payment instruction both in the email apart from its date and in the payment instruction and the invoice (including that the mining operations were March and April). Mr Sebastian replied to the email, “We are unable to process this transaction due to insufficient funds. Please find the attached statements for your reference.” The hacking of Aegis’s email system was such that the reply was not received by Aegis. The fraudster responded, from the Aegis email address, “Thank you for the information. We would fund the account and process this later. However we sent another TT request for another transaction. I would resend that again for processing.”
42. In the result, no payment was made on this payment instruction. That it was a repeat of the first Reto payment instruction went unnoticed, and neither the sending of the identical payment instruction nor the fraudster’s obscure response excited enquiry by the Bank. It seems that Mr Sebastian‘s first task was to check for funds, and when insufficient funds were available no further attention was paid to the matter.
(d) The second Clamour Robotics payment instruction
43. The payment instruction was emailed on 11 June 2019, from the Aegis email address. It was as for the first Clamour Robotics payment instruction except that the “Subject” in the email referred to “[Equipments – Tools Final Payment]”. The invoice was in the same terms as the previous invoice, including being for “Mining tools and equipments”, but this time for USD 382,000, and the payment instruction continued to state the purpose of the remittance as “Purchase of mining tools and equipments“. Again, no bill of lading or other additional supporting document was provided.
44. On his initial evidence, when in its processing this payment instruction reached Mr Trivedi, the Operations Head, he regarded it as suspicious. Mr Shee, the Compliance Officer, said that he was the one who raised the alarm, and Mr Trivedi later said that it was Mr Shee (which means that the reasons for suspicion now asserted by the Bank had escaped the attention of Mr Sebastian and Mr Trivedi). The suspicion was reported to Mr Maniram, and a meeting was held attended by Messrs Maniram, Narendra Kumar, Shee and Trivedi and a Mr Lawand. According to witness statements of Messrs Maniram, Shee and Trivedi, all in identical terms in this respect, the payment instruction was regarded as suspicious because it was similar to the previous payment request from Clamour Robotics, the payment request was for the same amount, and the payment was requested in quick succession after the previous payment request for the same beneficiary and the same amount, and at the meeting it was decided that Aegis should be contacted to verify its authenticity. (In fact, the payment request was for a different amount, and this was corrected by the witnesses; from Mr Trivedi’s evidence, it was meant that the amounts were similar).
45. Mr Agarwal was contacted by Mr Manish Kumar, the Bank’s Senior Credit Manager. According to Mr Argawal, Mr Manish Kumar indicated a different ground for suspicion. He asked why Aegis was attempting to make payment to Mexico to a company called Clamour Robotics. Mr Argawal said that Aegis had not given those instructions and there must be some sort of mistake. Mr Manish Kumar said that payment instructions had been received, but they were not as per the approved facility usage. When Mr Manish Kumar said that USD 241,500 had already been sent to Clamour Robotics, Mr Agarwal ask why the Bank was only calling at that point, and was told that the Bank had received a second payment request for USD 382,000 but Mr Shee had flagged the transaction as falling outside the terms of the facility.
46. Mr Agarwal told Mr Manish Kumar to ensure that the transactions were stopped, and in the result no payment was made on this payment instruction.
How Did The Fraudster Do It?
47. Aegis was a phishing victim. From later investigation, the likely phishing email was sent to the Aegis email address on 22 May 2019 with an attachment VoiceNote. Thinking there was a voice message, Mr Agarwal open the attachment and was prompted to complete Office 365 log in details in order to open the voice note. He did so. There did not appear to be a voice note message, so he closed the window. At the time he did not think anything of it.
48. By this means, the fraudster obtained access to the email account, and because Mr Agarwal was the administrator was able to gain access to modify the configuration settings. The fraudster could then ascertain how Aegis processed payment instructions, and construct and send the fraudulent emails and their payment instructions and accompanying documents.
Recovery Efforts
49. It is not necessary to give the detail of these efforts. The Bank contacted the Singapore and Mexican banks to recall the funds. Mr Agarwal travelled to Singapore and contacted the nominal resident director of Reto (which was a genuine company, although not at the address in the fraudulent invoice) as ascertained by an ACRA search, the Singapore Police and the Singapore bank to the same end. He filed a complaint with the Dubai Police, and other authorities were also informed. The money sent to the Mexican bank had been withdrawn, and at least so far as the evidence went no more was known. Most of the money sent to the Singapore bank had been transferred to a number of banks and companies in China, and what happened to the rest was not ascertained. Much later, Mr Agarwal was told that the Singapore Police had managed to secure USD 4,000 of the money sent to the Singapore bank. In April/ May 2020 this recovered sum, in fact USD 4,643.31, was received by Aegis. The rest of the funds were lost to Aegis or the Bank, which ever it be that must bear the loss.
The Parties’ Positions In Outline
50. In its skeleton argument and closing submissions, Aegis put its claim on two bases. The first was that the Bank had acted in breach of the terms of the TR Facility by giving effect to payment requests that were unauthorised, fell outside the agreed scope of the TR Facility, and did not conform to the agreed payment process (the“Mandate Basis”). That, in its submission, was sufficient for it to succeed in its claim, because in law the Bank was taken to have assumed the risk of the funds being misappropriated through the fraudster’s actions. The second, to which it said it was unnecessary to go, was that the Bank owed it a duty to exercise reasonable care and skill in executing its instructions, and breached the duty of care (the“Duty of Care Basis”).
51. The Bank’s skeleton argument and closing submissions did not well distinguish between the two bases, but its principal position was that the contractual relationship between the parties was all-determinative and, through the protection in the Form and also provisions in the Facility Agreement, placed the risk of giving effect to the fraudulent payment instructions on Aegis. It denied in any event a duty of care, on the ground that the funds advanced under the TR facility were “the Bank’s money“, and denied negligence. It said that if it did owe a duty of care and breached that duty, Aegis was itself contributorily negligent, or alternatively it was not liable because Aegis had voluntarily assumed the risk of it giving effect to the fraudulent payment instructions. It further submitted that Aegis’s claim failed on causation, because the loss it suffered was not as a result of the fraudulent payment instructions but rather because the Bank subsequently exercised its contractual right to debit its account with the sums paid out.
52. In contesting the Bank’s position, Aegis further submitted that the protective provisions on which the Bank relied were not available to it because they were not reasonable under Articles 37 and 38 of The Implied Terms In Contracts And Unfair Terms Law, DIFC Law No 6 of 2005 (the“Implied Terms Law”), and could not be excluded so far as the duty of care arose under the DIFC Regulatory Law, DIFC Law No 1 of 2004.
53. Save when Aegis unexpectedly fell back on them, see [172], the proceedings were conducted with a healthy disregard of the pleadings. The parties had filed an Agreed List of Issues well prior to the hearing. Only in limited respects did the issues therein correspond with those in the parties’ submissions. No reference at all was made to it in the course of the hearing, and so far as it limited the issues for trial, I join the parties in disregarding it. However, two matters may be noted. First, it was stated as not disputed, amongst other things, that there were implied terms of the contract between the parties that the Bank “would take reasonable steps to safeguard [Aegis’s] bank accounts and to prevent misuse of the account by third parties“, and “would review Payment Instruction Requests provided by [Aegis] to ensure that they had actually been made by [Aegis]”. Secondly, the issue of contributory negligence was confined to where it related to liability of the Bank under Article 17 of the DIFC Law of Obligations, Law No 5 of 2005. Some subsequent reference to these matters will be made, see [113] and [161].
The Mandate Basis
54. The relationship between banker and customer has long been established as essentially one of debtor and creditor. It has also long been established that, unless the customer has authorised the bank to make payments which reduce the indebtedness, the debt remains: seeLondon Joint Stock Bank Ltd v Macmillan [1918] AC 777 (“Macmillan”). Where a forged cheque is presented to the bank, and the bank makes payment, the debt remains. There are limited qualifications: it is otherwise if the customer has failed to take usual and reasonable precautions in drawing the cheque to prevent a fraudulent alteration, or has failed to inform the bank of forgery as soon as the customer becomes aware of it (the“Qualifications”): seeMacmillan; Greenwood v Martins Bank Ltd [1933] AC 51.
55. This was affirmed inTai Hing Cotton Mill Ltd v Liu Chong Hing Bank Ltd [1986] AC 80 (“Tai Hing”), where an attempt to widen the circumstances in which the customer’s default might relieve the bank from liability for unauthorised payment of a forged cheque was rejected. The basis for the bank’s liability was expressed by Lord Scarman, giving the advice of the Privy Council (at 106):
“The business of banking is the business not of the customer but of the bank. They offer a service, which is to honour their customer’s cheques when drawn upon an account in credit or within an agreed overdraft limit. If they pay out upon cheques which are not his, they are acting outside their mandate and cannot plead his authority in justification of their debit to his account. This is a risk of the service which it is their business to offer.“
56. In Aegis’s submission, on the same basis the Bank acted outside its mandate in paying out on the fraudulent payment instructions, and the unauthorised payments could not be debited to its account or otherwise claimed from it. The first Reto and Clamour Robotics payment instructions, on which a total of USD 1,067,500 was paid out, were not authorised payment instructions from Aegis - they came from the fraudster, and were equally forgeries. That, Aegis submitted, was sufficient for its case on the Mandate Basis. As well, it said, the payment instructions were outside the agreed scope of the facility because they were not for payment for goods and services for the manufacturing of steel supplied to JSW Steel, and they did not conform to the agreed payment process because they did not include requisite documents of title, such as contracts for performance of the mining operations or for purchase of the mining tools and equipment. I do not go into those matters at this point; they are of more significance to the Duty of Care Basis.
57. I did not understand the Bank to submit that the payment instructions from Aegis were in a different position from a cheque, such that theTai Hingbasis for liability did not equally apply if it was otherwise in play. In this, in my view it was correct. No authority was cited one way or the other, but there is no reason in principle to distinguish between modes of acting outside a bank’s mandate. A cheque is an instruction to pay money, the payment being accounted for in reduction of the bank’s liability to the customer as debtor or, if the customer is in overdraft, in a debit to the account whereby the customer’s indebtedness to the bank is increased. If the cheque is a forgery, unless one of the Qualifications applies the indebtedness cannot be reduced or the debit cannot be made. That the instruction is in some other form, here a payment instruction, makes no difference in principle: still, if the payment instruction is not the customer’s instruction, but that of a fraudster and equally a forgery, the bank acts outside its mandate in making payment.
58. The Bank appeared to rely on the first qualification, drawing a cheque in a manner facilitating fraud, in that it referred toMacmillanfor a customer’s obligation to take reasonable precautions to guard against forgery. If it meant to submit that the qualification was enlivened through its position that Aegis had been guilty of contributory negligence, I do not agree. As later described, the contributory negligence on which it relied was in the circumstances in which Aegis fell victim to the phishing, at that point the Bank’s submissions being directed to contributory negligence as a partial answer to the Duty of Care Basis. InMacmillanLord Finlay LC emphasised (at 795) that the customer’s negligence “must be in the transaction itself, that is, in the manner in which the cheque is drawn“ (see also Viscount Haldane at 815 and Lord Parmoor at 834), and in Tai Hing the contention that the customer had to take reasonable precautions in the management of its business with the bank to prevent forged cheques being presented to it for payment was rejected as unnecessary to make the contract effective. The decision has not been universally approved, but the law is firmly established Any want of care in succumbing to the phishing and allowing the hacking of Aegis’s email system does not avail the Bank as an answer to the claim on the Mandate Basis.
59. It was not clear whether the Bank submitted that theTai Hingbasis for liability was distinguishable on the ground (as it was put) that the money was not Aegis’s money, but the Bank’s money. A submission on that ground was prominent in relation to theQuincecareduty in the Duty of Care Basis, but does not automatically transpose to the Mandate Basis. The language of property is not appropriate - the Bank was not distributing banknotes, and if it had been the banknotes would always have been its property - and the intended distinction was between payment from funds standing to Aegis’s credit in the current account and payment from funds advanced to Aegis by the Bank under the TR Facility. I deal with the submission on the assumption that it was also made in relation to the Mandate Basis.
60. At one level, the distinction does not arise in this case. The funds advanced to Aegis under the TR Facility were credited to its current account and paid out from the current account, and upon the funds being credited to the current account the Bank was Aegis’s debtor in the ordinary banker/customer relationship and made unauthorised payments from that account. If the matter be viewed more widely, with the payment instructions being seen as instructions fulfilled by (first) advancing funds under the TR Facility, in my view there is no different outcome. It does not matter in principle whether payment out is made from funds owed by a bank to its customer or from funds which the bank had agreed to advance to its customer on overdraft or the equivalent of an overdraft. It is the payment out that matters, and in either case the bank is acting outside its mandate in paying the funds out without the customer’s authority. It cannot debit the current account, or in the case of funds advanced require repayment of the advance, as the case may be.
61. It may be noted that inTai HingLord Scarman referred, in the passage set out above, to cheques “drawn upon an account in creditor within an agreed overdraft limit” (emphasis added). The Bank’s submissions included, although in relation to theQuincecareduty of care, that His Lordship was referring to a current account where the customer was “allowed to go into the red from time to time”, and did not mean “a fully fledged loan facility”. I see no reason to restrict His Lordship’s words in that way, but in either event the funds are advanced and are, in the initial language, the bank’s money. As will be seen, I do not accept the corresponding submission that theQuincecareduty of care does not apply where the money is the bank’s money.
62. A bank can seek to modify the consequences of paying on a forged cheque, or acting on an equivalent payment instruction, by express provision in its contract with the customer: inTai HingLord Scarman referred to this (at 106) as “increas[ing] the severity of their terms of business”. The Bank’s principal submission, although not suggesting severity, was that it did so. The submission rested on provisions in the Form and in the Facility Agreement, which the Bank said displaced any liability for payment out without authority. (Reliance on the provisions was not identifiably pleaded in the Amended Particulars of Defence, and the Agreed List of Issues referred only to those in the Form; no objection was taken. It relied on the same provisions to displace any liability for breach of a duty of care, but for the present I address only liability for payment out without authority.)
63. The Bank referred in particular toDu v Jameson Bank [2017] ONSC 2422 (“Du”), a decision of the Ontario Superior Court of Justice. In that case Du’s conduct of a foreign currency exchange account included giving wire transfer instructions to the bank by email; his email account was hacked, and fraudulent instructions were sent and complied with. It was held that the bank was not in breach of contract because (at [68]):
“The agreement between the parties identified the risks associated with this account, namely operating on the basis of electronic communications. The agreement made it clear that Du assumed the duty of care in relation to that risk. Furthermore, the agreement established standard of care [sic] by which Jameson could be held responsible; namely ‘gross negligence’ or ‘wilful misconduct’.”
64. It is not entirely clear, with respect, what provisions in the agreement between Du and the bank the Judge had in mind. They appear to have been a provision that the bank could rely and act upon “electronically transmitted instructions from or purporting to be from [Du] .. and which [the bank] believes in good faith to be genuine”, and a provision that absent gross negligence or wilful misconduct by the bank, it should not be liable for any loss incurred by Du in connection with any wire transfer. On an alternative claim in negligence, it was held that the bank had not been negligent at all.
65. It is necessary to consider whether, by the allocation of risk in the present case, the Bank took itself out of liability for unauthorised payment. In the course of submissions, nine separate provisions were identified on which the Bank relied. Six are found in the Form, three are found in the Facility Agreement. As I have said, the same provisions were relied on by the Bank as an answer to the Duty of Care Basis, but the question is not the same: it is not whether the Bank is entitled to rely on an unauthorised payment instruction, but whether the duty of care is excluded. It will thus be necessary to come back to the provisions in that connection.
66. I return to the Form, which I have earlier described as in some respects strangely worded. In noting its contents, I will italicise and number in the manner [1] the provisions on which the Bank relied.
67. As earlier stated, the Form was headed “Application and Indemnity for Facsimile Instructions”. But the first paragraph went beyond facsimile instructions, stating:
“I/We the undersigned, hereby request the Bank, as a service to me/us for such time as the Bank considers appropriate, to accept instructions which may from time to time be or purport to be given to the Bank orally in person, by facsimile or by any other electronic communication acceptable to the Bank on my/our behalf relating to the operation of all or any of my/our accounts or credit or other facilities or banking arrangements with the Bank and agree to be bound by the terms of this Application & Indemnity with respect to such instructions. In consideration of the Bank so agreeing to my/our request, I/We hereby irrevocably and unconditionally agree and undertake and covenant as follows:”.
68. By cl 1, the request was for an unlimited period of time until written revocation. By cl 2:
“The Bank is under no obligation to identify the party giving the instructions. However, the Bank may, at its discretion, require additional identification in an attempt to verify the instructions. [1]I/We agree that the Bank is not obligated to enquire as to the purpose of any transfer authorised by any such instruction or the identity of any transferee. It is understood that instructions may authorise any transfer, sale, assignment, exchange or other acts or disposal of the account and its contents. I/We also agree that the Bank may rely on any tape recording, written record, book entries or facsimile copy or a photocopy of a facsimile copy of such instruction, as the case may be, as constituting a final and conclusive evidence of instructions and the transactions thereunder. Should there be any indistinctness, ambiguity or other uncertainty in the contents of any instructions given, the Bank shall be entitled to construe and execute such instructions in the manner in which it has been perceived by the Bank.”
69. Clause 3 further dealt with inconsistency, and with inability to prevent the execution of an instruction. Clause 4 provided:
“I/We will confirm to the Bank in writing, on the same day, any instructions given to it. My/Our failure to do so shall not affect the validity of transactions that have been executed pursuant to those instructions. In the event of any in inconsistency between any instruction and my/our written confirmation [2]I/We further agree not to hold the Bank liable and to hold the Bank harmless and fully indemnified for all transactions executed by the Bank pursuant to either of them.”
70. Clause 5 then provided:
“ I/We agree that all such instructions are fully authorised by and binding upon me/us and the Bank may take such steps in connection with or in reliance upon such instructions as it may consider appropriate, including, without limitation, instructions to pay money or otherwise to debit or credit any of my/our accounts, or to commit me/us to any other type of transaction or arrangement whatsoever, regardless of the nature of the transaction or arrangement or the amount of money involved and [3]I/We agree to bear all risks in relation to any discrepancies or errors in the figures or instructions or messages as a result of any malfunction of the facsimile machines or misunderstanding or lack of clarity of such instructions. [4] I/We further agree that the risk of fraud, forgery or fraudulent impersonation shall be born by me/us.”
71. Passing over cl 6, cl 7 provided:
“ [5] I/We unconditionally agreed to indemnify the Bank and to hold the Bank harmless against any and all actions, claims or demands whatsoever which may arise and any loss, liability or expense (including legal costs on a full indemnity basis) incurred or suffered by the Bank of whatever nature and howsoever arising out of or in connection with such instructions. [6] I/we also agree that the Bank may without further notice to me/us, debit any of my/our accounts with it and reimburse itself in respect of the aforesaid claims, demands, losses, liabilities and expenses.”
72. The further clauses need not be mentioned. Before moving to the Facility Agreement, I note some questions in relation to the application of the Form to the present case.
73. The first question is whether the Form applied to the operation of the facility and the TR account. Aegis submitted that it did not, because the Facility Agreement’s description of itself in the definition of “Agreement“ was “this facility agreement and all attachments and schedules appended hereto and….any subsequent written modifications and amendments thereto…” , and the Form was neither an attachment nor a subsequent document. I do not accept the submission. The definition did not exclude an umbrella agreement in relation to the conduct of Aegis’s accounts with the Bank, and the terms of the Facility Agreement were otherwise not so inconsistent with it as to exclude it (except perhaps in one respect, see [97] below). The Form in its first paragraph stated an application in relation to “the operation of all or any of my/our accounts or credit or other facilities or banking arrangements with the Bank“, and was clearly ambulatory in its operation; and as earlier noted, from the “CD/TR” contemplated a TR account.
74. The second question is the scope of the Form. From the heading, it applies only to facsimile instructions. In the first paragraph, it purports to apply to instructions of all kinds, but from the reference to malfunction of the facsimile machines in cl 5 appears at that point to be confined to facsimile instructions. Clause 2 is obscure: it refers specifically to facsimile, but a written record (for example) may be of an oral or electronic communication. Does the Form apply only to facsimile instructions? It should not readily be thought that the Bank would seek to protect itself, as the Form is intended to do, in relation to facsimile instructions only. Notwithstanding the heading and the unsatisfactory drafting, I consider that the Form extends beyond facsimile instructions and would apply to an electronic communication, including email.
75. Aegis submitted, however, that this was not enough. Noting that the electronic communication had to be “acceptable to the Bank”, it said that for three reasons the payment instructions were not caught. The first was that it was necessary that there be some form of agreement upon what was acceptable, and there was no evidence of such an agreement. The second was that what was acceptable to the Bank called for regard to what was agreed in the Facility Agreement; that the Facility Agreement contained express requirements for an instruction to utilise the facility, relevantly in cl 4.2(c) that an advance be accompanied by the original documents of title; and that an emailed instruction without documents of title could not be said to be acceptable to the Bank. The third was that the communication had to be “relating to the operation of“ an account, and the fraudulent payment instructions were not, either because they did not come from Aegis but were unauthorised, or because the requested drawdown was not within the scope of the facility.
76. Again, I do not accept the submission, in any of its limbs. It is plain that communication by email was acceptable to the Bank, without any express agreement. The Form refers to the nature of the electronic communication, not the particular communication or the requirements for the particular communication. “Relating to” is a wide phrase. Objectively, the fraudulent payment instructions related to the operation of the TR account, the current account and the credit facility, and from cl 5 putting the risk of forgery on the customer a forged payment instruction could relate to them for the purposes of the Form; and they so related even though they could have been refused by the Bank because they were outside the terms of the facility.
77. I move to the Facility Agreement. I have already set out a number of its provisions, and will repeat, again italicised and numbered, those presently relevant.
78. The first is cl 2.4, “[7]The Lender is not bound to monitor or verify the application of any amount borrowed pursuant to this Agreement.”
79. The other two are to be found in cll 18.6 and 18.7. Clause 18 has its own drafting difficulties. It is headed “Notices”, and Aegis submitted that it related only to contractual notices and did not relate to payment requests; however, the sub-clauses show that it is of wider scope and is intended to cover communications generally, see for example “communication or document to be made or delivered under or in connection with this Agreement” in cl 18.2. That clause deals with communications between the parties, giving details for the addressee of the communication although in the first three lines omitting reference to email; it is nonetheless clear from the email addresses and from reference to email in cl 18.3 that email is contemplated.
80. The Bank relied on cl 18.6:
“ [8] The Lender shall have no liability to any other party hereto in respect of any loss suffered by reason of the Lender acting (or omitting to do some act) in accordance with any request or instructions set out in an email or fax sent to it, or appearing on its face to be sent to it, by any other party hereto if the fax includes on a cover sheet or at the head of the first page thereof a reference to the name of any other party hereto and is signed by a person who is so authorised in a board resolution of such party a copy of which has been delivered to the Lender.”
81. And on cl 18.7:
“ [9] The Lender shall be entitled to act in accordance with any email or fax message such as is referred to in clause 18 and the Borrower shall indemnify the Lender in respect of any liabilities, costs, claims, losses, damages or expenses suffered by the Lender in, or in connection with, so acting provided that the Lender has acted in good faith.
82. Aegis submitted that these provisions did not apply because cl 18.2 confined their operation to a communication “made or delivered under or in connection with this Agreement”, and (it said) the payment instructions were not made or delivered under or in connection with the Facility Agreement. It is not clear to me that cl 18.2, or perhaps more relevantly cl 18.1, confines the provisions on which the Bank relied in that way. In any event, the second limb of the submission was not explained, and when the payment instructions involve drawing down under the credit facility the amount to be paid, in my view they were communications under or in connection with it, even if the actual payment was from the current account.
83. In considering the operation of these provisions, it must be recalled that clear words are necessary if they are to exclude valuable rights, here Aegis’s entitlement to have the Bank pay out the money standing to its credit in the current account or advanced to it by the Bank only upon its authority, and to recompense if the Bank pays out without authority. Further, there is the well-known principle inCanada Steamships Lines Ltd v The King [1952] AC 192 (“Canada Steamships”) that general words not explicitly mentioning negligence will generally not exclude or indemnify against negligence unless that is the only possible liability. These are aids to interpretation, not rigid rules, the more so when there is power to strike down unreasonable provisions under The Implied Terms Law, but they have force.
84. I take the provisions in turn.
85. [1]I/We agree that the Bank is not obligated to enquire as to the purpose of any transfer authorised by any such instruction or the identity of any transferee.
86. “Any such instruction“ refers back to the first paragraph in the Form, and would include a payment instruction sent by email, but this provision does not assist the Bank. What is of present relevance is not relief from enquiry as to purpose or transferee’s identity, but relief from the need for authority from Aegis. The provision does not relieve from that need.
87. [2]I/We further agree not to hold the Bank liable and to hold the Bank harmless and fully indemnified for all transactions executed by the Bank pursuant to either of them”.
88. Again, this provision does not assist the Bank. “Either of them“ refers back to instructions given to the Bank by Aegis and written confirmation by Aegis of those instructions. If written confirmation is required, the original instruction must have been oral. The provision is concerned only with the circumstances of an oral instruction and subsequent written confirmation, and with any inconsistency; it is not concerned with an emailed payment instruction such as here in question. Further, the clause is necessarily concerned with genuine instructions, given orally and confirmed in writing. At the least, a transaction in respect of which it is agreed not to hold the Bank liable must be a transaction instructed or confirmed by Aegis. The payments out following the payment instructions were neither instructed nor confirmed by it; as with a forged cheque, they were unauthorised.
89. [3]I/We agreed to bear all risks in relation to any discrepancies or errors in the figures or instructions or messages as a result of any malfunction of the facsimile machines or misunderstanding or lack of clarity of such instructions.
90. This has no operation in the present case. It is not a question of discrepancies or errors in instructions at all, let alone as a result of malfunction of a facsimile machine. Even if the provision goes beyond instructions by facsimile, which I doubt and the payment instructions were not, on no sensible view could it be said that the Bank misunderstood the payment instructions, or was misled by lack of clarity, when it treated them as authority from Aegis when they were not.
91. [4]I/We further agree that the risk of fraud, forgery or fraudulent impersonation shall be born by me/us.
92. The “risk of fraud, forgery or fraudulent impersonation” must relate back to the first sentence of cl 5 and thence the first paragraph of the Form, in which the various clauses are binding “with respect to such instructions”. That is, the fraud, forgery or fraudulent impersonation must be in the giving of instructions. That includes giving a payment instruction by email. At first sight, this purports to be a wholesale allocation of risk to Aegis. But it is a classic case for declining, in accordance with Canada Steamships, to construe a general provision (expressed no more precisely than “risk”) as excluding liability for negligence (which would take away a valuable right) by putting the risk on Aegis even though the Bank was negligent, without clearly doing so by a reference to negligence. In my view, the risk allocation does not exclude the Bank’s liability for acting outside its mandate if it is negligent in acting on a fraudulent or forged instruction or one involving fraudulent impersonation. As earlier noted, that did not arise in Du, where negligence was dealt with in the clauses, with a high bar of gross negligence, and it was held that the bank had not been negligent at all.
93. The Bank’s reliance on this provision turns on the question of negligence, and the Mandate Basis tends to merge with the Duty of Care Basis. As later appears, in my view the Bank was negligent. The provision does not displace the Bank’s liability for payment out without authority.
94. [5]I/We unconditionally agree to indemnify the Bank and to hold the Bank harmless against any and all actions, claims or demands whatsoever which may arise and any loss, liability or expense (including legal costs on a full indemnity basis) incurred or suffered by the Bank of whatever nature and howsoever arising out of or in connection with such instructions.
95. Again, “such instructions“ refers back to instructions referred to in the first paragraph of the Form, and would include email instructions. But the provision does not assist the Bank. It does not entitle the Bank to be indemnified against a claim by Aegis for payment out without authority, negating such a claim by circularity. It is a fairly conventional form of indemnity against liability of the Bank to third parties, and if it was meant to go further and include any liability of the Bank to Aegis - effectively a radical deprivation of rights – that would have to be made clear.
96. It may be that this provision is also unavailable because it is inconsistent with cl 18.7 of the Facility Agreement, provision [9] below, by which the indemnity is qualified by a requirement of good faith. It is not necessary to decide this.
97. [6]I/We also agree that the Bank may without further notice to me/us, debit any of my/our accounts with it and reimburse itself in respect of the aforesaid claims, demands, losses, liabilities and expenses.
98. This provision is consequential on [5], and takes matters no further than it.
99. [7]The Lender is not bound to monitor or verify the application of any amount borrowed pursuant to this Agreement.
100. This provision has nothing to do with acting outside the Bank’s mandate by paying out without authority to do so. The absence of authority is because the payment instructions were not Aegis’s instructions, but from the fraudster; that the Bank is not obliged to be concerned with Aegis’s use of the funds does not mean that it is not concerned with its authority to pay them out.
101. [8]The Lender shall have no liability to any other party hereto in respect of any loss suffered by reason of the Lender acting (or omitting to do some act) in accordance with any request or instructions set out in an email or fax sent to it, or appearing on its face to be sent to it, by any other party hereto if the fax includes on a cover sheet or at the head of the first page thereof a reference to the name of any other party hereto and is signed by a person who is so authorised in a board resolution of such party a copy of which has been delivered to the Vendor.
102. There is an initial question of construction. The provision first refers to any request or instructions in an email or fax, and then adds a qualification referring only to a fax. Should the reference to an email be ignored as an error because there is no qualification where one would be expected as a kind of assurance of authenticity? Or should the provision be read as including an email although without any like kind of assurance of authenticity, with potentially a remarkably harsh operation? I am inclined to the former view: the obscure wording should be construed narrowly, and against the Bank. But it is unnecessary to decide. The short answer to the Bank’s reliance on the provision is that, on the Canada Steamships principle, it does not exclude liability of the Bank where the Bank was negligent. The exclusion of liability is in the most general of terms, and so far as including liability for acting without authority the liability could be without negligence or could be where the Bank was negligent. The Bank cannot say that it is not liable because it acted within its mandate in acting on a payment instruction apparently sent by Aegis, but in fact sent by the fraudster, if it was negligent in doing so.
103. As with provision [4], the Bank’s reliance on this provision turns on the question of negligence. Because in my view the Bank was negligent, the provision does not displace its liability for payment out without authority.
104. [9]The Lender shall be entitled to act in accordance with any email or fax message such as is referred to in clause 18 and the Borrower shall indemnify the Lender in respect of any liabilities, costs, claims, losses, damages or expenses suffered by the Lender in, or in connection with, so acting provided that the Lender has acted in good faith.
105. The scope of “any email or fax message such as is referred to in clause 18“ is not clear. It could be an email or fax to the fax number or email address in cl 18.2, or it could be an email or fax as referred to in cl 18.6 (with its own difficulties). Whatever the scope, the entitlement to act and the agreement to indemnify must be read together, the former being the basis for the latter: there is not an independent and wide-ranging liberty to the Bank. The provision in its entirety is an indemnity provision, and even more clearly than provision [5] it is confined to indemnity against third party claims. It is of no assistance to the Bank in this case.
Conclusion On The Mandate Basis
106. Unless the terms of its contracts with Aegis entitled it to do so, the Bank acted outside its mandate in paying out on the fraudulent payment instructions. The terms of the contracts did not entitle the Bank to do so if it acted negligently, which it did. The loss of the USD 1,067,500, less the small recovery, must be borne by the Bank.
The Duty Of Care Basis
107. In case I am wrong in this conclusion, and in any event because of the question of consequential loss and in deference to the parties’ attention given to it in the proceedings, I go on to consider the Duty of Care Basis. It provides a separate basis for Aegis’s claim. Under theQuincecareduty of care next considered, the Bank would be obliged to protect Aegis against being defrauded by not paying out if it was “put on inquiry“, that is, had reasonable grounds for believing that the payment instruction was an attempt to defraud Aegis.
108. Aegis had pleaded a duty of care as a contractual implied term, in tort and under the Regulatory Law. In closing submissions it focussed on a duty of care as recognised inBarclays Bank plc v Quincecare Ltd [1992] 4 All ER 363 (“Quincecare”).
109. InQuincecarea bank had agreed to lend £400,000 to a company. The Chairman of the company defrauded it by causing the bank to transfer £340,000 to solicitors who then, under prior arrangements, transferred the money to him. The bank claimed repayment of the £340,000 from the company. The company counterclaimed for loss of that sum caused by the bank’s breach of duty to it. The counterclaim failed because on the facts it was held that the bank was not put on inquiry as to the Chairman’s fraudulent instruction to transfer the money, but the judgment of Steyn J carefully considered and expressed (at 366 -7) the bank’s duty of care owed to the company.
110. His Lordship first said that it is an implied term of the contract between the bank and the customer that the bank will observe reasonable skill and care in and about executing the customer’s orders, and that the bank could be sued in tort as well as in contract under a coextensive duty. He noted that the duty must generally be subordinate to the bank’s other conflicting contractual duties, relevantly the duty promptly to execute a valid and proper order. He continued:
“How are these conflicting duties to be reconciled in a case where the customer suffers loss because it is subsequently established that the order to transfer money was an act of misappropriation of money by the director or officer? If the bank execute the order knowing it to be dishonestly given, shutting its eyes to the obvious fact of the dishonesty or acting recklessly in failing to make such inquiries as an honest and reasonable man would make, no problem arises: the bank will clearly be liable. But in real life such a stark situation seldom arises. The critical question is: what lesser state of knowledge on the part of the bank will oblige the bank to make inquiries as to the legitimacy of the order? In judging where the line is to be drawn there are countervailing policy considerations. The law should not impose too burdensome an obligation on bankers, which hampers the effective transacting of banking business unnecessarily. On the other hand, the law should guard against the facilitation of fraud, and exact a reasonable standard of care in order to combat fraud and to protect bank customers and innocent third parties.To hold that a bank is only liable where it has displayed a lack of probity would be much too restrictive an approach. On the other hand, to impose liability whenever speculation might suggest dishonesty would impose wholly impractical standards on bankers. In my judgment the sensible compromise, which strikes a fair balance between competing considerations, is simply to say that a banker must refrain from executing an order if and for as long as the banker is ‘put on inquiry’ in the sense that he has reasonable grounds (although not necessarily proof) for believing that the order is an attempt to misappropriate the funds of the company… “.
111. In that case the instruction on which the bank acted was genuine, that is, one the Chairman was entitled to give, although a fraud by him on the company. The avenue of the Mandate Basis did not arise. TheQuincecareduty has since been recognised in a number of cases, and was relied on successfully inSingularis Holdings Ltd v Daiwa Capital Markets Europe Ltd [2018] EWCA Civ 84 (CA); [2019] UKSC 50 (SC) (“Singularis”). That also was a case of an authorised instruction but in fraud of the company, and the trial judge held that “any reasonable bank would have realised that there were many obvious, even glaring, signs that Mr Al Sanea was perpetrating a fraud on the company when he instructed that money be paid to other parts of his business operations”. In the Supreme Court, Lady Hale succinctly summarisedQuincecare(at [1]):
“….Steyn J held that it was an implied term of the contract between a bank and its customer that the bank would use reasonable skill and care in and about executing the customer’s orders; this was subject to the conflicting duty to execute those orders promptly so as to avoid causing financial loss to the customer; but there would be liability if the bank executed the order knowing it to be dishonesty given, or shut its eyes to the obvious fact of dishonesty, or acted recklessly in failing to make such inquiries as an honest and reasonable man would make; and the bank should refrain from executing an order if in for so long as it was put on inquiry by having reasonable grounds for believing that the order was an attempt to misappropriate funds.”
112. Although it has gained its own name, theQuincecareduty of care can be seen as an application to the particular circumstances of execution of a payment order of the wider duty of care owed by a bank to its customer. It is a more particular statement of the duties of care accepted by the Bank in the Agreed List of Issues as implied terms of its banking relationship with Aegis. There is no hint in the Agreed List of Issues of a submission that these duties of care do not arise when the money is the Bank’s money.
113. While the duty of care is limited in its content, failure in the duty is aptly described as negligence, and has been so described in, for example,Singularis(SC) at [39]. The Bank referred to the decision of Judge Russen QC, sitting as a High Court Judge, inPhillip v Barclays Bank UK plc [2021] EWHC 10 for the propositions that the primary obligation of a bank is to treat its customer’s mandate at face value, it is not required to act as an amateur detective, and if the bank does not have reasonable grounds for believing there is a fraud, it must pay. These propositions, which are in any event consistent with theQuincecareduty of care, must be seen in the light of the facts of that case. The plaintiff was the victim of authorised push payment (“APP”) fraud, having been deceived by a fraudster into making payments from her account, believing that the payments were for a legitimate purpose. She said that theQuincecareduty required the bank to protect her by having APP fraud policies and procedures in place which would have stopped her from making the payments. The Judge declined to extend the duty of care in that manner. The decision does not assist the Bank, and the Bank’s emphasis that there are conflicting duties failed to recognise that the conflict had been resolved in framing the duty of care.
114. I have referred to the Bank’s submission on the ground that the money was not Aegis’s money, but the Bank’s money. It did not submit that aQuincecareduty of care is not part of the law applicable to its operations in the DIFC, and could scarcely do so consistently with the Agreed List Of Issues; indeed, perhaps inconsistently with the submission next mentioned, it acknowledged in its skeleton argument that it was “under any implied duty to carry out at least a few perfunctory checks before paying out to a third party“. Rather, it submitted that aQuincecareduty of care only arose where the bank was holding money deposited on behalf of its customer, and did not arise where the bank granted a borrowing facility to the customer. In the latter case, it said, the money belonged to the bank, and so far from the bank owing a duty of care to the customer, the customer owed a duty of care to the bank “in terms of looking after the borrowed funds for the benefit of the lender”.
115. It is not necessary to consider the rather startling second limb of this submission. As with the Mandate Basis, at one level the distinction between money deposited and money advanced does not arise in this case, because the funds advanced to Aegis under the TR Facility were credited to its current account and paid out from the current account. But in any event, I do not accept that theQuincecareduty of care is limited in the manner suggested.
116. The Bank accepted that there was no authority in favour of the proposition that noQuincecareduty exists where a bank is lending money to its customer. It submitted that there was no authority against the proposition either. That is not correct; inQuincecareitself the £340,000 was loan funds, drawn down and credited to a current account and then paid out. It is in this respect on all fours with the present case. The Bank’s submission that it was a different case because it was concerned with in-house fraud whereas the present case is one of cyberfraud is not to the point - it is not a difference relevant to the proposition. The Bank also submitted that the fact that the source of funds inQuincecarewas a loan from the bank was not material to the decision, because the bank was secured by a third party guarantee and the person who would be directly impacted by the fraud would be the guarantor. The submission is not easy to understand - in one sense, immateriality of the source of the funds is against the Bank’s proposition - but I am unable to see that the ultimate exposure of the guarantor affected the duty of care, let alone detracts from the recognition of the duty of care where the money is loan funds.
117. There is no reason in principle to confine a bank’s obligation to refrain from executing an order if the bank is put on enquiry that the order is an attempt to misappropriate the funds of the company, simply because the funds are being advanced to the company by the bank. The duty bites at the time of compliance with the instruction to the bank to pay out, when the loan funds may in fact be the company’s funds (as in the present case) and in any realistic sense are the company’s funds because, under a loan agreement with the bank, they are at its disposal. As earlier indicated, it is the payment out that matters, and the customer is equally harmed whether the money is “its money“ or “the bank’s money”: in the one case through immediate diminution of its assets by reduction in its current account funds, and in the other case through the incurring of a liability to repay which will upon repayment diminish its assets. It would make no sense if the bank, once put on enquiry, should in the first case hold its hand, but in the second case is free to pay out and require repayment notwithstanding having been put on enquiry. In either case, it is the customer which suffers, not the bank. The policy reasons to which Steyn J refers, guarding against the facilitation of fraud and exacting a reasonable standard of care to combat fraud and protect the bank’s customers and innocent third parties, have equal force, and no additional burden is imposed on the bank.
118. It is then necessary to return to the provisions [1] to [9] on which the Bank relied, at this point relying on them to displace any liability on the Duty of Care Basis. If the duty of care is excluded, it would appear that the Bank, while still reasonably believing that the payment instruction was an attempt to defraud Aegis, was entitled to go ahead and make payment. That is an unattractive conclusion.
119. [1]I/We agree that the Bank is not obligated to enquire as to the purpose of any transfer authorised by any such instruction or the identity of any transferee.
120. At best, this would exclude any liability where the breach of the duty of care lay in failure to enquire as to the purpose of a transfer or the identity of a transferee. While arguably it could catch some of the grounds for breach on which Aegis relies, it would not catch them all.
121. However, I do not think it goes even that far. Professor Burrows QC, sitting as a Judge of the High Court inThe Federal Republic of Nigeria v JP Morgan Chase Bank, N.A. [2019] EWHC 347 (Comm), considered at [46]- [50] clauses stating that the bank was “under no duty to enquire into or investigate the validity, accuracy or content of any instruction or other communication“ and “under no duty to investigate whether any instructions comply with any applicable law, regulation or market practice”. In the Judge’s view, the clauses did not apply at all where the bank had reasonable grounds for believing that the customer was being defrauded, and only applied prior to the point at which the bank had the relevant reasonable grounds for belief; alternatively, if that were incorrect, they were consistent with theQuincecareduty of care and only went so far as excluding any additional positive duty to enquire or investigate once there were reasonable grounds for belief. The Judge’s conclusions were upheld on appeal inJ P Morgan Chase Bank, N.A. V The Federal Republic of Nigeria [2019] EWCA Civ 1641, it being said as to the first clause that it was consistent with theQuincecareduty of care and as to the second that (at [54]) it was “aimed at making clear that the Bank is not taking on any obligation to make inquiries beyond those needed to authenticate the instructions received but it does not state that that is the case even where the Bank is on notice about the suspicious circumstances of the request for payment”.
122. As to provision [1], in like manner if for other reasons, or because it did enquire as to the purpose of the payment instructions or the identity of the transferee although it was not obliged to do so, the Bank had reasonable grounds for believing that the payment instructions were an attempt to misappropriate Aegis’s funds, the provision has no effect towards freeing the Bank from its obligation to refrain from paying; the Bank’s duty of care remains intact. Because the provision is confined to enquiry as to the purpose of any transfer or the identity of any transferee, and does not negate the duty of care, in the present case it does not assist the Bank.
123. [2]I/We further agree not to hold the Bank liable and to hold the Bank harmless and fully indemnified for all transactions executed by the Bank pursuant to either of them”.
124. For reasons previously given, this provision does not assist the Bank. It is also consistent with theQuincecareduty of care; in accordance with Canada Steamships, liability where the Bank is negligent in executing a transaction requires clear words, and the duty of care is not excluded.
125. [3]I/We agree to bear all risks in relation to any discrepancies or errors in the figures or instructions or messages as a result of any malfunction of the facsimile machines or misunderstanding or lack of clarity of such instructions.
126. For the reasons earlier given, this has no operation in the present case.
127. [4]I/We further agree that the risk of fraud, forgery or fraudulent impersonation shall be born by me/us.
128. Again, this is consistent with theQuincecareduty of care. As previously explained, it does not exclude liability for negligence.
129. [5]I/We unconditionally agree to indemnify the Bank and to hold the Bank harmless against any and all actions, claims or demands whatsoever which may arise and any loss, liability or expense (including legal costs on a full indemnity basis) incurred or suffered by the Bank of whatever nature and howsoever arising out of or in connection with such instructions.
130. Again, for like reasons to those earlier given this does not assist the Bank.
131. [6]I/We also agree that the Bank may without further notice to me/us, debit any of my/our accounts with it and reimburse itself in respect of the aforesaid claims, demands, losses, liabilities and expenses.
132. This provision is consequential on [5], and it takes matters no further than it.
133. [7]The Lender is not bound to monitor or verify the application of any amount borrowed pursuant to this Agreement.
134. Similarly to provision [1], at best this would exclude any liability where the breach of the duty of care lay in failure to monitor or verify the application of any amount borrowed. It would be difficult for a breach of the duty of care to arise in that way: the duty of care is concerned with the time of payment, and if there are reasonable grounds for believing that the instruction to pay is an attempt to misappropriate the customer’s funds, the bank should refrain from paying out. Monitoring what is done with the funds after payment out, or verification that the funds were applied in a particular manner, does not enter into it. It does not arise on the facts of this case, and the provision does not assist with the Bank.
[8]The Lender shall have no liability to any other party hereto in respect of any loss suffered by reason of the Lender acting (or omitting to do some act) in accordance with any request or instructions set out in an email or fax sent to it, or appearing on its face to be sent to it, by any other party hereto if the fax includes on a cover sheet or at the head of the first page thereof a reference to the name of any other party hereto and is signed by a person who is so authorised in a board resolution of such party a copy of which has been delivered to the Lender.
135. Again, this is consistent with theQuincecareduty of care. As previously explained, it does not exclude liability for negligence. It is worth repeating that it would be an unattractive conclusion that the Bank could act on an email appearing on its face to be sent to it by Aegis, but which it had reason to believe was an attempt to defraud Aegis, without incurring any liability.
136. [9]The Lender shall be entitled to act in accordance with any email or fax message such as is referred to in clause 18 and the Borrower shall indemnify the Lender in respect of any liabilities, costs, claims, losses, damages or expenses suffered by the Lender in, or in connection with, so acting provided that the Lender has acted in good faith.
137. For reasons earlier given, this provision does not assist the Bank.
138. It is unnecessary to consider the question of reasonableness under the Implied Terms Law. For completeness, I record the Bank’s reliance on Article 55 of the Law of Obligations, in summary excluding liability in negligence where the claimant has voluntarily assumed the risk on which the claim was based. It was submitted, without amplification, that “[t]his is precisely the position of Aegis as a result of [the Form]”. The duty of care is a contractual duty of care, and as with contributory negligence (see [161]), attention was not given to whether the Article applies to a contractual duty of care as well as a tortious duty of care. I doubt that the provisions on which the Bank relied are an area for voluntary assumption of risk at all, but it is sufficient that the provisions do not amount to assumption of the risk of the Bank negligently paying an unauthorised payment instruction.
139. I go then to whether the Bank was put on enquiry that the fraudulent payment instructions were fraudulent: that is, were there reasonable grounds for believing that they were attempts to misappropriate the money the Bank was instructed to pay to Reto and to Clamour Robotics? I remind myself that I should avoid the benefit of hindsight. Aegis relied on many “red flags“ which it said were raised by the emailed payment instructions. It is not necessary to list them all.
140. For all the fraudulent payment instructions, one of the red flags was that they were sent by email without also being faxed and/or the subject of a telephone call. In Aegis’s submission, the absence of an accompanying or follow-up fax or telephone call was out of the established procedure and should have excited suspicion in the Bank. The Bank’s response in evidence was to the effect that it was entitled to act on the emails alone, in that regard seeming to rely on cl 18.2 of the Facility Agreement and the email address for Aegis there set out as providing an “authorised“ email source: for example, Mr Maniram said that the Bank “had a mandate to act on payment requests which came from the Authorised Email ID”, and that the Bank “did not require” a fax or telephone confirmation. The response is not well founded to the extent that cl 18.2 stated an email address for communications to Aegis, not from Aegis, although the email address there stated could be seen as one from which emails could come. But the response misses the point. Even if the Bank was entitled to act on emails alone, that was not the established procedure. The absence of a fax or telephone call was out of the ordinary, and being out of the ordinary was a ground for suspicion.
141. I go to the first Reto payment instruction. Two more red flags were prominent in Aegis’s submissions. One was that the payment instruction was not for the typical “Payment of invoice xxx“ but for “Payment of mining operations”, and correspondingly the invoice was not for any of the commodities in which Aegis was licensed to trade: unlike a typical genuine invoice for (for example) “Limestone (40–80 MM) 10,000 MT)“, it was for “March & April Mining Operations”. The Bank knew that Aegis was not a miner, but more to the point no previous payment instruction had been for anything other than an invoice for one of the licensed commodities or for freight for the commodity - there had been no previous payment by Aegis for the performance of mining operations. The second was not just that there was not the usual bill of lading, which was not unexpected if the invoice was for the performance of mining operations, or other supporting document such as a contract for the performance of the mining operations, but that the invoice made no mention of JSW Steel and, in the absence of the usual bill of lading, there was nothing to indicate that the mining operations had to do with the supply of whatever was being mined for the manufacturing of steel by JSW Steel. For all that appeared in the payment instruction and the invoice, the mining operations could have been to produce diamonds for sale to a jeweller in Amsterdam – an extreme example, but one which makes the point that the Bank could not do what it said it did, that is, make sure that the transaction was in accordance with the terms and conditions of the credit facility.
142. Aegis said that there were other red flags. One was that the email addresses to which the email was copied in the heading said “oversea“ rather than the “overseas“ in the correct email addresses, which may be thought to benefit from hindsight and which I am content to put aside. Another was that the Bank did not ask for the contractually required credit report, more particularly when the beneficiary was a new beneficiary; however, the evidence on this was uncertain and again I’m content to put it aside. Another was that the Bank’s checking on Reto, for which its normal procedure called as a new payee and which it said it did by an ACRA search in Singapore, would have revealed that the business of Reto was “accounting and auditing services including taxation advisory services”, not mining; this does not suffer from hindsight. Another was that the invoice did not have information, and there was no accompanying document such as a contract for the performance of the mining operations, permitting a check on the veracity of the payment request by comparison of the invoiced amount with a market price.
143. The payment instruction was outside Aegis’s transaction history – a new payee, a new transaction not being a purchase of one of the licensed commodities or payment of freight for the commodity. In checking whether the payment request was in compliance with the terms and conditions of the TR facility, it was at the least not clear that the mining operations related to one of the licensed commodities, and it was not possible to determine whether or not the payment was for the supply of goods or services for the manufacturing of steel to JSW Steel. If there be added to this that the Reto search revealed that its business was nothing to do with mining, it is difficult to avoid the conclusion that the Bank did not do what its witnesses said should be done, to “determine whether the payment request was in compliance with the terms and conditions of the facility by verifying the purpose of the transaction….”.
144. What did the Bank’s witnesses say of these matters? The witness statements, more particularly those of these senior Bank officers, were generally prolix, argumentative, and with regrettable uniformity showing “cut and paste“ preparation – I have mentioned some instances, but there were many and in important respects. Both from the witness statements and from the cross-examination of the witnesses, there was an unfortunate air of corporate justification, an impression which the identical or almost identical terms of significant parts of the different witness statements did nothing to dispel. A manifestation is that all of Mr Maniram, Mr Shee and Mr Narendra Kumar referred in their witness statements to a screen shot of a Google search of Aegis showing its activities as shipping, mining and cargo, as part of explaining why the invoicing for mining operations was acceptable. It turned out that the screen shot had been take for the purposes of the trial: as Mr Maniram said, “prior to that, we have never gone through”. In fact, on looking at the website as a whole, it was devoted to Aegis as a trader in commodities. At the time of the payment instructions, the Bank’s knowledge of Aegis’s activities was only trading in the commodities, derived from the current account form and trading licence and the past history of invoicing for commodities.
145. The payment instruction would have first gone to Mr Sebastian. Remarkably, his witness statement said nothing about his attention to its verification. In cross-examination, he said that he would take “the primary check” of a payment instruction. His answers to questions concerning mining operations rather than a commodity, the absence of any reference to JSW Steel, and verification of compliance with the terms and conditions of the facility were scarcely responsive, although he seemed to agree that it could not be checked that the transaction related to JSW Steel; otherwise, his position seem to be that the invoice was acceptable as an advance payment where Aegis was “basically onto this mining business“. He agreed that this was the first occasion on which the Bank had processed a transaction only with the email, but said that could be done “if they are getting from authorised email address“. He volunteered that he checked Reto by an ACRA search, and when it was suggested that the search showed the activities of Reto as “accounting and auditing services including taxation advisory services”, said to the effect that the basic search did not get those details. From evidence of the basic search subsequently given, I am satisfied that that is not correct, nor did Mr Trivedi say so, see below.
146. The payment instruction would have next gone to Mr Trivedi. Again, his witness statement said nothing of his attention to its verification. The cross-examination was marked by his haste to inform the cross-examiner, unresponsively, that the invoices were for services, and to justify payment in accordance with the fraudulent payment instructions. His answers to questions concerning mining operations rather than a commodity, the absence of any reference to JSW Steel, and verification with the terms and conditions of the facility, also were scarcely responsive. He seemed to regard an invoice for mining operations as acceptable because Aegis dealt in limestone, dolomite etc and, although this was unclear, it was a payment for services, presumably the service of producing the commodities; he was, however, constrained to agree that it could not be seen that the transaction was to the benefit of JSW Steel. He also agreed that there had not been a previous invoice relating to payment of mining operations. The less than satisfactory nature of his evidence is illustrated in the answer when he was asked the direct question:
“MR DOHERTY: So given that you will have, when you were looking at this, no doubt had in mind Aegis’s previous business, how could you possibly have satisfied yourself that this was a legitimate transaction within the course of Aegis’s business operations?
MR TRIVEDI: Because, sir, as they are mentioned in this, they are dealing with the rocks, they are dealing with… and also they are dealing in the limestone, dolomite. So it also described that only, so it is similar in nature.”
147. Mr Trivedi agreed that he checked Reto by an ACRA search, and was taken to the description of Reto’s business as accounting and auditing services including taxation advisory services. He said that the check showed that Reto was “in existence there“, but did not question that the search showed that information. His evidence included:
“MR DOHERTY: Well, when you got this report and you read it, did you not ask why on earth are an accountancy firm was providing mining operations?
MR TRIVEDI: Because, sir, it was services, so that was the reason because it was not related to goods and we checked the existence, so existence was there. That’s why.
MR DOHERTY: Right, so it exists and it exists to provide accounting services.
MR TRIVEDI: A beneficiary can be just a business. That is why like mining operations was there so they can provide the services also, so that is the reason.”
148. The payment instruction would have gone next to Mr Shee. In his first witness statement, he did speak of the “due diligence procedure“ in relation to the first Reto payment instruction, but in terms of what “the Defendant“ did. In summary, in cross-examination as to his own part he explained the Reto invoice as advance payment for a service, the service of mining for one of the commodities in which Aegis dealt, although he was constrained to agree that from looking at the invoice he could not be satisfied that the commodity was only for the use of JSW Steel. He agreed that it was “a new pattern of transaction“, but said that it was not very different from what Aegis was doing and “just a step ahead going into mining operations”. He was unaware of any email/fax/telephone call question, which was “out of my purview“.
149. I pass over Mr Narendra Kumar, whose witness statement concerning the fraudulent payment instructions was almost word for word, a repetition of a witness statement of Mr Maniram. As the Senior Executive Officer, Mr Maniram would have had an essentially supervisory role at the time,but took a leading role in the proceeding in justifying the Bank’s payment of the fraudulent payment instructions.
150. In his first witness statement, Mr Maniram said that the Bank made the payment to Reto:
“…based on the following reasons:
a. the payment request came from the Authorised Email ID;
b. the payment request contained signature of Mr Girish Agarwal, the authorised signatory of the Claimant;
c. the payment request was for mining operations, which was related to the Claimant’s business;
d. the World Check did not reveal any adverse reports on the proposed beneficiary;
e. transport documents (like a bill of lading/airway bill) were not necessary since the transaction was not a transhipment.”
151. In the course of a lengthy cross-examination, Mr Maniram’s evidence sought to explain the relationship between mining operations and Aegis’s business. He described the payment for mining operations as invoice financing, “like an advance payment done to the company to procure their goods”, and said that mining operations was a trading activity connected to the procurement of the goods – in context, one of the licensed commodities; he also described it as payment for services, the service of mining or at another point the service to the steel industry of procuring the raw material. He did not really answer how it could be seen that the goods were one of the licensed commodities. The evidence included:
“MR DOHERTY: Mr Maniram, I think what we are doing is looking a long way around the really obvious point here, which is that even at first glance this invoice looks totally different to anything that had preceded it and it is purporting to request payment for something that Aegis had never engaged in. That is right, is it not?
MR MANIRAM: With regarding to Aegis if you see what the trade license says which is regarding to the sand, which is regarding to the limestone procurement, gravel, so that is all part of mining. That’s what the bank has understood.”
152. Mr Maniram agreed that there was no reference to JSW Steel, but seemed to suggest that Aegis would later get a commercial invoice and a bill of lading which would do so. He was unable to indicate any occasion on which the Bank had processed a transaction on email alone, but the effect of one of his answers was that (as the passage from his witness statement set out above suggests) it was sufficient that the email came from what he regarded as the authorised email ID. He said on a number of occasions that the Facility Agreement did not require a fax, which misses the point of departure from the normal procedure, and that it did not require that JSW Steel be mentioned in the invoice or bill of lading, which again misses the point that without some such link the Bank could not be satisfied that the new venture of mining operations was for the supply of goods or services for the manufacturing of steel by JSW Steel.
153. Negligence is to be judged objectively, but I have sought to extract from the evidence at least illustrative parts of the response of the Bank’s witnesses to the complaint of breach of theQuincecareduty in relation to the first Reto payment instruction. I have paid regard to all that they have said, but it did not provide a coherent explanation of the due diligence the Bank professed to have applied. It was not at all persuasive against reasonable grounds to believe that the payment instruction was an attempt to defraud Aegis.
154. In my view, the Bank was clearly put on inquiry, with reasonable grounds to believe that the payment instruction was an attempt to defraud Aegis. Procedurally, it was outside the established procedure in being sent by email without also being faxed and/or the subject of a telephone call. In its content, it was also out of the ordinary in departing from the hitherto universal “Payment of invoice xxx“ or “Payment of freight invoice“ and apparently being payment for a miner to carry out mining operations to produce a commodity rather than the hitherto universal payment for the commodities themselves. The beneficiary was an entity with which Aegis had not previously dealt. There was no way of telling that the commodity was one of the commodities in which Aegis was licenced to trade, which was a requirement under clause 4.2 of the Facility Agreement. There was no way of telling that the mining operations or the commodity were for the manufacturing of steel by JSW Steel. The references by Messrs Maniram, Shee and Trivedi to services appears to me to have been an attempt to pick up the reference to services in the Facility Agreement in order to link the mining operations with JSW Steel; but a flawed attempt, and obviously so, because if the payment be regarded as payment for the services of mining operations, the services were provided to Aegis, not to JSW Steel as the credit facility required. Plainly it could not be determined whether the payment instruction was in compliance with the terms and conditions of the credit facility. This was not just a matter of the Bank’s interests; the Bank would not expect its customer to ask for payment so thoroughly outside the banking arrangements, and that it did so invited inquiry. Even without regard to the ACRA search of Reto (which itself was a startling red flag) or other matters on which Aegis relied, there was breach of theQuincecareduty of care. The other matters add to this conclusion.
155. Drawing on the preceding paragraphs, the first Clamour Robotics payment instruction can be dealt with more briefly. There were the same red flags (except the ACRA search), only waving more strongly. Even on the Bank’s justification of an activity connected to the procurement of the commodities in which Aegis traded, the purchase of mining tools and equipment is a further step away – on that justification, Aegis was not just paying a miner in order to extract the commodities, but providing the tools and equipment for the miner to do so. The mining tools and equipment were not services, but goods, and were to be shipped to an address, but there was no shipping document equivalent to a bill of lading in the case of the commodities. The address was an address for Aegis in Dubai – why was nearly a quarter of a million dollars worth of mining tools and equipment being sent to an office address in Dubai, not to the miner? There was the additional red flag that the destination of the payment, Mexico, was not one of the destinations in the current account opening form, and in this case a veracity check by enquiring into a market price for the mining tools and equipment was possible but there was no information to enable it to be done. As with the first Reto payment instruction, there was nothing to indicate that the purchase of the mining tools and equipment had anything to do with the supply of whatever was to be mined to JSW Steel for the manufacture of steel. Again, there was a breach of theQuincecareduty of care.
156. The explanations of the Bank’s witnesses were no more persuasive then in the case of the first Reto payment instruction. I give examples. When asked how he could be satisfied from the invoice that the transaction fitted with Aegis’s historic transaction pattern, Mr Sebastian said that the invoice was addressed to Aegis and the shipment was also to Aegis, “And we ascertain all we concluded that… We considered that this is for the procurement of mining tools and machinery. Yes, and we have processed this one”. Mr Trivedi said that the mining tools and equipment were “partially related“, meaning to trading in the commodities. One statement of his explanation was, “[b]ecause as they are dealing in the rocks, they have mentioned earlier in their account … so for that purpose they may require it”. Another was, “But for the purpose of like rocks, mining tools are required. Because assembly is there, as assembly is to be set up, machines assembly. So for that mining tools and equipment is required”. How assembly of machines, which was also mentioned by other witnesses, came into it is unclear. He said that he took into account that the countries that Aegis traded in were set out in the “contracting form”, but that “any party can expand business need in other countries…“, which is not to the point: it was outside the nominated countries and out of the ordinary. Mr Shee said that he regarded the invoice as connected with the Reto invoice because tools and equipment were needed for mining, a different explanation from the explanation of an advance payment for the service of mining which he had earlier given. Mr Maniram said that there was an indirect connection to the facility because “mining tools will be provided to some other mining company and the mining company are going to drill the goods and then it is going to be supplying to JSW“, although he agreed that there was no reference to JSW Steel on the invoice: he simply asserted that it was “indirectly connected to the facility”. When asked about the payment to Mexico, he agreed that the location of the beneficiary was part of any compliance check but said that “there could always be a first time for any company to have a transaction in a different geography“; which reduced the compliance check to nothing.
157. It is not necessary to add to the mix the failure, in remarkably blinkered attention to it, to note that the second Reto payment instruction was identical with the first, as an indication that Aegis payment instructions were compromised. But the conclusion of lack of due care in relation to the first two payment instructions is in my view supported by the Bank’s suspicion when it received the second Clamour Robotics payment instruction. On the evidence of Messrs Maniram (initially), Shee and Trivedi in the Bank’s case, the suspicion was because of the similarity to the previous payment request from Clamour Robotics, the payment request was for the same amount, and the payment was requested in quick succession after the previous payment request for the same beneficiary and the same amount. However, from Mr Agarwal’s evidence of what he was told by Mr Manish Kumar, it was because the transaction was flagged as falling outside the terms of the facility. If so, the first two payment instructions should equally have been flagged as falling outside the terms of the facility. Messrs Shee and Trivedi both gave hearsay evidence (in identical terms) that Mr Manish Kumar denied saying this, but Mr Manish Kumar was not called in response to Mr Agarwal‘s evidence and his absence was not explained. Notwithstanding his initial evidence, in cross-examination Mr Maniram agreed that one of the reasons for picking up the second Clamour Robotics payment instruction was that it “did fall outside the use of the facility”, although in re-examination he was led to resile from this. I accept Mr Agarwal’s evidence in this respect.
Conclusion On The Duty Of Care Basis
158. The Bank owed to Aegis a duty, in accordance withQuincecare, to refrain from paying out on the fraudulent payment instructions if it had reasonable grounds for believing that they were an attempt to misappropriate the money. There were such grounds, and the Bank was in breach of the duty: it was negligent. Subject to the question of contributory negligence, Aegis is entitled to relief whereby the Bank bears the loss of the USD 1,067,500, less the small recovery. It is not necessary to consider the Regulatory Law as a source of a duty of care.
Contributory Negligence
159. On the question of contributory negligence, the Bank’s submission in its closing outline was concise:
“The Bank’s submission is that the primary duty, in contract and common law, lay on Aegis/Mr Agarwal to ensure that his email system was secure. This he failed to do, enabling a hacker to gain access and inflict all the subsequent damage. If the Bank was negligent in any way it is arguable that [Aegis’s] contributory negligence was as high as 100% and certainly no less than 75%.”
160. There is no question of a duty lying on Aegis, and in more conventional language the question is one of reduction of damages for its negligence contributing to its loss. The Bank did not identify the source “in contract and common law” for reduction for contributory negligence, but I take it to have been relying on Article 17 (2) of the DIFC Law of Obligations, which provides that the defendant’s liability in negligence the subject of Article 17(1) “shall be reduced by the extent to which the claimant’s negligent acts or omissions contributed to his loss”. No attention was given in submissions to whether contributory negligence was available in partial answer to a claim for breach of a contractual duty of care (which theQuincecareduty of care is, together with the coextensive tortious duty of care although the tortious duty of care may be open to argument) as well as a tortious duty of care: which at first sight the terms of Article 17 does not allow, as it appears to be concerned with a duty of care in tort. No basis was cited for a duty in contract to ensure that the email system was secure, which at first sight is inconsistent withTai Hing. Nor was any attention given to whether contributory negligence was available in relation to liability on the Mandate Basis, when it does not rest on negligence at all andTai Hingdeclines regard to the customer’s default beyond the Qualifications: again at first sight, it would appear not, and in any event from the Agreed List of Issues the Bank relied on contributory negligence only in relation to tortious liability under Article 17. The question of contributory negligence was not well explored by either party.
161. It is unnecessary to take this further, since I consider that Aegis was not contributorily negligent.
162. I have earlier described how the fraudster is thought to have obtained access to the Aegis email account. Evidence concerning the security of the email system, and what might have been done to guard against the phishing, was given by Mr Vikrant Shah, on behalf of the Bank, and Mr Eric Semaan, on behalf of Aegis. Both are experienced in cyber security, and gave their evidence objectively and helpfully. I intend no disrespect in paring it down to the central issues, it must be said without the benefit of anything other than the briefest submissions from the parties.
163. The first issue is the security of Aegis’s email system. It was accepted that Mr Agarwal was not technical, nor was anyone else in the relatively small staff (it was referred to as 8 to 15 persons). Mr Amin’s evidence came down to saying that Aegis should engage someone who was technical, and who audited the system and the emails and provided security features, to put an appropriate system in place. While he identified some security features, such as two factor authentication and notification of unusual access, these would have been features of the responsibility of the person engaged. Aegis had engaged a firm in early 2019, FutureX, described by Mr Semaan as a cyber security focussed IT company, and had purchased from it a managed email system based on Microsoft Office 365 and an endpoint security solution provided by Symantec. In a managed system, FutureX would (in Mr Semaan’s words) “look after the functional side of the solution and the sound security of the solution itself”. In Mr Semaan’s view, the email system so used by Aegis was “consistent with the state of maturity I would expect to find in a small business not specialised in digital technology, financial transactions or critical infrastructure“, and consistent with what was commonly purchased and used by such a small business at the time: in particular, at the time two factor authentication was not prevalent and the Microsoft product did not notify the user of unusual access. He remained of that view when it was suggested in cross-examination that Aegis conducted significant financial transactions.
164. I accept Mr Semaan’s view. In his third witness statement Mr Agarwal had asserted that Aegis had “acted entirely reasonably by acting on the advice and recommendations of FutureX as to how it should protect its IT systems i.e. by buying the package recommended”. He was not cross-examined on that assertion. I am not satisfied that there was any negligence on Aegis’s part in the security of its email system.
165. Perhaps that was anticipated, since the Bank’s brief oral submissions were confined to the second issue of Mr Agarwal’s response to the phishing email. Mr Agarwal was not cross-examined as to that when first called to give evidence. He was recalled on the Bank’s application after the experts had given evidence.
166. Mr Amin pointed to features of the email which he said meant that it did “did not look genuine“, being that it appeared to be one email from two senders, that in the case of a missed call VoiceNote was not the service one would expect, and that Microsoft did not provide a missed call service; it was also “a bit tricky” that the recipient, when already logged in, should be asked to provide log-in details again to open an attachment. He said that Mr Agarwal should have deleted the email, or asked someone with technical knowledge (or if he was getting a service the service provider) whether the email was genuine. Mr Semaan agreed that, as an expert in his line of work, the appearance of two senders raised an alarm, and that it was “becoming now” common knowledge that anyone who wished to protect themselves from phishing should not open an attachment from an unknown sender; but he explained that even in 2021 simulated activities conducted by his company showed that about 30% of people still opened the attachment and provided their password. Inferentially, in 2019 there was less awareness of phishing.
167. In the further cross-examination, Mr Agarwal said that to him the “two senders” was one sender and a tag saying that the email could not be replied to. That is a not unreasonable lay perception. The question and answer were as at the present time, and he was not asked about his notice at the time. When asked about opening an attachment from an unknown sender, he replied that he had received voice messages on another product called Teams and he “presumed maybe somebody tried to call me on Teams and this was an email notification that I missed a call“. He was not further pressed on whether this was foolish, let alone negligent. When asked whether it occurred to him that it was a risky thing to enter his credentials for the Microsoft Office system, he replied no; when asked whether he thought there was anything suspicious when nothing happened, he replied no. Again, he was not further pressed on whether he had been foolish, let alone negligent, in these respects. It was the same with a question whether he got in touch with FutureX to ask what was going on. There was scarcely a serious challenge to his conduct in order to underpin a case of negligence.
168. I am not satisfied that contributory negligence has been made out. Negligence is failure to take reasonable care. As with addressing negligence on the part of the Bank, the benefit of hindsight should be avoided, and the actor need only act reasonably, not as guarantor against the outcome. While there were indications to an expert that the phishing email was not genuine, the standard of an expert is not to be required of a person in Mr Agarwal‘s shoes and I do not think that he unreasonably failed to be alerted to them. Opening an attachment from an unknown sender no doubt would have been seen by many as unwise, but the evidence fell short of it being something no person acting reasonably would do, and Mr Agarwal’s explanation of his thinking provides a plausible basis for doing so – and was not challenged as unreasonable. Indeed, it may be noted that Mr Amin did not clearly say that an attachment from an unknown sender was a known danger, not to be opened.
Consequential Loss
169. In the Amended Particulars of Claim, Aegis alleged and claimed consequential losses:
(a) in the amount of USD 187,024.27, on the ground that the limit of the TR facility had been eroded by payment out of the USD 1,067,500 and it had been unable to use those funds in trading;
(b) in the amount of USD 82,000, as the cost of management time incurred by Mr Agarwal “in seeking to resolve the issues created by [the Bank’s] breaches”; and
(c) in the amount of USD 2,580.52, in travel expenses incurred by Mr Agarwal for the same purpose.
170. Aegis’s skeleton argument globally maintained these claims, but almost nothing was said of them in submissions. No submissions were made on whether consequential loss could be awarded under the Mandate Basis as well as under the Duty of Care Basis, but debiting the customer’s account for a payment without authority would appear to be breach of term necessarily incidental to the contractual relationship, and the Bank did not submit that it was not open to award it. It is clearly open to compensate for consequential loss as damages for breach of theQuincecareduty of care.
(a) Loss of use of the USD 1,067,500
171. The Amended Particulars of Claim appended a two-line “breakdown of consequential loss calculation“, applying a profit margin and rate of return multiplier to the two sums paid out to arrive at the amount claimed. Not a jot of evidence was given to support the claim or its calculation. In submissions, Aegis supported the claim on the ground that the Bank had not denied the pleaded loss from loss of use of the money in its Amended Particulars of Defence, and was taken to have admitted it.
172. The specific pleaded response to the pleaded loss was relevantly that the Bank “submits that it has no liability for the Claimant’s consequential losses (if any) for the following reasons…”, the reasons being Aegis’s alleged contributory negligence and its failure to cooperate in tracing the fraudster. Taken alone, the Interjected “(if any”) indicates a denial of the pleaded loss. But as well, at the commencement of the relevant paragraph in the Amended Particulars of Defence, the Bank said firmly that it “denies all averments made under Part H (paragraphs 106 and 109) of the Amended Particulars and accepts no liability as stated therein”. The allegation of loss was in Part H of the Amended Particulars of Claim, containing paragraphs 106 to 109. It is clear, in my view, that the Bank intended to deny the pleaded loss from loss of use of the money, despite a slip in referring to paragraphs 106 and 109 instead of paragraphs 106 to 109, and it could not reasonably be thought otherwise. Nor, correctly, did counsel for Aegis suggest that the absence of evidence to support the claim and its calculation was because it had been thought that the claim was admitted.
173. It may be added that the unlikelihood of admission of the claim is underlined by the difficulties in establishing a claim of that kind, and the generality of the brief calculation appended to the Amended Particulars of Claim.
(b) Cost of management time
174. The entirety of the evidence was in Mr Agarwal‘s first witness statement:
“Due to (i) UBI’s initial actions in transferring the funds; and (ii) UBI’s subsequent lack of action in seeking to recover the funds, I was required to spend a significant amount of time in seeking to resolve the issues. I am expected to generate approximately 2x my salary in the course of running Aegis Resources’ business. My monthly salary at the relevant time was AED 150,000. Prior to handing the matter over to my legal representatives, I was required to focus my attention on these issues for a period of approximately 60 days (from 11 June 2019). Aegis Resources is therefore claiming consequential losses in the sum of USD 82,000 as compensation for the time that I was required to spend on these issues, during which time I was not able to focus on generating revenue for Aegis Resources.”
175. Mr Agarwal was not cross-examined on this evidence, and the Bank said nothing against the claim in submissions. While I have said that it is not necessary to give the detail of the recovery efforts, from Mr Agarwal‘s witness statement they were extensive, and in addition I accept that he spent a considerable amount of time in communicating with the Bank in order to find out what had happened and what the Bank was doing about it. At least since R+VVershicherung AG v Risk Insurance and Reinsurance Solutions SA [2006] EWHC (Comm) 42 and [2006] EWHC 1705, it has been established that loss of this kind can be recovered although it is not shown that the cost of the management time was an incremental cost. It is wasted expenditure, expenditure which is ordinarily incurred but does not produce the profit it would otherwise have produced, and can be recovered as a loss provided there is a significant diversion of the individual from his usual activities. Particularly when the Bank has not chosen to contest Mr Agarwal’s evidence, I consider that the amount claimed is recoverable by Aegis.
(c) Travel expenses
176. I have referred to Mr Agarwal travelling to Singapore; in his first witness statement he says that this was “[d]ue to UBI’s refusal to take anything other than the bare minimum of action to recall the funds”, and that USD 2,580.52 was incurred in expenses. The Bank was communicating with the Singapore bank, but without success: that bank would only confirm that the funds had been received and credited to Reto’s account. Mr Agarwal thought it necessary for someone to travel to Singapore to try to get information. Mr Maniram declined to send someone from the Bank with him, but gave him a letter of authorisation from the Bank to discuss the matter with the Singapore bank. Again, Mr Agarwal was not cross-examined on this evidence, and the Bank said nothing against the claim in submissions. In my view, it was reasonable for Mr Agarwal to travel to Singapore, and the expenses are recoverable as a loss caused by the Bank’s defaults.
Causation
177. When the fraudulent invoices were paid, the relevant sums were debited to the TR account and credited to the current account and then debited to the current account. At that point, Aegis was left with an increased indebtedness to the Bank under the TR Facility, which it would not have had if the Bank had not paid the fraudulent invoices. The evidence did not detail subsequent movements in the two accounts, but a letter from Mr Agarwal dated 12 September 2019 complained that the two sums of USD 826,000 and USD 241,500 “are still showing as debited in our TR account“. I was informed that the banking relationship had come to an end, and that Aegis had repaid its indebtedness to the Bank under the TR Facility with the exception of these two sums. Perhaps unusually, the Bank had not counterclaimed to recover that indebtedness, but it still claimed repayment. Aegis’s loss in this respect is its liability to the Bank, and it was agreed that the relief would be by way of a declaration that it did or did not, as the case may be, have to repay the Bank.
178. The Bank submitted, however, that there was no causal link between this loss suffered by Aegis and any breach by it in acting outside its mandate or in breach of a Quincecare duty of care. The submission is difficult to understand. It was submitted that, from Mr Agarwal’s complaint above-mentioned, it should be inferred that the Bank had “reversed the two transfers out of the TR account , in part repayment of the TR facility but in diminution of the funds in [the] business account” and that this had “generated ill-will on the part of Aegis, who remonstrated that the Bank should absorb the losses by restoring funds to the current account“. From this, it was said that the proximate cause of Aegis’s loss was not the Bank’s action in paying out to Reto and Clamour Robotics, but the Bank’s decision some time in the third quarter of 2019 “to recoup its losses” from the current account: at another point, that this decision was anovus actus interveniens.
179. Mr Agarwal was not asked anything to underpin the submission or which might clarify it. It appeared to treat Aegis’s loss as a loss arising when in September 2019 the Bank debited the current account in order to repay the amount advanced from the TR account, with the event of debiting the current account the cause of the loss because it was then that Aegis lost money.
180. Factually, the submission lacks the foundation of a September 2019 debiting of the current account. First, the suggested inference is awry: if the Bank had just debited the current account and credited the TR account, causing discontent because the current account had been debited, Mr Agarwal’s complaint would not have been that the sums werestilldebitedto the TR account. Nor would the Bank now be claiming repayment of the two sums, as owing on the TR account, if it had recouped them from the current account. Secondly, on the evidence of Mr Agarwal in June 2019 the Bank debited the current account with USD 241,500 and credited that sum to the TR account, then after complaint by Aegis reversed this in September 2019 so that the entire USD 1,067,500 was owing on the TR account. There was a crediting of the current account, not a debiting. It is difficult to see how the submission could have been made.
181. The submission is also unsound. The Bank’s present claim to repayment stems from the initial increased indebtedness under the TR Facility. That was a loss. If by the Bank’s act the indebtedness became an indebtedness on the current account, that act was part of causation and not a “new” cause or intervening event. No doubt there were intermediate movements in the accounts, but it does not matter. When the Bank says that Aegis has to repay to it the money which had been paid out on the fraudulent payment instructions, on whatever account, the loss to Aegis is caused by the Bank’s breaches.
The Result
182. It follows from these reasons that a declaration should be made that Aegis does not have to repay the Bank the USD 1,067,500 paid out, save for the recovered amount of USD 4,643.31. I do not know whether or not the outstanding indebtedness under the TR Facility has borne and is bearing interest. It follows from these reasons that any interest referable to the USD 1,067,500 also does not have to be paid. The Bank must pay Aegis USD 84,580.52 as damages, and interest on that sum. The USD 4,643.31 can be set off against the amount payable by the Bank. As to costs, as at present advised I consider that Aegis has been wholly successful (the fate of the claim for loss of use of the USD 1,067,500 notwithstanding, particularly as it occupied no time to speak of), and that the Bank should pay its costs; but I have not heard the parties on costs, and if the Bank wishes to submit that some other order should be made, directions can be given for submissions on costs.
183. The only order at present is to direct that the parties provide to the Registry within 14 days draft orders in accordance with these reasons.