From CompliNEWS | Financial Service Intelligence Watch

High Court orders financial service provider to pay R3.1m due to negligence in cybercrime case

Johannesburg High Court

The Johannesburg High Court ruled against a Financial Service Provider (FSP), ordering them to pay R3.1 million due to negligence in a Business Email Compromise (BEC) case.

This case underlines the dangers of cybercrime and the necessity for professional advisors to implement effective safeguards.

Details of the case

BEC fraud occurred when threat actors sent fake withdrawal requests from a client’s email to the FSP, which processed these without further checks. The FSP, Brough Capital (Pty) Ltd, failed to authenticate withdrawal requests, showing gross negligence amidst various red flags.

Background information

Brough, an authorised FSP, managed funds for the Rotary Club of Rosebank under an Investment Management Mandate. R3.1 million was illicitly withdrawn from the Rotary Club’s account and transferred to an unknown account due to the BEC. The Rotary Club’s claim against Brough was transferred to the Lester Connock Commemoration Fund.

Evidence presented

The Fund’s evidence highlighted unusual patterns and amounts in the withdrawal requests and procedural discrepancies. Brough’s defence claimed the requests seemed legitimate and shifted the authentication responsibility to Momentum Securities.

Decision and order

The court ruled Brough failed to act with the expected diligence of an FSP, especially in light of the General Code of Conduct. Brough’s attempt to deflect responsibility onto the Rotary Club was dismissed, with the court focusing on Brough’s failure to verify unusual transactions.

The court ordered Brough to pay R3.1 million plus interest and costs to the Fund.

Commentary

The judgment stresses the importance of vigilance against cybercrime for FSPs; emphasises the need for careful scrutiny and authentication of fund transfer requests; highlighting the importance of simple verification steps and advises professionals to obtain adequate insurance cover against cybercrime risks.

Read the Judgment here