Sadly, legal firms undertaking conveyancing work are very desirable targets for payment diversion fraud due to the significant sums held in their client account. Sam Moore of Caytons provides commentary on the legal considerations relevant to how a court might decide whether the firm or the client should bear responsibility for the monies lost, and top tips on how to avoid liability attaching to your firm in the event of this type of fraud.

What is payment diversion fraud?

Payment diversion fraud is a form of fraud where criminals impersonate others and cause payments to be diverted to a bank account controlled by the criminals. Often this fraud is perpetrated by criminals gaining access to a business’s IT systems and sending emails stating that monies need to be sent to the account which they control.

Where these frauds succeed, the consequences can be catastrophic. As an example, in October 2021, The Law Society Gazette reported that a homebuyer was scammed into handing over £640,000 to criminals after emails to the firm they had retained were intercepted.

The CLC has very sensibly given advice that firms should:

“Advise clients in initial, and ideally all, correspondence that bank details will not be changed, or if they are, communication will not be sent by email on this matter.”

Legal considerations – who is responsible for the diverted monies?

The issue of who should bear the loss for monies which are diverted due to the acts of criminals is still a developing area of law. However, there has been some case law involving these issues and there is clearly scope for traditional legal principles to be applied. 

The Contract

The relationship between a firm of conveyancers and its client is primarily one born out of the contract between them, pursuant to which the firm agrees to provide conveyancing services in consideration of the payment of fees. It follows that the question of who should bear responsibility for loss arising from a payment diversion fraud where criminals have gained access to a firm’s IT systems and/or intercepted emails should, in our view, primarily be considered by reference to the terms of the contract between them.

J Brazil Road Contractors v Belectric Solar Ltd [2018] was a case concerning payment diversion fraud. It was a county court case and, therefore, is not binding authority. However, it is nonetheless interesting to understand how the court dealt with the issue of who should bear responsibility for the loss caused by the fraud. The case concerned a dispute between a building contractor and its customer. The building contractor had undertaken works, which the building contract required the customer to pay him for.

Unfortunately, criminals hacked the building contractor’s email account and caused the customer to pay the sums owed to the bank account controlled by the criminals. There followed a dispute between the building contractor and the customer as to whether the customer had to pay the building contractor “again”. The court found that the customer did indeed have to pay the building contractor “again” because the email interception did not absolve the customer of its contractual responsibility to actually make payment to the building contractor. Whilst this is of course not a case involving conveyancers, it does highlight the importance of the contractual relationship in determining the issue of liability in these circumstances.

Section 13 of the Supply of Goods and Services Act 1982 can imply a term into a contract between a firm and its client that the firm will carry out its services with “reasonable care and skill”. We consider that a court could find that the implied term could potentially require a firm to take “reasonable” precautions to see that its IT system protections were reasonably robust and that staff were aware of the risk of this type of fraud. Therefore, we consider that it would be helpful, from a defence perspective, if firms could evidence that they had taken steps to seek to ensure that their IT systems were robust, and that staff were aware of, and had been trained in relation to, payment diversion fraud, including risk mitigation steps that could be taken in relation to it. This could be done by firms maintaining logs recording actions taken as regards protecting their IT systems and when training was given to staff in relation to these types of issues.

It may be that a court could find that the client should be adequately warned about the threat of these types of fraud, including that any changes to the firm’s bank details would not be confirmed via email. That is particularly the case where there is guidance from the CLC to this effect.

However, it seems to us that it is possible to seek to allocate who should bear responsibility for loss in the event this form of fraud is perpetrated. For example, a firm’s terms of business could clearly highlight that these types of fraud are prevalent and that the firm will never communicate changes to its bank account details by email and include a provision that the firm will not be liable if this type of fraud is perpetrated. Any attempt to limit or exclude liability would have to be reasonable and clearly brought to the client’s attention.

Causation 

It is possible to raise causation defences to claims against firms where the client was warned by their bank that the new account details may be suspicious and/or the name of the account doesn’t match the name of the firm.

Contributory negligence 

Even if there is not a complete causation defence to a claim, it may be that any failure on the part of the client could give rise to a contributory negligence defence, which, if successful, would reduce any damages payable.

Top tips

Of course, it is never possible to guarantee that a firm can avoid liability in the event a client is subject to this type of fraud. However, we consider that the following practical steps would assist firms in the defence of claims arising from these types of fraud being perpetrated.

  1. Seek to ensure that the firm’s IT systems are sufficiently protected.
  2. Keep a log of actions taken as regards protecting the firm’s IT systems.
  3. Ensure that all staff are trained / alert to the issue of payment diversion fraud and keep a training log recording this. 
  4. At the outset of a matter, highlight to the client the risk of payment diversion frauds.
  5. Include provisions in terms of business seeking to exclude liability for claims where there has been a payment diversion fraud and ensure that provision is clearly brought to the client’s attention. 
  6. Include notices on all correspondence that changes of bank details will never be communicated by email. 

Further information

Given the generality of the note, it should not be treated as specific advice in relation to a matter as other considerations may apply. Therefore, no liability is accepted for reliance on this note.

If specific advice is required, please contact Miller’s Phil Limb or Sam Moore of Caytons who will be happy to help.