Cass. com., 2 October 2024, no. 23-13282
In a ruling dated 2 October 2024, the Court of Cassation reiterated the scope of the duty of vigilance incumbent upon banks in matters of CEO fraud. This sophisticated fraud technique, involving the impersonation of company executives, raises crucial legal questions for banking institutions. This article details the facts, the court decisions, and the consequences for banks.
What is CEO fraud?
CEO fraud is a form of cybercrime in which fraudsters impersonate executives in order to convince employees to carry out fraudulent wire transfers. In this case, an accountant at a company transferred over two million euros to a company based in Hong Kong, acting on orders apparently emanating from the managing director.
Between 11 and 22 December 2017, seven wire transfers were made from the bank account of the victim company, held at CIC NORD OUEST, for a total amount of 2,121,903.81 euros in favor of a company based in Hong Kong. The fraud was carried out through the impersonation of the company’s managing director.
The victim company then sued its bank to obtain reimbursement of the transferred sums.
The decision of the lower courts
The Douai Court of Appeal, in a ruling dated 12 January 2023 (CA Douai, ch. 2 sect. 1, 12 Jan. 2023, no. 21/00022), classified these wire transfers as “authorized transactions,” thereby excluding the application of articles L. 133-18 and L. 133-24 of the French Monetary and Financial Code. However, the bank was found liable for breach of its duty of vigilance, based on the general principles of civil liability. The Court of Appeal considered that the victim company had contributed to its own loss to the extent of 50%.
Legal analysis: the bank’s duty of vigilance
The Court of Cassation reiterates certain principles of the bank’s duty of vigilance.
1. Criteria for identifying apparent anomalies
The judges highlighted anomalies in the payment orders: high amounts, unusual frequency, and a recipient located abroad.
In detail, the Court of Cassation noted that “the company established that it had made almost no wire transfers exceeding 100,000 euros and did not make wire transfers to companies located in China; the ruling found that the disputed wire transfer orders, by their close and repeated nature, by the time of year at which they occurred, their high amounts compared to the orders usually given, and by the fact that they were made in favor of companies that were not part of the company’s business relationships and located outside the usual scope of its activity, should have prompted the bank to inquire about their validity directly with the supposed managing director.”
These elements should have prompted the bank to carry out additional verifications.
2. Obligation to confirm with the managing director
In this case, the bank had merely called the accountant, who was the direct point of contact for the fraudsters, which could not be sufficient, as she was not the person authorized to validate the wire transfers.
The Court of Cassation considers that the bank should have verified the orders directly with the managing director, the only person authorized to validate them. The mere consultation of an unauthorized employee is considered negligent conduct on the part of the bank.
Lessons for companies that are victims of CEO fraud
For a company, the consequences of CEO fraud can be devastating. Here are the key lessons to draw in the context of a legal action against its bank:
– it is important to demonstrate the characteristics of the account’s usual operating patterns, by producing statements and, if necessary, establishing a statistical analysis that provides the judge with an analytical framework for their assessment,
– if the victim company invokes unauthorized transactions and, consequently, the application of the specific provisions of the French Monetary and Financial Code, it is essential to provide an alternative argument based on the bank’s duty of vigilance. However, it should be borne in mind that, unlike the restitution mechanism provided for by the provisions of the French Monetary and Financial Code, application of the duty of vigilance framework may lead to a sharing of liability.
The other lesson from this decision for victim companies is that it is crucial to establish clear processes within their accounting department and to precisely define, both internally and in their contractual relationships with their banks, the role and authorization of each person involved in the preparation and transmission of wire transfer orders, so that the bank contacts the relevant person in the event of fraud.

