Acquitted by the Supreme Court

The Norwegian Supreme Court has recently delivered judgment in a liability case in which the CEO of an energy company was induced by scammers into transferring approximately NOK 130 million. The company claimed that the bank was liable, a view upheld by both the District Court and the Court of Appeal.

The bank was, however, recently cleared of the claim by the Supreme Court. The judgment contains key statements on the threshold for liability for authorized transactions.

CEO fraud

CEO fraud is a specialized form of fraud in which the key factor is social manipulation. The extent of damage caused by CEO fraud can be existentially threatening for businesses. Fraud where banks are held liable occurs in several forms.

One example is when a fraudster pretends to be in a management position in an organization in order to seek financial gain. This can lead to an unauthorized payment transaction, for which the bank is generally liable.

Another example is when a fraudster pretends to be someone else within the company or group in order to deceive a manager into carrying out a transaction that the manager was authorized to perform. In that case the transaction is authorized or approved by the manager themselves. The bank is not liable for such transactions, as the person in the leadership position typically has the authority to carry them out. This applies particularly under the consumer regulations.

Serious consequences

CEO fraud can cause major financial consequences, first and foremost, for the company itself. Depending on the circumstances, it can also seriously impact the bank. The bank's liability is impacted by whether or not the payment is regarded as an authorized transaction.

On the question of the bank's liability for approved transactions, the key assessment factors are what the agreement regulates, whether the bank has complied with its duty of loyalty, and whether there is a standard within the sector that gives the bank's customers an expectation of protection.

New decision by the Supreme Court

The liability question arising from CEO fraud was recently addressed by the Supreme Court in its judgment of May 31st, 2024.

The question was whether the bank could be held liable for damages of approximately NOK 130 million, caused by a transfer the CEO of a Norwegian company was induced to make. The CEO had received an inquiry from what he believed to be the group's CEO, requesting assistance in the acquisition of a company in China. The CEO arranged the raising of capital from the parent company and settled the transaction through the company's bank to the alleged seller in China.

In this specific case, the previous Norwegian Financial Contract Act was applicable. As this act only regulated liability for unauthorized transactions, the question was whether the bank was liable for damages under non-statutory law.

The Supreme Court ruled that during the time of the damage, the law, regulations, and directives did not mandate the bank to implement systematic measures against the risk of fraud in authorized transactions.

Additionally, it was found that the framework agreement governing the banking relationship did not place any specific obligations on the bank to monitor payment decisions made by customers in order to prevent internal or external fraud.

Lastly, the Supreme Court concluded that there was no evidence of an industry standard that would hold the bank liable in this particular case.

The bank's duty to its customers – Strict professional standards

In general, a customer can manage their funds and accounts as they wish. However, banks are required to have systems and control mechanisms for operational and security risks associated with the provision of payment services.

There is a strict non-statutory standard of care for professionals, which also applies to payment services.

The company's responsibilities

One consequence of the judgment is that companies that fall victim to fraud will be liable for the loss themselves. This holds even if the bank would have been able to stop the transactions by exercising additional due diligence.

Even if the bank were found liable for damages, the claim would likely be reduced as a result of the injured party's own contribution to the loss. It is therefore of great importance for companies to organize themselves in the best possible way in order to detect fraud and reduce the extent of the damage it causes.

FAQ

  • Stipulate contractual liability in cases where legislation does not regulate the relationship.
  • Incorporate good routines and processes that can detect fraud attempts, including solid KYC processes that ensure that deviations in the customer's expected patterns are quickly picked up. 
  • Invest in electronic monitoring systems that can detect deviations in customer behaviour.
  • Ensure good internal and external communication around fraud indicators, as well as providing information to the customer about who to contact when an incident occurs.
  • If fraud is suspected, contact the customer and obtain the necessary information to remove the suspicion. 

The Supreme Court ruled that a bank customer who was the victim of fraud, could not base a claim for damages on a breach of the anti-money laundering rules alone. The Anti-Money Laundering Act is meant to prevent and detect money laundering and terrorist financing, and cannot be used as an independent basis for liability for fraud.

However, the regulations could potentially impact the due diligence assessment in combination with other breaches. The Court of Appeal was divided on this issue, with the majority finding that banks subject to the Anti-Money Laundering Act had a special responsibility to prevent crime. The Supreme Court's clarification provides guidance for banks facing similar situations.

  • Comply with legal requirements when establishing customers and ensure that the necessary KYC information is obtained.
  • Ensure that the business-oriented risk assessment is up to date and correctly identifies the risk in the business.
  • Implement risk-based customer measures and ongoing follow-up in accordance with legal requirements and criteria identified in the business-oriented risk assessment.
  • Incorporate proper routines that ensure risk-based customer measures and have electronic monitoring systems that detect deviations in customer behaviour.
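The two lists above both call for electronic monitoring that detects deviations from a customer's expected payment pattern and for contacting the customer when fraud is suspected. The following is an added illustration, not code from the article or from any bank's systems, of what such a rule-based screen can look like: each new payment instruction is compared with the customer's own history and, when several independent deviations coincide (new beneficiary, new country, an amount far above the customer's typical level, or a very large absolute amount), it is held for out-of-band confirmation rather than released. The customer name, account numbers, amounts and the thresholds are all constructed for the example.

```python
"""Rule-based payment screening against a customer's own history.

Added example (not from the original article). All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import median

# Thresholds are assumptions chosen for illustration, not regulatory values.
OUTLIER_FACTOR = 5          # amount more than 5x the customer's median payment
ABSOLUTE_HOLD_NOK = 10_000_000  # any single payment above this is always held


@dataclass(frozen=True)
class Payment:
    customer: str
    beneficiary_account: str
    country: str          # ISO country code of the beneficiary bank
    amount_nok: float


# Constructed payment history for one hypothetical corporate customer.
HISTORY = [
    Payment("acme-energy-as", "NO12 1111 1111 111", "NO", 180_000),
    Payment("acme-energy-as", "NO12 1111 1111 111", "NO", 220_000),
    Payment("acme-energy-as", "SE45 2222 2222 222", "SE", 310_000),
    Payment("acme-energy-as", "NO12 1111 1111 111", "NO", 200_000),
    Payment("acme-energy-as", "DK78 3333 3333 333", "DK", 95_000),
]


def assess_payment(new: Payment, history: list[Payment]) -> list[str]:
    """Return the list of deviations a new instruction shows against history.

    Flags are appended in a fixed order so results are easy to compare.
    """
    past = [p for p in history if p.customer == new.customer]
    flags: list[str] = []
    if not past:
        # Nothing to compare against: the instruction cannot be judged "normal".
        flags.append("no-history")
    else:
        if new.beneficiary_account not in {p.beneficiary_account for p in past}:
            flags.append("new-beneficiary")
        if new.country not in {p.country for p in past}:
            flags.append("new-country")
        typical = median(p.amount_nok for p in past)
        if new.amount_nok > OUTLIER_FACTOR * typical:
            flags.append("amount-outlier")
    if new.amount_nok > ABSOLUTE_HOLD_NOK:
        flags.append("amount-large")
    return flags


def decision(flags: list[str]) -> str:
    """Hold for a call-back to a known contact when deviations coincide.

    A single deviation (e.g. a first payment to a new supplier) is normal
    business; two or more at once, an unknown customer, or a very large
    amount justify confirming the instruction with the customer first.
    """
    if "no-history" in flags or "amount-large" in flags or len(flags) >= 2:
        return "hold-for-callback"
    return "release"


if __name__ == "__main__":
    # A routine payment and a CEO-fraud-like instruction, both constructed.
    routine = Payment("acme-energy-as", "NO12 1111 1111 111", "NO", 210_000)
    suspicious = Payment("acme-energy-as", "CN99 0000 0000 000", "CN", 130_000_000)
    for p in (routine, suspicious):
        flags = assess_payment(p, HISTORY)
        print(f"{decision(flags):18} {flags} {p.amount_nok:,.0f} NOK -> {p.country}")
```

The point of the "hold" outcome is the step the list above describes as contacting the customer: the confirmation must go to a contact established independently of the payment instruction (a number already on file), since the person who sent the instruction may be the fraudster.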

Because artificial intelligence (AI) is making it increasingly difficult to distinguish between reality and fiction, the most important thing a company can do is revert to the very basic principles of online behavior.

Be aware of what information is openly available online, e.g. email addresses and phone numbers on the company's website. This information can be misused if publicly available.

One form of abuse is targeted attacks against a single person. Another is "typosquatting", where the email address is changed so as to be almost indistinguishable from the original. A third form is "spoofing" of phone numbers.
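Typosquatted sender addresses are the one item in this list that a mail gateway can check mechanically. The following is an added example, not code from the article, of such a check: the sender domain is folded into a canonical form (lower case, accents stripped, common look-alike characters such as "1"/"l", "rn"/"m" and Cyrillic letters mapped to their Latin twins) and then compared with the company's own domain, so that an address that merely resembles the real one is flagged as a look-alike instead of being trusted. The company domain `example-energy.no`, the sample headers and the similarity threshold are all constructed for the example.

```python
"""Flag e-mail senders whose domain imitates the company's own domain.

Added example (not from the original article). The company domain and the
sample From: headers below are constructed for illustration.
"""
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Hypothetical company domain; a real deployment would use its own.
TRUSTED_DOMAINS = {"example-energy.no"}

# Character sequences commonly swapped to build look-alike domains.
# Multi-character entries come first so "rn" is folded before single letters.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),  # Cyrillic а е о
    ("\u0440", "p"), ("\u0441", "c"), ("\u0445", "x"),  # Cyrillic р с х
]

# Above this ratio a non-trusted domain is treated as an imitation (assumed value).
SIMILARITY_THRESHOLD = 0.85


def normalize_domain(domain: str) -> str:
    """Map a domain to a canonical form so visually similar spellings collide."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    # Drop accents and diacritics: "exámple" -> "example"
    d = "".join(c for c in unicodedata.normalize("NFKD", d)
                if not unicodedata.combining(c))
    for glyph, plain in HOMOGLYPHS:
        d = d.replace(glyph, plain)
    return d


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a From: header."""
    # parseaddr separates the display name from the real address, so a header
    # such as 'Group CEO <someone@other.example>' is judged on the address,
    # not on the name the sender chose to show.
    _display, address = parseaddr(from_header)
    if "@" not in address:
        return "invalid"
    domain = address.rsplit("@", 1)[1].lower()
    if not domain:
        return "invalid"

    # Exact match, or a genuine subdomain, of a trusted domain.
    for t in TRUSTED_DOMAINS:
        if domain == t or domain.endswith("." + t):
            return "trusted"

    norm = normalize_domain(domain)
    for t in {normalize_domain(x) for x in TRUSTED_DOMAINS}:
        # Same spelling after homoglyph folding, or the trusted name embedded
        # in a longer domain the company does not control.
        if norm == t or norm.endswith("." + t) or t in norm:
            return "lookalike"
        # Small edits elsewhere, e.g. a swapped top-level domain.
        if SequenceMatcher(None, norm, t).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers (not from the article).
    samples = [
        "ceo@example-energy.no",
        "Group CEO <ceo@examp1e-energy.no>",
        "ceo@exarnple-energy.no",
        "ceo@example-energy.com",
        "Group CEO <ceo@gmail.example>",
    ]
    for s in samples:
        print(f"{classify_sender(s):10} {s}")
```

The substring rule (trusted name embedded in a longer domain) is deliberate but would over-flag for very short company domains, and the 0.85 threshold is a starting point to tune against the organisation's real correspondents; a "lookalike" verdict is a reason to warn the recipient or hold the message, not proof of fraud.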

The company should ensure awareness of the security hole created by employees being present and active on social media. Who can see the profiles of people in key positions in the company on social media, their education, background and experience, or other information related to the company? All information that is openly available online can be compiled and used in social manipulation by email, phone or other media.

Another important factor in raising the level of real preparedness in day-to-day operations is to practice real situations and discuss the ways in which the company can be exposed to incidents. Our professionals offer customized and interactive exercises, where your company can practice and discuss real scenarios based on actual events.

The exercises are supplemented by insights into global trends and topics, relevant to your company. This provides you with the prerequisites necessary for identifying future attacks.

The single most important factor is knowledge, and being aware of what can be manipulated. This helps you switch on the warning lights once the manipulated phone call or email comes your way.

Based on experience, it is common for individuals who have been manipulated to have had a sense that something was not quite right. This highlights the importance of discussing the available options and expected behavioral patterns in situations where time pressure is perceived. Social manipulation is often difficult to detect until it has already taken hold of an individual's beliefs. Therefore, regular exercises tailored to the specific work areas of a company are crucial in preventing such situations.

The cross-border and decentralised nature of virtual currency makes it a preferred tool for fraud. Large sums of money can quickly cross national borders and at the same time create challenges for police and the judiciary in terms of tracking and seizing the funds.

The Association of Certified Fraud Examiners recently published "Occupational Fraud: A Report to the Nations 2024". The report surveyed companies that have been victims of financial crime, and the results showed that 4% of the cases involved cryptocurrency.

Of these, 47% were related to embezzlement/financial cheating and 33% to corruption. The extent of cryptocurrency-related fraud in Norwegian businesses is unclear, other than to assume that there are large unreported figures due to the inherent properties of cryptocurrency.

Not every fraud can be detected. Sooner or later, incidents will occur that need to be dealt with, and when that happens it will most likely be necessary to seek assistance. We have a large team of specialists with a broad spectrum of expertise in incident management in the aftermath of security breaches.

We can help you detect what has happened, and identify how your company's data and day-to-day operations can be restored as quickly as possible. We will also help you uncover what information has gone astray, and manage it in line with applicable data protection requirements.

A clear trend shows that companies must increase their preparedness to avoid fraud. The requirements for companies to prevent and detect fraud and similar crime are also being tightened outside Norway's borders. The latest in a series of so-called ‘failure to prevent’ frameworks will come into force in the UK as a result of last autumn's adoption of the Economic Crime and Corporate Transparency Act 2023.

More about the framework

Under this legislation, large companies could be penalised if a connected person (such as an employee, agent or subsidiary) commits an act of fraud that is intended to benefit the company or others to whom the connected person provides services on behalf of the company. This will apply regardless of whether the management of the company has or has had knowledge of the act. The Act also applies even if the company and the associated person are based outside the UK, and consequently the regulations may have an impact on Norwegian businesses.

In order to avoid prosecution under the regulations, the company must be able to show that there is a ‘reasonable procedures defence’ - i.e., that at the time of the fraud there were reasonable procedures in the company to prevent this type of fraud from occurring. The UK government is expected to publish guidance that will clarify the term before the law comes into force.
