Gerber v PSG Wealth Financial Planning (Pty) Ltd (36447/2021) [2023] ZAGPJHC 270 (23 March 2023)

80 Reportability
Contract Law

Brief Summary

Contract — Cybercrime — Duty of care — Plaintiff suffered financial loss due to fraudulent email instructions resulting in the transfer of funds to a fraudster's account — Defendant, an investment company, failed to verify the legitimacy of the new bank account despite clear warning signs from verification checks — Court held that the defendant had a duty to employ reasonable procedures to protect against cybercrime and was liable for the loss sustained by the plaintiff.

Comprehensive Summary

Summary of Judgment


Introduction


The proceedings were an action for contractual damages arising from the electronic transfer of investment funds from the plaintiff’s portfolio (managed and administered by the defendant) into a bank account controlled by a fraudster following a Business Email Compromise (BEC) / hacking incident.


The parties were Jan Jacobus Gerber (plaintiff), an investor whose share portfolio was managed by the defendant, and PSG Wealth Financial Planning (Pty) Ltd (defendant), a financial services provider operating through a representative, Mr Jonathan Fisher, and his personal assistant, Ms Jocelyn van Stavel.


The matter proceeded as a trial in the Gauteng Local Division, Johannesburg, before Fisher J, with the hearing on 17 January 2023 and judgment delivered on 23 March 2023. The plaintiff claimed repayment of amounts transferred to the fraudster together with associated charges and interest. The defendant opposed the claim on the basis of contractual defences (including an alleged tacit term) and an alternative defence of estoppel.


The general subject-matter concerned the allocation of loss where both contracting parties are victims of cybercrime, specifically whether the defendant had complied with its contractual duties (including duties incorporated via the General Code of Conduct) to protect the plaintiff against fraud when effecting payments on instructions received by email.


Material Facts


The plaintiff had maintained a share portfolio with the defendant for more than a decade. By September 2019, his investments held with the defendant totalled R855 413, consisting of shares and cash. Although capable of liquidation on request, the portfolio’s purpose was to serve as a retirement fund for the plaintiff and his wife. The account was a discretionary account, meaning the defendant’s representative could conduct ordinary buying and selling and reinvest dividends, while the plaintiff’s direct interaction with the defendant was infrequent.


The relationship was uneventful until a sequence of emails sent between 3 October 2019 and 5 November 2019. On 3 October 2019, an email that appeared to originate from the plaintiff requested an unusual withdrawal: liquidation and payment of R250 000, being more than a quarter of the portfolio, which was inconsistent with the plaintiff’s historical conduct. The same email stream also sought a change of banking details from the plaintiff’s longstanding Nedbank account to an FNB account.


Mr Fisher responded by return email and noted that the bank account differed from that on record. He requested a current FNB bank statement as verification. In reply, an email provided not a bank statement but a document purporting to be an FNB letter dated 30 September 2019, apparently stamped, asserting that the account belonged to the plaintiff and stating (incorrectly, as later became relevant) that the account had been opened in 2002.


Within the defendant’s business structure, central client services were available (including bank-account verification, account control and payments), described as functioning materially to protect against BEC fraud. On 4 October 2019, Ms van Stavel, on Mr Fisher’s instruction, asked central client services to verify and load the “new” account. The verification process failed. The information disclosed to Mr Fisher and Ms van Stavel included that the identity linked to the account did not match the client details, that the account was not more than three months old, and that the phone number and email address linked to the account were not “valid”. Central client services also reported that FNB was not willing to confirm telephonically that the account belonged to the plaintiff. It further stated that it had identified a risk and would not accept liability for payment into the account, requiring confirmation from Ms van Stavel that payment should nevertheless be made at the defendant’s risk.


Despite these warnings, the defendant proceeded. Ms van Stavel emailed the plaintiff’s email address seeking confirmation that the account belonged to him, and the response from the hijacked email account confirmed that payment should be made into the nominated account. A telephone call occurred on 8 October 2019, in which Ms van Stavel informed the plaintiff that “the money” would be paid into his account that day. The plaintiff responded “goed so”, but it was common cause that he did not know what she referred to, and that he had no knowledge of the payment instruction or payment. The first payment of R250 000 was then made into the fraudulent FNB account.


The fraud continued. On 15 October 2019 a further email from the plaintiff’s address thanked Ms van Stavel and requested an additional payment. On 18 October 2019, payment was again made into the fraudulent account, wiping out most of the plaintiff’s investment. The judgment records that the total paid into the fraudulent account was R800 000 (comprising R250 000 and R550 000).


Subsequent email requests were made for investment statements and then for withdrawal of R400 000 from the plaintiff’s wife’s investment account, accompanied by a similar purported bank confirmation letter. Ms van Stavel testified that this later email “didn’t look right” due to language and syntax. Mr Fisher, having also heard from a colleague about a similar hacking incident, contacted Mrs Gerber, who denied knowledge of the transaction and referred him to the plaintiff. The plaintiff similarly confirmed he knew nothing of the transactions. It then became apparent that the parties had been duped.


A later investigation revealed that the plaintiff’s Microsoft Outlook email account had been hacked, with the relevant correspondence diverted into a separate file so that it did not appear in the inbox and outbox.


As to quantum, the plaintiff initially included a claim relating to dividends lost due to liquidation of shares, but during proceedings conceded that he would seek only the amount paid into the fraudulent account together with the defendant’s commission and fees and interest.


Legal Issues


The central legal questions were whether the defendant was contractually liable for the loss sustained after it paid out the plaintiff’s funds to a fraudster, and whether any contractual or equitable defences excused that liability.


Within contract, the principal issues were whether a tacit term formed part of the parties’ agreements to the effect that the defendant would not be liable where hacking occurred due to the plaintiff’s negligence, and (if no such term existed) whether the defendant had complied with its express contractual obligations, including obligations incorporated via the General Code of Conduct for Financial Service Providers and Representatives, in particular section 11.


In the alternative, the defendant raised estoppel, relying on two alleged grounds: first, that the plaintiff’s negligence facilitated the fraud because his system was hacked; and second, that the plaintiff’s response (or non-response) during the 8 October 2019 telephone call created an impression that the payment instruction was authorised.


The dispute therefore involved questions of law (the requirements for importing tacit terms; the doctrinal limits of estoppel by negligence), and the application of law to largely common-cause facts (whether the defendant’s conduct met contractual standards; whether the factual elements of estoppel were established).


Court’s Reasoning


The court located the claim primarily in contract. It accepted as common cause that the contractual relationship consisted of two written agreements (an Advice Agreement and a Product Agreement) governing management of the portfolio and financial advice. It was also not in dispute that the agreements imposed a duty on the defendant to protect the plaintiff against gross negligence and fraud, and that the General Code of Conduct was expressly incorporated into the contractual relationship. The court emphasised section 11 of the Code, requiring a provider to have and effectively employ resources, procedures, and appropriate technological systems reasonably expected to eliminate, as far as reasonably possible, the risk of financial loss through theft, fraud, negligent administration, and related misconduct or omissions.


Tacit term


The court treated the alleged tacit term as pivotal because it sought to qualify the defendant’s admitted fraud-protection obligation by shifting the risk of cybercrime to the client where hacking occurred through the client’s negligence. The court restated that a tacit term must derive from the parties’ common intention inferred from express terms and surrounding circumstances, and that a tacit term cannot be imported where the parties have made express provision on the question.


Applying the officious bystander test, and considering the surrounding context of widespread cybercrime in financial services, the court concluded that importing a proviso that the client carries the duty to prevent hacking would be counter-intuitive given the express contractual protection and the nature of the services for which the defendant was remunerated. The court also applied the principle that the proposed tacit term must be capable of precise formulation, and held that, given the technical complexity of hacking and the evolving nature of cybercrime, the defendant’s proposed term lacked the required clarity and precision.


On the evidence, the court further held that it was not for the plaintiff to prove he took all steps to protect his email. Since the defendant relied on the tacit term, the burden rested on it to formulate the term and establish the steps required by it and their breach. The court found the discrepancy between the plaintiff and his wife’s evidence about where a password was kept to be immaterial, because the hacking was not alleged to be physical access but rather remote, virtual compromise.


The court therefore found that the defendant failed to prove the tacit term, making it unnecessary to consider breach and causation under that alleged implied obligation.


Compliance with express contractual obligations


Having rejected the tacit term, the court turned to whether the defendant complied with its express duties. On the facts, it held that the defendant did not. The court stressed that the defendant’s own checking machinery produced a failed verification result and clear risk indicators, and that central client services expressly declined to bear the risk and required the defendant to accept responsibility if it insisted on payment.


The court found it significant that the defendant proceeded notwithstanding these warnings, and notwithstanding that Mr Fisher’s request for a bank statement was not complied with. The court stated that the information conveyed by client services should have triggered more careful scrutiny of the purported verification letter. A key anomaly was that verification indicated the account was less than three months old, while the letter claimed it was opened in 2002. The failure to detect and respond to this discrepancy demonstrated insufficient care, and the court held that taking the letter at face value, in the face of contradictory verification information, did not constitute taking steps to protect the funds against fraud.


The court treated the proximate cause of the loss not as the mere fact of hacking, but the defendant’s failure to apply the contractually required vigilance and systems when asked to make payments into a new account.


Estoppel


The court then considered estoppel. It restated the general requirements: a representation by words or conduct, reliance by the representee, action on that representation, and prejudice if the representor is permitted to deny its truth.


On the first basis (plaintiff’s negligence facilitating hacking), the court held that this amounted to reliance on the facilitation theory, which has long been rejected as too broad. It relied on authority stating that such matters must be decided under ordinary principles of estoppel by negligence, with fraudulent intervention as a factor in assessing proximate causation and foreseeability, rather than as a dispositive rule that whichever innocent party “enabled” the fraud must bear the loss.


The court considered the defendant’s reliance on Mosselbaai Boeredienste (Pty) Ltd v OKB Motors CC but distinguished it. In that case there was direct evidence of internal compromise and poor password practices on the relevant system, and there was no contractual protection comparable to the present case. The court held that Mosselbaai was not authority for a general rule that the party from whose system the fraud emanated must bear the loss. In the present case the court held that the defendant did not establish that the plaintiff did or failed to do anything that resulted in the hacking, and it was at least equally probable that relevant information could have been obtained from the defendant’s side. The court also reasoned that the plaintiff owed no duty, within this contractual setting, to protect his system in the manner contended for; rather, the contract placed the anti-fraud duty on the defendant.


On the second basis (the 8 October 2019 telephone call), the court rejected the characterisation of the call as a confirmation call for new banking details. On the evidence, the call was described as a courtesy call, in which the plaintiff was told money would be paid into his account. The court held that this could not reasonably be construed as the plaintiff making a clear and unequivocal representation that a withdrawal and payment into new FNB account details was authorised. The court also applied principles relating to representation by conduct, focusing on whether the representor should reasonably have expected the representee to be misled and whether the representee acted reasonably in construing the conduct as a representation. The defendant did not satisfy these requirements on the facts.


Accordingly, both estoppel defences failed.


Outcome and Relief


The court upheld the plaintiff’s contractual claim and rejected the defendant’s defences based on a tacit term and estoppel.


The defendant was ordered to pay R811 488.98 to the plaintiff, comprising the amounts paid into the fraudulent FNB account and the commission and fees charged by the defendant. The defendant was further held liable for interest at the statutorily prescribed rate on R250 000.00 from 8 October 2019 (the date of the first payment) and on R561 488.98 from 18 October 2019 (the date of the second payment, with the latter amount comprising the second payment and commission/fees as stated in the order).


The defendant was ordered to pay the costs of suit.


Cases Cited


Hawarden v ENS (case number 13849/2020, Gauteng Local Division, Johannesburg, judgment delivered 16 January 2023)


Jurgens and Another v Volschenk (4067/18) [2019] ZAECPEHC 41 (27 June 2019)


Fourie v Van der Spuy and De Jongh Inc. and Others [2019] JOL 45848 (GP)


Alfred McAlpine & Son (Pty) Ltd v Transvaal Provincial Administration 1977 (4) SA 310 (T)


Airways Inc v South African Fire and Accident Insurance Co Ltd 1965 (3) SA 150 (A)


South African Mutual Aid Society v Cape Town Chamber of Commerce 1962 (1) SA 598 (A)


Alfred McAlpine & Son (Pty) Ltd v Transvaal Provincial Administration 1974 (3) SA 506 (A)


Wilkins NO v Voges [1994] ZASCA 53; 1994 (3) SA 130 (A)


Techni-Pak Sales (Pty) Ltd v Hall 1968 (3) SA 231 (W)


Reigate v Union Manufacturing Co (Ramsbottom) Ltd and Elton Cap Dyeing Co Ltd [1918] 1 KB 592 (CA)


Desai and Others v Greyridge Investments (Pty) Ltd 1974 (1) SA 509 (A)


Maartens v Pope 1992 (4) SA 883 (N)


Oakland Nominees (Pty) Ltd v Gelria Mining & Investment Co (Pty) Ltd 1976 (1) SA 441 (A)


Union Government v National Bank of South Africa Ltd 1921 AD 121


Grosvenor Motors (Potchefstroom) Ltd v Douglas 1956 (3) SA 420 (A)


Connock’s (S.A.) Motor Co Ltd v Sentraal Westelike Ko-operatiewe Maatskappy Bpk 1964 (2) SA 47 (T)


O K Bazaars (1929) Ltd v Universal Stores Ltd 1973 (2) SA 281 (C)


Mosselbaai Boeredienste (Pty) Ltd v OKB Motors CC 2021 3DR 3059 (FB)


Lillicrap, Wassenaar and Partners v Pilkington Brothers (SA) (Pty) Ltd 1985 (1) SA 475 (A)


Southern Life Association Ltd v Beyleveld NO 1989 (1) SA 496 (A)


Concor Holdings (Pty) Ltd t/a Concor Technicrete v Potgieter 2004 (6) SA 491 (SCA)


Legislation Cited


General Code of Conduct for Financial Service Providers and Representatives, section 11


Rules of Court Cited


No rules of court were cited in the judgment.


Held


The court held that the defendant’s contractual obligations, including those arising from the incorporation of the General Code of Conduct, required it to have and effectively employ adequate procedures and technological systems to eliminate, as far as reasonably possible, the risk of client financial loss through fraud. On the facts, the defendant failed to meet these obligations when it proceeded with payment into a newly nominated bank account despite failed verification checks, identified risk indicators, and the refusal of central client services to accept liability.


The court held further that the defendant failed to prove the alleged tacit term that would shift responsibility to the plaintiff to prevent hacking of his system, and that there was no basis to import such a proviso into express fraud-protection provisions, particularly in a context where cybercrime was a known risk contemplated by the contractual framework.


The court also held that the defendant’s estoppel defences were not established. The “facilitation” approach was rejected as too broad, and the defendant did not prove that the plaintiff’s conduct or negligence caused the hacking or that the plaintiff owed a duty to prevent it within the contractual scheme. The telephone call did not amount to a clear and unequivocal representation authorising the withdrawals or confirming the new banking details.


LEGAL PRINCIPLES


A tacit term forms part of a contract only where it can be inferred from the common intention of the parties as derived from the express terms and the surrounding circumstances. A tacit term cannot be implied where the parties have made express provision on the subject-matter sought to be covered by implication.


The officious bystander test is applied to determine whether a tacit term may be implied, requiring that the term be so obvious that both parties would have agreed to it as a matter of course had it been raised at the time of contracting. In addition, any proposed tacit term must be capable of precise formulation, and where there is difficulty or doubt about its content or extent, the inference of common intention fails.


Where contractual obligations expressly require a party (here, a financial services provider) to employ resources, procedures, and technological systems to reduce the risk of fraud-related loss, the relevant inquiry is whether the party’s conduct demonstrates effective employment of those safeguards in response to risk indicators, including failed verification results and anomalies in purported supporting documentation.


In estoppel by negligence cases involving fraud by a third party, the broadly framed “facilitation theory” (that the party who enabled the fraud must bear the loss) is not a rule of South African law. Estoppel must be determined under ordinary requirements, including whether the conduct of the party sought to be estopped proximately caused the other party’s mistaken belief and whether such result was reasonably foreseeable.


A representation for purposes of estoppel must be clear and unequivocal, and in cases of representation by conduct the assessment includes whether the representor should reasonably have expected the representee to be misled and whether the representee acted reasonably in construing the conduct as a representation.

About SAFLII
Databases
Search
Terms of Use
RSS Feeds
South Africa: South Gauteng High Court, Johannesburg
SAFLII
>>
Databases
>>
South Africa: South Gauteng High Court, Johannesburg
>>
2023
>>
[2023] ZAGPJHC 270
|

|

Gerber v PSG Wealth Financial Planning (Pty) Ltd (36447/2021) [2023] ZAGPJHC 270 (23 March 2023)

Links to summary

FLYNOTES:
DUTY TO PROTECT AGAINST CYBERCRIME
CONTRACT
– Financial loss – Cybercrime – Universally
recognised as a scourge – Contractual obligations
to clients
– Client’s email hacked and funds paid out to
fraudster’s account – Duty to employ procedures
and
technological systems to eliminate threats as far as reasonably
possible – No scope to import a proviso that the
client has
the duty to prevent hacking – Investment company liable.
IN THE HIGH COURT OF
SOUTH AFRICA
GAUTENG LOCAL
DIVISION, JOHANNESBURG
Case No:
36447/2021
NOT
REPORTABLE
OF
INTEREST TO OTHER JUDGES
NOT
REVISED
In the matter between:
JAN
JACOBUS
GERBER
Plaintiff
And
PSG
WEALTH FINANCIAL PLANNING (PTY) LTD
Defendant
Coram:
FISHER J
Heard
:
17 January 2023
Delivered
:
23 March 2023
ORDER
I
make an order which reads as follows:
1.
The defendant is to pay the plaintiff the amount of R811 488.98;
2.
The defendant is liable for interest on such amount at the
statutorily prescribe rate on the amount of R250 000.00 from 8
October 2019 (being the date of the first payment) and on the amount

of R561 488.98 (which comprises the second payment of R550 000.00 and
the commission and fees of R11 488.96 charged by the defendant)
from
18 October 2019 (being the date of the second payment);
3.
The defendant is to pay the costs of suit.
JUDGMENT
Fisher J
[1]
This case involves a
claim in contract for loss sustained due to the electronic
transfer
of the plaintiff’s funds which were under the control of the
defendant into the bank account of a fraudster.
[2]
In this
technological age the regulation of financial relationships routinely

takes place by way of email. It has become common for these emails to
be accessed remotely by fraudsters and for the victim’s

computer system to be hijacked. This has become known as ‘hacking’
and the persons who commit this type of crime as
‘hackers.’
[3]
Types of hacking
include crude extortion using sophisticated destructive software

(known as malware) which is installed on the computer system remotely
with ransom then being sought the hackers for its removal;
corporate
espionage and money transfer fraud.
[4]
It has been
recognised by this court and others that this latter type of fraud,
which has become known as Business Email Compromise
(BEC) fraud, is
rife.
[1]
[5]
The crime is
typically committed in anonymity by means of remote engagement
using
the internet and other systems. It is usually of the nature of a
confidence trick – the perpetrators trick the person
who has
control over the transfer of rights in the money into believing that
the transfer into the account controlled by the fraudster
is in
accordance with legitimate instructions. Both parties are victims of
the fraud. The question is: Who should bear the loss
which it
occasions?
[6]
The application of
the settled legal principles in relation to determining
negligence in
claims in delict and the nature and scope of contractual
relationships can be complex in this esoteric cyberspace
where what
can and should have been be done to prevent the hacking of the system
is often difficult to determine.
[7]
It is helpful to
discuss the applicable principles with the material facts
in mind. I
thus move to deal first with these facts.
Material
facts
[8]
The plaintiff has a
share portfolio which has been managed by the defendant
for in excess
of a decade. The portfolio was managed by Mr Jonathan Fisher in his
capacity of representative of the defendant for
some years prior to
the events which led to this case.
[9]
As at September 2019
the plaintiff held investments with the defendant in a
total amount
of R 855 413. This amount was held in shares and cash and these
amounts could be liquidated and paid out in cash
to the plaintiff on
his request. The aim was however that the investment serves as
retirement fund for the plaintiff and his wife.
She also held a
portfolio in her own name.
[10]
Until the hacking incident, which took
place, over the period 03 October 2019 to 05 November
2019, the
relationship had been uneventful.
[11]
The account was a discretionary
account, meaning that the plaintiff put funds at the disposal
of Mr
Fisher who could operate on the account as he saw fit as far as the
reinvestment of dividends and the usual buying and selling
of shares
was concerned. The aim was obviously to get as high a return on these
share trades as possible so that the investment
grew.
[12]
It was thus not necessary that the
plaintiff have much, if any, personal contact with the defendant’s

staff or Mr Fisher. Such contact was rare. The dealings between the
parties entailed no more than a monthly statement being sent
via
email to the plaintiff setting out details of the brokerage activity
on the account.
[13]
On 03 October 2019 there was a
somewhat unusual request which appeared to emanate from the
plaintiff; the plaintiff sought the liquidation and payment of more
than a quarter of his portfolio. This was something that he
had never
sought in all the years that the account had been managed by the
defendant. As I have said, the purpose of the investment
was to fund
retirement.   The amount sought to be liquidated was R
250 000.
[14]
There was a further change alluded to
in the email; a change of bank details from the plaintiff’s

Nedbank account which had been on record for years to an account at
First National Bank (FNB).
[15]
Mr Fisher wrote back obligingly by
return email. He said all was in order with the withdrawal
and that
it would take three days for the funds to be made available. Mr
Fisher’s email was carbon copied to his personal
assistant Ms
Jocelyn van Stavel.
[16]
Mr Fisher noted pertinently in the
return email that the bank account mentioned was different
from that
which the defendant had on record for the plaintiff. He asked that a
current FNB statement be sent showing the new details.
Presumably
this was an attempt to verify that the account was not fraudulent.
[17]
An email was then forthcoming in
response. It did not contain a bank statement as requested.
Instead,
it contained a letter – ostensibly from FNB. The letter is
dated 30 September 2019 and appears to bear an official
bank stamp
reflecting that date. It purports to provide details of a bank
account held in the name of the plaintiff. It reflects
that the bank
account was opened in 2002 which would make it 17 years old. It
states that, if the reader, has any queries the writer
can be
contacted at a mobile telephone number provided. Ms van Stavel was
again copied in this response.
[18]
The PSG branches such as the plaintiff
are run on a franchise system. As part of the franchise
arrangement,
they are afforded the use of central client services provided by the
main PSG entity.  The central services include
bank account
verification checks and account control and payments. This facility
clearly has, as a main function, the protection
against BEC fraud.
[19]
On 04 October 2019 Ms van Stavel,
instructed by Mr Fisher, sent an email to central client services

asking that the plaintiff’s ‘new account’ be
verified and loaded so that payment could be made thereto.
[20]
A document which is indicated as being
from the Bank Verification Panel of PSG shows that the
search failed.
Details of the verification check disclosed to Mr Fisher and Ms van
Stavel inform that (i) the identity attached
to the account did not
match the client details; (ii) the account was not more than three
months old and (iii) neither the phone
number nor email address
attached to the account was ‘valid’.
[21]
This information notwithstanding,
there was a persistence as to the loading of the bank details.
Mr
Fisher and Ms van Stavel testified that these verification reports
were often unreliable and that thus that they were not regarded
as
conclusive evidence of a fraudulent account.
[22]
Client services furthermore conveyed
that, when asked, FNB was not willing to confirm telephonically
that
the account belonged to the plaintiff.
[23]
It was made clear that client
services had identified a risk attached to the account and
that
consequently it would not accept any liability which arose from
payment into the account. It thus required confirmation from
Ms van
Stavel that payment could indeed be made into the account at the risk
of the defendant.
[24]
Ms van Stavel, duly instructed by Mr
Fisher was undeterred. She next sent an email to the plaintiff’s

email address asking for his confirmation that the account was indeed
his and that payment could be made into his account. Unsurprisingly,

came the response from the hijacked email account that the payment
should indeed be made into the nominated account.
[25]
The first personal communication
between the parties occurred on 08 October 2019. Ms van Stavel

telephoned the plaintiff on his mobile phone. He was driving at the
time and on his way to a mining site where he was working.
She
merely informed him that ‘the money’ would be paid into
his account that day. He responded ‘goed so’
(‘that’s
fine’) – although he did not know to what she was
referring.
[26]
Ms van Stavel testified that
this was a ‘courtesy call’ to let him know that
the money
had been paid.
[27]
Later that day an email was sent from
the hijacked email account asking for proof of payment.
[28]
It is common cause that the plaintiff
had no knowledge of the payment.
[29]
The hackers had thus successfully
achieved payment of R250 000 of the funds from the plaintiff’s

account into the fraudulent account. They decided to continue with
the deceit.
[30]
On 15 October 2019, there was further
activity from the email address. An email was sent to
Ms van Stavel
thanking her for the previous successful transaction and requesting
an additional payment to the FNB account. The
email was copied to Mr
Fisher.
[31]
It was confirmed by Ms van Stavel per
return email that this would be done.
[32]
On 18 October 2019 there was a
communication from the plaintiff’s email address asking
when
payment would be made. The reply came from Ms van Stavel that it
would be forthcoming that same day.
[33]
Payment was again duly made into the
fraudulent account, thus wiping out most of the plaintiff’s

investment.
[34]
Emboldened by the success, the hacker
sought a further source of payment.   Ms van
Stavel was
asked for a statement for all the plaintiff’s investments. This
was duly forwarded.
[35]
Ms van Stavel, trying to be
helpful, inquired if the plaintiff wanted a statement relating
to his
wife’s portfolio as well. The answer came back in the
affirmative. There followed a request for a withdrawal of R400 000

from Mrs Gerber’s investment account.
[36]
On 05 November 2019, an email
was sent under cover of which a letter purporting to be
confirmation
of details of a banking account for the payment to Mrs Gerber. It had
a similar get-up to the previous letter.
[37]
Ms van Stavel testified that the email
of 05 November 2019 ‘didn’t look right’.
She
indicated that the language and syntax of the covering email was not
grammatically correct in Afrikaans, which she spoke fluently.
[38]
She thus approached Mr Fisher, who was
in his office, and indicated her disquiet. Mr Fisher
testified that
he had, by this stage, had a conversation with a colleague in the
same brokerage field who had related that hacking
had taken place in
relation to one of his clients in a similar way.
[39]
This insecurity led to a call being
made by Mr Fisher to Mrs Gerber. He asked her about the
liquidation
of the R400 000 investment of her portfolio. She indicated that
she knew nothing about it and referred Mr Fisher
to her husband.
[40]
In the meantime, telephonic contact
had been made with the plaintiff and he had confirmed that
he too
knew nothing of the requested transaction.
[41]
It finally dawned on all
concerned that they had been duped.
[42]
A subsequent investigation conducted
by the plaintiff some months later revealed that the plaintiff’s

Microsoft Outlook email account had been hacked. The emails to and
from PSG were diverted by the hacker to a separate file on the

account and thus did not feature in the inbox and outbox files. In
this way the selected correspondence remained hidden until it
was too
late.
[43]
Against this background I now turn to
examine the claim and the defences raised thereto.
[44]
The defendant seeks to import a tacit
term into the contract which it contends excludes its
liability. It
also denies, in any event, that it breached the express terms of the
contracts.
[45]
The defendant pleads an
alternative claim of estoppel. I will deal with the contractual

defences and the estoppel defence in turn.
The
claim and defences raised in contract
[46]
The claim is based on the alleged
breach of written contracts in terms of which the defendant
undertook
to manage the plaintiff’s share portfolio and provide financial
advice. The contractual relationship between the
parties comprises
two written agreements, an ‘Advice Agreement’ and a
‘Product Agreement’.
[47]
It is not in dispute that under the
express terms of these agreements the plaintiff had the
duty to
protect the plaintiff against gross negligence and fraud.
[48]
It is also not in dispute that under
the General Code of Conduct for  Financial Service
Providers and
Representatives ("the Code’) which was expressly imported
into the contractual relationship and specifically
Section 11 of the
Code,  the defendant was obliged to ‘at all times have and
effectively employ the resources, procedures
and appropriate
technological systems that can reasonably be expected to eliminate as
far as reasonably possible, the risk that
clients, product suppliers
and other providers or representatives will suffer financial loss
through theft, fraud, other dishonest
acts, poor administration,
negligence, professional misconduct or culpable omissions.’
[49]
The plaintiff thus pleads generally
that the defendant was obliged to exercise the necessary
skill, care
and diligence to ensure that the monies held by it in trust did not
fall prey to fraud, that it breached this obligation
and that such
breach led to his loss.
[50]
It was furthermore a term of the
agreements that the plaintiff was obliged to provide all instructions

to the defendant in writing via email or fax. The reference to a fax
would appear to be an anachronism as they are no longer in
common
usage having been supplanted by the email.
[51]
The defendant accepts that it had the
duty to protect the plaintiff’s money against fraud
but pleads
a tacit term to the effect that the plaintiff would not be liable for
loss under circumstances where the plaintiff’s
computer system
was hacked due to the plaintiff’s negligence. It alleges that
the plaintiff was negligent in that he did
not take all reasonable
steps to protect his computer system against hacking.
[52]
In essence, the
defendant admits liability to protect against fraud, save fraud
perpetrated by means of cybercrime where the plaintiff
failed to take
reasonable steps to protect his computer system from being hacked.
[53]
The defendant
must prove the tacit term. If it fails, it is left with a case in
contract that it took reasonable steps to prevent
the fraud.
[54]
I now deal with
the tacit term.
The
tacit term
[55]
The obligation of the defendant to
protect against fraud is express. As I have said, the background
and
context to such obligation must be seen to include the prevalence of
cybercrime in the financial service industry. In the face
of this
express term, the plaintiff seeks to imply a tacit term to the effect
that the client had a duty to prevent hacking of
his system.
[56]
A tacit
term is an unexpressed provision of the contract which derives from
the common intention of the parties as inferred by the
court from the
express terms of the contract and the surrounding circumstances.
[2]
[57]
A tacit
term cannot be imported into a contract on any question to which the
parties have applied their minds and for which they
have made express
provision in the contract.
[3]
[58]
Thus, the defendant would have to show
that the express duty of the defendant to protect its
client against
fraud is conditional on the client taking certain steps. These steps
are not specifically pleaded.
[59]
The defendant, on the other hand, was
obliged to have and effectively employ the resources,
procedures and
appropriate technological systems that can reasonably be expected to
eliminate the risk that its clients will suffer
financial loss
through fraud.
[60]
Clearly, that there was a risk
of hacking taking place is contemplated by this term.
[61]
It makes sense that hackers will focus
their efforts on infiltrating   areas of commercial

enterprise that involve large money transfers. Professions such as
attorneys and financial services have started warning clients
that
bank account numbers will never change without specific human
interventions from the firm. These warnings are often a standard

message on all correspondence.
[62]
In
Hawarden
v ENS
[4]
,
claim in contract on the basis of an implicit term
in favour of the client, it was found by this court that
precautions
which the defendant attorney was obliged to take would have prevented
the fraud regardless of how or why the plaintiff’s
email was
hacked. In my view, the same position holds sway on the facts of this
case.
[63]
A test
commonly applied by our courts
[5]
to determine the basis of which a tacit term can be imported into a
contract is known as the ‘officious bystander test.’
It emerges
from the following famous
dictum
of
Scrutton LJ in
Reigate
v Union Manufacturing Co (Ramsbottom) Ltd and Elton Cap Dyeing Co
Ltd
[6]
'A
term can only be implied if . . . it is such a term that it can
confidently be said that if at the time the contract was being

negotiated someone had said to the parties, ''What will happen in
such a case'' they would both have replied, ''Of course so and

so I will happen; we did not trouble to say that; it is too
clear.'' Unless the Court comes to some such conclusion as
that, it
ought not to imply a term which the parties have not expressed.'
[64]
In applying the officious bystander
test to determine the existence of tacit term, the express
provisions
of the agreement, the circumstances surrounding the conclusion of the
agreement and the conduct of the parties subsequent
thereto must be
considered.
[65]
The defendant, in effect, seeks to
import a proviso into the fraud protection. It would have
the term
read that the defendant must protect the funds and not pay them to an
illegitimate source provided that, if the client
does not take
reasonable steps to make his computer system inviolable to hacking,
the protection will not apply.
[66]
To my mind, to import such a proviso
into these protections would be counter-intuitive. The
protection
against technological fraud would be meaningless if the client had to
assume an obligation to prevent hacking of its
system. After all, the
defendant is paid handsomely for the services provided, which include
the providing of fraud protection.
[67]
An important gloss of the bystander
test is that the tacit term contended for must be capable
of precise
formulation.
[68]
Trollip JA
in
Desai
and Others v Greyridge Investments (Pty) Ltd
[7]
in
dealing with a proposed tacit term said the following:
'I do not think that it
is either clear or obvious which of those forms of the term should
prevail, and hence that none can be implied.   The

reason is that the implication of a term depends upon the inferred or
imputed intention of the parties to the contract . . . and
once there
is difficulty and doubt as to what the term should be or how far it
should be taken it is obviously difficult to say
that the parties
clearly intended anything at all to be implied.'
[69]
On this score, it is difficult, in the
absence of an expert understanding of the technicalities
of hacking,
to determine precisely what needs to be done to protect the system.
This difficulty is exacerbated by the fact that
it is notorious that
cyber-criminals develop their technologies and tactics to meet
preventative measures as they evolve.
[70]
I thus find that the defendant has not
established the tacit term contended for. It is thus
not necessary to
consider whether a breach of such clause has been established by the
defendant and whether such breach was causative
of the loss.
[71]
In any event, there is no
evidence that the plaintiff did anything or failed to do anything
to
protect his system from hacking. He testified that his system was
password protected and that he had an effective virus protection

software installed. This was not challenged.
[72]
The defendant contends that the
plaintiff must show that he did all he could to protect his
email.
This is not so. Defendant relies on the tacit term and the breach
thereof. It is thus for the defendant to formulate the
term, to show
what steps should have been taken in compliance with the term and
that these steps were not taken.
[73]
Counsel for the defendant points out
that there was some contradiction in the evidence of the
plaintiff
and his wife as to whether the passwords were physically accessible.
He says this is relevant to the plaintiff’s
failure to comply
with his obligations to keep his system safe. In this regard Mrs
Gerber testified that the password was kept
in a file in the
plaintiff’s study while the plaintiff testified that it was
kept in a safe. This discrepancy is not material;
it is not in the
contemplation of either side that the email was physically sourced
from study or safe. It is not in dispute that
this was a virtual
hacking. This evidence is thus irrelevant.
[74]
Furthermore, and merely as an aside,
it is not beyond the realm of possibility or even probability
that
the plaintiff’s email was sourced from a hacking of the
defendant’s system and that the process started there.
As was
testified to by Mr Fisher, his colleague alerted him to similar
fraudulent activity in relation to one of his client’s

portfolios.
[75]
The upshot
of these speculations may be that without firm evidence that either
one or the other of the parties allowed the infiltration
of one or
the other of their systems, hacking must be regarded as an inevitable
and intractable scourge. It is also not irrelevant
that the contracts
dictated that the manner in which the instructions had to be given
was via email. Arguably, the defendant thus
assumed the risk of
employing this system of communication
[8]
.
[76]
Having
failed in establishing the tacit term, the defendant is thus left
with the defence in contract that it complied with
the express terms
of the agreement.
[77]
Clearly, on the
facts, it did not. The deficiencies in the checking process were
clear. The defendant ignored its own protocols.
The checking
machinery yielded the result that the account was not verified as
being legitimate. The defendant however took the
decision to override
this information. This was notwithstanding that PSG client services
pertinently pointed out that it had identified
a risk that the
account was not that of the plaintiff and that it would not bear this
risk. I am informed from the Bar that there
is no insurance for the
fraud in issue and that loss resulting therefrom will be borne by the
defendant if it does not succeed
in its defences.
[78]
At very least, one would expect that
the information relating to the bank account which was
conveyed by
client services would have triggered a further and more careful
scrutiny of the letter provided as verification of
the account. This
is more so the case as Mr Fisher’s own request for a bank
statement was not complied with. A bank statement
would have afforded
greater detail as to the veracity of the account. The fact that it
was not provided should have raised a concern
in the first place.
[79]
Responsible and careful attention to
the purported letter as against the bank account check
would have
revealed that the account was less than three months old whereas the
letter states that the account in question was
opened in 2002 –
i.e. that it had been held by the plaintiff for more than fifteen
years.  This is a glaring anomaly.
[80]
The fact that the account was newly
opened would, to my mind, be an indicator that it may have
been
opened for a nefarious purpose. The bank account verification process
was specifically directed at whether the account was
less than three
months old. The fact that the discrepancy was not picked up shows
that there was a lack of attention to the purported
proof of the new
account as being that of the plaintiff. The letter was simply taken
at face value. This, to my mind, does not
amount to the taking of
steps to protect the investment against fraud. In fact, on the
contrary.
The
estoppel
[81]
When a
person (the representor) has by words or conduct made a
representation to another person (the representee) and the latter,

believing the representation to be true, acted thereon and would
suffer prejudice if the representor were permitted to deny the
truth
of the representation made by him, the representor may be precluded
(estopped) from denying the truth of the representation.
[9]
[82]
The estoppel in this case is raised on
two bases: first, that the plaintiff’s system was
hacked and
thus the plaintiff through his negligence allowed the
misrepresentations to be made; second, that the defendant when

telephoned by Ms van Stavel failed to question the statement that
monies were to be paid into his account thus creating the impression

that he had sought such payment.
[83]
I deal with each basis in turn.
The
plaintiff’s negligence facilitated the fraud.
[84]
This basis
entails reliance on what is known in our law as the facilitation
theory. This theory absent proof of calculated deception
on the part
of the defendant has long been discredited in our law
[10]
.
[85]
This was
succinctly declared by Corbett J in
O
K Bazaars
at 287H-288B as follows:

As
in the present instance, cases of estoppel by negligence often
involve the fraudulent conduct of a third party and the complaint

against the person sought to be estopped is that his negligence
permitted or facilitated the fraud. In this situation our Courts
have
rejected, as being too broadly stated, the so-called “facilitation
theory”, viz. that where-ever one of two innocent
parties must
suffer by the acts of a third, he who has enabled such third person
to occasion the loss must sustain it (see
Grosvenor
Motors’
case,
supra
at
p.425; see also
Connock’s
(S.A.) Motor Co. Ltd v Sentraal Westelike Ko-operatiewe Maatskappy
Bpk.,
1964
(2) S.A. 47
(T)
at p.48). It has, on the contrary, been held that such cases must be
adjudged by the ordinary general principles relating to
estoppel by
negligence; and, of course, the fraudulent intervention of a third
party is an important factor in determining whether
the conduct of
the person sought to be estopped proximately caused the other’s
mistaken belief and resultant loss; and whether
this result was
reasonably foreseeable.”
[86]
The
defendant relies on
Mosselbaai
Boeredienste
(Pty) Ltd v OKB Motors
CC
[11]
, a  judgement of
the Full Bench of the Free State Division. That case involved a sale
transaction between two dealers in motor
vehicles. Payment was made
by the respondent into a fraudulent bank account, the payment details
having emanated from a fraudulent
invoice sent from the appellant’s
computer system. The appellant argued that the respondent was
negligent in paying the purchase
price into a bank account without
verifying that such account was that of the appellant and that, in
these circumstances, the defendant
should bear the consequences of
its negligence. The respondent, argued that the security in respect
of the appellant's computer
system was compromised through the
negligence of the appellant, enabling the false invoice to be sent to
the respondent. The respondent
thus raised an estoppel which
succeeded in the trial court and was upheld on appeal by the Full
Court.
[87]
It is argued on this authority that as
the indications are that the fraud emanated from the
hacking of the
plaintiff’s system and not that of the defendant, the plaintiff
should bear the loss.
[88]
Apart from the fact that
Mosselbaai
cannot be construed as being authority for the
general proposition that if the fraud emanates from one party’s
system, that
party must bear the loss, the facts of that case are
distinguishable.  In
Mosselbaai
there was direct evidence
that the fraud had been perpetrated
internally
on the
appellant’s system in that the password and user-names were not
changed for years and were widely known by current
and ex-staff
members. There was no outside or remote accessing of the system.
There was also no contractual protection accorded
to either party.
[89]
On general principles, the case for
estoppel by facilitation must fail on two bases. First,
the defendant
has not established that anything the plaintiff did or failed to do
resulted in the hacking and it is just as probable
that the details
of the email addresses of clients were obtained from the defendant’s
system. Second, the plaintiff had no
duty to protect his email
system. On the contrary, the plaintiff was protected by a contract
which put the duty to prevent fraud
of this nature on the defendant.
[90]
Even if it had been shown by the
defendant that the plaintiff was negligent, this does not absolve
the
defendant of his admitted contractual obligations. The proximate
cause of the loss was not the hacking, it was the failure
to employ
the necessary and contractually prescribed vigilance when monies held
in trust were sought to be paid into a different
account.
[91]
In the circumstances the defendant
cannot succeed on the estoppel defence on the first basis.
The
telephone call
[92]
Mr Fisher attempted to suggest that
his systems and protocols went further than merely the bank
account
checks. He indicated that it was part of the defendant’s
protocol that the client be spoken to personally when payment
was to
be made so that it could be confirmed that payment was being made
into the correct account. He testified that the plaintiff

misrepresented the position in the face of this protocol.
[93]
Ms van Stavel however
characterised the call she made as a ‘courtesy call’.
On
any basis the call cannot be construed as seeking confirmation that
monies were to be transferred from the investment account
of the
plaintiff into a different bank account from the one on record with
the defendant. The information given by Ms van Stavel
was that
payment would be made
into
the plaintiff’s account. The
plaintiff was not alarmed by this as he probably would have been had
he been told that payment
was to be made out of his investment
account into a FNB account. This stands to reason. To the extent that
the telephone call was
meant to confirm that the account was a valid
account such inquiry would have been express. The defendant explains
that he believed
the reference to be to internal transactions in his
investment account. He concedes that such a call was never made
previously
but he explains that this did not concern him. He had no
knowledge of the internal processes of the defendant and no reason to
question the call.
[94]
The plaintiff’s confirmation on
a query from his financial service provider that money
could be paid
into his account cannot, to my mind, be construed as a
representation.
[95]
The
situation would be different if the telephone communication was
directed at confirming the plaintiff’s new bank
account
details. Had this been done and the plaintiff, for some reason,
confirmed the account to be his, it would arguably be the
case that
the defendant must be found to have taken all reasonable steps to
verify the account and that it was thus not in breach
of its
contract. The case would thus not be decided on the question of the
plaintiff’s negligent misrepresentation but in
contract.
[12]
[96]
In any
event, on the estoppel, it was the defendant’s onus to show
that the representation was clear and unequivocal and that
Ms van
Stavel reasonably understood the representation to mean that payment
of the plaintiff’s monies held by the defendant
could be made
into a new bank account.
[13]
The test for representation by conduct is whether the representor
should reasonably have expected that the representee may be misled

and whether the representee acted reasonably in construing the
representation.
[14]
The
defendant failed to establish these aspects on the facts.
[97]
As I have said, on Ms van Stavel’s
evidence, the call made by her was merely a courtesy
call. It was not
directed at confirming the bank account details or the instruction to
pay. It is common cause that there was no
indication given that
information was being sought from the plaintiff. He was simply
informed that payment would be made to him
by his financial service
provider. He had no reason to question this information. Dividend
payments were made to his account in
the normal course of the share
brokerage that took place in terms of the agreements. The purpose of
his investment was that it
grows in, inter alia, this manner.
[98]
Thus, the defendant has not made out a
case for estoppel on the second basis either.
Conclusion
[99]
The contractual obligation of the
defendant to its clients was to have and effectively employ
the
resources, procedures and appropriate technological systems that can
reasonably be expected to eliminate as far as reasonably
possible,
the risk that the clients will suffer financial loss through theft or
fraud.
[100]
The assumption of these contractual obligations
must be construed in the context that cybercrime is universally

recognised as a scourge. There is no scope to import a proviso into
the term to the effect that the plaintiff has the duty to prevent

hacking. This would be counter-intuitive. A major and arguably the
main reason for the protection under the agreement is cybercrime.
Why
would the plaintiff then assume responsibility for cybercrime?
[101]
The defendant has not established that it complied with
its contractual obligations to protect the plaintiff
against
cybercrime.
[102]
The defendant has furthermore not established the
estoppel defences raised.
[103]
In relation to the quantum, the plaintiff's claim
initially consisted of a claim relation to the loss of dividends

as a result of the fact that shares were sold to obtain the liquid
funds. However, during the proceedings the plaintiff conceded
that it
would seek only the loss as at date of the breaches contended for
which is the total paid by the defendant into the FNB
account - being
R 800 000 and with commission and fees charged by the defendant
in the amount of R11 488.98 and interest
on such amounts at the
prescribed rate.
Order
In
the circumstances I make the following order:
4.
The defendant is to pay the plaintiff the amount of R811 488.98;
5.
The defendant is liable for interest on such amount at the
statutorily prescribe rate on the amount of R250
000.00 from 8
October 2019 (being the date of the first payment) and on the amount
of R561 488.98 (which comprises the second payment
of R550 000.00 and
the commission and fees of R11 488.96 charged by the defendant) from
18 October 2019 (being the date of the
second payment);
6.
The defendant is to pay the costs of suit.
D
FISHER
JUDGE
OF THE HIGH COURT
APPEARANCES
For
the Plaintiff:
Adv.
R. Bekker
Instructed
by
:
Cox Yeats
Attorneys
For
the 1
st
Respondent:
Adv. P Van der
Berg SC
Instructed
by
:
Thyne Jacobs Incorporated
[1]
See for example
Harwarden
v ENS
handed down in this court by Mudau J on 16 January 2023 under case
number 13849/2020 ,
Jurgens
and Another v Volschenk
(4067/18) [2019] ZAECPEHC 41 (27 June 2019);
Fourie
v Van der Spuy and De jongh Inc. and others
[2019] JOL 45848 (GP).
[2]
Alfred
McAlpine & Son (Pty) Ltd Transvaal Provincial Administration
1977(4)
SA 310 T 327.
[3]
See
Airways
Inc v SA Fire and Accident Insurance Co Ltd
1965(3) SA 150 (A) 175 C
[4]
Op cit, n 1
[5]
See for e.g. :
South
African Mutual Aid Society v Cape Town Chamber of Commerce
1962
(1) SA 598
(A)
at
606
;
Alfred
McAlpine & Son (Pty) Ltd v Transvaal Provincial
Administration
1974
(3) SA 506
(A)
op
533A - B ;
Wilkins
NO v Voges
[1994] ZASCA 53
;
1994
(3) SA 130
(A)
at
137A – D;
Techni-Pak
Sales (Pty) Ltd v Hall
1968
(3) SA 231
(W) at 236H - 237
[6]
1918] 1 KB 592
(CA)
(118 LT 479
at 483)
[7]
Desai
and Others v Greyridge Investments (Pty) Ltd
[7]
1974
(1) SA 509
(A)
at
522H - 523A
[8]
See
Maartens
v Pope
1992 (4) SA 883 (N)
[9]
Oakland
Nominees (Pty) Ltd v Gelria Mining 8 Investment Co (Pty) Ltd
1976
(1) SA 441
(A) 452A-H
[10]
cf,
for e.g,
Union
Government v National Bank of South Africa Ltd
1921
AD 121
131
138; and
Grosvenor
Motors (Potchefstroom) Ltd v Douglas
1956
(3) SA 420
(A)
425F-H).
O
K Bazaars (1929) Ltd v Universal Stores Ltd
1973
(2) SA 281
(C)
(Ok Bazaars):
[11]
Mosselbaai
Boredienste (Pty) Ltd v OKB Motors cc 2021  3DR 3059 (FB).
[12]
See
Lillicrap,
Wassenaar and Partners v Pilkington Brothers (SA) (Pty) Ltd
1985
(1) SA 475 (A).
[13]
Southern
Life Association ltd v Beyleveld
NO 1989(1) SA 496 (A).
[14]
Concor
Holdings (Pty)Ltd t/a Concor Technicrete v Potgieter
2004(6) SA 491 (SCA)