How to deal with Online Banking Mistakes or Cyber Fraud

11 Apr 2024


On 29 February 2024, the Minister of Commerce and Consumer Affairs published an 'open letter' to the New Zealand banking industry, in response to "an increase in the prevalence and sophistication of online scams and fraud".

  • The letter expressed the Minister's view that banks are well placed to address banking scams and online fraud. The letter also set out a number of the Minister's expectations of the industry. Some of these "expectations" are already being considered, including a 'confirmation of payee' system (which matches account names and numbers before payment is made).
  • The letter also proposes a voluntary reimbursement scheme for victims of 'authorised push payment' (APP) fraud. APP fraud occurs when a bank customer is fraudulently persuaded into authorising a transfer to a third party (as opposed to a fraudster obtaining unauthorised access to a bank account). The UK will soon be implementing a reimbursement scheme for victims of APP fraud.

Legislative reform and/or voluntary banking industry regulation is likely to assist in this difficult area, but civil remedies may also be available. In this article, we analyse two such remedies, highlighted in recent High Court judgments (one of the New Zealand High Court and one of the English High Court). Both decisions highlight possible and actual avenues for recovery, in cases where online banking or cyber-related fraud has caused or contributed to loss:

  • Habitat Hotels & Apartments v BNZ (4 March 2024) [i] was a 'mistaken payment' case (not involving fraud). The New Zealand High Court confirmed that ancillary disclosure orders (in support of prospective freezing orders) may be available where an innocent recipient of a mistaken transfer refuses to return the funds.  These orders assist to identify where money is currently located, so that freezing orders (which prevent dissipation of assets), and an eventual judgment, can be directed at the right party and assets.
  • CPP Graduate School v NatWest Bank (14 March 2024) involved APP fraud.  The English High Court provided further detail about a possible 'recovery' duty on banks whose accounts are used to transfer funds sourced from APP fraud.  If recognised, this duty might allow a person to sue their bank (and other banks into which money is transferred), if those banks do not take adequate and timely steps to recover the funds.

Habitat Hotels & Apartments v BNZ: Disclosure orders where mistaken payment not returned

Habitat Hotels & Apartments v BNZ [2024] NZHC 429 was not a fraud case.   It was a case of a significant mistaken payment, which was not fully returned until after Court orders were obtained.  In that case, the Court made ancillary orders (in support of prospective freezing orders), which required disclosure of the recipient's bank statements.  This in turn enabled the applicant to ascertain the location of its funds for the purpose of a potential freezing order.

Ancillary disclosure orders are commonly made in conjunction with freezing orders, but they are rarely made in advance in respect of prospective freezing orders.  The same standard has to be met for ancillary orders as prospective freezing orders, namely: (i) a good arguable case (where a payment is mistaken, but not fraudulent, the legal claim is 'money had and received'); (ii) assets to which the orders can apply; and (iii) a risk that the defendant will dissipate its assets. [ii] An example of an unsuccessful application for ancillary orders (without a freezing order) is IAG New Zealand Ltd v H Construction Ltd [2018] NZHC 620, where there was insufficient evidence of dissipation risk, and the Court considered that the applicant was in truth attempting to obtain a form of security.

These orders are also available to victims of APP fraud (or any kind of fraud)[iii] who can identify a defendant with assets.  In fraud cases, evidence of dissipation can normally be inferred (although identifying a defendant with assets is not always possible - especially in APP fraud, where criminal gangs often transfer the funds away from common law jurisdictions).   Alternatively, Bankers Trust [iv] orders may be available if the specific criteria are not met for ancillary/freezing orders.  These orders are similar, in that they provide for disclosure in support of an equitable tracing claim.

The biggest problem for victims of fraud (or improper retention of funds) remains the cost/benefit exercise required to decide whether to throw 'good money after bad' by initiating civil proceedings.  Habitat Hotels & Apartments v BNZ is a useful illustration of an available remedy (assuming the high standard can be met) and ultimately successful outcome.

CPP Graduate School v NatWest Bank: Banks' (arguable) 'recovery' duty

CPP Graduate School v NatWest Bank plc [2024] EWHC 581 concerned APP fraud.  This decision of the English High Court is the first case to consider the existence of potential 'duty of recovery', which was left open after Philipp v Barclays Bank PLC.

To recap, in Philipp, the UK Supreme Court held that:

  • A bank does not owe a general 'duty of care' when executing their customer's instructions, for example to enquire whether the customer might be acting under the influence of fraud.  A previous decision of the English Court of Appeal (Barclays Bank v Quincecare) was sometimes thought to require banks not to execute a transaction (without making inquiries) if the bank had reasonable grounds to believe its customer was being defrauded.  In Philipp, the Supreme Court held that no such general duty exists: the bank's primary obligation arises pursuant to the customer's contractual mandate, which generally requires execution of the customer's instructions.
  • However, the Supreme Court left open the possibility that a bank could be sued for not taking adequate steps to recover a customer's funds (i.e., the 'recovery duty').

In CPP Graduate School v NatWest Bank the claimant had paid, in several transactions from its NatWest account, the total sum of £415,909.67 into an account at Santander.  The Santander account was then emptied by the fraudsters.  Unfortunately, like Philipp, this decision was a defendant's application for summary judgment and strike out, meaning there is no final judgment.  However, one of the pleaded claims was based on the recovery duty.  The duty was pleaded both against the claimant's bank (NatWest), and the bank controlled by the fraudsters (the Santander account).

The Court held that the recovery duty was arguable, including against Santander (which was not the customer's bank):[v]

  • The Court reviewed evidence of the payment retrieval system between banks, which involves a series of indemnities given by banks when attempting to recover their customers' funds.  It stated in respect of NatWest (the customer's bank) that (at 54): "it appears that perhaps the most obvious step, if not the principal step, that could be taken by a bank which is on notice of a fraudulent scheme such as the one alleged here, is to offer an indemnity to the bank receiving payment. Such an indemnity, I am told by counsel, is against liability which the receiving bank might incur to its customer (and, possibly, others) when preventing any further payment out and as I understand it, allows the account to be effectively frozen."  The Court accepted that, to effect recovery, this indemnity must be passed along promptly from the first recipient bank (the 'first generation bank') to second and subsequent 'generation' banks.
  • The Court acknowledged (at [85]) that various issues will arise about banks' potential exposure if a recovery duty was recognised.  However, because a recovery and indemnity system already exists, the Court considered it may well be fair and reasonable to impose a duty (ultimately, a matter for trial and full argument).
  • It was also relevant that Lloyds Bank (which was not a party) managed to recover £14,000 of the claimant's funds.  That is because a Lloyds fraud investigator noted the unusual account activity of the criminal gang and froze the relevant accounts. [vi]

The precise scope of any recovery duty remains to be seen.  If found to exist, it may provide an avenue of recovery for victims of fraud (and a headache for banks).  It is also unclear how the scope of the possible common law duty will develop alongside the UK's reimbursement scheme (and New Zealand's possible future scheme).

[i] Martelli McKegg (Jacque Lethbridge and Michael Mabbett) acted for the applicant in that case.
[ii] HCR 32.2.  Where orders are sought 'without notice' (as in this case), further requirements apply.
[ii] In fact, fraud is not necessary for freezing orders - but they are commonly obtained in cases of fraud, given the obvious dissipation risk.
[iv] Bankers Trust Co v Shapira [1980] 3 All ER 353 (which is rarely cited in New Zealand, but is referred to in relevant commentary and ought to apply here).
[v] The claim against NatWest was time barred (the claimant waited 6 years since the payments were made to commence proceedings).  However, the claim against Santander was arguable, since it could be shown that there were still funds in the Santander account within the relevant time period (which could have been recovered).
[vi] This might concern non-traditional banks, which don't always have the same infrastructure as traditional banks, but can therefore often provide a more efficient (i.e. cheaper) service.


Dispute Resolution
Jacque Lethbridge

Posted by

Jacque Lethbridge

See bio
Michael Mabbett

Posted by

Michael Mabbett

See bio

Got a question?

Here's how to get in touch:

If you have any legal queries or need the expert advice of our team then call us on +64 9 379 7333 or leave us a message below.