On 23 November 2015, Mr Fouché, a mining consultant, gave Global & Local Investments Advisors (Pty) Ltd (Global), a financial services provider, a written mandate to invest and manage money on his behalf with Investec Bank in a Corporate Cash Manager (CCM) account. The mandate stipulated that 'All instructions must be sent by fax to 011 486 2915 or by email to [email protected] with client's signature.' In August 2016, fraudsters hacked Mr Fouché's gmail account and, using his authentic email credentials, sent three emails to Global on 15, 18 and 24 August 2016 instructing transfers of specified amounts to third party accounts at FNB. The emails ended with 'Regards, Nick' or 'Thanks, Nick' and contained no attachments. In response, Global transferred a total of R804,000 from Mr Fouché's CCM account to unknown third parties in three tranches: R100,000 on 15 August 2016, R375,000 on 18 August 2016, and R329,000 on 24 August 2016. Mr Fouché subsequently became aware of the transfers and notified Global that he had not sent the emails. He claimed reimbursement on the basis that Global had acted contrary to the written mandate.
The appeal was dismissed with costs. The High Court's order in favour of Mr Fouché, requiring Global to reimburse R804,000 plus costs, was upheld.
Where a written mandate governing a financial services relationship requires instructions to be sent 'with client's signature', this requirement refers to a signature in the ordinary sense (manuscript signature) for purposes of authentication and verification, even if the instruction is transmitted electronically by email or fax. Section 13(3) of the Electronic Communications and Transactions Act 25 of 2002 only applies where the parties have agreed that an electronic signature is required; it cannot be invoked to validate instructions where the mandate does not expressly contemplate electronic signatures. A typewritten name at the foot of an email does not constitute a valid signature under a mandate requiring the client's signature, where no agreement exists between the parties to accept such a mark as an electronic signature. A financial services provider who releases funds based on fraudulent email instructions that do not comply with the signature requirements of the mandate acts in breach of that mandate and is liable to reimburse the client, notwithstanding that the emails originated from the client's legitimate email account as a result of hacking.
The Court made observations on the nature and purpose of signatures in commercial and legal contexts, noting that signatures serve established purposes as a basis to determine authority and can be checked for authenticity. The Court observed that in the financial services sector, instructions relating to transfers of money require particular authentication safeguards. The Court noted that the mandate's requirement that instructions be sent to a specified email address, without specifying an authenticated source email address, was significant in that the dispatching gmail address together with the name at the end of the email could not serve a reliable authentication purpose. The Court commented that the contention that these elements served an authentication purpose 'appears contrived'. The Court observed that the mandate required a mechanism 'aimed at avoiding precisely the unlawful activity which caused the damage' to Mr Fouché, suggesting that proper authentication procedures are essential to protect against fraud.
This case establishes important principles regarding mandate requirements in financial services and the application of the Electronic Communications and Transactions Act 25 of 2002. It clarifies that section 13(3) of the ECT Act only applies where the parties have agreed to an electronic signature requirement. The judgment emphasizes that in the absence of express agreement to accept electronic signatures, a requirement for a 'signature' in a mandate refers to a traditional manuscript signature, even if transmitted electronically. The case is significant for financial institutions and service providers in determining their obligations when executing client instructions, particularly regarding authentication and verification procedures. It reinforces the importance of proper authentication mechanisms to protect clients from fraud and clarifies that merely receiving instructions from a legitimate email address, without proper signature verification as required by the mandate, does not absolve a financial services provider from liability when funds are fraudulently transferred. The case provides guidance on the interpretation of mandates in the context of electronic communications and cyber fraud.
Explore 1 related case • Click to navigate