Lester Connock Commemoration Fund v Brough Capital (Pty) Ltd and Another (28646/2020) [2023] ZAGPJHC 1370 (16 November 2023)


REPUBLIC OF SOUTH AFRICA

 

 

IN THE HIGH COURT OF SOUTH AFRICA

GAUTENG LOCAL DIVISION, JOHANNESBURG

 

 

Case Number: 28646/2020


(1) REPORTABLE: YES/NO

(2) OF INTEREST TO OTHER JUDGES: YES/NO

(3) REVISED: NO

 

  1. __________________

  2. DATE SIGNATURE

 

 

 

 

In the matter between:

 

 

 

 

 


 

 

LESTER CONNOCK COMMEMORATION FUND Plaintiff

 

And

 

BROUGH CAPITAL (PTY) LTD First Defendant

 

CHRISTIAAN LOURENS BOTHA Second Defendant

 

Financial institution – Financial service provider – Duty to protect client against business email compromise – Remedies – Damages – Alleged breach of written mandate under which defendant undertook to manage plaintiff's investment portfolio and provide financial advice – Transfer of funds to fraudster – Duty to protect plaintiff against fraud – Defendants failed to establish that they complied with statutory and contractual obligations to protect plaintiff against cybercrime – Failed to prove indemnity defence – Defendants liable to client

 

JUDGMENT

MAKUME, J:


 

The Parties

[1] The plaintiff, Lester Connock Commemoration Fund, is a voluntary association duly constituted in terms of a constitution adopted on 12 June 2020 by its members. It is a Universitas with powers to sue and be sued. It operates from Wanderers Club in Illovo, Johannesburg within the jurisdiction of this Court.

[2] The first defendant, Brough Capital (Pty) Ltd, is a private company duly incorporated in accordance with the company laws of the Republic of South Africa with its principal place of business and registered address at 28 Peter Place, Lyme Park, Sandton.

[3] The first defendant conducts business and trade as an authorised financial service provider (FSP) as defined in section 1 of the Financial Advisory and Intermediary Services Act.1 It has been registered with the Financial Sector Conduct Authority since 2004.

[4] The second defendant is Christiaan Lourens Botha, an adult male person and sole director of the first defendant. He is the key individual of the first defendant as defined in section 1 of FAIS. At all material times hereto, the second defendant acted within the course and scope of his employment with the first defendant.

The Agreement

[5] On or about 19 December 2003 and in Johannesburg, a company called Imara Asset Management South Africa (Pty) Ltd (“Imara”) that was later renamed Brough Capital (Pty) Ltd concluded an investment mandate with the Rotary Club of Rosebank (“Rotary Club”) in terms of which Imara undertook to administer specified funds of the Rotary Club. The names Imara or Brough Capital will be used interchangeably in this judgment.

[6] The agreement which is referred to as the Investment Management Mandate amongst others, authorised the second defendant in his capacity as the Investment Manager to receive funds from the Rotary Club and in terms of clause 8 to -

a. Deposit, and where applicable withdraw money received in connection with the management of investment to the credit of the Rotary Club into the Trust Account of the first defendant held at First National Bank.

b. Cash accruals that the second defendant receives on behalf of the Rotary Club and re-invest same in securities.

[7] During or about March 2019 the second defendant, in his capacity as an intermediary service provider as contemplated under section 1 of FAIS established a Segregated Share Portfolio administered by Momentum Securities (Pty) Ltd (“Momentum”).

[8] The Rotary Club transferred funds to the first defendant for investment by the second defendant on its behalf in terms of the Investment Management Mandate. The second defendant in turn paid over to Momentum the said funds for administration in the Segregated Share Portfolio.

[9] The Mandate authorised Brough Capital to manage the funds entrusted to it by the Rotary Club by investing those funds on the Rotary Club’s behalf. The Rotary Club held its account at Standard Bank of South Africa Limited into which it would receive proceeds of its investments.

[10] During or about 2018, some members of the Board of the Rotary Club held a meeting with the second defendant at which meeting they expressed their dissatisfaction in respect of the defendant’s failure to trade out equities in the face of known adverse negative conditions - resulting in a plunging share price. As a result, during or about May 2019 the Committee of the Rotary Club took a decision to terminate the mandate with the defendant and started the search for a new Investment Fund Manager.

[11] It was shortly thereafter that it came to the knowledge of the members of the Rotary Club that an amount of R 3.1 million was transferred from Momentum into the bank account/s of unknown persons or entities.


 

[12] It later turned out that the fraudulent transactions were made possible by fraudsters having hacked into the email address of Mr Mark Franklin, the authorised manager of the Rotary Club. It was only on the 16th of August 2019 that Mr Franklin became aware of the withdrawals which took place on the following dates -

a. R 89 000.00 on 18 July 2019;

b. R 411 000.00 on 19 July 2019;

c. R 1 000 000.00 on 26 July 2019;

d. R 1 000 000.00 on 02 August 2019; and

e. R 600 000.00 on 14 August 2019.

[13] On 12 June 2020, the Rotary Club of Rosebank ceded their claim against the defendants to the plaintiff.

Breach of the Tacit Terms of the Agreement

[14] The modus operandi used to siphon the funds was by an email from the Rotary Club, purportedly sent by Mr Franklin addressed to the defendants who would then pass on the request to Momentum to make payment to the Rotary Club’s bank account held at Standard Bank.

[15] Unbeknown to Mr Franklin, an unknown entity who had managed to hack into his email changed the bank details of the Rotary Club from Standard Bank to FNB, and later to Nedbank. As a result, when Momentum received instructions from the second defendant, it made payment not into the Rotary Club’s bank account but to the fraudulent bank account.

[16] It is the plaintiff’s case that the defendant breached the agreement by not verifying the authenticity of the instructions in each of the five instances that resulted in the total amount paid to unknown entities in the sum of R 3.1 million. In the result, the plaintiff requests that the defendants be held liable to pay the plaintiff the loss incurred.

The Investment Management Mandate (the Mandate)

[17] Clause 1.4.1 read with clause 3.1 of the Mandate grants the Investment Manager full discretion in the management of the funds and investments of the plaintiff in order to achieve the investment objectives specified, taking into account the plaintiff’s risk profile and constraints.

[18] It is to be noted that in the Mandate, the risk profile of the Rotary Club was expressed to be low and Imara was specifically instructed not to sell at a loss whenever dealing with the Rotary Club’s equities and share portfolio.

[19] Clause 10 of the Mandate in particular enjoined the Investment Manager to on a monthly basis, furnish the client with a statement of account showing details of any changes in the investments held, including any cash holdings at the date of the statement of account.

[20] Clause 12 of the Mandate, which forms the basis of the defendants’ plea, dealt with indemnity and reads as follows -

“The client hereby indemnifies the Investment Manager and or any of the members/employees acting within the course and scope of their employment with the Investment Manager and holds it and/or any aforementioned members employees harmless from and against any claims, damages, liabilities, costs and expenses, including reasonable attorney’s fees on the attorney and own client scale (the claims) which may be brought by the client by reason of the operations of the clients account, unless the claims are attributable to fraud, bad faith, dishonesty or gross negligence on the part of this Investment Manager and on its members/employees.”

 

[21] The plaintiff attributes its loss of the R 3.1 million to gross negligence by the first defendant’s employees in the persons of Mr Chris Botha and Mrs Sharon Botha.

Common Cause Facts

[22] It is common cause that at all times since about 2017, instructions to transact on the plaintiff’s investment emanated by email from Mr Franklin, an official of the Rotary Club.

[23] Mr Franklin’s personal email address was sextant@mweb.co.za and the Rotary Club’s bank account into which proceeds had to be paid was at Standard Bank, being account number 00021442.

[24] During April 2017 the Rotary Club informed the defendants that it had a new bank account at Nedbank, Sandton and that the new account number was 1147012004.

[25] On the 26th of January 2018 Imara sent to the Rotary Club the monthly statement of account showing details of investments and cash holdings which indicate that as at that date, the total value of the club’s investment was the sum of R 3 844 189.29.

[26] On the 1st of June 2018, Mr Franklin addressed an email to Patricia Nkgahle at Imara informing her of Rotary Club’s new bank account at Nedbank, being account number 1126437778. In that email he attached a confirmation letter from Nedbank Corporate and Investment Banking Division dated 6 February 2018.

[27] On 15 April 2019 Mr Franklin addressed another email to Patricia Nkgahle with the following words: “[H]i Patricia please transfer R 29 300.00 to our usual bank account.” Mr Franklin did not indicate the account number but it is presumed it would have been the account number at Nedbank, being 1126437778.

[28] It is also common cause that the Investment Manager paid the client’s funds over to Momentum who administered the Segregated Share Portfolio.

The Fraudulent email instruction

[29] The fraudulent email instructions were preceded by an email dated 10 July 2019 from Sharon Botha to Mr Franklin in which she said the following:

“Dear Mr Franklin, hope you are well. I have taken over the admin and assisting Chris. Please can you confirm if you have received your most recent statement.”

[30] Mr Franklin purportedly responded on the same day about 3 minutes later and said that he has indeed received the June 2019 statement.

[31] On 16 July 2019 at 3:24pm an email ostensibly from Mr Franklin is addressed to Sharon Botha with the following words:

“Please note that I shall probably have to draw some funds from my investments about R500 000.00 for the club building project. What is the process to withdraw from my investment?”

[32] Sharon Botha responded at about 3:43pm and said the following -

“The (sic) is R90 000.00 cash in your portfolio currently. Chris will place orders today to sell the balance. Will let you know when the balance is available.”

She followed up at 3:44:17pm with the following, ostensibly to Mr Franklin -

“Chris has placed orders and the funds will be available in 2 days’ time.”

[33] What is strange about these emails is that firstly, “Mr Franklin” talks about “my investment” and not the investment of the Rotary Club. Secondly, the fraudsters asked for R 90 000.00 and yet R 89 000.00 is paid on the 18th of July 2019 into an FNB account when in fact at that time, the Rotary bank account was held at Nedbank and had been confirmed by Mr Franklin to Patricia at Imara.

The Central Issue

[34] It is so that the crux of the dispute in this matter is whether Brough Capital, acting through Sharon and Chris Botha, was grossly negligent or merely negligent in failing to take adequate steps to prevent the Rotary Club suffering a loss of R 3.1 million. Secondly, the question to be answered is whether the defendants were under a legal duty to authenticate the instruction which they received via email prior to acting on them.

The Evidence

[35] The plaintiff presented evidence first by the admitted affidavit of the late Mr Franklin who passed away in November 2020 after he had deposed to the affidavit setting out the relationship between the Rotary Club and Brough Capital and disputed any knowledge of the emails that resulted in the illegal withdrawal of the club’s funds.

[36] Mr Franklin’s testimony is that he is the only person who communicated with the defendants to give them instructions to withdraw funds. His evidence is that withdrawals ranged between R 20 000.00 and R 100 000.00.

[37] Members of the Rotary Club were not happy with the service of Mr Botha and his company, as a result, a meeting was arranged towards the end of 2018 at which meeting the club informed Mr Botha that it was unhappy and later took a decision to terminate the Mandate and look for another service provider. That decision was taken in May 2019.

[38] It was shortly after that decision had been taken and Mr Botha being informed that suddenly the fraudulent emails were sent to Sharon Botha and not to Chris Botha, who then activated withdrawals of amounts totalling R 3.1 million between the 18th of July 2019 and the 14th of August 2019. During that time, the club’s bank account was purportedly changed twice within a space of one month.

[39] In his affidavit Mr Franklin noted that the withdrawals followed an unusual pattern in respect of the amounts and the regularity, for instance, in a space of two days an amount of R 500 000.00 had been withdrawn and thereafter two amounts of R 1 million each were withdrawn. This, according to Mr Franklin was unusual and not how he, during his lifetime communicated withdrawal instructions to the first defendant.

[40] Mr Franklin also noted that not only did the fraudulent emails contain spelling errors but they also had an incorrect name and address of the Rotary Club and what is more obvious, is that the letter from Nedbank changing the bank account had no official stamp authenticating that letter.

[41] In the Investment Management Mandate, the name of the investor is clearly described as “The Rotary Club of Rosebank”, however, the letters purportedly from the two banks, being FNB and Nedbank, describe the account holder simply as “The Rotary Club”. Those two forged bank letters omit the name “of Rosebank”.

[42] Ms Jean Ellen Bernado testified that she was the President of Rotary Club of Rosebank. As such she was also a member of the Rotary Club’s Investment committee which had established the Lester Connock Commemoration Fund. Mr Franklin was the designated member of the club who at all times dealt with Brough Capital after having received instructions from the Board.

[43] She testified that the process was firstly a resolution from the Board approved by the Investment Committee and the main Board of the Rotary Club, then Mr Franklin would be given instructions to liaise with Mr Botha for withdrawal of a specified amount as per the Board resolution.

[44] Her further evidence was that amounts withdrawn in the past never exceeded R 100 000.00 and that whenever Mr Franklin gave instructions per email to Brough Capital, he would copy her in the email.

[45] As a result of poor returns, the Board took a decision during May 2019 to terminate the instruction to Brough Capital and move the investment to Allan Gray. It was whilst in the process of finalising the move that the illegal transaction took place in respect of the club’s funds.

[46] She testified that the withdrawals were not authorised by the Board nor by the Investment Committee. Further, that the amounts withdrawn exceeded amounts that were ordinarily authorised by the Board and the Investment Committee. The bank accounts into which the impugned amounts were paid were not the nominated bank accounts as set out in clause 8.1 and 8.2 of the Agreement.

[47] According to Ms Bernado the procedure had always been that prior to payment, Mr Botha had a duty to authenticate instructions with the Rotary Club by contacting Mr Franklin or herself and that after such payment having been made, to verify with Rotary Club and Mr Franklin that indeed such payment had been received.

[48] Importantly, when answering questions under cross-examination, Ms Bernado confirmed that she as well as the rest of the members of the Board of Rotary Club only became aware of unauthorised withdrawals totalling R 1 500 000.00 on the 16th of August 2019 when they met and received a statement, and when they contacted Mr Botha about the unauthorised R 1.5 million. Mr Botha failed to inform them that three further withdrawals totalling R 2.6 million had already taken place between 26 July 2019 and 14 August 2019. Ms Bernado’s exact words under cross-examination were as follows: “[o]nly on the 16th of August 2019 when we requested a statement, we saw that there was R 1.5 million missing and we then contacted Chris and he told us well we asked for a statement and that is when we saw and we contacted him and he failed to tell us that all the money was gone. We only discovered that later when we met him after that there was only R 270 000.00 left”.

[49] Ms Bernado testified further that Mr Franklin always communicated instructions to Mr Chris Botha directly and never dealt with his wife. In the fraudulent withdrawals, instructions were sent to Mrs Botha. As the President of the Rotary Club Ms Bernado was not copied as had been the procedure.

[50] When Ms Bernado was confronted with the question why the plaintiff did not join Momentum in this matter as it was Momentum that made payments, she responded as follows:

“No because he was the person responsible for our investment. The fact that it was with Momentum, it is just the investment platform, he was the person responsible for our investment and interaction with us. We did not deal with Momentum.”

[51] The next witness was Mr Richard Lesley George Tonkin who is a member of the Rotary Club’s Investment Committee. His evidence was captured in an answer under cross-examination to the effect that Momentum was purely acting in an administrative capacity and that it was defendants’ (Brough Capital) duty to do the stock picking and give instruction to buy and sell the shares, and from the plaintiff’s point of view, shares were sold following instructions that emanated from a fraudulent email which resulted in the plaintiff’s funds being paid into a bank account which did not belong to the Rotary Club.

[52] Mrs Dawn Pretorius, an expert on Governance, Enterprise Risk Management and Risk Compliance, testified on behalf of the plaintiff. She holds a certificate in Money Laundering Control, FAIS Regulatory Examination REI, a Master’s Degree in Commerce and a B. Tech in Banking.

[53] She testified that Chris Botha was appointed as the Financial Advisor by the plaintiff and he and his company, Brough Capital, were mandated to manage the plaintiff’s fund, not Momentum.

[54] She emphasised that Momentum was not the issue in this matter and that the issue started with Brough Capital, as the intermediary and according to her, that is where the process started going wrong in various ways listed in her summary of evidence.

[55] The crux of her evidence was that Mrs Botha was not a fit and proper person to handle the financial decisions on behalf of the Rotary Club, save for administrative duties. It is only her husband, Mr Botha who in his capacity as the key individual was authorised to make such decisions.

[56] Mrs Dawn Pretorius concluded by saying that administrative tasks like doing accounting, being a typist, secretary and working on the database of details is not considered to be an approved representative’s job and that one does not have to be a fit and proper person for that duty.

[57] The plaintiff closed its case and the defendants’ witnesses testified. The first witness was Mr Christiaan Lourens Botha followed by his wife Mrs Sharon Botha.

[58] Mr Botha is the CEO of Brough Capital which is registered as an asset management company with FICSA. He acquired the company from Imara in the year 2017 and changed its name to Brough Capital. He acquired all the clients of Imara amongst them the Rotary Club of Rosebank.

[59] He testified that once they have enlisted a client, they as Brough Capital engage with Momentum to administer the funds. In other words, Momentum does all the processing of transactions and prepares statements for clients.

[60] The procedure that has been followed between Brough Capital and its clients, including the Rotary Club is that whenever the client needs money, an email is sent to him, or such a client will call him. He then places an order through securities to do changes in the portfolio of such a client. All they as Brough Capital do is to place the request with Momentum, who then attends to payments into the bank account of the client.

[61] Brough Capital has had a service level agreement with Momentum since 2013 in terms of which they outsource all administration to Momentum. He first met with the members of the Rotary Club shortly after taking over from Imara when the members of the Rotary Club expressed their dissatisfaction about how their investment or portfolio was being managed and the second time was after the fraudulent transactions had taken place.

[62] Since the times when the Rotary Club’s account was with Imara, he dealt with Mr Franklin in respect of accessing funds. Mr Franklin always sent him instructions via his own personal email. The emails that resulted in the withdrawal of the R 3.1 million emanated from Mr Franklin’s email.

[63] He believed that the payment instructions were from Mr Franklin because the email was the same in tone and the wording was very much like what Mr Franklin used when communicating. He testified that he had no doubt that the emails were genuinely from Mr Franklin.

[64] He did not deem it necessary to phone Mr Franklin to verify the instructions because that is not how they dealt with each other in the past, he did not see any need. He says according to him, the Rotary Club had many bank accounts which they opened and closed over the period. He estimated about five to six bank accounts with different banks, mostly Nedbank, Standard Bank and FNB.

[65] In this instance, the email requesting him to place an order came to him from his wife Sharon Botha whom he had employed as an administrative clerk. After the incident involving the fraudulent transaction(s), he did not communicate with Mr Franklin but spoke to other members of the Rotary Club.

[66] He testified further that they relied on Momentum to verify and confirm the bank details of the client because bank details were on Momentum’s system.

[67] He confirmed further that he as an asset manager or FSP has to take out professional indemnity cover. In this instance, when he placed a claim with the indemnity insurance, same was declined. He then referred to clause 8 of the agreement with the Rotary Club in which the Rotary Club indemnified the defendant against claims.

[68] In cross-examination he testified that he as CEO and sole director of Brough Capital entered into a consultancy agreement with his wife Sharon Botha on the 1st of May 2019 just about 2 months before the fraudulent emails surfaced which resulted in the unauthorised withdrawal of the amount of R 3.1 million.

[69] In that consultancy agreement Mrs Botha was expected to do administrative duties and to “immediately inform Brough upon becoming aware of any information, either positive or negative regarding Brough”. Mrs Botha was paid on an ad hoc basis as and when her services were required by Brough Capital. No actual monthly fee was agreed upon. This clearly means that she was like an independent contractor because the consultancy agreement did not make her an employee of Brough Capital despite the agreement being titled a consultancy one.

[70] Mr Botha conceded that when he bought Imara in 2017/2018 it was a loss-making company having regard to its audited financials. His explanation why he made the purchase was in my view not easy to understand, and in the final analysis, it is safe to say it was a reckless decision to purchase a loss-making company and depend on shareholders and guarantees that could not be realised.

[71] Mr Botha became evasive when questioned about the insurance cover he had for the company. In the end it turned out that he was not telling the Court the truth when he said the company had R 1 million insurance cover when in fact it was only R 250 000.00. This explains why his claim was rejected on this score. This points to some reckless commitment to the business of Brough Capital. His explanation regarding the insurance policy was that he had been advised by Moonstone Compliance about the policy and because Moonstone was happy, he accepted that it was a good policy of insurance. Once more, he shifted responsibility to a third party.

[72] When Mr Botha was asked to explain why his insurance repudiated the claim of the Rotary Club, his explanation was dubious and not straight forward. In the ultimate result, the claim was repudiated because the policy had lapsed due to non-payment of premiums for 2 months.

[73] During cross-examination, when questioned on the wording of the consultancy contract between Brough Capital and Mrs Botha which read “Brough wishes to engage the consultant to provide advisory services” - and asked if indeed this is what Mrs Botha had to do, he quickly said the contract was incorrect and apologised for that.

[74] The highlight of Mr Botha’s evidence is his contention that the particulars of banking details and authentication thereof lay with Momentum, not him and his staff. He maintained that Momentum handled the banking details of the Rotary Club and it was their duty to have authenticated them prior to making payments.

[75] In response to a direct question that it was his duty in view of an email indicating a different bank detail to have first phoned Mr Franklin about the changes, he did not answer the question directly and eventually, once more shifted responsibility to Momentum. He could not answer the question in view of his position as an intermediary.

[76] He confirmed that “the new bank account” was not loaded on the books of Momentum and what Momentum should have done was to call or confirm that with him as the intermediary, and not call Mr Franklin because Momentum knew and dealt with him at all instances and never with Mr Franklin or any of the officials of the Rotary Club.

[77] When it was put to him that the requests from the fraudulent emails indicated amounts that were not normally requested by the Rotary Club, he responded that he was not sure and would have to go back in history to check that. In the final analysis he said that he relied on Momentum to have done the authentication of the banking details prior to payment.

[78] It was put to Mr Botha that the request to pay out R 1 million was unusual and required higher care. He for the first time said he does not know the Rotary Club’s business. The strange thing is that these are clients he had been dealing with since the time of Imara and took them on when he became the sole director at Brough Capital. It is disingenuous of him to now plead ignorance of his own client’s affairs.

[79] When it was put to Mr Botha that it was unusual for the Club to virtually, in a matter of days, request to clean out its funds, his response once more was “I would like Momentum to answer that because they do the payments.”

[80] Mr Botha was then referred to the Mandate between his company and the Rotary Club wherein it was specifically agreed that he as the Club’s intermediary should “try not to sell the shares at a loss.” He was told that one of the reasons why his mandate was being terminated was because of his actions trading out the Club’s equities at a loss. His response was most unconvincing, he stated that he sold because the clients needed money and when asked to explain what the client needed money for, he said “[i]t is not my business to ask them.” I find that response at most surprising, and at the very least, unprofessional.

[81] Mrs Sharon Colleen Botha testified that her role and duties at Brough Capital were to send clients statements and to receive requests from clients, which requests she then passed on to her husband, Mr Botha, for action.

[82] In her evidence it became clear that she would attempt at all costs to corroborate her husband’s evidence, that it was the duty of Momentum to verify the bank details of the Rotary Club and not her or her husband. She, in her own email introduced herself to Mr Franklin on the 10th of July 2019 notwithstanding the fact that she had assumed duties on the 1st of May 2019. It was shortly after she had sent the introductory letter to Mr Franklin that suddenly, the fraudulent emails emerged.

[83] She testified that she was neither a representative nor an advice giver at Brough Capital. All she did was to send clients their statements as she received them from Momentum. All that happened is that clients would communicate with her and she would make sure that Mr Botha was aware of clients’ requests.

[84] She does not receive a fixed salary but says she is employed by Brough Capital. Her husband would normally tell her when he needed her to do something but she checks emails on a daily basis and when a client needs cash from shares, she will pass that on to Mr Botha to sell.

[85] She testified further that her husband told her that Mr Franklin was a difficult person and that whenever he calls or sends an email she must react immediately and should make sure that he is well looked after.

[86] She believed that the email indicating changed banking details was from Mr Franklin because that is what had been happening in the past. The first time she communicated with Mr Franklin was when she sent him the introductory email on the 10th of July 2019. She had never spoken to him over the phone.

[87] The first fraudulent email sent to her is dated 16 July 2019 and in it, Mr Franklin speaks about “his investments” not the investment of the Club. This did not alert her of something queer and she did not bother to call Mr Franklin. All she did was to call Mr Botha. When confronted with a contradiction between her evidence and that of her husband to the effect that Mr Botha never testified that she called him after receiving that fraudulent email, she had no response. She later changed her version by saying she cannot remember that discussion.

[88] When the second or third email reached her advising her of a new bank account at FNB into which the funds were to be paid, she did not call Mr Franklin to authenticate the bank details.

[89] Mrs Botha as already indicated tried to introduce evidence to the effect that this was not the first time that the Rotary Club was changing bank accounts. When it was indicated that it only happened once in 2017 when she had not even started working for Brough Capital, she became evasive and said she wants to go and check the information. She eventually had to concede that she is unable to produce the so-called five or six previous bank accounts of the Rotary Club.

[90] The fraudulent email which supposedly had an attachment of a letter from FNB also had a telephone number to be called should there be any query. Mrs Botha told the Court that she did not call that number.

[91] On the further emails that she responded to from the fraudster Mrs Botha states she called Momentum who confirmed to her that payment had been made. This evidence is in contradiction to what she had earlier told the Court, namely that she only sends clients their statements. She never indicated that she also telephoned Momentum about payments since she made this Court understand that it was the work of her husband to liaise with Momentum.

[92] Mrs Botha continued with her evidence in the same vein that she did not regard it necessary to authenticate the changed banking details as her husband had told her that all is in order and that she should go ahead and inform Momentum to make payment.

[93] Her further evidence is that all that she has on her system is the ability to access clients’ statements and nothing else as the entire system is with Momentum.

[94] When Mrs Botha was asked if it is not one of her administrative duties to check that correspondence is correctly addressed, she stated it was not - that her job is only to send statements. That question was asked in view of the fact that the fraudulent letter from FNB referred to “the Rotary Club” and not the “Rotary Club of Rosebank”. She was also not able to explain why no action was taken to authenticate the new Nedbank account which gave the address of the Rotary Club as Bryanston and did not even have an official stamp.

The Plaintiff’s and Defendants’ Case

[95] The plaintiff’s case is that Brough Capital and Mr Chris Botha in their capacities as duly registered Financial Services Provider (FSP) failed to comply with the legal duties of a Financial Advisor and were thus grossly negligent in the conduct of the affairs of the plaintiff and should be held liable for the economic loss suffered by the plaintiff.

[96] On the other hand, the defendants, whilst not admitting any contravention of the FAIS Act and General Code of Conduct for Financial Services Providers and Representatives2 (the Code), rely on the contractual provisions governing the relationship between Brough Capital and the plaintiff, in particular clause 12, which indemnifies the defendants against any claim for loss suffered by the plaintiff unless there is proof that the defendants acted in a grossly negligent manner, not just negligently.

The Statutory Provisions

[97] The FAIS Act defines a Financial Services Provider (FSP) as -

“Any person, other than a representative, who as a regular feature of the business of such person -

a) furnishes advice; or

b) furnishes advice and renders any intermediary service; or

c) renders an intermediary service.”

[98] Advice is defined in the FAIS Act as follows:

“Subject to subsection (3) (a), any recommendation, guidance or proposal of a financial nature furnished, by any means or medium, to any client or group of clients: -

(a) in respect of the purchase of any financial product; or

(b) in respect of the investment in any financial product; or

(c) on the conclusion of any other transaction, including a loan or cession, aimed at the incurring of any liability or the acquisition of any right or benefit in respect of any financial product; or

(d) on the variation of any term or condition applying to a financial product, on the replacement of any such product, or on the termination of any purchase of or investment in any such product, and irrespective of whether or not such advice -

i) is furnished in the course of or incidental to financial planning in connection with the affairs of the client; or

ii) results in any such purchase, investment, transaction, variation, replacement or termination as the case may be, being effected.”

[99] It is common cause in casu that the second defendant, Mr Chris Botha, was the only licenced Financial Service Provider, not his wife, Mrs Sharon Botha.

The Facts and Analysis of the Facts

[100] It is not in dispute that an amount of R 3.1 million belonging to the Rotary Club of Rosebank was erroneously paid into an account not belonging to the Rotary Club by Momentum. The second defendant in his capacity as the duly authorised and licenced Financial Services Provider rendered professional services to the plaintiff as required by the FAIS Act.

[101] The instructions that previously emanated from the Rotary Club were transmitted by Mr Franklin to the second defendant via email. This matter pertains to cybercrime in that Mr Franklin’s email was hacked into with the hacker “assuming” the position of Mr Franklin and transmitting instructions to the defendant which in fact did not emanate from Mr Franklin.

[102] It is common cause that the relationship between Brough Capital and the Rotary Club is based on a mandate titled “Investment Management Mandate.” That contract imposes financial obligations on Brough Capital and Chris Botha, which obligations include a duty of care in dealing with the plaintiff’s investments.

[103] Clause 11.8 of the Mandate reads as follows -

“You acknowledge that the Investment Manager is authorised to visit or telephone you to discuss investments without having been expressly invited by you to do so.”

[104] At the same time the Indemnity clause which forms the basis of the defendants’ responses exonerates the defendants from and against any or all claims, damages, liabilities, costs and expenses unless such claims are attributable to fraud, bad faith, dishonesty or gross negligence on the part of the Investment Manager.

[105] There is no contractual nexus between the plaintiff and Momentum. Such contractual relationship exists between Brough Capital and Momentum. It is an implied term of the Investment Manager Mandate that the Authorised Services Provider will exercise the skill, adequate knowledge and diligence expected of a Financial Services Provider.

[106] On the duty to execute a professional mandate with diligence, skill and care especially where client monies are involved, the court in Fourie v Van der Spuy and De Jongh Inc. and Others3 held as follows -

“The applicant was obliged as a practicing attorney to account to his client for the funds and as such did so as principal. It would not be a defence to a claim by the attorney to submit that he/she had paid as was instructed when he/she did not verify the instructions.”4

[107] In this matter both Mr and Mrs Botha in their evidence claim that there was no duty on them to verify the banking details of the plaintiff when they received instructions. They instead say it is Momentum who had to do the verification. Well, they are wrong: Momentum has no contract with the plaintiff.

[108] The court in Fourie concluded as follows -

“[24] It cannot be disputed by the respondents that had the second respondent confirmed or verified the new bank details with the applicant, the fraud simply would not have occurred. It is abundantly clear from the facts that no verification process was followed and that the firm would have to carry the loss, not the applicant.

[25] The rate at which cybercrime occurs makes the internet a very unsafe working area. Perhaps a time will come when the moneys will be transferred in the presence of a client, and the client will have to waive the nicety of EFTs being done without the client being present, alternatively the client being phoned. However, this is not the function of the court to make plans how to curtail the absolute low-minded, yet deceptive, cyber criminals.”

[109] In Atwealth (Pty) Ltd v Kernick (Pty) Ltd5 the court held that in assessing whether the FSP acted negligently or not, it had to consider the level of skill and knowledge required of an FSP in a particular position and assess whether someone with the requisite skill and knowledge would have acted differently in the context of the present dispute.

[110] It has been held in previous matters before this Court and elsewhere that a type of fraud which is facilitated by the hacking of emails has become trite and has assumed the name Business Email Compromise (BEC). Fisher J in Gerber v PSG Wealth Financial Planning (Pty) Ltd6 held that this type of crime is typically committed in anonymity by means of remote engagement using the internet and other systems. The court in Gerber concluded with a question as to who should bear the loss as both parties in that matter were victims of the fraud.

[111] This is the question to be answered in this matter. The plaintiff has submitted evidence pointing out the gross negligence by Mr and Mrs Botha by failing to exercise the necessary skill and diligence in the face of unusual instructions. The defendants do not dispute that the plaintiff has suffered a loss; they claim indemnity - that they did not act negligently or with gross negligence and cannot be held liable.

[112] The similarities of the facts in Gerber to this matter are to be found in paragraphs 77 and 78 of that judgment wherein Fisher J concluded as follows -

“[77] The deficiencies in the checking process were clear. The defendant ignored its own protocols. The checking machinery yielded the result that the account was not verified as being legitimate…

[78] At the very least one would expect that the information relating to the bank account which was conveyed by client services would have triggered a further and more careful scrutiny of the letter provided as verification of the account…”

[113] In the present matter, the letter from the bank described the account name simply as “The Rotary Club.” It excluded the name Rosebank. This alone should in my view have triggered Mr Botha to make enquiries by telephoning Mr Franklin to verify. He and his wife failed to do so and were thus grossly negligent.

[114] The history of withdrawals by the Rotary Club of Rosebank is well known to Mr Botha, and the sudden requests to draw huge and unusual sums at short intervals are another factor that should have triggered the Bothas to make an enquiry and verification.

[115] It is not in dispute that under the Code, the defendants were obliged to -

“at all times have and effectively employ the resources, procedures and appropriate technological systems that can reasonably be expected to eliminate as far as possible, the risk that clients, product suppliers and other providers or representatives will suffer financial loss through theft, fraud, other dishonest acts, poor administration, negligence, professional misconduct or culpable omissions.”7

[116] Mr and Mrs Botha failed to exercise the necessary skill, care and diligence to ensure that the money held by Momentum is paid into the correct account. It is as a result of this lack of diligence that the plaintiff suffered loss.

[117] In their heads of argument the defendants argue that the indemnity clause is enforceable and exempts them from liability. Secondly, they argue that the Investment Management Mandate was subject to a further tacit term that Momentum would be responsible for all the verification, authentication and authorisation of payments.

[118] It is not in dispute that in terms of an express term of the agreement, the defendants had a duty to protect the plaintiff against gross negligence and fraud.

[119] In their plea to paragraph 12.5 of the plaintiff’s particulars of claim, the defendants plead that at no stage in the past did they ever utilise any authentication security checks when acting on the instructions from Mr Franklin to withdraw money from the plaintiff’s investments held with the defendants. This statement is not supported by evidence in the face of overwhelming prevalence of cybercrime in the financial services sector.

[120] In an attempt to shift blame for their lack of diligence the defendants raise a tacit defence that Momentum is responsible to check the authenticity of the plaintiff’s bank account prior to making payments. That statement is not supported by any written agreement nor is it an implied term of the Mandate.

[121] In Hawarden v Edward Nathan Sonnenbergs Inc8 Mudau J held as follows at para 127 -

“In my view, the plaintiff’s case established clearly that sending bank details by email is inherently dangerous, and so must either be avoided in favour of, for example, a secure portal or it must be accompanied by other precautionary measures like telephonic confirmation or appropriate warnings which are securely communicated.”

[122] Had Mr Botha paid careful attention to the purported letter from FNB, it would have revealed that it was not the plaintiff’s bank account but that of a “Rotary Club” with no name. That alone would have prevented the loss.

[123] The defendants’ attempt to rely on a tacit term regarding authentication and verification is in my view incorrect. It was the defendants’ duty to prove the existence of such tacit term of the Mandate and they failed to do so.

[124] In Alfred McAlpine & Son (Pty) Ltd v Transvaal Provincial Administration9 Corbett AJA as he then was described a tacit term as -

“[a]n unexpressed provision of the contract which derives from the common intention of the parties as inferred by the court from the express terms of the contract and the surrounding circumstances. In supplying such an implied term the court, in truth, declares the whole contract entered into by the parties.”10

[125] The defendants deny that the Bothas were grossly negligent and in fact blame Mr Franklin for being negligent by not changing his email when he had previously been hacked. It is argued that in view of the inherent risk associated with BEC, Mr Franklin was equally under a duty to guard against the loss taking place. This statement was said in a vacuum and no evidence was presented to prove the previous hacking of Mr Franklin’s email. Similarly, it was argued that the Rotary Club had changed its bank account about five or six times. Such allegations were never proved.

[126] In Gerber11 Fisher J concluded as follows at para 90:

“Even if it had been shown by the defendant that the plaintiff was negligent, this does not absolve the defendant of his admitted contractual obligations. The proximate cause of the loss was not the hacking, it was the failure to exploring the necessary and contractually prescribed vigilance when monies held in trust were sought to be paid into a different account.”

[127] The defendants’ penultimate defence is that the exemption clause restricting liability only in the event of fraud or gross negligence exonerates them from liability.

[128] It has been held in the case of Essa v Divaris12 that courts at all times endeavour to confine exemption clauses within reasonable bounds by interpreting them narrowly.

[129] The term gross negligence has been considered in several decisions, for instance in Transnet Ltd t/a Portnet v MV ‘Stella Tingas’ and Another13 at para 7 the Supreme Court of Appeal observed:

“It follows, I think, that to qualify as gross negligence the conduct in question, although falling short of dolus eventualis, must involve a departure from the standard of the reasonable person to such an extent that it may properly be categorised as extreme; it must demonstrate, where there is found to be conscious risk-taking, a complete obtuseness of mind or, where there is no conscious risk-taking, a total failure to take care. If something less were required, the distinction between ordinary and gross negligence would lose its validity.”

[130] The defendants are only exempted from ordinary negligence, not gross negligence. The fact that the bank letter did not describe the Rotary Club in full and, secondly, the fact that it was unusual for the Rotary Club to make large withdrawals at short notice, should have raised the eyebrows of a vigilant intermediary. I am therefore persuaded that the acts of Mr and Mrs Botha amounted to gross negligence which caused loss to the Rotary Club.

Order

[131] In the circumstances, the following order is made -

1. The defendants are directed jointly and severally, to pay the plaintiff the sum of R 3 100 000.00 plus interest of said amount at the rate of 10,5% per annum a tempore morae, the one paying the other to be absolved.

2. The defendants are ordered to pay the taxed party and party costs of suit which shall include the costs of two Counsel.


 


 

___________________________

MA MAKUME

JUDGE OF THE HIGH COURT

JOHANNESBURG

 

 

Delivered: This judgment and order were prepared and authored by the Judge whose name is reflected and is handed down electronically by circulation to Parties / their legal representatives by email and by uploading it to the electronic file of this matter on CaseLines. The date of the order is deemed to be __ November 2023


 

APPEARANCES

 

For the Plaintiff: Adv. Morrison SC & Adv. T Scott

 

Instructed by: Baker and McKenzie Inc.

 

 

For the Defendants: Adv. L Mbale

 

Instructed by: LM & Company Attorneys


 

Date of Hearing: __ June 2023

 

Date of Judgment: __ November 2023

1 37 of 2002 (“FAIS Act”).

2 General Code of Conduct published under FAIS Act, BN 80 GG 25299, 08 August 2003.

3 2020 (1) SA 560 GP.

4 Id at para 15.

5 [2019] ZASCA 27; 2019 (4) SA 420 (SCA).

6 2023 JDR 0899 GJ (Gerber).

7 General Code of Conduct above n 2 at s 11.

8 2023 (4) SA 152 (GJ).

9 1974 (3) SA 506 (A).

10 Id at 531H-532A.

11 Gerber above n 6.

12 1947 (1) SA 753 (A).

13 [2002] ZASCA 145; [2003] 1 All SA 286 (SCA).

 
