The introduction of electronic banking in Nigeria has been a worthy development in our banking system. From Automated Teller Machines (ATM), Internet Banking, Mobile Applications to the use of Unstructured Supplementary Service Data (USSD) codes. Banking has been all exciting in recent years. You can initiate transactions outside the banking halls with ease, while being in full control of the process.

The demerits of electronic banking include issues relating to transaction failures due to network hitches or the malfunctioning of the technological facilities enabling the process. Usually, the banks have complaints treatment procedures for such issues and can readily resolve them within a few hours or days. It is only on a few occasions that you may witness more delays. This is mostly related to interbank electronic transactions. Banks have internal protocols by which they interact with other banks to resolve cases. In extreme cases where the banks are unable to resolve the issues, they would often heap the blame on their third-party service providers who are behind the technology that services the electronic banking system. 

Nevertheless, none of these issues could be as traumatizing as when fraudulent activities are executed using the electronic banking platforms. The banks may be unable to help you if you lose your money through cyber fraud. This accounts for the reason the banks often provide caveats and tips on how to secure your account, PINs or passwords. Other tips include how to avoid falling prey to phishing (“Phishing is a method of trying to gather personal information using deceptive e-mails and websites”). 

In most of the forms you will fill and sign before you can use your ATM cards and other electronic platforms, you will find standard form contracts containing the terms and conditions for the use of the service. Part of the terms and conditions (which are often in tiny prints) include exclusion clauses and limitation of liability clauses. By this, the banks move to shield themselves from any liability flowing from your use of the service or limit their liabilities to certain amount.

Notwithstanding these provisions, where you suffer any financial fraud on any of the electronic banking platforms and the court finds the bank “guilty” of negligence in not providing the necessary safeguards, the bank will be liable. The Court of Appeal was recently called upon to resolve a dispute relating to electronic banking fraud involving United Bank for Africa Plc (UBA) – UBA Plc v. Vertex Agro Ltd [2020] 17 NWLR (Pt. 1754) 467. Decided on 13 June 2019.

UBA v. Vertex Agro Ltd

The facts of the case are that the Respondent (Vertex Agro Ltd) maintained a current account with the Appellant (UBA). On a certain date, Vertex received several SMS alerts of the unauthorized withdrawal of over N9 Million (in installments) from its account. The SMS alerts were received through the cell phone of the Managing Director of the company via an MTN line (the only telephone number linked to the account). The withdrawals were effected through UBA’s online banking platform.

On noticing the withdrawals, Vertex contacted UBA demanding an immediate reversal of the debits. UBA failed. Vertex subsequently issued a cheque in the sum of N8 Million. UBA dishonoured the cheque for lack of sufficient funds. Aggrieved, Vertex sued UBA claiming reversal of the funds and damages. 

The evidence established before the court was that Vertex never used the hardware token device issued to it by UBA. A token device is an extra security device that produces number codes needed to conclude transactions. Also, the MD never received any One Time Pin (OTP) SMS on the hardware token device or on his designated telephone number in respect of the unauthorized transactions. 

In its defence, UBA made certain points and these should interest you even more. The Bank claimed that the withdrawals were made by means of a software token because the MD of Vertex allegedly compromised his email profile and thereby gave the perpetrators of the fraud access to his email where they accessed the U-token activation OTP and password, either through physical access or social engineering. 

Furthermore, the Bank stated that it was able to recover about N4.692 Million of the amount withdrawn and would credit Vertex’s account with it. The Bank relied on its indemnity and exclusion clauses to contend that it was not liable for the unrecovered amount.

Evidence by Police Inspector

So, it happened that UBA made internal investigations and found one Ejike Nwabara to be behind the fraud. UBA had submitted a petition against Ejike Nwabara. The Police Inspector was called as a witness in the case. He testified that Ejike admitted maintaining an account with UBA but denied knowing Vertex. The Police Inspector told the Court that UBA failed to give the Police evidence to aid its investigation and prosecution of Ejike. So, the Police had no option but to release Ejike from detention. 

Evidence by Fraud Analyst

Another witness called by Vertex was a fraud analyst and an employee of MTN who gave expert evidence. His unchallenged testimony was that Vertex’s telephone number was taken off the UBA database at the time the fraudulent transactions were done to avoid detection of the transactions at the time they were being done. He also testified about a similar case in another bank which showed that such a transaction was done by the bank’s employees.

Court decides

The trial Court decided against UBA as it found that the case of Vertex was established. The Court held that the Bank was negligent in allowing the withdrawal from Vertex’s account,and that the Bank acted wrongfully in dishonouring the Company’s cheque.

UBA appealed to the Court of Appeal challenging the decision of the trial Court. The Court of Appeal held that the Bank was indeed liable in negligence for failure to safeguard the Company’s account. The Court held that the Bank failed to prove its assertions that the email of the MD of Vertex was compromised as claimed. The Bank never demonstrated how this happened. 

Banks bound to reverse unauthorized debits within 72 hours

The Court of Appeal held that by virtue of Section 37(3) of the Cybercrimes Act 2015, UBA was bound to reverse the debits within 72 hours. The Section provides that a financial institution that makes an unauthorized debit on a customer’s account shall, upon written notification by the customer, provide clear legal authorization for such debit to the customer or reverse such debit within 72 hours without delay. It is an offence to fail. The punishment is restitution of the debit and a fine of N5 Million. 

UBA hiding info on Ejike Nwabara

Regarding the evidence of the Police Inspector, Agim JCA (at p. 497 of the report) reasoned as follows:

The Appellant [UBA] did not elicit any evidence to explain why it took Ejike Nwabara and handed him over to the Police as the perpetrator of the fraud and why it refused to cooperate with the Police to investigate the matter conclusively, and, if need be, prosecute the suspect it took to the Police. The obvious and necessary implication of the Appellant arresting Ejike Nwabara and taking him to the Police as the perpetrator of the fraud is that they knew how the fraud was committed and that he did it. Yet the Appellant’s officers refused to make a statement to the Police concerning the matter and refused to help the Police investigate the matter. The Police were forced to release the said Nwabara Ejike on bail as they could not continue to detain him without investigation and trial. 

UBA staff responsible for fraud

The Court of Appeal also believed the evidence of the expert witness when it held that:

Only persons that have access to banks database can take off a number from it and restore it later to avoid detection of such unauthorized withdrawals and the identity of the person that did it. It is obvious that only the Appellant’s staff can have such access.

Reliance on Indemnity/Exclusion Clauses unhelpful

UBA tried to rely on indemnity and exclusion clauses to escape from liability but the Court of Appeal blocked the door. To activate electronic banking, customers like Vertex signed a couple of standard forms. One of them was an Indemnity Form (Exhibit L). By this Form, Vertex agreed to indemnify UBA for any loss that may arise from its use of the electronic payment options. This was signed after Vertex had signed the U-Direct Token Activation Request Form (Exhibit H). The other form was UBA Virtual Enrollment Form. 

The Court of Appeal held that the Bank could not rely on the indemnity and exclusion clauses for the following reasons:

1. The Indemnity Form executed in 2015 did not incorporate the earlier agreement in Exhibit H (U-Direct Token Activation Request Form) executed in 2008 or any other agreement. More so, the indemnity cannot be extended to all electronic banking packages subscribed to by the company in a sweeping fashion.

2. By Exhibit H, the Company subscribed to the use of hard token and not the software token as claimed by the Bank as being the avenue used for the fraud. Courts are generally hostile to exclusion clauses as they must be strictly proven and shown to cover the liability complained of.

3. For being liable in negligence in discharging its contractual duties, UBA cannot be protected from liability through indemnity/exemption clauses.

4. The nature of the indemnity/exemption clauses relied upon by the Bank is against the general and particular provisions of the Guidelines on Electronic Banking in Nigeria 2003 made pursuant to the Central Bank of Nigeria Act. The Guidelines are generally tailored to protect end users of electronic or internet banking having in mind the complexity and fragility of that area of banking. The Court was of the view that UBA ought to have taken cover under the insurance policy as provided for by the Guidelines in Article 3.0 (F) instead of accusing the Company of negligence.