The increasing sophistication of cybercrime continues to expose Financial Service Providers (FSPs) to significant financial and operational risks. A recent ruling by the National Financial Ombud Scheme (NFO) highlights how a seemingly routine international payment became the centre of a costly fraud incident, resulting in a loss exceeding R1 million. While the complaint focused on whether a bank should bear responsibility for the loss, the ruling ultimately reinforced a broader message in that cybersecurity awareness remains one of the most critical defences against financial fraud.
The case involved a complainant who rendered media and public relations services to an international client. The client, acting as the remitter, was required to make payment of R1,072,895.45 to the complainant. Unknown to both parties, cybercriminals intercepted email communications between them and executed a change of banking details scam. As a result, the remitter paid the funds into a fraudulent beneficiary account instead of the complainant’s legitimate account.
The complainant argued that the bank failed to conduct adequate due diligence on the beneficiary account since the account was recently opened and there appeared to be a mismatch between the nature of the payment and the beneficiary’s business activities. While the payment related to media and public relations services, the beneficiary account was reportedly linked to a construction business.
In assessing the matter, the NFO considered the relationship between the parties and the bank’s obligations. It was found that the funds were not paid into an account belonging to the complainant. In relation to the transaction, no bank-customer relationship existed. The NFO therefore concluded that the bank did not owe the complainant a duty of care regarding the processing of the payment.
The Ombud further noted that the bank complied with all relevant regulatory and operational requirements. This included adherence to the Financial Intelligence Centre Act (FIC Act), the Currency and Exchanges Manual for Authorised Dealers (CEMAD), and standard due diligence procedures applicable to international inward payments. The bank verified account names, account numbers, invoice references, remitter details and the stated purpose of the foreign payment. There was no evidence to suggest that the information available to the bank should have raised suspicion of fraudulent activity.
As a result, the complaint was dismissed. The NFO ruled that the bank acted correctly and fulfilled all regulatory obligations. Responsibility for the loss did not rest with the bank but rather arose from the fraudulent misrepresentation that caused the remitter to transfer funds to the wrong account. The complainant’s claim therefore lay against the remitter, who remained responsible for ensuring that payment was made to the correct beneficiary.
While the legal outcome provides clarity on liability, the case also serves as a powerful reminder of the growing threat posed by business email compromise and related cyber-enabled fraud. Criminals increasingly target organisations by infiltrating email systems, monitoring communications and manipulating payment instructions.
This ruling demonstrates that regulatory compliance alone cannot eliminate cyber risk. FSPs must complement compliance measures with a proactive cybersecurity culture. Employees at every level should understand how cybercriminals operate and how seemingly minor lapses in vigilance can lead to substantial financial losses.
As cyber threats continue to evolve, FSPs should view cybersecurity awareness not merely as an IT responsibility but as a critical component of risk management and corporate governance. Investing in cybersecurity training equips employees with the knowledge and practical skills needed to identify threats before they become costly incidents. In today’s digital environment, awareness is often the first and most effective line of defence against fraud.
