
National Court of Papua New Guinea



Kitoro No.33 Ltd (trading as PNG Gardener) v Westpac Bank PNG Ltd [2023] PGNC 73; N10199 (24 March 2023)

N10199

PAPUA NEW GUINEA
[IN THE NATIONAL COURT OF JUSTICE]


WS NO. 261 OF 2020 (IECMS)(CC1)


BETWEEN:
KITORO NO.33 LIMITED trading as PNG GARDENER
Plaintiff


AND:
WESTPAC BANK -PNG- LIMITED
Defendant/Cross Claimant


AND:
HEDWICK CAMILUS
First Cross Defendant


AND:
MICHAEL ELUH
Second Cross Defendant


AND:
KUNSEI AINUI
Third Cross Defendant


AND:
DAVID JACOB
Fourth Cross Defendant


AND:
NAKIKUS TION
Fifth Cross Defendant


AND:
NOPE SAMUEL WAMALA
Sixth Cross Defendant


Waigani: Tamade AJ
2022: 3rd October
2023: 24th March


BANKS AND CUSTOMERS – internet banking – various unauthorised transactions done by one user – plaintiff claims for bank’s negligence – bank states that the user’s credentials were accessed by several people – frequent login and transfer in short space of time – reasonable banker – login done by authorised user – suspicious transfers – unauthorised transfers resulting in unrecovered sum


NEGLIGENCE – bank can only act on reasonable suspicion of fraud – bank was entitled to have the presumption that first set of transactions were done using a known user’s credentials – Plaintiff had a duty to understand internet banking functions – Plaintiff had a duty to keep safe and secure its internet banking credentials – Plaintiff had a duty to register and activate Westpac Protect as an added layer of protection for internet banking – Bank’s duty should not be an onerous task in regard to internet banking


Cases Cited:
Papua New Guinean Cases


The following cases are cited in the judgment:


Asivo v Bank of South Pacific Ltd [2016] PGNC 318; N6518

Pija Grannies Ltd v Rural Development Bank Ltd [2011] PGSC 64; SC1327
Richard Manui v ANZ Banking Group [2008] PGNC 99; N3405
Papua New Guinea Institute of Medical Research v Papua New Guinea Banking Corporation [1999] PGNC 85; N1934


Overseas Cases


London Joint Stock Ltd v Macmillan [1919] UKHL 367
Greenwood v Martins Bank Limited [1933] AC 51


Counsel:

Ms. Eunice Parua and Mr. Gideon Pogla, for the Plaintiff
Mr. Wilson Mininga and Ms. Sharon Perry, for the Defendant/Cross Claimants


24th March, 2023


1. TAMADE, AJ: The trial of this matter was heard on 22 September 2022 with closing submissions heard on 3 October 2022. This is the decision on liability on the matter.


2. The Plaintiff is the customer of the bank operating a cheque account with an overdraft facility to the sum of K1.5 million. The overdraft facility is tied to the Plaintiff’s various assets as security. In 2010, the Plaintiff applied for internet banking with the Defendant bank. Three users were created for the Plaintiff to access this internet banking account. These were Justin Tkatchenko, Catherine Tkatchenko and Jacque Ware who was the former Corporate Manager of the Plaintiff. The Plaintiff claims that the internet banking account was created for the sole purpose of accessing the account and inspecting the financial statements of the account and not for any transactions.


3. Between 26 February 2020 and 16 March 2020, the Plaintiff claims that a total of 8 unauthorized transfers were made on their account through online internet banking to unknown third-party accounts. The following are details of the transfers from the Plaintiff’s account to third-party accounts:


| No. | Date | Cross-Defendant | Amount Transferred (K) | Cross-Defendant’s Bank | Amount Removed (K) | Balance Outstanding (K) |
|---|---|---|---|---|---|---|
| 1 | 27.02.20 | Hedwick Camilus | 50,000 | Bank South Pacific (BSP) | Nil | 50,000 |
| 2 | 03.03.20 | Michael Eluh | 49,825 | BSP | 3,496.90 | 46,328.10 |
| 3 | 09.03.20 | Kunsei Ainui | 4,500 | BSP | Nil | 4,500 |
| 4 | 10.03.20 | Kunsei Ainui | 7,440 | Westpac | Nil | 7,440 |
| 5 | 10.03.20 | Kunsei Ainui | 7,640 | BSP | Nil | 7,640 |
| 6 | 12.03.20 | David Jacob | 11,000 | Westpac | Westpac | 11,000 |
| 7 | 16.03.20 | Kunsei Ainui | 7,600 | BSP | Nil | 7,600 |
| 8 | 16.03.20 | David Jacob | 11,500 | Westpac | Nil | 11,500 |

4. On 17 March 2020, the Plaintiff queried these transactions by sending an email to the Defendant’s bank. The Bank responded on 26 March 2021 that user Justin Tkatchenko was the user that had done the various transactions. The Plaintiff then responded by stating that:


  1. The Plaintiff had no access to the function to do an online transfer,
  2. The Plaintiff only had access to bank statements on their internet Banking Account,
  3. The Plaintiff conducted payments via cheque payments or standing orders,
  4. The Plaintiff only noticed the online payments recently and wanted to know how these online payments were done,
  5. The Plaintiff referred the bank to its account history that it had never done transfers since it obtained access to internet banking,
  6. If the function to do online transfer was done recently and or added to the Plaintiff’s internet banking access, the Plaintiff was never notified of this.
  7. The Plaintiff was not given tokens or access etc for making online payments
  8. The Plaintiff requested the bank to seek clarification from their electronic banking section.

5. It is the Bank’s position that at the time these email correspondences were sent between the Plaintiff notifying the Bank about these unauthorized transactions, there was no specific request from the Plaintiff to stop their internet banking access. The Plaintiff on the other hand claims that as it had notified the bank about these unauthorized transactions, the Bank should have acted swiftly to stop the access to their internet banking account.


6. Between 18 March 2020 to 26 March 2020, another 22 fraudulent transactions were conducted on the Plaintiff’s account totaling K202 802. Below are details of those transactions:


| No. | Date | Cross-Defendant | Amount Transferred (K) | Cross-Defendant’s Bank | Amount Removed (K) | Balance Outstanding (K) |
|---|---|---|---|---|---|---|
| 1 | 19.03.20 | Kunsei Ainiu | 8,002 | BSP | Nil | 8,002 |
| 2 | 20.03.20 | Kunsei Ainiu | 11,250 | BSP | Nil | 11,250 |
| 3 | 20.03.20 | Kunsei Ainiu | 8,050 | BSP | 3,804.31 | 4,245.69 |
| 4 | 20.03.20 | David Jacob | 10,500 | Westpac | Nil | 10,500 |
| 5 | 20.03.20 | David Jacob | 11,300 | Kina | 17,500 | |
| 6 | 20.03.20 | David Jacob | 11,500 | BSP | Nil | 11,500 |
| 7 | 23.03.20 | Bongu Financial Co. | 11,550 | BSP | | 11,500 |
| 8 | 23.03.20 | Bongu Financial Co. | 10,200 | BSP | 1,306.97 | 8,893.03 |
| 9 | 23.03.20 | Bongu Financial Co. | 11,500 | BSP | 12,806.97 | 1,306.97 |
| 10 | 24.03.20 | David Jacob | 11,500 | BSP | Nil | 11,500 |
| 11 | 24.03.20 | David Jacob | 11,500 | BSP | Nil | 11,500 |
| 12 | 24.03.20 | David Jacob | 4,500 | BSP | Nil | 4,500 |
| 13 | 24.03.20 | Rental Taxi Service | 10,000 | BSP | Nil | 10,000 |
| 14 | 24.03.20 | Rental Taxi Service | 11,500 | BSP | Nil | 11,500 |
| 15 | 24.03.20 | Nakikus Tion | 450 | BSP | Nil | 450 |
| 16 | 24.03.20 | Nakikus Tion | 9,000 | BSP | Nil | 9,000 |
| 17 | 25.03.20 | Nakikus Tion | 9,000 | BSP | Nil | 9,000 |
| 18 | 25.03.20 | Nakikus Tion | 4,500 | BSP | Nil | 4,500 |
| 19 | 25.03.20 | Nakikus Tion | 9,000 | BSP | Nil | 9,000 |
| 20 | 26.03.20 | Nakikus Tion | 9,000 | BSP | Nil | 9,000 |
| 21 | 26.03.20 | Nakikus Tion | 9,000 | BSP | Nil | 9,000 |
| 22 | 26.03.20 | Nope Samuel Wamala | 10,000 | BSP | 2,688 | 7,312 |

7. Again, between 26 March 2020 to 6 April 2020, additional unauthorized transactions were made on the Plaintiff’s account.


8. On 6 April 2020, the Bank picked up on suspicious payments from the Plaintiff’s account which consisted of 9 transactions totaling K90 850 and notified the Plaintiff. The Plaintiff then requested for a stop to its internet banking. On 7 April 2020, the Bank deactivated the Plaintiff’s users, both Justin and Catherine Tkatchenko.


9. The Bank discovered that there were 48 alleged fraudulent transactions or unauthorized transactions totaling K529 652.00 from the Plaintiff’s account.


10. The Plaintiff claims that the Defendant Bank continued to charge interest on their account during the material period when these unauthorized transactions occurred. The Plaintiff claims that from the K529,657.00 which was unlawfully transferred from their account, a total of K393 331.97 was lost and unrecovered. An interest of K23 198.30 was charged by the Defendant Bank. The Bank has claimed that they have recovered a total sum of K112 433.60 from these unauthorized transactions made to accounts held by the Defendant bank and other banks. The Plaintiff claims that the Defendant Bank has kept charging interest on their account on the unauthorized transfers and their total loss due to the alleged fraudulent transfers is K416,540.27. The Plaintiff claims that the bank should not have charged them interest on the overdraft facility as from the material period, they had not done any transactions on their account pending the determination of these issues in Court. The Bank insists that it is acting upon the contractual agreement between the parties as to a term of the overdraft facility as to its monthly interest.


11. The Plaintiff therefore claims that the unauthorized transactions from its account were caused by the negligence of the Defendant Bank in failing to ensure these transactions did not happen by allowing other unauthorized persons to access the Plaintiff’s account through internet banking.


Is the Defendant Bank liable to the Plaintiff for negligence for the unauthorized transactions accessed through its account via internet banking?


Plaintiff’s case


12. The Plaintiff claims that when they first notified the Defendant about the first 8 unauthorized transactions on 17 March 2020, they enquired with the Defendant as to where these transactions were from and who authorized these transactions as they had not authorized these transactions. On 18 March 2020, the Defendant’s employees informed the Plaintiff that they had forwarded the call to their call center to investigate. A follow up email was sent by the Plaintiff on 26 March 2020. The Bank on that same day noticed unfamiliar transactions under the name of Justin Tkatchenko and informed the Plaintiff.


13. The Plaintiff perhaps does not understand how internet banking works. It says that it wanted to have access to internet banking but says that it only requested for the function to only access internet banking to check its statement but never requested for the function to transfer money or make a payment through internet banking. This is therefore the Plaintiff’s case that as it only accesses internet banking to check its balance or view its statement, it was not possible for it to perform the alleged unauthorized transfers.


Defendant Bank’s case


14. The Bank’s case is that the Plaintiff has an overdraft facility with the bank with a limit of K1.5 million.


15. The Bank also says that in 2010, the Plaintiff applied for internet banking and three users were created. Each user was given a customer number and a password to access the internet banking. Justin Tkatchenko and Catherine Tkatchenko had full access to all the functions of internet banking whilst the third user, Jacque Ware had restricted access to the Plaintiff’s internet banking; Jacque could not make payment to others and or transfer funds between accounts.


16. Since 2010 when the Plaintiff had access to internet banking, the bank states that the Plaintiff never requested to change the access of these three users. It is the Bank’s case that at some stage in 2020, someone with internet access to the Plaintiff’s account being an employee of the Plaintiff or someone who had access to Justin Tkatchenko’s credentials made those fraudulent transfers. As the credentials of these three users were within the knowledge of the Plaintiff’s employees, this information was somehow leaked to someone who accessed the Plaintiff’s account through the internet banking and did those transactions.


17. The Bank also states that in all the alleged fraudulent transfers done via internet banking on the Plaintiff’s account, Justin Tkatchenko’s customer number and password were quoted for all the unauthorized transactions.


The law in relation to customer and bank relationships


18. The Court in Asivo v Bank of South Pacific Ltd[1] found that in addition to the elements of a contract, the Court said this:


“To establish a cause of action in negligence a plaintiff must prove the elements of the tort:

(a) the defendant owed a duty of care to the plaintiff;

(b) the defendant breached that duty (acted negligently);

(c) the breach of duty caused damage to the plaintiff; and

(d) the type of damage was not too remote.

The bank owed a duty of care to the plaintiff, its customer, to take reasonable care in the conduct of the banker-customer relationship...”


19. Ms Parua has referred the Court to the case of Barclays Bank plc v Quincecare Ltd[2] where the High Court of England and Wales found the “Quincecare duty”. This is in relation to the duty on banks when customers give instructions to banks for payments which the banks ought to be diligent to prevent fraud.


20. The Supreme Court has also expressed the Bank’s duty to its customers to act fairly. This is what the Supreme Court said in Pija Grannies Ltd v Rural Development Bank Ltd[3]:


“4. Allowing ourselves to be guided by the decision of the Supreme Court in Rage Augerea & Maureen Augerea v Bank South Pacific Limited (2007) SC869 and many decisions that have followed that decision and other decisions like the one in Otto Benal Magiten v Rural Development Bank Ltd (WS No 938 of 1999, 2006 (unreported) and David Nelson v Credit Corporation (PNG) Ltd (2011) N4368, we are firmly of the view that banks owe a duty of care to their customers to act reasonably and with much care. Contrary to the learned trial Judge's view on this point in this matter, we are of the firm view that, in addition to the banks' general duty of care, where the banks have an agreement, they have a duty to act fairly and in accordance with the terms of the agreement. That is in addition to ensuring at the first place that the terms of the agreement are fair and reasonable and are capable of standing up against any challenge under the Fairness of Transaction Act or a similar challenge going into the fairness and reasonableness of the terms of the agreement.

5. Having said that, however, we are also of the firm view that, parties who claim a breach of the duty of care owed to them by the banks have a duty to properly and clearly articulate their claims and demonstrate the basis for their allegations in due compliance of the rules relating to pleadings. They should exercise care to ensure that there is a proper factual and legal foundation for their claims in order to succeed against the banks. A mere claim of negligence or a breach of contract will not suffice.”


21. As to what standard the bank’s duty is, that is to be decided upon as per the following excerpt taken from Richard Manui v ANZ Banking Group[4] with emphasis underlined where the Court said:


“Whether the defendant was negligent or not is to be decided subjectively from the standard of a reasonable man carrying on business of banking and endeavouring to do so in such manner as is calculated to protect itself and its customers against fraud. See Lloyds Bank v. Savory (1933) A.C. 201 at 221 per Lord Warrington. This entails the duty owed by every bank to its customers.

30 In Orbit Mining & Trading Co. Limited v. Westminster Bank Limited [1963] 1 Q.B. 794 at 824, Harlan L.J in discussing the term "negligence" said "negligence, I think, is equivalent to carelessness."

31 In the same case, Sellers L. J. at 813 said:

"A Bank’s decision as to whether it can properly accept a cheque has to be made at the time when the cheque is handed in at the counter or when it is received by post or soon after that before the cheque and paying-in slip are separated and the cheque is sent forward to the clearing house. This may involve the bank and its officials taking reasonable care to acquaint themselves and those of their servants who will handle a customer’s transactions with the character and position of a customer at the opening of an account and thereafter, and of the subsequent manner of using the account."


32 These principles were reiterated by Diplock L.J in Marfani v. Midland Bank Limited [1968] 1 W.L.R. 956 at 972 where his Lordship said:

"What facts ought to be known to the bank, i.e. what inquiries he should make, and what facts are sufficient to cause him reasonably to suspect that the customer is not the true owner, must depend upon current banking practice changes."


33 The principles expressed in these cases would in my respectful opinion apply generally to any banking document that may be used to access funds held in a customer’s Account; such as cheques, withdrawal slips, deposit slips and so on.


34 Thus, generally, it is expected that where there is something either on the face or back of a document including a cheque, taken in relation to a customer for whom it is collected or made, which should put the bank to query, the bank would ignore it at its own peril. In cases where inquiries have to be made, such inquiries should be made in light of circumstances antecedent and present, See Midland Banking Limited v. Reckitt [1933] A.C. 1 and Commissioner of Taxation v. English, Scottish & Australian Bank [1920] A.C 683. Needless to say that it is always incumbent on the bank to take every precaution necessary to protect the interest of the true owner of the document. See Lloyds Bank v. Savory (supra). See, also London Bank of Australia v. Kendall [1920] HCA 53; (1920) 28 C.L.R. 401; Commercial Bank of Australia v. Flannagan [1932] HCA 51; (1932) 47 C.L.R. 461 and Saving Bank of South Australia v. Wallman (1935) 54. C.L.R 688.


22. As to the customer’s duty to the bank, the Court said in Papua New Guinea Institute of Medical Research v Papua New Guinea Banking Corporation[5] the following:


“The duty of the customer to take all necessary precautions in the general course of running his business has been expounded on in many decided cases and one of the leading authorities on the law on this duty prevailing upon the customer is the case of THE KEPITIGALLA RUBBER ESTATES LTD v THE NATIONAL BANK OF INDIA LTD [1908] UKLawRpAC 15; [1909] 2 KB 1010. The principle expressed in this case is that:

‘It is the duty of a customer of a bank in issuing mandates to the bank to take reasonable care so as not to mislead the bank; but beyond the care that must be taken in or immediately connected with the transaction itself, there is no duty on the part of the customer to take precautions in the general course of carrying on his business to prevent forgeries on the part of his servants’.


23. In London Joint Stock Ltd v Macmillan[6], it discusses the duty by a customer to take care as not to draw cheques that will facilitate fraud. In Greenwood v Martins Bank Limited[7], a wife forged her husband’s signature to withdraw money from his account however the husband did not inform the bank upon discovery until later. This case discusses the duty on customers to inform the bank of any forged payment from their account as soon as they became aware of it.


24. Parties to these proceedings have not cited any PNG case on internet banking fraud and perhaps this is a novel area in PNG.


Findings of the Court


Access to internet banking by JT and CT


25. What has been gnawing at the back of my mind probing it is this: the Plaintiff opened an internet banking account with the Defendant in 2010. With the opening of the internet banking account, all parties agree that there were three users created for the Plaintiff to access this internet banking account. These were Justin Tkatchenko (JT), Catherine Tkatchenko (CT) and Jacque Ware (JW) who was previously employed as the Plaintiff’s Corporate Manager. Justin and Catherine had full access to the internet banking account meaning they could check the account to see the account transaction history or statement and they could also perform transactions on the account by transferring money to other accounts or make payments to other accounts etc. Jacque on the other hand had restricted access to the internet banking account. She could not perform any transaction on the account.


26. In the Affidavit of Sharon-Kupp Tengdui as Exhibit D4 of the Bank, she attaches letters dated 24 November 2010 which were sent to Justin, Catherine and Jacque. Mrs Tengdui states that as the accounts were opened in 2010, all the originals of the letters were destroyed as they were not kept for more than 7 years. One can reasonably conclude this perhaps from the document retention policy of the bank as is the case with many companies where documents are usually retained for up to 6 or 7 years maximum. The letters to the three users of the Plaintiff were extracted from the Bank’s system. These letters show that the letters to JT and CT were similar, it gave access to the user as approved by the employer or the Plaintiff that the following function could be performed as stated in the letter:


ACCOUNT INFORMATION, ORDER DEPOSIT BOOKS, STOP PAYMENT OF CHEQUES, ORDER COPY OF STATEMENTS, INITIATE/AUTHORISE TRANSFER BETWEEN OWN A/CS, INITIATE/AUTHORISE PAY OTHERS AND MESSAGES.


27. The letter also informed the user as to how to use the internet banking and gave the user a Customer Number and a password for initial access to internet banking. The letter also informs the user that once they log in using the given password, they will be prompted to change their password which only they will know. The letter also cautions the user as to what to keep in mind when choosing a password and how to keep the password safe. The letter also warns the user that if the password is forgotten, they can call the Customer Service Representative to issue a fresh password and it will be sent to a customer’s Service Centre for collection as passwords cannot be given over the telephone.


28. In the letter by the Defendant bank to JW, she was only given the following function as is approved by the employer being the Plaintiff:

Account Information, Order Deposit Books, Stop Payment of Cheques and Order Copy of Statements


29. JW therefore had no access to transfer funds or make payments using internet banking on the Plaintiff’s account.


30. In the Affidavit of Elizabeth Auo referred to as Exhibit D3 of the Defendant’s evidence, Ms Auo who is the Manager Technological Services with the Defendant states that all the transactions the subject of the Plaintiff’s claim as unauthorised transactions were done on JT’s customer number and password. She also states that from the Plaintiff’s internet banking log, the user JT accessed the Plaintiff’s account multiple times in one day suggesting that more than one person was using the user JT’s credentials to access the Defendant’s internet banking.


31. Ms Auo referred to a particular date on 14 July 2015 between 9:30am and 9:40am, the user JT logged in 9 times that is 9 times in a space of 60 seconds. She further states that there are many other instances that the same user JT would access the account numerous times. Ms Auo also provides a summary of the Plaintiff’s internet banking log. In 2013, the maximum times the Plaintiff’s internet banking was logged in was 170 times in one day.


32. I find from this evidence that the Plaintiff’s internet banking account through the user JT’s username and password was compromised in 2013, prior to 2020 when the alleged fraudulent transactions happened. This was 13 years after the Plaintiff had access to internet banking and had within its possession and knowledge its user’s customer number and new password that it had changed after its first log in. At no time did the Plaintiff report to the Defendant that JT’s credentials were compromised. Perhaps it had no knowledge that JT’s credentials were compromised as early as 2013. There is no evidence that points to the Bank or its employees having access to JT’s credentials to log in to the Plaintiff’s internet banking account. It is reasonable therefore to conclude that JT’s customer number and password were known only to him and or the employees of the Plaintiff and or shared voluntarily and or stolen by unknown persons who shared it to more than one person to access the Plaintiff’s internet banking account numerous times within a day.


33. From reading the Affidavit of Justin Tkatchenko as Exhibit P3, he states that in 2010, Jacque Ware the former corporate manager of the Plaintiff who has since left employment with the Plaintiff in early 2020 had organized with the Defendant to set up the Plaintiff’s internet banking account. Mr Tkatchenko states that since the creation of the Plaintiff’s internet banking account, he only accessed the internet banking account to view the account statement. He states that the sole purpose of setting up the internet account was to access and inspect the financial statement in respect to the account and he was never aware that he could access the function to do online transfers. Mr Tkatchenko never stated how many times in a month or year he accesses the internet banking to check the Plaintiff’s financial statement. Mr Tkatchenko also never stated how or where he keeps his customer number and password to the internet banking account and or whom in the employ of the Plaintiff would likely have access to his password and username. He simply denies the allegation that he disclosed his internet banking credentials to others but gives no explanation as to the possibility of someone else apart from him having knowledge of his internet banking credentials and or where he keeps such information that would have the possibility of it being accessed. For example, if he keeps the information on his phone and the phone was stolen etc. He provides no such explanation. Mr Tkatchenko states that he only became aware when he was informed of the unauthorised transfers on the Plaintiff’s account on 16 March 2020.


34. I find that JT’s customer number and password were known by him, and it is reasonable to infer that he shared his credentials with one other or some others who accessed the Plaintiff’s internet banking account and or that his credentials were stolen by one other or others which was shared to more than one person who accessed the Plaintiff’s account on numerous times. His credentials were compromised back in 2013 as shown by the Internet Banking log.


35. I also find that JT and CT as users to the internet banking of the Plaintiff had knowledge and or are presumed to have knowledge of the functions allowed to them to operate the internet banking account. They were informed by way of letters from the bank when they first got their credentials to access the internet banking and after a decade from 2010 when they first opened their internet banking account, they raised no query as to what they can and cannot do regarding their access to the internet banking account. Every time they log in to check the Plaintiff’s account, they can see the availability of the functions to transfer money or make and authorise payments. The defence that JT and CT had no knowledge that they could do payments using their credentials cannot be believed as they had this knowledge since 2010 by way of letters and information from the bank. The internet functions come in a basket so to speak: the function to check your account statement, transfer money, make payment etc. Some of these functions can be restricted as in JW’s case where she had restricted access and could not perform transfers or payments. The Bank was therefore entitled to presume that the transfers using JT’s credentials were proper and therefore if it was slow to act, the presumption is that no one could access JT’s credential except himself or unless he has shared it with others either willingly or unwillingly.


36. In regard to the Plaintiff’s allegations that the Bank never provided the IP addresses to allow tracking of these fraudulent payments as requested by the Plaintiff, the Defendant responds through the Affidavit of Elizabeth Auo as follows:


  1. Westpac’s internet banking system is such that they do not capture the IP address of those performing internet banking transactions on a particular account as IP address is not always definitive and banks are not required to capture them.
  2. If the purpose for wanting to confirm an IP Address is to locate where a hacker might have conducted the unauthorized transactions, the exercise would be futile as hackers would usually change the original address to a fake one by IP spoofing.
  3. The possible ways in which a hacker would be able to obtain a customer’s internet banking password and customer number is:
    1. The characters of the password and customer number were shared by the customer either through a phishing email; or
    2. Through the hacker hacking the customer’s email and inside their inbox or sent message was able to locate an email that was sent or received containing the customer password or user access; or
    3. If the password and customer number were saved on a device and the device was compromised.

37. Ms Auo states that “a hacker cannot get into a customer’s internet banking without the customer’s password and customer number.” I accept this explanation by Ms Auo and find it reasonable as the Plaintiff has not counter argued these explanations by evidence and or contrary explanations. It is reasonable to conclude that after the first login by JT into the internet banking account and after he changed his password, only he would have known his password and those whom he allows to have this information and or those who have stolen this information to use it. The allegation against the bank or its employees having access to this information cannot be sustained. The allegations that a hacker could have accessed the account cannot also be sustained in my view.


38. I therefore find that in regard to the first 8 fraudulent transfers from the Plaintiff’s account in 2020, the Bank is not liable as the presumption is that those transfers were authorised through the credentials of JT either with or without his knowledge. JT’s credentials were only known to him and those whom he gave access to knowingly and unknowingly. The Defendant’s estoppel shall therefore be upheld that Westpac’s Terms and Conditions for Internet banking is that it will not be liable where the customer’s credentials have been disclosed to another person whether intentionally or due to lack of care.


Further Transactions to the Plaintiff’s internet banking account after the Plaintiff notified the Bank of alleged unauthorized transactions.


39. The Plaintiff states through the Affidavit of Ranjith Ravikumar who is the Corporate Service Manager of the Plaintiff that on 16 March 2020, they became aware of several unauthorised transactions on the Plaintiff’s internet banking account as the Plaintiff never made any payments using internet banking but only used internet banking to check its financial statement. On 17 March 2020, an email was sent to the Defendant querying these unauthorised transfers. The email is restated below from Mark Charope, Accounts of the Plaintiff:


“Hi Elly,

With regard to the above, could you please confirm where these transactions which are highlighted on this printout of our Kitoro Ac # 6001871624 are from and who authorised as we have not raised any payment or made any transfers for these amounts listed.”


40. The Bank responded that their Call Centre Team would investigate and provide details. Mr Ravikumar states in his affidavit that the Plaintiff assumed that the account would be ceased so there could not be any more transactions done. The Plaintiff later was notified of further transactions to their account after the first 8 fraudulent transfers. The Plaintiff claims that from 17 March 2020 (after it had reported the matter to the Plaintiff) to 2 April 2020 a total amount of K247 333.87 was transferred from the Plaintiff’s account to other third-party accounts.


41. On 6 April 2020, the Defendant picked up on further transfers to the Plaintiff’s internet banking account and contacted the Plaintiff to confirm these transactions. It was only then that the Plaintiff expressly told the Defendant to put a stop to the Plaintiff’s internet banking account as those transactions were not authorised.


42. In the Affidavit of Sharon-Kup Tengdui referred to as Exhibit D2, she states that Westpac deactivated User JT and CT’s internet banking online access on 7 April 2020. From the chain of emails between the Plaintiff and the Defendant, on 6 April 2020, after receiving instructions to place a restriction on the Plaintiff’s internet account, the Defendant responded through Elly Raki the Relationship Officer that she was advised by Helen from Call Centre that due to the internet banking system outage that morning, she was unable to deactivate the Plaintiff’s internet account however this was temporary until the internet banking system was back up. This saw 9 transactions totalling K90 850 go through.


43. On 7 April 2020, the Defendant conducted its own investigations and found out the number of unauthorised transactions done to the Plaintiff’s internet account. There is a Table of Events attached as annexure I to the Affidavit of Mrs Tengdui sworn on 22 September 2021 that the Plaintiff submits contains admissions as to the Defendant failing to put a stop to the Plaintiff’s account which resulted in unauthorised transfers after 17 March 2020 when it had first reported on the first set of unauthorised transfers to its account. Mrs Tengdui follows up her evidence in another Affidavit filed on 10 December 2021 and denies any admissions by the Defendant.


44. I find that the said Table of Events attached to the Affidavit of Mrs Tengdui sworn on 22 September 2021 was premised on the fact that the Plaintiff never conducted any transfers on its account as it says that it only specifically asked to have access to only read their financial statements. The internal investigation in the Table of Events stated that the Bank could have done more to investigate the transaction as the language in the email was enough to raise alarm that the customer was disputing the transactions. This is someone else’s opinion in Westpac as Mrs Tengdui has disputed this admission. I am of the view that any reasonable employee in the Bank getting an email querying a set of payments after finding out that those alleged 8 transactions were done using an authorised user, JT’s credentials would have no sense of alarm and presume that these transactions were authorised by JT and were legitimate. I am also of the view that the language in the email from the Plaintiff only queried the first set of transactions. It did exactly that- ask an enquiry but did not raise an alarm. A reasonable employee of the Defendant bank when getting that query and after confirming that the transactions were done using JT’s credentials would presume that those transactions were done by an authorised user being JT. At that point, there was no reason for the Bank to be alarmed as the presumption is that it was by JT an authorised user.


45. It was only when the bank picked up the other transactions that they notified the Plaintiff. As can be seen in the Affidavit of Sharon-Kupp Tengdui filed on 22 September 2021 as Exhibit D2, annexure I contains the email exchanges between the Plaintiff’s employees and the Defendant’s employees. On 6 April 2020, Helen G Mea of the CSR-Call Centre emailed Elly also of the Defendant Bank and flagged a set of transactions on the Plaintiff’s account asking to confirm whether the Plaintiff had done those transactions as they were done the day before on 5 April 2020. The details of those transactions are as follows:

05.04.20 | 10:49:56 | 6001871624 | 1000080566 | 10,000.00 | KITORO No.33 LTD
05.04.20 | 10:51:27 | 6001871624 | 1000080566 | 11,000.00 | KITORO No.33 LTD
05.04.20 | 10:52:01 | 6001871624 | 1000080566 |  9,000.00 | KITORO No.33 LTD
05.04.20 | 10:53:16 | 6001871624 | 1000080566 | 11,000.00 | KITORO No.33 LTD
05.04.20 | 10:54:00 | 6001871624 | 1000080566 |  9,900.00 | KITORO No.33 LTD
05.04.20 | 10:54:16 | 6001871624 | 1000080566 |  5,000.00 | KITORO No.33 LTD

46. The Bank states that all the above transactions were done using JT’s credentials. If one looks at the timing of these transactions, they were done in minutes if not seconds. The first transaction transferred a sum of K10 000 at 10:49:56, the second transferred a sum of K11 000 at 10:51:27 and so forth. A reasonable banker would then at that stage be alarmed that it is not possible for one user to make all those transfers in the timing shown. The reasonable conclusion is that more than one person had access to JT’s credentials to do those transactions. This is the point in time that the Bank is duty bound to act as there is reasonable suspicion of fraud raised. The Bank did so by bringing this to the attention of the Plaintiff who authorised the Bank to place a restriction on these transactions and their internet account as they had not authorised those transactions. The Bank acted on the instructions of the Plaintiff and placed restrictions on the account.
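The timing reasoning in paragraph 46 can be expressed as a velocity rule over the six transfers quoted in paragraph 45. The following is an added illustration, not part of the judgment and not the Bank's monitoring system; the window and thresholds, the function names and the user label are assumptions chosen for the example.

```python
from datetime import datetime, timedelta
from decimal import Decimal

# The six rows quoted in paragraph 45. The page gives no column headings, so
# the second account number is carried as "other" without interpretation.
ROWS = [
    ("05.04.20", "10:49:56", "6001871624", "1000080566", "10,000.00"),
    ("05.04.20", "10:51:27", "6001871624", "1000080566", "11,000.00"),
    ("05.04.20", "10:52:01", "6001871624", "1000080566", "9,000.00"),
    ("05.04.20", "10:53:16", "6001871624", "1000080566", "11,000.00"),
    ("05.04.20", "10:54:00", "6001871624", "1000080566", "9,900.00"),
    ("05.04.20", "10:54:16", "6001871624", "1000080566", "5,000.00"),
]

# Assumed thresholds for illustration only; the judgment states none.
WINDOW = timedelta(minutes=5)
MAX_TRANSFERS = 3
MAX_TOTAL = Decimal("20000")


def parse(rows, user="JT"):
    """Turn the printed rows into time-ordered events for one login identity."""
    events = [
        {
            "user": user,
            "ts": datetime.strptime(f"{d} {t}", "%d.%m.%y %H:%M:%S"),
            "account": acct,
            "other": other,
            "amount": Decimal(amt.replace(",", "")),
        }
        for d, t, acct, other, amt in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


def velocity_alerts(events, window=WINDOW, max_transfers=MAX_TRANSFERS,
                    max_total=MAX_TOTAL):
    """Sliding window per (user, account): alert on transfer count or value."""
    recent, alerts = {}, []
    for ev in events:
        key = (ev["user"], ev["account"])
        # Keep only earlier transfers that are still inside the window.
        win = [e for e in recent.get(key, []) if ev["ts"] - e["ts"] <= window]
        win.append(ev)
        recent[key] = win
        total = sum(e["amount"] for e in win)
        reasons = []
        if len(win) > max_transfers:
            reasons.append("count")
        if total > max_total:
            reasons.append("value")
        if reasons:
            alerts.append({"ts": ev["ts"], "count": len(win),
                           "total": total, "reasons": reasons})
    return alerts


def min_gap_seconds(events):
    """Shortest interval between consecutive transfers, in seconds."""
    return min((b["ts"] - a["ts"]).total_seconds()
               for a, b in zip(events, events[1:]))


if __name__ == "__main__":
    evs = parse(ROWS)
    for a in velocity_alerts(evs):
        print(a["ts"].time(), a["count"], a["total"], ",".join(a["reasons"]))
    print("shortest gap (s):", min_gap_seconds(evs))
```

With these assumed thresholds the rule first fires on the second transfer, on cumulative value, and from the fourth transfer onward on count as well.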


47. In a letter dated 30 July 2020, the Defendant wrote to the Plaintiff regarding the alleged fraud and informed the Plaintiff that after their internal investigations, the Bank stated that the fraudulent transfers were external, and the Bank played no part in it. The Bank provided particulars of those transactions and the recipients of those funds and stated that this information be sent to the police to assist with police investigations.


48. In a letter dated 6 October 2020 from the Defendant to the Plaintiff’s Lawyers marked as annexure K in Exhibit D2, the Defendant informed the Plaintiff that as soon as the Plaintiff had sent the list of disputed transactions to the Defendant, the Defendant then set up restricting the Westpac mule accounts. Again, the bank can only act after the Plaintiff confirms which transactions were unauthorized as all the alleged fraudulent transactions were done using JT’s credentials. The Defendant sought assistance from BSP and Kina to have the mule accounts of the beneficiaries of those fraudulent transfers restricted and funds that were in credit were returned to Westpac. The Defendant therefore managed to recover a total of K89 965.04 from the mule accounts at BSP, Kina Bank had no funds in credit from the mule accounts and from the mule accounts at Westpac, a total of K22 468.56 was recovered. The Defendant therefore managed to recover a total of K112 433.60 from the mule accounts. The Defendant informed the Plaintiff that unfortunately, the balance of the fraudulent transfers was removed from the accounts by the mules before the Defendant was able to recover them.


49. I find that the bank acted accordingly with diligence after it reasonably became aware that more than one person was accessing the Plaintiff’s internet banking account using JT’s credentials after the second set of alleged transactions were done on 5 April 2020 and placed restrictions on the Plaintiff’s internet banking account. The Defendant then attempted recovery efforts to salvage whatever funds left in the beneficiary mule accounts.


Westpac’s Internet Banking- Westpac Protect


50. In Exhibit D5, Mrs Tengdui in her Affidavit explains the security features of the Defendant’s internet banking. She states that the Bank has a secure connection built between the banking systems and the internet to ensure that all the customers’ personal information is kept safe. This connection is secured by a firewall. She also states that the Defendant constantly monitors its systems for suspicious activity. Mrs Tengdui also explains about the internet and the customer’s computer in regard to a customer’s account details, its customer number and its password. The customer number is first given to the customer when they first sign up for internet banking. The customer is also given a temporary password that at the first sign in, the customer is required to change that password so that only that user is privy to the password and not the bank or anyone else. This is what happened when the Plaintiff first opened its internet banking account with the Defendant in 2010.

51. Mrs Tengdui states that in or around October 2019, the Defendant informed all its internet banking customers including the Plaintiff that it had introduced the Westpac Protect which is an added security feature to enhance the security feature of the customer’s internet banking. The Defendant states that with the new added feature, customers are issued with a Westpac Protect Token Device which is convenient and safeguards against fraud. The token is therefore a small device that a customer has to use to generate a password to complete an internet transaction. After a customer logs in to their internet banking account using his/her password and username, certain transactions would require a 6 digit code one time password (OTP). A transaction therefore cannot be completed unless the customer uses the token to generate the OTP. The OTP only exists for 30 seconds and changes. If for example the OTP entered the first time does not go through or is extinguished, the customer will press the token device again to generate a new OTP in order for the customer to enter the new OTP again to complete the transaction. With this new added layer of protection, it would not be possible for anyone having access to the user’s internet banking credentials to transfer money. If someone has in this case JT’s username and password, they would still need the Westpac Protect Token Device to generate an OTP to complete a particular transaction.


52. Mrs Tengdui and Ms Elizabeth Auo state in their evidence that the Plaintiff was informed as well as other customers of this new added security feature on Westpac’s internet banking. They also state in their evidence that the Plaintiff never collected the Westpac Protect Token Device from their branch and they never applied for the activation of this added security protection. This added security feature using the Westpac Protect Token Device has to be activated on the customer’s account. From the evidence, the Plaintiff’s internet banking was still using the old internet banking way and was clearly susceptible to fraud.
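The step-up check described in paragraphs 51 and 52 can be sketched as follows. This is an added illustration, not part of the judgment and not Westpac's implementation: the page does not name the token's algorithm, so the sketch assumes a time-based code per RFC 6238 (HMAC-SHA1, 6 digits, 30-second step), and `TransferGate`, its methods and the user names are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # paragraph 51: the OTP "only exists for 30 seconds"
DIGITS = 6         # paragraph 51: a 6 digit code
DUMMY_SALT = b"\x00" * 16  # used for unknown users so the check still runs


def totp(secret: bytes, now: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for the 30-second step containing `now`."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TransferGate:
    """Hypothetical server-side check run before a transfer is executed."""

    def __init__(self):
        self.users = {}      # user -> (salt, password hash)
        self.tokens = {}     # user -> token secret, present only if activated
        self.last_step = {}  # user -> last accepted time step (replay guard)

    def enrol(self, user, password, salt, token_secret=None):
        self.users[user] = (salt, hash_password(password, salt))
        if token_secret is not None:
            self.tokens[user] = token_secret

    def authorise(self, user, password, otp, now):
        salt, stored = self.users.get(user, (DUMMY_SALT, b""))
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return "denied: bad credentials"
        secret = self.tokens.get(user)
        if secret is None:
            # Token never activated: username and password are sufficient.
            return "allowed: password only"
        if otp is None:
            return "denied: OTP required"
        if not hmac.compare_digest(otp.encode(), totp(secret, now).encode()):
            return "denied: OTP invalid or expired"
        step = now // STEP_SECONDS
        if self.last_step.get(user) == step:
            return "denied: OTP already used"
        self.last_step[user] = step
        return "allowed"
```

An account enrolled without a token secret takes the password-only branch, which is the position paragraph 52 describes for the Plaintiff's account.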


53. I find that the Plaintiff’s employees and even their lawyers did not understand the basic knowledge about internet banking by corporate users and the use of the Westpac Protect. The Bank in this case had discharged its duty to keep the customer’s internet banking accounts safe from fraud by offering the Westpac Protect. It was the duty of the Plaintiff as the customer to pick up the Westpac Protect Token Device from their branch and ask Westpac to activate that security feature. If only the Plaintiff had done that in 2019, it would have prevented all the unauthorised transactions on their account in 2020 as those users of JT’s credentials cannot complete those transactions without the Westpac Protect Token Device that will generate OTPs or one-time passwords. The Plaintiff as a customer failed to ask the Bank to activate Westpac Protect on its internet bank account and therefore it was susceptible to fraud. The Bank had removed itself from any liability in my view by offering the added security protection. The alleged fraudulent activities on the Plaintiff’s account in 2020 happened because the Plaintiff contributed to its own negligence, it failed to understand the functions of internet banking on its account, and it failed to take action to utilise the added security protection offered by the bank.


Interest charges on the Plaintiff’s overdraft account


54. The Plaintiff claims that the Defendant was wrong to charge interest on the account on the stolen funds from 2 February 2020 to 5 April 2020 and after the account was dormant. The Plaintiff claims that as it had not used the account since the fraudulent transfers, it should not meet the monthly interest charged on the account.


55. The Defendant on the other hand states that it was entitled to charge interest on the overdraft facility as it was a term of the contract between the parties regarding the overdraft facility.


56. Having found that the fraudulent transfers on the Plaintiff’s internet banking account were caused by the negligence of the Plaintiff in not securing the username and password of JT which was accessed by more than one person to transfer funds from the Plaintiff’s account and that the Plaintiff contributed to its own loss by not collecting the Westpac Protect Token Device and asking for activation of the Westpac Protect, the Bank is entitled to charge interest as per the term of the Business Finance Agreement (BFA) between the parties on the agreed rates. This aspect of the Plaintiff’s claim not to pay interest on its overdraft account is also denied.


57. The Plaintiff’s claim for negligence and breach of contract against the Defendant is therefore denied.


Conclusion


58. The Plaintiff as a customer in alleging negligence against its bank that it failed to keep its internet banking account free from fraud from third parties has to show the following as per the case of Asivo v Bank of South Pacific Ltd[8]:


  1. The Plaintiff has the onus to show that the Defendant bank owed to them a duty to keep their internet account safe from fraudulent access by third parties.
  2. A breach of that duty caused loss or damage to the Plaintiff.
  3. The type of loss was not too remote.

59. The Plaintiff failed to show that the Defendant breached a duty to keep their internet banking account safe when it failed to understand the functions of internet banking from the time it first signed up. Ten years after it first signed up for internet banking in 2010 and in 2020 when the fraudulent activities occurred, it never queried whether it had access to transfer funds if it was still unsure. There is a presumption therefore from the opening of the account in 2010 to the date of the fraudulent transfers in 2020 that JT and CT knew they had access to do transfers and not only checking the financial statements as they were informed by way of letters from the bank as is the usual practice when a customer signs up for an account with the bank, the customer is informed precisely of what function they can operate on their account. The bank has discharged this duty accordingly in 2010.


60. I adopt Steyn J’s remarks in the case of Barclays Bank plc v Quincecare Ltd[9] in which the Court said:


“The law should not impose too burdensome an obligation on bankers, which hampers the effective transacting of banking business unnecessarily. On the other hand, the law should guard against the facilitation of fraud, and exact a reasonable standard of care in order to combat fraud and to protect bank customers and innocent third parties. To hold that a bank is only liable when it has displayed a lack of probity would be much too restrictive an approach. On the other hand, to impose liability whenever speculation might suggest dishonesty would impose wholly impractical standards on bankers. In my judgment the sensible compromise, which strikes a fair balance between competing considerations, is simply to say that a banker must refrain from executing an order if and for as long as the banker is 'put on inquiry' in the sense that he has reasonable grounds (although not necessarily proof) for believing that the order is an attempt to misappropriate the funds of the company (see proposition (3) in Lipkin Gorman v Karpnale Ltd (1986) [1992] 4 All ER 331 at 349, [1987] 1 WLR 987 at 1006). And, the external standard of the likely perception of an ordinary prudent banker is the governing one...”


61. It is unreasonable to impose an onerous task on the bank to keep track of every internet transaction made on a customer’s internet banking account by tracking IP addresses. There are numerous transactions happening over the internet in one day. The bank already has in place safety mechanisms to prevent internet banking fraud. The bank has a duty to ensure that upon it being reasonably aware that an act of fraud was impending, it can take precaution. In this case, the Plaintiff raised a query as to certain transactions and wanted verification as to who did those transactions. (The first 8 fraudulent transactions). The Defendant checked and found that it was done using JT’s credentials and reported back to the customer. It was reasonable for the bank to presume that they were authorised transactions as it was done by an authorised user’s credentials. In the second lot of transactions, the bank noticed that the timing of those transactions using JT’s credentials were too close and therefore it was reasonable to suspect that more than one person was accessing the Plaintiff’s account using JT’s credentials. This was when an alarm was raised, and the Plaintiff specifically instructed for a stop to their access to the account.


62. The Plaintiff has failed to prove negligence against the Defendant bank in the safe keeping of funds in their internet banking account.


63. The Plaintiff therefore as a customer has the following duty in this case;


  1. In 2010 when it opened its internet banking account with the Bank, it should have ensured that it understood how to use the internet banking account, what restrictions it can have the bank impose on its access to the account and understand security measures as to where and how to keep safe their password and username information.
  2. The Plaintiff, specifically the user JT had the duty to ensure his password and username were kept confidential and safe.
  3. If the Plaintiff became aware that its password and username could have been stolen or accessed by third parties, it had a duty to inform the bank accordingly to put a stop to those users.
  4. If the user JT was a non-executive member of the company and therefore not involved in the daily management of the affairs of the company, he should have assigned the access to the internet banking account to an active member of the management team of the company to carry out diligent checks on its account.
  5. The Plaintiff should have picked up the Westpac Tokens from the Bank and asked for activation of Westpac Protect to ensure that they are covered under the added layer of security to avoid fraudulent payments on their internet banking account.

64. I therefore make the following orders:


  1. The Plaintiff’s claim is refused and these proceedings are dismissed in its entirety.
  2. The Plaintiff shall meet the Defendant’s costs of these proceedings to be taxed if not agreed.
  3. The Defendant’s Cross Claim shall be listed for directions hearing to be pursued to a hearing proper.

65. Orders accordingly.
________________________________________________________________
Leahy Lewin Lowing Sullivan Lawyers: Lawyers for the Plaintiff
Bradshaw Lawyers : Lawyers for the Defendant/Cross Claimant


[1] [2016] PGNC 318; N6518 (11 November 2016)

[2] [1992] 4 All ER 363

[3] [2011] PGSC 64; SC1327 (2 September 2011)
[4] [2008] PGNC 99; N3405 (1 July 2008)
[5] [1999] PGNC 85; N1934 (24 September 1999)
[6] [1919] UKHL 367 (21 June 1919)

[7] [1933] AC 51
[8] Supra N1.
[9] Supra N2


URL: http://www.paclii.org/pg/cases/PGNC/2023/73.html