The fallout from Friday afternoon fraud

Friday afternoon fraud is nothing new. The SRA has been warning firms about the risk of this type of fraud since before 2015. However, the case of R v Oliva (2019) (unreported) has provided a reminder of the legal and regulatory issues which arise when law firms find themselves mixed up in these scams. Friday afternoon fraud typically involves a fraudster impersonating a client or solicitor in a conveyancing transaction. Here we focus on the scenario in which the fraudster impersonates the client. On the day of completion, usually a Friday, the fraudster sends an email requesting the completion monies to be sent to a bank account which is different to the one provided at the start of the transaction. Any solicitor receiving such an email should treat it with suspicion and not proceed until they have taken steps to confirm their client’s instructions through a secure channel.

CONNED

The facts of the Oliva case provide a perfect illustration of the warning signs typically present in such frauds. The client was selling her property in Fulham for £1.9m in February 2017 and had instructed a local firm to act for her in the sale. The fraudsters created an email account with one letter different from the client’s email address. They then sent an email to the solicitors on the morning of completion requesting that one half of the completion proceeds be sent to the existing bank details on file, with the remaining half being sent to an account with Metro Bank. The email was poorly written and contained a number of spelling and grammatical errors. Upon receipt of the email, the solicitors called the client to confirm her instructions – which was clearly the correct and appropriate response in the circumstances. At the time of the call, the client was busy packing and could not remember the details of her sort code and account number, but did confirm to the solicitors that she had a Metro Bank account. Seemingly happy with this, the solicitors transferred just over £600,000 to the fraudster’s Metro Bank account upon completion. The fraud was promptly discovered and the recipient of the funds, Giuseppe Oliva, was arrested by the police. However, by the time he was caught, most of the funds had been dissipated and only £150,000 was recovered. The balance of the monies owed to the client was repaid by her solicitors’ professional indemnity insurers. On 8 April 2019, Oliva was found guilty of converting criminal property and sentenced to five years in jail. A client whose solicitor has paid away their completion proceeds has a range of legal remedies they can pursue. Where the solicitor has failed to pick up on the warning signs, as in the above case, or has taken insufficient steps to verify the client’s instructions, they are likely to be found to have acted without reasonable skill and care, either in breach of their duty of care in tort (negligence) or in breach of an express or implied term in the retainer to act with such skill and care. In defending professional negligence claims, allegations of contributory negligence can be raised if it can be established that the client’s conduct has, in some way, contributed to the fraud.

BREACH OF TRUST

A more practical and straightforward approach is for the client to plead that their solicitor has committed a breach of trust (raising the other claims in the alternative). The premise of such a claim is that a solicitor holding their client’s money in the client account does so on trust for their client, and in paying completion proceeds to someone other than the client without express instructions to do so, has breached the terms of that trust. If breach of trust is established, then the solicitor is required to fully compensate the client for the loss suffered and is unable to allege contributory negligence. Section 61 of the Trustee Act 1925 enables a trustee to apply for relief from personal liability for breach of trust. Where the court considers that they have acted honestly and reasonably, in all the circumstances of the case, they ought fairly to be excused from the consequences of their breach. However, in Friday afternoon fraud cases there will usually be some element of the solicitor’s conduct, which means it is unlikely they will be able to demonstrate to the court that they have acted reasonably. Indeed, given the requirement for solicitors to treat emails requesting payments to a different bank account with suspicion and to verify the client’s instructions, it is hard to conceive of circumstances in which the fraud could succeed without some failure on the solicitor’s part. However, even in the hypothetical scenario where a solicitor is able to establish that they acted honestly and reasonably, this still may not be enough for the court to grant relief, given that the court will also consider all the circumstances of the case – which includes the parties’ respective financial positions and whether one of them has insurance. The court may, therefore, consider that the loss should be borne by the solicitors rather than the client who has lost their sale proceeds. The starting point for the solicitors will be to notify their professional indemnity insurers who may, in conjunction with the law firm, be willing to fund the costs of civil proceedings seeking interim relief (eg. freezing orders, Norwich Pharmacal orders) to attempt to recover the misappropriated funds.

REGULATORY CONSEQUENCES

The solicitors should also report the matter to the regulator, the Solicitors Regulation Authority (SRA). A failure to do so may amount to a breach of Rule 10.1/10.3 of the SRA Handbook 2011 which requires solicitors and firms to report matters to the regulator where required and where there has been a serious financial loss. Rule 20 of the Solicitors Accounts Rules 2011 sets out the circumstances in which solicitors are able to make payments from a client account. Unsurprisingly, making payments to fraudsters is not one of them. A payment to a fraudster will accordingly represent a breach of Rule 20 and will also create a deficiency on the client account. Rule 7.1 provides that any breach of the rules shall be remedied promptly upon discovery, including the replacement of any money improperly withheld or withdrawn. Rule 7.2 provides that in a private practice, the duty to remedy breaches rests on the principals in the firm and applies irrespective of whether a claim is subsequently made on the firm’s insurance. On being informed of a deficiency on client account, the SRA will invariably require a firm to replace the money promptly, within 48 hours. Where the firm delays in doing so it can be subject to rebuke, reprimand and, in the most serious cases involving substantial delay and an apparent unwillingness/inability to repay, intervention. The SRA will also want to understand how the fraud occurred and what steps the firm is taking and has taken to reduce the risk of any further incidents in the future. Most firms will have an internal policy in place setting out the steps that should be taken to verify client instructions and will have provided relevant training to fee earners. In those instances, it is able to attribute the conduct giving rise to the loss as human error rather than anything more systemic. However, where a firm does not have such a policy and has not provided training, this may amount to a breach of Outcome 7.3 of the SRA Handbook. This provides that firms maintain systems and controls for monitoring its financial stability and risks to money and assets entrusted to it by clients.

THE RISKS CONTINUE

Cybercrime continues to represent a serious risk to clients and to the profession. A recent SRA report stated that £9.4m of client money was reported as lost to cybercrime in 2016, increasing to £10.7m in 2017; and that email modification fraud accounted for 80 per cent of all cybercrime reports in the second quarter of 2018. The large sums of money involved and high volume of conveyancing transactions mean that Friday afternoon fraud will always be seen as attractive for potential fraudsters. Thankfully, the Law Society’s review of professional indemnity claims for 2017 to 2018 demonstrates that the vast majority of cybercrimes do fail. However, for the reasons set out above, the consequences of successful attacks for both clients and solicitors’ firms remain very serious.