Payment Diversion Fraud

Part 1 of 2

Setting the Scene

Your finance department receives an email, or worse you receive a legal notice that you have an outstanding liability for the payment of invoices. The sender claims that invoices are way past the due dates and remain unpaid.

Upon a quick check with your finance department, “the payment has already been made”.

What is the law?

Whose fault is it?

Who is liable?

Is the contractual liability discharged or dissolved? Does it even matter?


This is the ply of a large number of corporate entities in the UAE, a number bigger than what comes to your mind. This is an incident of a Mandate Fraud.

We will guide the reader on the useful, cost-effective and easier to implement solutions. The easy and cost-effective solutions are a spot-on case of “prevention is better than cure”.

However, if you, as a reader, have already been a victim of cyber fraud, you probably are rushed to learn of your post-incident legal position, and then may accept a ‘lecture’ on could’ve should’ve would’ve.

What is the liability vis-a-vis you and your contractor, the genuine party to whom payment (was/is) due?

From a default legal standpoint, the mandate fraud issue is entirely separate from contractual rights and corresponding contractual obligations under the terms of Agreement.

Even though this is an important issue for a corporate investigation, it is not relevant in respect of claims under the contract. As a matter of law, an incident of fund diversion fraud is separate from claims under the contract.

Given the dearth of case law on liabilities arising from mandate frauds, the reader may take guidance from cases reported in other jurisdictions. In some of these cases, plaintiffs’ claims for non-payment were granted in summarily i.e. without trial, because the defence that “payment has already been made” was considered too irrelevant to be afforded a trial. In a case between a client and contractor, the court found that although both the client and the contractor were innocent victims of the scam, the client was still liable to pay the contractor.

Here is the logic:

  • In a bilateral contract, the performance of a contractual duty can only be withheld if the obligor’s corresponding right is not satisfied.
  • The fact that you, in your version of the truth, made the payment, is good proof that the contractor’s corresponding obligation was satisfied. If the obligation of the contractor is undisputedly fulfilled, you have no legal cause to withhold or refuse to pay the invoices, which as a matter of fact remain unpaid to the contractor.

Not too, unfortunately, whereas you have no legal cause to evade its liability to pay contractor’s dues, you have plenty of armour to get your retribution.

Your sword should be facing the following parties in the order of listing:

  1. your own system and employees:
    • rule out internal fraud,
    • employee collusion, and
    • verify the veracity of your tech security, investigatory outcomes by using outsourced forensic and financial investigators.
  2. the receiving bank, i.e. the one who accepted the funds transferred by your bank.
    • receiving bank has duties to carry out Client Due Diligence or regionally known as “Know your Client”
    • receiving banks have duty to monitor account activity.
    • Clues are everywhere, the value, frequency and source of incoming funds.
    • Frequency, pattern and destination of outward transfers
  3. Based on the conclusions of your technology forensic investigators, review the following documents:
    • Your contract with the contractor – did he contractually undertake the duty to protect third-party data?
    • Your cybercrime insurance policy.

The liability under part (3) is subject to extremely time-sensitive, conclusive, and highly technical investigations. There are many ifs and buts before a possible claim can be established. In Part II we will cover the knickknack of liabilities that can arise under (3) above.

Leave a Reply

Your email address will not be published. Required fields are marked *