Financial institutions -and service providers, under the Financial Supervision Act and the Money Laundering and Terrorist Financing Prevention Act, monitor their customers’ transactions. Unusual (proposed) transactions indicating money laundering, terrorist financing and/or fraud must be flagged and reported to the Financial Intelligence Unit. Failure to fulfill these obligations means that the regulator or prosecutor’s office can impose hefty fines. However, there is also a third party in the game that can come forward; victims of fraudulent customer transactions! Their claim for damages is not based directly on the Wft or Wwft but on the broad concept of “duty of care.” The reasoning is that by failing to identify unusual transactions in a timely manner, the duty of care was breached and therefore “the bank” is liable for the damages suffered. To what extent is this reasoning correct? What can we learn from the most recently published rulings?
Let us first reflect on the concept of duty of care. Duty of care in financial services has been stretched quite a bit in recent years. The basis of the duty of care is the premise that a provider and/or adviser of a financial product or service is more knowledgeable than the buyer of that product or service. Duty of care initially covered
who are customers
of the financial service provider/institution. Several Supreme Court decisions have created the dynamic concept of “special duty of care.” Based on the various rulings, special duty of care has been further fleshed out. An important element of the special duty of care is the obligation to warn the customer of special risks associated with the service. Because of a bank’s social function, the Supreme Court believes that the bank also has a special duty of care to third parties but that depending on the specific situation and circumstances, this should be handled in different ways. The special duty of care also covers not only consumers but also business relationships.
In the final months of 2022, a number of judgments were published regarding possible liability as a result of a “lax approach to fraud” by banks. The various judgments suggest that the bank is liable only when it has knowledge of the unusual activities and the associated danger to third parties (Yilmaz, 2022). Failure to notice an unusual transaction is not necessarily a breach of the duty of care. Of course, that is not a license to just omit transaction monitoring “in the context of don’t know what , what doesn’t hurt.”
Unusual transactions are determined using an established transaction profile that incorporates expected transaction patterns based on risk analysis. According to the court, if there is no evidence of any wrongful acts by customers, then a bank cannot be expected to investigate every transaction (ECLI:NLRBAMS:2022:5397). Companies are primarily responsible for adequate risk management.
It is also clear from the various rulings that when there is an “alert,” there must be demonstrably energetic action by the institution to prevent (further) harm. The systematic and traceable recording and follow-up of the alert handling and reporting process and its monitoring is therefore crucial to demonstrate compliance with any obligation to investigate under the special duty of care.