Liability of a Credit/Debit Card Company for Fraudulent E-Transactions Involving Cards

ǼLEX

The adoption of e-payment channels as a preferred means for commercial transactions has also led to an increase in cases of e-payment frauds, particularly through obtaining the Automated Teller Machine (“ATM”) card information of unsuspecting cardholders and using the information to carry out illegal transactions on the bank accounts of the cardholders. In this situation, it is important to determine the party that will bear liability for the fraud. 

This article analyses the recent case of Abolade Bode v. First Bank of Nigeria Plc. & MasterCard West Africa Limited, where the Federal High Court, relying on the doctrine of privacy of contract arising from a banker/customer relationship, held that it is the card holder’s bank and not the card issuer,  that would bear liability for such fraudulent transactions.

Introduction

With the adoption of e-payment channels as a preferred means for commercial transactions in Nigeria, there has been an increase in incidences of e-payment frauds. One of methods employed in perpetrating these frauds is to obtain the Automated Teller Machine (“ATM”) card information of unsuspecting card holders and use the information to carry out illegal transactions on the bank accounts of the card holders. In such a situation, an issue arises as to who bears liability for the fraud. This issue is pertinent because there are certain key players involved in every card transaction. They include; the card holder, the acquiring bank, the issuing bank, and the card company (e.g MasterCard or Visa).

In the recent case of Abolade Bode v. First Bank of Nigeria Plc. & MasterCard West Africa Limited,[1] the Federal High Court, sitting at the Lagos Judicial Division was confronted with this issue of liability for a fraudulent e-transaction on a bank customer’s account involving the MasterCard information of the bank customer. The court relied on the doctrine of privacy of contract arising from a banker/customer relationship to hold that it is the card holder’s bank, and not the card company that should bear liability for such fraudulent transactions.

Facts

The Plaintiff who maintained an account with First Bank of Nigeria Plc (“the 1st Defendant”) asserted that in 2012, unauthorized transactions were carried out on his account, for which the sum of N750, 509.77 (Seven Hundred and Fifty Thousand, Five Hundred and Nine Naira, Seventy-Seven Kobo) was illegally debited from his account. According to the Plaintiff the online fraud committed on his account was not due to his negligence but was perpetrated by compromises to the security of the 1st Defendant and MasterCard West Africa Limited (“2nd Defendant”). Consequently, the Plaintiff claimed from the Defendants jointly and severally, the reimbursement of the deducted sum, as well as compensation in the sum of N10, 000, 000 (Ten Million Naira) with interest, for the constrains and stress experienced as a result of the sudden and unexpected short fall of cash in his account.

Plaintiff’s Submission

Counsel for the Plaintiff submitted that the Plaintiff had through pleadings and testimony, provided sufficient and uncontroverted evidence that a fraud was committed on his bank account with the 1st Defendant, through the compromises and negligence of the 1st and 2nd Defendants. Counsel argued that the 1st Defendant produced and sold the MasterCard to the Plaintiff, and the 2nd Defendant provided the payment technology which was infiltrated by the fraudsters. Counsel for the Plaintiff argued that the fraud was committed by persons who are not parties to the case and as such, proof of fraud beyond reasonable doubt is out of place. Counsel urged the court to discountenance the argument of the Defendants, otherwise the Defendants will continue to deny liability for fraudulent transactions on the ground that the fraud was not proved beyond reasonable doubt, while the victims of fraud will be left uncompensated.

1st Defendant’s Submission

Counsel for the 1st Defendant argued that the Plaintiff’s claim was speculative and contradictory. According to the 1st Defendant’s counsel, an allegation of fraud must be proved beyond reasonable doubt and the Plaintiff has not discharged this burden of proof. The 1st Defendant claimed that by virtue of the debit card agreement signed between the Plaintiff and the 1st Defendant, the Plaintiff undertook to bear responsibility for all transactions made by his card and with his Personal Identification Number (“PIN”). Thus, counsel urged the court to hold the Plainitff liable for the misuse of his PIN.

2nd Defendant’s Submission

Counsel to the 2nd Defendant submitted that the 2nd Defendant is simply a payment technology provider linking banks, customers and merchants, and is not involved in the approval process for any transaction. The 2nd Defendant did not produce the Plaintiff’s MasterCard nor was it ever in possession of the MasterCard; therefore it did not have any interaction or connection with the Plaintiff whatsoever. It was further submitted that there was no fiduciary or contractual relationship between the Plaintiff and the 2nd Defendant. The only contracts alleged by the Plaintiff are the banking contract and debit card agreement between the 1st Defendant and the Plaintiff, to which the 2nd Defendant was not a party to. Also, the 2nd Defendant argued that the Plaintiff had failed to establish negligence on the part of the 2nd Defendant, or that the fraud on his account was as a result of the compromise of the security of the 2nd Defendant and urged the court to dismiss the case of the Plaintiff against the 2nd Defendant.

Decision

In determining the above matter, the court stated that the sole issue for determination in the suit is whether from the fact and circumstances of the case, the Plaintiff’s claim should be granted. The court held that the Plaintiff’s claim against the 2nd Defendant must fail because there is no privity of contract between the Plaintiff and the 2nd Defendant, as the latter is only a technology provider.  The evidence before the court was that the 1st Defendant, not the 2nd Defendant, provided the Master Card to the Plaintiff, and the Plaintiff failed to establish that his account was compromised as a result of a breach of the 2nd Defendant’s security systems owing to the negligence of the 2nd Defendant.

In reaching its conclusion, the court relied on an earlier Court of Appeal decision in Guaranty Trust Bank v. Motunrayo-Tolulope Aloegena (nee Oyesola)[2], a case relating to the breach of a banker/customer relationship arising out of a failed ATM transaction. In that case, the Defendant/Appellant had at the trial stage set up a defense that MasterCard was liable for the failed transaction. However, the trial court rejected this defence and held the Defendant/Appellant liable. The Defendant/Appellant therefore went on appeal. In dismissing the appeal, the Court of Appeal held that there was no contract between the Respondent and MasterCard therefore the Respondent has no cause of action against MasterCard. According to the Court of Appeal, per Ebiowei Tobi, JCA:

“The problem here, however, is that there is no privacy of contract between the Respondent and MasterCard. Indeed, there is no tripartite agreement between the Respondent, the Appellant, and MasterCard. For the purpose of the banking transaction, the agreement or contract is between the Appellant and the Respondent and therefore if there be any breach as it relates to the account, it is the Appellant that the Respondent will hold responsible as there is no contract between her and MasterCard. The law on privacy of contract is clear and cannot be disputed.” 

Considering this decision, the Federal High Court in Abolade Bode v. First Bank of Nigeria Plc. & MasterCard Nigeria Plc. held that the 2nd Defendant was not liable for the fraudulent transaction on the account of the Plaintiff, as there was no privacy of contract between the 2nd Defendant and the Plaintff. The court however found the 1st Defendant liable for the fraudulent transaction on the basis that the 1st Defendant did not do its due diligence by carrying out a detailed investigation of the fraud.

Comments

The implication of the decision in Abolade Bode v. First Bank of Nigeria Plc. & MasterCard Nigeria Plc, in the absence of proof of negligence, is that card companies such as MasterCard and Visa, will not be liable for fraudulent transactions on the bank account of a card holder, as there is no privacy of contract between the card holder and the card company. This is more so because the card companies do not produce the debit/credit cards nor do they provide the card information necessary to operate the payment technology. Indeed it is the customer’s bank that provides the credit/debit cards and generates the initial information required to operate the cards. Usually, the issuance of a credit/debit card is based on a card agreement, or the general banking contract with between the card holder and the bank.  Card companies connect banks and merchants to fast, secure, and reliable electronic payments platforms. Accordingly, through credit or debit cards, a card company’s processing network allows seamless completion of financial transactions conducted via the ATM, laptop, tablet, etc.[3] This means, for instance, that even though the name MasterCard is printed on a vast number of credit and debit cards worldwide, MasterCard is not directly responsible for the cards that are branded under its name. The card companies merely license their payment technology to banks and other financial institutions, to aid payment services.

It is worthy of note that the card companies may nevertheless be liable in negligence if it is proven that they breached their duty of care to users of their payment technology (banks and financial institutions or their customers), by failing to provide sufficient features to ensure that information transmitted on the platform is protected from fraudsters. However, the elements of negligence must be specifically pleaded. Evidence must be led to reveal avoidable gaps in the payment technology system of the card company, which leaves it vulnerable to fraudsters. In the extant case court had found that the Plaintiff could not establish negligence on the part of MasterCard in failing to ensure sufficient security to prevent fraudsters from accessing the technology of the MasterCard.

This decision therefore prevents a potential floodgate of cases against card companies by bank customers, such that card companies need not be joined as parties to actions against banks for fraudulent activities on bank accounts of card holders, except there is sufficient proof of negligence on the part of the card company.


Download the article

[1] Unreported Suit No: FHC/L/CS/405/13, delivered on 10 April 2019.

[2] Guaranty Trust Bank v Motunrayo-Tolulope Aloegena (nee Oyesola), unreported SUIT No: CA/L/461/2016 delivered on 1 March 2019

[3] Christine Thelander, ‘How does MasterCard make money?’, (2016) Available at: https://www.canstar.com.au/credit-cards/how-does-mastercard-make-money Accessed on 27 Aprill 2019


0 0 vote
Article Rating

Share this article

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments

Related Articles

FinTech in Nigeria

Note: This article was originally published in the 2019 FinTech Nucleus. Over time, the Nigerian economy has been responding...

The Iceberg of FinTech

Note: This article was originally published in the 2019 FinTech Nucleus. The History of FinTech From the invention of...

We are pioneering the growth of innovation law in Africa. Get our latest thinking.

** I have read the Privacy Notice and agree to its terms.

Copyright ©  2020  Innovation Law Club Africa  All rights reserved

We are pioneering the growth of innovation law in Africa. Get our latest thinking.

** I have read the Privacy Notice and agree to its terms.

Copyright ©  2020  Innovation Law Club Africa  All rights reserved

0
Would love your thoughts, please comment.x
()
x