Mistaken Internet payments

Alan L Tyree1

2003

Abstract

Electronic payment systems that require consumers to enter numbers are inherently error-prone. The systems should be designed, both physically and legally, to minimise these problems and to resolve them equitably and inexpensively. This paper examines the legal position and recommends practical measures for consumer protection.

The problem

Modern electronic banking permits direct credit payments to be initiated by a payer. The system requires the payer to enter the account number of the intended recipient. In most cases, the system also permits or requires the entry of the payee’s name. The payments are processed as direct credits through the Bulk Electronic Clearing System (BECS) system and are subject to BECS rules.

Although the systems accept both the account number and the name of the payee, the transfer is done solely on the basis of the account number. As noted in the Australian Banking Industry Ombudsman (ABIO) Bulletin 35 (Bulletin 35), there may be good efficiency reasons for using the account number as the basis for the transaction.

However, while machines just love account numbers, human beings find names more amenable. Also, most systems are designed in way that makes it difficult to determine whether an account number is wrong. To complicate matters further, the payer may or may not have been advised that the account number is definitive (or if advised, the advice may or may not be "sheeted home" to the payer). So, the payer may not realise that there is a mistake in the first place and may not realise that when the payer enters an incorrect account number but the correct name, the payment will be made to the wrong person.

One simple action that might help reduce the incidence of errors is to provide a formatted entry for the account number. As an example, most sites that ask for credit card numbers request the user to enter the 16 digit number as a single entry. However, on the credit card itself, the number is presented as four groups of four digits. Mistakes are much easier for the human eye to discover when the patterns are smaller.2

Several legal issues arise:

Mandate

A mandate is a set of instructions given by the customer to the bank. Unless the web page makes it abundantly clear that the name will not be used and is not required to complete the payment, then the mandate given by the customer necessarily includes the name of the intended payee.

The general rule is that the bank may not debit an account unless it strictly follows its customer’s mandate. A corollary of this general rule is that the customer must exercise care in drafting the mandate. If the mandate is ambiguous, the bank may give a “reasonable” interpretation to it.3

In the problem that we are considering, the name and the account number do not belong to the same person. Since the name and account number differ, the mandate is at the very least “ambiguous”. Simple logic suggests that if the name and the account number disagree then, because the information was entered by a human being, it is more likely that the account number is incorrect. This would suggest that it would not be reasonable for the bank to process the mandate according to the account number.

Although no case directly on point is known, in Dairy Containers Ltd v NZI Bank Ltd4 cheques were misappropriated by a rogue. The cheques were made payable to FCF. The rogue opened an account in the name of FML. When depositing the cheques, he wrote FCF as the name of the account to which the cheques were to be deposited, but he entered the account number of FML. The Court held that the collecting bank was not entitled to rely on the statutory defence to conversion as it had acted negligently in collecting the cheques.

It might be argued that the collecting bank in Dairy Containers had all the information required to check the deposit slips. The paying bank, on the other hand, does not have all the necessary information available to it. There are several solutions to this:

There is no obvious reason why the system and scheme rules should not permit the paying bank to verify the customer’s mandate. Currently this may not be possible but the problem is likely to arise because an existing system (BECS) has been adopted for a purpose for which it was never designed. Systems such as BPAY, which have been designed to serve as consumer systems, have rules to deal with mistaken entry.5

Attempting to throw the loss on the customer may not be effective at law. In order to be effective, the danger must be “sheeted home” to the customer.6 In Australia, the attempt faces further statutory hurdles such as the Contracts Review Act (NSW) 1980, section 74 of the Trade Practices Act 1974, and section 12ED of the Australian Securities and Investment Commission Act 2001.

The current approach seems to be effectively to adopt the third option but to deny that there is any problem, and to reserve the right to throw the problem onto the consumer who will seldom have any idea of how to proceed. The situation of the consumer is further complicated by the fact that the receiving bank, claiming confidentiality obligations, will not voluntarily provide the name of the person who received the payment, thus making it impossible for the consumer to initiate an action against the recipient of the payment without the cost of a suit for preliminary discovery. This is an unsatisfactory approach, and it is in recognition of this that the ABIO raised the issue in Bulletin 35.

However, Bulletin 35 notes:

In a case where the customer advises their bank that they have made a mistake in the entry of the account number, their bank and the recipient bank will be constrained by the law relating to mandate and to privacy laws. The sender and the recipient bank are not entitled unilaterally to reverse the transaction without the authority of the recipient, merely on the assertion that there has been a mistake. This would be a withdrawal on the instructions of a third party, which is a breach of mandate. Principles of privacy and confidentiality do, in many cases, prevent the recipient’s bank unilaterally disclosing the name of the recipient.

It is submitted that the focus on mandate and privacy is misdirected, and that the correct approach is to consider the law of mistaken payments. Before discussing that, it is useful to make a short detour to discuss the effects of the Scheme rules.

Scheme rules

According to Bulletin 35,

The BECS Procedures [clauses 4.18 and 4.19] provide that if the recipient bank has acted in accordance with the account number details provided by the sending bank but the amount has been credited to the wrong account, liability, if any, is the responsibility of the sending bank.

Receiving banks are, apparently, relying on these rules to resist returning mistaken payments.

The effect of scheme rules was discussed in Tyree (Tyree 2002). In short, the BECS rules bind the banks only. They can have no effect on the customer’s right to recover payments made under a mistake of fact.

On a proper interpretation of the BECS rules, it is doubtful if they even purport to say anything about recovery outside the BECS system. A better interpretation is that they are probably rules which assist in determining when payment is complete. They may provide for some indemnity from the paying bank in such circumstances, but that is not the concern of the customer.

In any case, they can provide the receiving bank with no relief from an action for recovery of a payment made under a mistake of fact or law.

Mistaken payments

The law on mistaken payments may be briefly summarised after recent High Court decisions in David Securities v Commonwealth Bank of Australia;7 and Australia and New Zealand Banking Group Ltd v Westpac Banking Corporation8. In a nutshell:

Applying this law to the case of an electronic payment, a payment has been made under a mistake of fact to a person who would not have been paid but for the mistake. As a consequence, the payer has a prima facie right of recovery. The onus is then on the defendant to show why the payment should not be returned.

But who is the defendant? Bulletin 35 seems to assume that it is the ultimate payee, the person who holds the account to which mistaken payment was directed.

However, the payment was initially made to the receiving bank via the electronic payment system. Therefore, the receiving bank is a legitimate defendant. What reasons may the bank give to resist the inference that it has been unjustly enriched? The usual answer is the “agency defence”: an agent who has been mistakenly paid may resist repayment if it has “accounted” to its principal before recovery is demanded.9

The argument, then, is that the receiving bank has received payment on behalf of its customer and has accounted for the funds. But, as defendant, the receiving bank must produce evidence to show this. How does the bank show that it has “accounted” to its customer? Only two things are completely clear:

The first proposition merely accords with common sense and with banking practice. Accounts are often credited as a matter of banking convenience even though the customer is not permitted to draw on the funds so credited. The credit is reversed if certain conditions are not met. There is nothing improper in this since the account is merely evidence of the liability of the parties. It is not an account stated.10

The second proposition is equally obvious. If the customer has withdrawn funds, then there can be no doubt that the receiving bank has “accounted” to the customer since there is no longer a debt owed by the receiving bank to the customer.

There are several points in the process which might be considered the point at which the receiving bank “accounts” to its customer and the customer receives the payment:

There is much to be said for holding that the third or fourth point in the above list is the time at which the receiving bank “accounts”. Until the third point, the funds are still notionally “in the account” of the customer. It can hardly be argued that return of the funds by the receiving bank would leave it in a worse position than it was before the payment since it may reverse the customer account entry on the grounds that it was made by mistake. The same argument may be made, perhaps less forcefully, for the fourth point in the above list.

Choosing the third or fourth point on the list also has the virtue of bringing the “agency” defence into line with more general principles. David Securities established beyond doubt that change of position is a defence. The arguments above are to the effect that the receiving bank has suffered no change of position until the third or fourth point is reached.11

In neither case is there any consideration of withdrawing funds from the ultimate payee’s account on the order of a third party as Bulleting 35 suggests. There is no question of mandate here. The account was credited erroneously and, since it is merely evidence of the liability of the parties, may be corrected when found to be in error.

One further point is worth mentioning. In the Swiss Bank case,12 the Court of Appeal held that in order to establish a change of position defence, it must be established that the money was handed over to the ultimate recipient in reliance upon the instructions of the payer. As argued above, the original payer did not instruct the payment to be made to the person who holds the mistaken account number. However, the instruction from the paying bank clearly does instruct payment to be made to that person. The application of the Swiss Bank principle is not clear, but the onus is on the receiving bank to establish the defence.

The position of the parties when the account is closed is discussed below.

What should banks do?

This brings us to the question asked in Bulletin 35. When notified by a customer that a mistake has been made, how should the paying bank and the receiving bank respond?

The first step is to establish that a mistake has been made. It is assumed that both the account number and the name of the intended payee are available to the paying bank. The paying bank should then ask the receiving bank: “Does this person own this account?”

Bulletin 35 indicates that receiving banks will sometimes refuse to provide the recipient’s name on the grounds of confidentiality. While there may some grounds to such refusal, there are no grounds to refuse answering whether the person owns the account (and hence, whether there has been a mistake). If the account and name do not match, answering the question in the negative does not violate any confidentiality owed to its customers.

If the name and account number do match, then information about one of its customers must be disclosed, but it clearly is in the bank’s interest to disclose this information as a defence against a claim for money received under a mistake of fact. Disclosure in the bank’s interest is one of the recognised exceptions in Tournier v National Provincial and Union Bank of England.13

Nor, generally, will the disclosure breach the National Privacy Principles. NPP 2.1(g) permits disclosure when "authorised" by law14 and NPP 2.1(a) permits disclosure for a secondary purpose related to the primary purpose of collection which the individual would reasonably expect. Most financial institutions have privacy statements which include references to using personal information for the "administration of your account" (or similar wording). In these circumstances it is arguable that the disclosure is a related secondary purpose which the individual would reasonably expect.

Further, since the Tournier case is part of the banker-customer contract, it may be argued that the customer has consented to disclosure in the interest of the bank.

If this procedure is followed, then the paying bank may establish that a mistake has or has not been made. In the event that it does establish mistake, it should request repayment by the receiving bank.

The receiving bank should return the payment and debit the account of its customer unless it believes that it can establish conclusively that it has “accounted” to its customer.

If the customer has closed the account or if it may be shown in some other way that the receiving bank has “accounted” to its customer, then the payer must pursue the customer instead of the receiving bank. Recall that it is the responsibility of the receiving bank to establish the defence. Therefore it must produce evidence that it has accounted to the customer, and this in turn will require disclosure of the customer’s name. Once again, this is clearly within the “own interest” exception of the Tournier case. Armed with this information, the payer may pursue the ultimate payee if he or she so wishes.

Reasonable scheme rules

The approach outlined in the preceding section is sensible since it gives effect to the parties rights without resorting to litigation. Even better would be to incorporate the procedures in the Scheme rules, ensuring that the problem was handled in a uniform way with, hopefully, uniform and consistent outcomes.

Is that idealistic? Not at all. The BPAY Scheme rules were formulated in accordance with this principle. They contain rules for dealing with claims of mistaken payment, and the rules were formulated to parallel the common law rights of the parties.15

Electronic payment systems that require consumers to enter numbers are inherently error-prone. The systems should be designed, both physically and legally, to minimise these problems and to resolve them equitably when they occur.

Bibliography

Tyree, Alan L. 2002. “Riedell Gets a Credit Card.” JBFLP 13 (4): 300–303.
Tyree, Alan L et al. 2003. Tyree’s Banking Law in New Zealand. LexisNexis.
Tyree, Alan L, and Andrea Beatty. 2000. The Law of Payment Systems. Sydney: Butterworths.