When a business falls victim to cheque fraud, it may look to its bank for recovery for allowing the fraudulent cheques to be cashed. In some recent cases, banks have been found liable and have been required to make whole their clients’ losses. However, there have been other cases in which claims against banks have been disallowed or severely limited. This article, although not a legal opinion, examines the circumstances under which liability has been found to be limited, and concludes by providing practical tips for business owners with respect to improving internal controls.
Cheque fraud can come in a variety of forms, including:
- Forging the account holder’s signature;
- Issuing a cheque to a fictitious person or entity; and,
- Issuing a legitimate cheque that is subsequently altered.
Under Section 48 of the Bills of Exchange Act (RSC 1985 c B-4), a forged cheque is “wholly inoperative”; nonetheless, banks can face potential litigation if the forgery is not detected and the cheque is cashed. Banks have successfully limited or eliminated this liability by arguing that the issuing company:
- Had executed a verification agreement, which specifically limited the bank’s liability; or,
- Had weak internal controls, which allowed the fraud to occur or to continue.
A verification agreement is a contract between the bank and its customer, and outlines the responsibilities of both parties. It normally requires the customer to review their bank statements and notify the bank of any fraudulent transactions or errors within a certain time period. If no claim is filed within this time period, the bank cannot be held liable for any losses, even if the losses are only discovered at a later date. Courts have consistently ruled that these agreements are binding, and have allowed banks to use them as a defence in cases involving cheque fraud.
In the landmark case of Arrow Transfer Company Ltd. v The Royal Bank of Canada et al. (1972 CanLII 135), Arrow sued Royal Bank for allowing a former employee to deposit forged cheques. Arrow’s verification agreement required it to notify the bank of any invalid or fraudulent transactions within 30 days. However, the forged cheques were not reported until six years after the fraud commenced.
The trial judge found that the verification agreement limited Royal Bank’s liability to those cheques which had been reported within the 30 day notification period. This decision was upheld on appeal; Justice Martland stated, “The agreement furnishes some protection to the bank in that the customer must check the account and the relevant vouchers and give prompt notice if he is to enforce that liability against the bank.”
In this case, the requirement that Arrow notify the bank of any irregular transactions was treated as a contractual obligation. If the customer fails to fulfill this obligation, courts will likely be unwilling to hold banks responsible for losses that resulted from the fraud. It is therefore important for businesses to ensure they review their verification agreements, and understand what their obligations are with respect to detecting fraudulent cheques, notifying the bank of any suspicious transactions, and implementing internal controls to prevent fraudulent cheques from being created.
Verification agreements often require companies to implement and monitor internal control systems. Manor Windsor Realty Ltd. v. The Bank of Nova Scotia (2011 ONSC 4515) highlights the importance of failing to do so. Manor notified its bank that all cheques required two signatures before they could be cashed. Nonetheless, Manor’s bookkeeper managed to misappropriate more than $400,000 over six years by forging cheques that had been pre-signed by only one of Manor’s owners.
Manor sued its bank on the basis that the bank should have prevented cheques with only one signature from being cashed. The bank used its verification agreement as a defence, since the agreement required the company to maintain internal controls to prevent and detect forged cheques. Manor’s management did not supervise the bookkeeper or regularly review her work. Although monthly bank statements were provided to Manor, the statements were never reviewed and the reasonableness of the fraudulent transactions was never investigated. The bank successfully claimed that had Manor reviewed the bank statements, it would have noticed the forged cheques immediately, and could have avoided further losses, and the trial judge awarded only $7,800 to Manor, stating that “Among the customer’s obligations are the obligations first to maintain security systems to prevent fraud, and second, to advise the Bank promptly of any errors or omissions in each monthly bank statement. These obligations work hand in hand with the Bank’s obligations.”
Even in the absence of a verification agreement, courts may determine the date at which the company should reasonably have discovered the fraud, as was done in Nasrin Khan Professional Corporation v. Bank of Nova Scotia (2004 ABQB 404). In this case, the plaintiff wrote a cheque to purchase the franchise rights for a sandwich business. A fraudulent endorsement was made on the cheque, and the funds were misappropriated. The plaintiff sued her bank for allowing the cheque to be cashed. The trial judge dismissed the case, and this decision was upheld on appeal. Justice O’Leary found that the plaintiff had received ample warning that the funds may have been misappropriated more than two years before a claim was filed with the Bank of Nova Scotia. For example, her attorney discovered that the seller was not a real person, and she had been unable to contact the seller once her cheque had been cashed. The court found that over two years had passed since the plaintiff should reasonably have discovered the fraud, and had therefore missed the limitation period. This illustrates the importance of implementing internal controls within a business of acting in a prudent and expeditious manner once suspicious transactions are discovered.
Internal controls form an important part of minimizing the risk of various types of fraud, including cheque fraud. Failure to implement internal controls can not only lead to fraud, but it can also have a serious impact on the fraud victim’s ability to recover its losses from third parties such as banks. To minimize the risk of cheque fraud, it is important for firms to:
- Review all bank statements and cancelled cheques on a monthly basis. Ensure that all cheques are legitimate, and all cancelled cheques are accounted for.
- Periodically perform an internal control assessment and identify any weaknesses that would allow an individual to misappropriate funds (e.g. access to blank cheques, signing authority, etc.). A forensic accountant can assist in identifying these weaknesses and recommending improvements.
- If cheque fraud is suspected, it is important to act quickly. Hire a forensic accountant to conduct an investigation, and seek legal advice regarding when your bank should be notified.
- Ensure you understand your verification agreement, and the obligations outlined with respect to forged cheques.
- Bank reconciliation should be performed by an individual other than the person who issues the cheques, to ensure that there is adequate separation or division of duties. If this is not possible due to the size of the business, the bank reconciliation process should be supervised by an independent person with management responsibilities.