Atiku v Centenary Rural Development Bank Limited (Civil Suit 754 of 2020) [2022] UGCommC 146 (18 July 2022)

Key Facts

Transaction Type

Issues

• The third issue required the court to assess the remedies available to both parties following the unauthorized withdrawals. This included determining responsibility for losses under the 'imposter rule,' whether the plaintiff's failure to secure her authentication factors (phone and PIN) negated her claim, and if the defendant's security measures absolved it of liability for the account takeover fraud.
• The second issue centered on the defendant's liability for the fraudulent and/or negligent withdrawals made via the CenteMobile platform. The plaintiff argued the bank was negligent in permitting unauthorized transactions, while the defendant contended the withdrawals were authorized by the plaintiff through her mobile phone and USSD code, with no evidence of fraud or negligence on the bank's part.
• The court had to determine whether the plaintiff's account was fraudulently and/or negligently debited by the defendant, including whether the bank failed in its duty of care by not explaining the CenteMobile service and ATM card provisions during account opening, and whether the unauthorized withdrawals occurred due to the bank's negligence or the plaintiff's own oversight.

Holdings

• Regarding remedies, the court applied the 'imposter rule,' which holds that the party best positioned to prevent fraud bears the loss. Since the plaintiff retained control over her two-factor authentication (phone and SIM card), she was responsible for the unauthorized transactions. The defendant was not liable for losses caused by the plaintiff's compromised security, and no remedies were awarded to the plaintiff.
• The court determined that the plaintiff failed to prove the defendant's negligence or fraud in debiting her account. The plaintiff's signature on the account opening form, which included the CenteMobile service, bound her to the terms despite her claim of not understanding the content. The court found no evidence of undue influence, misrepresentation, or the defendant's failure to explain the service adequately. The plaintiff's daughter had access to her phone and could have authorized transactions, and the defendant's security measures were deemed commercially reasonable. The suit was dismissed with costs to the defendant.

Remedies

Legal Principles

• The court acknowledged the bank's duty to implement secure digital systems but held the plaintiff responsible for safeguarding her PIN and phone. The defendant's two-factor authentication was deemed commercially reasonable, shifting liability to the plaintiff for account compromise.
• The court applied the common law principle that a signature on a contract demonstrates consent to its terms, even if not read. Exceptions exist for fraud, duress, or non est factum, but the plaintiff failed to establish these. The bank's standard form contract was deemed binding.
• The court applied the 'imposter rule' from commercial law, determining the plaintiff was in the best position to detect and prevent unauthorized transactions through her control of the phone and PIN. This principle shifted liability to the plaintiff for the loss.
• The court found no evidence of the bank's negligence in implementing CenteMobile or failing to warn the plaintiff. The plaintiff's inability to demonstrate unauthorized access or the bank's breach of duty led to her claim being dismissed.
• The court emphasized the plaintiff's burden to prove, on a balance of probability, that the defendant breached its duty of care by failing to explain contract terms and enabling unauthorized transactions. The plaintiff's failure to demonstrate the bank's negligence or fraud led to dismissal of the claim.

Precedent Name

• Muthuuri v. National Industrial Credit Bank Ltd
• Royal Bank of Scotland v. Etridge (AP)
• L'Estrange v. F Graucob Limited
• Arrow Truck Sales Inc. v. Top Quality Truck & Equipment Inc.
• Evans v. Roe and others
• Beau Townsend Ford Lincoln, Inc. v. Don Hinds Ford, Inc.

Key Disputed Contract Clauses

• The clause in the account opening form requiring the plaintiff to apply for CenteMobile services and agree to terms and conditions. The plaintiff disputed understanding this clause, while the defendant argued her signature bound her to it.
• Provisions in the contract outlining the plaintiff's responsibility to secure her PIN and mobile phone for transactions. The court found the plaintiff's failure to protect these credentials led to unauthorized withdrawals.

Cited Statute

Judge Name

Passage Text

• The court noted that the plaintiff's signature on the CenteMobile declaration binds her to the terms, as there was no evidence of fraud, duress, or undue influence in its execution.
• The court concluded that the defendant's two-factor authentication system was under the plaintiff's control, and the unauthorized transactions likely resulted from her negligence or the actions of her daughter with access to her phone.
• The plaintiff's account was debited through the 'CenteMobile' platform using her officially registered mobile phone number, and the defendant contends that the plaintiff authorized these transactions.

Damages / Relief Type