On July 4, 2017, the Alberta Court of Queen’s Bench released its decision in The Brick Warehouse LP v. Chubb Insurance Company of Canada. The Court found that a vendor impersonation loss did not fall within the terms of a crime policy’s Funds Transfer Fraud coverage. The case represents the first social engineering fraud decision in Canada since the widespread introduction of discrete social engineering fraud coverage, and confirms the principles adopted in several recent American social engineering fraud decisions, including the Ninth Circuit’s decision in Taylor & Lieberman (see our April 3, 2017 post), on which the Court expressly relied.
The Brick is a retailer of furniture, appliances and home electronics. In August 2010, an individual called the Brick’s accounts payable department. The caller indicated that he was calling from Toshiba and that he was missing some payment details. He added that he was new to Toshiba. The Brick employee faxed certain payment documentation to a number provided by the caller.
On August 20, 2010, a different individual in the Brick accounts payable department received an email from an individual purporting to be “R. Silbers”, using the email address email@example.com. The individual claimed to be the controller of Toshiba, and indicated that Toshiba had changed banks from the Bank of Montreal (“BMO”) to the Royal Bank of Canada (“RBC”). The email indicated that all payments should be made to the new RBC account, and provided the necessary information to transfer money into the account.
That Brick employee proceeded to change the bank information for Toshiba in the Brick’s payment system to reflect the RBC account information. The employee simply followed the Brick’s standard practice on changing account information. No one from the Brick took any independent steps to verify the change in bank accounts, nor did anyone contact Toshiba.
As a result of the fraud, the Brick directed payment on 10 Toshiba invoices to the RBC account. The real Toshiba eventually followed up on its outstanding receivables, at which point the fraud came to light. The Brick incurred a net loss of $224,475.
The Brick submitted a claim to Chubb under its Funds Transfer Fraud coverage. Chubb denied the claim on March 15, 2012, on the basis that the Brick’s instructions to its own bank had emanated from an authorized employee of the Brick, and that the instructions were not themselves fraudulent. The matter was tried in 2017.
The Funds Transfer Fraud Coverage
The Chubb policy indemnified for “Funds Transfer Fraud by a Third Party”, and defined Funds Transfer Fraud as:
… the fraudulent written, electronic, telegraphic, cable, teletype or telephone instructions issued to a financial institution directing such institution to transfer, pay or deliver money or securities from any account maintained by an insured at such institution without an insured’s knowledge or consent.
The Court interpreted the insuring agreement as requiring that the Brick demonstrate that its bank transferred funds out of the Brick’s account under instructions from a third party impersonating the Brick. Coverage would not be available if the Brick knew about, or consented to, the instructions given to its bank.
The Court then considered how U.S. decisions such as Taylor & Lieberman had addressed this point:
There is no doubt that funds were transferred out of the Brick’s account. The question really is whether the funds were transferred under instructions from an employee who did not know about or consent to the fraudulent transactions.
In this case, the funds were transferred by a Brick employee as a result of fraudulent emails. [Chubb] seeks to have the court follow [Taylor & Lieberman]. In [that] case, the Ninth Circuit Court of Appeals examined a case with very similar facts. Emails were sent to a company employee who then acted upon them, transferring money out of the insured’s account. The emails were fraudulent. The court held that the insurer was not liable because the Taylor & Lieberman employee requested and knew about the transfers. Although the employee did not know that the email instructions were fraudulent, the employee did know about the transfers. [emphasis added]
The Court further considered the meaning of the terms “knowledge” and “consent” in the definition of Funds Transfer Fraud, noting that:
The Brick contends that the policy provision states that Chubb will pay for direct loss resulting from funds transfer fraud by a third-party, and the focus should be on the fraud itself and not on the fraudulent instructions. While it is true that [the Funds Transfer Fraud insuring agreement] does state that, that clause must be examined in conjunction with the definition of fund transfer fraud contained in the contract. That definition includes the words “insured’s knowledge or consent”. There is no definition in the contract of either the term “knowledge” or “consent”. …
When a word or a term is undefined, the word should be given its “plain, ordinary and popular” meaning, “such as the average policy holder of ordinary intelligence, as well as the insurer, would attach to it”. One of the definitions of consent is “permission for something to happen, or agreement to do something.” Examining the facts, a Brick employee did give instructions to the bank to transfer funds. The employee was permitting the bank to transfer funds out of the Brick’s account. Consequently, the transfer was done with either the Brick’s knowledge or consent. Even applying the contra proferentem rule, the Brick still consented to the funds transfer. [emphasis added]
The Court concluded by noting that, while the fraudulent emails were undoubtedly the work of a Third Party, the actual transfer instructions were issued by a Brick employee; the transfer itself was not effected by a Third Party. Consequently, the requisite elements of the insuring agreement were not made out.
The Brick provides a Canadian counterpart to recent American social engineering fraud decisions such as Taylor & Lieberman and Apache (see our October 24, 2016 post). The decision covers two points of interest to fidelity claims professionals. First, it confirms that the “fraudulent instructions” to a financial institution contemplated by the Funds Transfer Fraud insuring agreement must be instructions which are themselves fraudulent, rather than authorized instructions issued by the insured which contain mistaken information due to an antecedent fraud. Second (and, effectively, a corollary of the first), it confirms that the instructions to the financial institution must emanate from a third party, rather than from the insured or an employee thereof.
The proliferation of social engineering frauds has created new risks for insureds, and fidelity insurers have responded by creating discrete social engineering fraud coverages. Like its American predecessors, The Brick serves as a reminder to businesses (and to their brokers) of how a business may be exposed to an uninsured loss in the event that it does not maintain such coverage.
The Brick Warehouse LP v. Chubb Insurance Company of Canada, 2017 ABQB 413 [Note: this decision does not appear to be accessible online; please contact us if you would like a copy.]