Fraudulent banking orders: Recent case law from the Swiss Federal Supreme Court

A) Judicial approach to fraudulent banking orders

In its landmark decision of December 10, 2019 (ATF 146 III 121), the Swiss Federal Supreme Court established, for the first time, a three-step methodology to assess disputes arising from fraudulent banking orders. This framework, which remains in use today, serves to determine whether losses resulting from unauthorized transfers of funds or securities from a client’s bank account (e.g., through identity theft or hacking) should be borne by the client or the bank.

Since this foundational ruling, the Court has issued several decisions refining this approach in light of the specific facts of each case. The most recent decision on the matter, dated January 8, 2025 (4A_610/2023), will be analyzed in detail below. Legal scholars have also frequently commented on the subject (see, for example: LIEGEOIS, Fabien, HIRSCH, Célian. “Fraudulent Banking Orders: Methodological Reflections,” La Semaine judiciaire, II, Doctrine, 2021, vol. 143, no. 4, pp. 117–156).

The three-step test will be outlined in detail below. For now, a brief overview of the key questions it addresses is as follows:

1. Was the order executed on the client’s instruction?

If yes, the bank has a claim for reimbursement against the client. If not, the analysis proceeds to the second step, since, under Swiss law, the bank is generally liable for losses arising from unauthorized or fraudulent banking orders.

While this initial question may appear straightforward (i.e., whether or not the instruction came from the client), complications arise when the order originates from a third party such as an independent asset manager or a close associate. In such cases, the court must consider both external elements (e.g., could the bank, in good faith, rely on the apparent authority of the representative, or should it have conducted further verification?) and internal factors (e.g., what powers had the client actually granted to the representative?). Additionally, the issue of possible ratification by the client may come into play. The general provisions of the Swiss Code of Obligations (Articles 32 et seq.) apply in this context.

2. Did the parties validly derogate from the legal regime that assigns liability to the bank for unauthorized transactions?

If so, the client must bear the loss. If not, the third step must be considered.

This stage raises several complex issues, such as:

  • What did the bank’s general terms and conditions stipulate? Did they include clauses shifting the risk of fraudulent banking orders to the client?
  • Did the bank (its staff or governing bodies) commit gross negligence—for example, were the fraudulent instructions clearly suspicious at first glance? If the bank acted with mere slight or ordinary negligence, could this still invalidate limitation-of-liability clauses under Articles 100 et seq. CO?
  • Were the parties bound by a notification clause requiring the client to contest bank statements within a set period (typically 30 days), and did the client comply with this? Note that delivery methods—such as hold mail or e-banking—may complicate matters further.
  • Would the bank be acting abusively (Article 2 para. 2 of the Civil Code) in seeking to rely on its contractual provisions?

3. Does the bank have a valid damages claim against the client, which it can offset against the client’s claim for restitution?

At this point, the conditions and exceptions under Article 97 CO are assessed—especially regarding the client’s fault (e.g., failure to adequately protect e-banking access or email accounts) and potential interruptions in the adequate causal link between the damage and the client’s conduct (e.g., contributory negligence).

It is worth noting that the Federal Supreme Court has not always applied this three-step framework consistently. In some cases, it has conflated the client’s restitution claim (based on contract execution) with a damages claim under Article 97 CO (where the bank seeks to reduce or offset liability for fraudulent banking orders).

For example, the Court has held that the client’s contributory negligence should be analyzed at the second step—as a factor interrupting the causal chain or reducing the amount of compensation due (see rulings 4A_161/2020 of July 6, 2020 and 4A_9/2020 of July 9, 2020). However, contributory fault should only be considered under a damages claim pursuant to Article 97 CO—not in the context of a contractual restitution claim. The same applies to the assessment of adequate causation.

B) Relevant facts of the Federal Supreme Court Decision 4A_610/2023 of 8 January 2025

A, a Liechtenstein-based foundation managing the assets of Prince C, held a bank account with Bank B in Geneva. This account was primarily used to cover the day-to-day expenses of the prince and his family.

Upon opening the account, Bank B and the foundation agreed that account statements would be sent to A’s registered office, located at a law firm in Liechtenstein, with copies to Prince C. The contractual documentation provided that A would bear the risk of fraudulent banking orders, unless Bank B was found to have committed gross negligence. It also stipulated that any objections to periodic account statements or portfolio valuations had to be submitted in writing within 30 days, failing which the transactions would be deemed accepted. Finally, the agreement specified that Bank B could process any transaction not transmitted via original signed documentation, in any form, at A’s own risk.

In February 2017, a fraudster gained control over the email accounts of C’s accountant, J. Exploiting this breach, the fraudster used the compromised addresses to issue fraudulent instructions to Bank B. On 5 April 2017, he deceived the lawyer sitting on A’s foundation board and instructed Bank B to transfer USD 650,109.50 to a company in Hong Kong, justifying the transaction as a “purchase of machinery.” Two weeks later, on 27 April 2017, he repeated the fraud and obtained a second transfer of USD 103,530.15 to an account in China, citing the same purpose.

Bank B then sent debit advices for both transactions to A’s registered address, in accordance with the contractual terms. However, no objections were raised within the 30-day period. It was not until 9 August 2017, during a visit to Bank B, that Prince C became aware of the fraud. At that time, he challenged the transactions, but no written objection was submitted.

More than a year later, on 28 August 2018, A submitted a formal written objection and filed a claim before the First Instance Court in Geneva, seeking to recover approximately USD 750,000 from Bank B.

The First Instance Court found that Bank B had acted with gross negligence in executing the fraudulent banking orders without conducting adequate verification. The court held that the transactions were unusual and that Bank B should have carried out a callback procedure to confirm the instructions. Consequently, the risk-shifting clause in the contract could not be invoked by the bank. Furthermore, the court determined that sending the debit advices to the law firm was insufficient to trigger the notification clause; effective knowledge by both Prince C and the lawyer was necessary to start the 30-day objection period. The court concluded that Prince C’s reaction during his August 2017 visit constituted timely notice and ordered Bank B to reimburse the misappropriated funds.

On appeal, however, the Geneva Court of Justice overturned the decision and ruled in favor of Bank B. It found that the delivery of the debit advices to A’s registered office was sufficient, as A—not Prince C—was the bank’s contracting party. The Court emphasized that it was A’s responsibility to organize its internal management so as to ensure that such notifications reached the appropriate persons. Additionally, the Court noted that Prince C’s verbal objection during his visit to the bank did not meet the contractual requirement for a written claim. As such, the formal objection submitted on 28 August 2018 was deemed untimely. The fraudulent transfers were thus considered ratified by A, and Bank B could not be held liable for the resulting loss.

A subsequently filed an appeal with the Federal Supreme Court.

C) Legal assessment by the Swiss Federal Supreme Court concerning fraudulent banking orders

Seized of the foundation’s appeal, the First Civil Law Chamber of the Swiss Federal Supreme Court dismissed the appeal and upheld the judgment of the Geneva Court of Justice.

The Supreme Court reaffirmed its established three-step framework (ATF 146 III 121). The first step involves determining whether the instructions were issued with or without a mandate (client’s instruction)[1]. If the bank executed the orders in accordance with the agreed communication procedures, it is up to the client to prove that a third party impersonated them or otherwise misused the communication channel.

If such proof is provided, the second step is to assess whether the loss is attributable to the bank (as per the default legal regime) or whether, owing to a valid risk transfer clause (Risikotransferklausel), the client must bear the loss[2]. Where the parties have validly agreed to transfer the risk of fraudulent instructions to the client, the analysis does not proceed to the third step—unless the bank is found to have acted with gross negligence. In that event, Article 100(1) CO (and by analogy Article 101(3) CO) prevents the enforcement of exoneration clauses[3].

The Court clarified that an assessment of gross negligence on the part of the bank necessarily involves evaluating the contributory fault of the client. This may either break the chain of adequate causation or justify a reduction in the amount of compensation owed.

In the case at hand, the Court found that the fraudulent banking orders were indeed given without a valid mandate, meaning that the bank could be held liable under the default legal regime. It further acknowledged that the risk transfer clause was validly agreed but could not apply if the bank committed gross negligence—consistent with Article 100(1) CO, which renders null and void any contractual provision that attempts to exclude liability for intent or gross negligence in advance.

The Court confirmed that the bank had in fact committed gross negligence[4] by failing to conduct basic verification measures before executing the clearly unusual transactions. However, it stressed that the contributory fault of the client may break the causal link between the bank’s misconduct and the resulting harm. In other words, when assessing the bank’s failure to verify the authenticity of the orders, the judge must also take into account the client’s own conduct and its contribution to the occurrence or aggravation of the loss. This includes, for instance, the client’s failure to check their hold mail file and/or failure to dispute the bank communications in breach of the notification clause contained in the bank’s general terms and conditions (Federal Supreme Court ruling 4A_161/2020 of 6 July 2020).

According to the Federal Supreme Court, general banking conditions typically require clients to dispute any transaction within a specific timeframe upon receipt of the execution advice or account statement, failing which the transaction is deemed accepted. This type of clause has been consistently upheld by the Court (rulings 4A_161/2020, 4A_119/2018 of 7 January 2019, 4A_471/2017 of 3 September 2018, and 4A_42/2015 of 9 November 2015) as it serves the important purpose of enabling timely correction of errors or fraudulent operations. Indeed, bank communications are not merely informational—they serve as a tool for early detection and rectification of anomalies, before the financial consequences become irreversible. Moreover, the principle of good faith imposes on clients a duty to remain vigilant in reviewing bank correspondence. Absent a timely objection, the client is deemed to have implicitly ratified the transaction, even without express intent.

While gross negligence on the part of the bank may, in some circumstances, prevent it from relying on hold mail or notification clauses, this is not the case when the bank has sent debit advices, account statements, and asset reports through ordinary channels and the client has failed to raise an objection within the agreed period. In such a situation, the transactions are deemed approved (see Federal Supreme Court ruling 4A_386/2016 of 5 December 2016). Moreover, if the client has designated a representative to receive correspondence, that representative is considered the client’s auxiliary within the meaning of Article 101 CO, and service of notice on the representative is deemed equivalent to notice to the client. As such, failure to timely object may break the chain of causation between the bank’s gross negligence and the harm suffered by the client (4A_161/2020).

In this case, the foundation received the account statements but did not object within the 30-day contractual timeframe. The appellant argued that its representative, having been deceived, was unable to raise any objection. However, under the Court’s established case law, knowledge acquired by a corporate body’s representative is imputed to the legal entity itself, even if the information was not properly transmitted to other corporate bodies (4A_488/2022 of 12 May 2023). The Supreme Court held that the bank was under no obligation to verify that the internal transmission of information had occurred; notification sent to the contractually agreed address was sufficient. In other words, it was up to the foundation to ensure proper internal organization.

The foundation’s failure to act was deemed a form of fault that resulted in an implied ratification of the transactions. The Court therefore concluded that the causal link between the bank’s gross negligence and the loss was interrupted, thus releasing the bank from liability.

Finally, the Supreme Court dismissed the foundation’s argument that the bank had committed an abuse of rights by invoking the notification clause. According to the Court, it is only when the strict application of the notification clause—triggering the legal fiction of ratification—leads to shocking consequences that a court may set it aside on the basis of the rules governing abuse of rights (Art. 2 para. 2 Swiss Civil Code (CC)). The fiction of ratification is enforceable against the client only insofar as the bank does not commit an abuse of rights.

An abuse of rights may arise in particular where the bank relies on the fiction of receipt to knowingly act to the detriment of the client; where it intentionally deviates, without warning, from a long-standing practice of managing the account based on the client’s oral instructions (for example, under a discretionary portfolio management agreement); or where it knows that the client does not approve of the transactions communicated via hold mail (for example, when the bank acts without instructions under an execution-only or investment advisory contract).

These situations have been addressed in the Federal Supreme Court’s case law, notably in decisions:

In this case, the Court found that the bank had complied with the contractual terms, that the debit advices had indeed been sent, and that the legal fiction of ratification applied in the absence of a timely objection. The fact that the bank subsequently attempted to clarify the situation did not prove that it suspected fraud, but rather reflected an effort to mitigate potential harm.

D) Critical analysis

The outcome of this decision is in line with established case law and reflects a consistent judicial trend of favoring the protection of the Swiss banking sector’s interests, often to the detriment of clients in liability disputes. In this case, the foundation was indeed notified of the fraudulent banking orders, and its failure to raise a timely objection resulted in the implicit ratification of the transactions. Consequently, the bank was entitled to rely on the notification clause, despite its own gross negligence.

However, the reasoning of the Federal Supreme Court presents a significant shortcoming. In addition to conflating the second and third steps of its own legal framework (see above), the Court too hastily dismissed the foundation’s argument that lodging a complaint would not have prevented the harm. According to the appellant, since the funds had already been transferred to bank accounts in Asia, their recovery was impossible, rendering the loss irreversible. Therefore, the failure to raise an objection could neither have caused nor aggravated the damage.

The Federal Supreme Court nonetheless dismissed this argument, reasoning that the cantonal court had not examined whether the contested transfers were truly irreversible and that the appellant had not explicitly raised the issue before that court. As a result, it remains unclear whether the bank could have prevented or mitigated the loss. By making this argument, the appellant relied on a factual assertion that differed from the findings of the lower court—findings that are binding upon the Federal Supreme Court under Article 105(2) of the Federal Supreme Court Act (LTF).

This position, however, is incorrect, as the foundation had explicitly raised the argument in its reply brief dated 28 September 2020. Moreover, the break in the chain of causation is a legal issue that the Federal Supreme Court is obliged to review ex officio, pursuant to Article 106(1) LTF.

This criticism is further supported by the Court’s own recent decision in 4A_135/2023 of 16 October 2024, in which the judges sitting in Mont-Repos reaffirmed that, under the right to be heard, courts must address all claims duly raised at first instance and on appeal. The Federal Supreme Court’s omission in the present case therefore appears to be inconsistent with this fundamental procedural guarantee. In the absence of a complete set of facts, the Court should have remanded the matter to the lower court for a new decision.

Substantively, it is doubtful whether the client’s contributory fault—which, according to the Federal Supreme Court, must be examined at step two of the analysis—namely the failure to object in time to the fraudulent banking orders (under the notification clause), automatically breaks the causal link between the bank’s gross negligence and the resulting loss.

In this regard, it is important to recall that the notions of factual (natural) and adequate causation require that a sequence of events maintain legal significance unless interrupted by an exceptional and unforeseeable cause. A break in the chain of causation occurs when an external factor—such as a natural event, the intervention of a third party, or the conduct of the victim—constitutes the predominant and unforeseeable cause of harm, thereby relegating all other contributing factors to the background. However, unforeseeability alone is insufficient: the concurrent event must appear as the direct and principal cause of the loss, pushing the initial fault into the background.

In cases involving a breach of a duty of care by omission, the analysis relies on hypothetical causation: the question is whether the action that should have been taken would, in the ordinary course of events, have prevented the damage. This form of causation is only admitted when the omitted act would, with a very high degree of probability, have averted the loss. Conversely, if the expected act probably would not have altered the outcome—or merely might have prevented it—adequate causation is excluded (see Federal Supreme Court decision 6B_244/2019 of 10 April 2019).

In light of the above, the Federal Supreme Court should have examined whether the client’s fault actually contributed to the occurrence of the harm and, accordingly, whether the causal link was truly broken.

E) Other recent case law on fraudulent banking orders

1) Fraudulent banking orders transmitted by Email (Federal Supreme Court decision 4A_9/2020 of 9 July 2020)

Gross negligence is defined as a breach of basic rules of prudence that any reasonable person would have observed under similar circumstances. By contrast, slight negligence is characterized by a lack of caution, without amounting to a violation of fundamental standards of care.

The assessment of negligence is based on the legitimate expectations of the other party, as determined by the contract and prevailing industry practices. The burden of proving that the bank acted with gross negligence lies with the client (Art. 8 CC).

As a general rule, the bank is only required to verify the authenticity of instructions received in accordance with the procedures agreed upon with the client or, where applicable, set out by law.

The Federal Supreme Court has held that, when it comes to verifying signatures, banks are not required to take extraordinary measures that would delay transaction processing, nor must they systematically suspect forgery. Additional checks are only required when there are clear indications of fraud, when the transaction is unusual, or when specific circumstances raise legitimate doubts.

A bank commits gross negligence when it executes fraudulent banking orders despite obvious red flags—such as identical spelling mistakes in documents purportedly from different individuals, or clearly inconsistent signatures. Gross negligence is also established where the bank executes transfers that deplete the account, in circumstances where the person issuing the instructions was not authorized to carry out such transactions.

Where the client is authorized to issue instructions by email, the bank is not required to presume fraud from the outset or to apply overly burdensome controls. A risk allocation clause may shift to the client the responsibility for losses arising from unauthorized intrusions into the client’s IT systems—even in the event of a fortuitous breach.

Accordingly, the bank may only be held liable if a quick and basic review of the situation reveals obvious indicators of identity fraud—such as if the instruction comes from an unusual email address, contains awkward language, refers to a beneficiary based in a high-risk jurisdiction, or departs from the client’s usual transaction patterns.

For example, the Court found gross negligence where a client—whose email account had been hacked—had fraudulent instructions executed despite clear anomalies. The instructions were written in broken English with unusual vocabulary and syntax, involved substantial transfers to Hong Kong and Singapore, and were inconsistent with the client’s known communication style (fluent, precise English) and conservative asset management profile.

2) Fraudulent banking orders and breaks in the chain of causation (Federal Supreme Court decision 4A_539/2021 of 21 February 2023)

According to Swiss case law on civil liability—which also applies to contractual liability (Art. 99 para. 3 CO)—the victim’s fault does not, as a rule, break the adequate causal link between the damage and the conduct of the liable party, even where the client’s fault is more serious than that of the bank.

As long as the bank’s initial misconduct remains a significant contributing factor in the sequence of events, and no exceptional or unforeseeable cause intervenes, the causal link remains intact. The court must examine the relative severity of the parties’ respective faults. If the client’s negligence is so serious that it eclipses the bank’s wrongdoing, then the bank may be released from liability.

However, the client’s fault may lead to a reduction of damages under Article 44 para. 1 CO, in conjunction with Article 99 para. 3 CO, where the client has significantly contributed to the harm, even if this does not break the chain of causation. The reduction is to be assessed based on the comparative gravity of the bank’s and the client’s faults.

Finally, Article 44 para. 1 CO gives the court broad discretion. When ruling ex aequo et bono (based on equity, Art. 4 CC), the judge must consider the specific circumstances of the case.

For more information, please contact us.

[1] Funds deposited into a bank account become the property of the bank, while the client holds a claim in restitution against the bank. When a payment is made to a third party based on the client’s instruction (i.e., a mandate), the bank acquires a reimbursement claim against the client pursuant to Article 402 of the Swiss Code of Obligations (CO). This claim may be asserted by the bank as a set-off against the client’s restitution claim. Conversely, if the bank executes a transfer without the client’s instruction (i.e., in the absence of a mandate), it holds no reimbursement claim and thus cannot invoke set-off. In such cases, the transaction must be reversed, and Article 402 CO does not apply (see ATF 146 III 387; ATF 146 III 121).

[2][2] Banking general terms and conditions often include a so-called risk allocation clause, which shifts to the client the risk that would normally be borne by the bank in cases where instructions are executed by an unauthorized person. According to the case law of the Federal Supreme Court, the validity of such clauses must be assessed by analogy with Articles 100 and 101(3) CO (see 4A_81/2018 of 29 May 2018).

[3] It should be noted that, based on Article 100(2) CO, applied by analogy, the court may—under its discretionary power pursuant to Article 4 of the Swiss Civil Code—invalidate a risk allocation clause where the harm is the result of slight negligence by a corporate organ of the bank (as opposed to an auxiliary; see Art. 101(3) CO).

[4] Gross negligence is defined as a breach of basic rules of diligence that any reasonable person would have observed under the same circumstances (ATF 146 III 326). In general, the bank is required to verify the authenticity of orders only in accordance with the procedures agreed upon by the parties or, where applicable, those prescribed by law. It is not obliged to take extraordinary measures incompatible with the efficient processing of transactions. While the bank must take into account the risk of forgery, it is not required to systematically presume it. However, it must conduct further verifications when there are serious indications of falsification, when the transaction is inconsistent with the contract or past practice, or when specific circumstances raise doubts (see 4A_81/2018 of 29 May 2018; 4A_386/2016 of 5 December 2016).