ventoruzzo




Payment Management and Siphoning Prevention as Directors' duties of care - A study on fake president fraud

Chris Thomale, Professor of International Corporate and Business Law at the University of Vienna and Professor of Comparative Law at the Università degli Studi Roma Tre

Companies have to protect their assets, especially liquid assets like bank deposits, from unauthorized transfers of any kind. This requires a set of procedural safeguards, conveniently summarized by the term “good payment governance”, comprising, notably, a payment authorization scheme, IT security, staff training and insurance protection. The article explores directors’ duty of care with regard to good payment governance. In doing so, it takes into consideration numerous jurisdictions but with a focus on Europe, notably recent developments in Germany and Austria.

 

Payment Management and Fraud Prevention as Directors' Duty of Care - A study on “fake CEO” fraud

Companies must protect their assets, especially liquid assets such as bank deposits, against unauthorized transfers of any kind. This requires a set of procedural safeguards, conveniently summarized by the term good payment governance, which comprise, in particular, a payment authorization scheme, IT security, staff training and insurance protection. The article analyzes the directors' duty of care with regard to good payment governance. In doing so, it takes numerous jurisdictions into account, but focuses on Europe, in particular on recent developments in Germany and Austria.

Keywords: fake president fraud – internal control system – payment governance – payment manual – duty of care – business judgment rule.

Contents:

1. Introduction
1.1. Companies as Targets for Criminals
1.2. Fake President Fraud – a closer look
1.3. Impact on Companies as well as Practical and Academic Relevance
1.4. Legal Implications and the Prosecution Issue
1.5. Role of corporate management
2. Good payment governance – preventing damages efficiently
2.1. Payment clearance system
2.2. IT-Security
2.3. Employee awareness training
2.4. Insurance Coverage
3. Payment Governance Obligations and Liability of a Sole Managing Director
3.1. The Managing Director's Responsibility to establish an Internal Control System
3.1.1. ICS as Substantiation of General Managerial Duties consisting of accounting, insolvency prevention and comprehensive asset protection
3.1.1.1. Conceptual Origin
3.1.1.2. The “ICS” as a cipher for asset protection
3.1.1.3. Payment systems and ICS
3.1.2. Protective Measures outside of the ICS: Employee awareness training and insurance
3.2. Management's general duty of care
3.2.1. Duty of Care Standard and Liability of Board Members – Business Judgment Rule
3.2.2. Employee Awareness Training
3.2.3. Insurance
4. Conclusion
Notes


1. Introduction

1.1. Companies as Targets for Criminals

Reliable and secure incoming and outgoing payment flows (henceforth: payment governance) are one of the essential responsibilities of good corporate management. With the introduction of electronic banking and digital authentication systems, the essential procedural steps of payment transactions have shifted back to the account-holding company. [1] This makes payment transactions vulnerable to fraud and breaches of trust that originate within the sphere of the company itself. The range of potential cases extends from the accountant who authorizes salary payments to her fictitiously employed partner, [2] to the deputy accountant who exploits her electronic authentication simply to “reach into the till,” [3] to the financial manager who finances private luxury expenses from the company's funds. Further problems emanate from a growing field of organized crime: criminal syndicates identify internal organizational weaknesses and exploit them by means of social engineering schemes in order to induce unauthorized money transfers to their own foreign accounts. [4] A particularly frequently encountered version of such social engineering fraud schemes is the so-called fake president fraud: [5] here, forged or tampered digital communication, typically under the name of a business manager (“president”), is used by means of e-mail spoofing, [6] e-mail hacking, [7] or even by means of a [continues ...]



1.2. Fake President Fraud – a closer look

Fake president fraud, also known as CEO fraud, denotes a scheme in which fraudsters, posing as a member of the management board, approach an employee of the finance or accounting team, usually by remote communication such as a phone call or an e-mail. They typically demand a large money transfer to a foreign account. The matter is said to be enormously important, strictly confidential and extremely urgent. The pretext for the transfer may be, e.g., an alleged merger or acquisition. The typical incident can be described as follows: [18] First, a lawyer of a well-known law firm introduces himself and explains that he is representing the management in a strictly confidential company acquisition. [19] Often, it is first emphasized that the employee called was chosen because of their longstanding loyalty to the company and their integrity in this highly confidential matter. In addition, the employee's competence in finding solutions is charmingly asserted. Under this pretext, the employee is asked to execute a money transfer at short notice and to maintain strict confidentiality, since a breach of that confidentiality would allegedly violate some made-up legal obligation, such as insider trading rules, breach of trust or the like. To conclude the first step, the caller typically names another person involved who will contact the employee later, as the CEO and the caller himself will be tied up in negotiations or other tasks. Secondly, the employee of the [continues ...]



1.3. Impact on Companies as well as Practical and Academic Relevance

The incidence of fake president fraud has increased sharply since 2015. [22] US companies seem to be particularly frequently affected. [23] In view of over 23,000 complaints about this type of e-mail fraud to the FBI's Internet Crime Complaint Center and billions in losses, the FBI named CEO fraud one of the most relevant topics of 2019. [24] CEO fraud has already caused great damage in Europe as well: among others, German police reported that CEO fraud cases more than doubled between 2016 and 2017 in the German state of North Rhine-Westphalia alone. [25] Smaller, high-revenue companies have been particularly targeted since mid-2017; these often lack professional governance and protection mechanisms. The Austrian Federal Criminal Police Office (Bundeskriminalamt) likewise warned Austrian companies of the threat posed by CEO fraud back in 2017. In Austria alone, CEO fraud had resulted in the loss of tens of millions of euros in recent years. Moreover, such fraud causes immense uncertainty among affected employees and investors, thus exceeding the actual damage done by successful attacks. [26] Companies that fall victim to such scams not only suffer huge financial losses but also damage to their reputation. Even the disruption of their entire operation is plausible. In addition to the direct costs of the scam, expenses are also incurred during the recovery process, e.g. the costs of hiring forensic investigators or implementing new security measures. Due to [continues ...]



1.4. Legal Implications and the Prosecution Issue

Fake president fraud, like other forms of fraudulent behaviour, is generally illegal. The specific penalties for fraud and other crimes vary by jurisdiction. In Austria, [28] for example, fraud is defined as inducing someone, by “deception about facts,” to an act, acquiescence or omission that damages the assets of the deceived person or of a third party. [29] CEO fraud in particular is grouped under the umbrella term “prepayment fraud (Vorauszahlungsbetrug).” Depending on the amount stolen, the potential consequences are prison sentences of up to ten years [30] or monetary fines. [31] A victim company, however, typically encounters severe enforcement problems in going after the perpetrators themselves, as they are often located in far-away offshore jurisdictions, and the stolen funds, too, are quickly transferred beyond the immediate reach of the victim company or its home jurisdiction. Moreover, the perpetrators are typically hard to trace, insolvent or difficult to prosecute due to the many limits of international civil and criminal procedure and jurisdiction. [32] Effective criminal or civil prosecution regularly has little chance of success. [33] Therefore, the focus of injured companies shifts to their managing directors [34] and employees, [35] as well as to the insurance companies [36] and banks [37] involved in the transaction. In other cases, employees who have been dismissed as a result of a successful fake president [continues ...]



1.5. Role of corporate management

Because of the above-mentioned issues, it appears straightforward for the damaged company to claim compensation from those employees who “allowed” the scam to happen in the first place through deliberate or negligent breaches of due diligence. In this regard, however, many jurisdictions protect ordinary employees, viewing them as vulnerable parties deserving legal privileges. For example, according to Section 2(1) of the Austrian Employee Liability Act (Dienstnehmerhaftpflichtgesetz), the court may, for equitable reasons, reduce the company's claim for compensation in the event of ordinary negligence on the part of the employee, or even waive it entirely in the event of only slight negligence. For this reason, in many cases it is not promising to seek compensation from the company's frontline employees, and certainly not for an amount that even remotely approximates the millions in damage caused by the attack. [39] However, according to rulings of, e.g., the Austrian Supreme Court, the above-mentioned employee liability privilege typically does not apply to managing directors, who can thus be held fully liable for damages incurred by the company as a result of their lack of diligence and precaution. [40] This, and the fact that managing directors have a broader liability fund and insurance coverage than ordinary employees, would typically prompt the injured company to claim damages from the (former) managing director. Therefore, managing [continues ...]



2. Good payment governance – preventing damages efficiently

The general understanding of good payment governance can be derived neither from statutes nor from corporate governance codes or any available guidelines. Rather, it is the result of an overall consideration of the payment governance actually practised. That practice provides the factual basis for normative reflection, be it in court decisions, [41] official guidelines [42] or other legal communication, including business management [43] and jurisprudential studies. The central principle for the doctrinal development of concrete requirements is the principle of economic efficiency: [44] prima facie, good payment governance could be defined by a comparison, namely that the control costs incurred must be lower than the expected value of potential future harm. [45] Thus, good payment governance appears to be an optimisation problem between control costs and security gains. However, taking into account the constant increase in fraudulent social engineering activity as well as the virtually unlimited damage potential, [46] the security gain is so overwhelmingly more valuable than any reasonable control measures could possibly cost that [47] – leaving aside completely disproportionate control paranoia – the main focus can be on the effectiveness of certain protective measures relative to others: the optimisation problem can, by approximation, be treated as a problem of effectiveness. [48] Consequently, the prevalent question is this: [continues ...]



2.1. Payment clearance system

It is a primary task of the management to organize and secure the clearance of payments by implementing a payment clearance system. [49] In such a payment clearance system, internal responsibilities have to be assigned clearly, so that there is no doubt whose authorization is required, in what form, and for which payments. [50] Since social engineering attacks typically start with the psycho-manipulative isolation of individual employees, it is important to set down this payment clearance system in a written payment manual [51] and to make and keep it available internally, so that employees can ascertain the required authorization procedure and any exceptions at any time. [52] To ensure this, the payment manual should be distributed by the managers to all employees involved in the payment processes. [53] It is not sufficient to leave the implementation of the payment clearance system to the departments and employees who are internally involved in the payment process, especially not in the form of self-determined “best practice” manuals, because this could give rise to the wrongful impression that it is also the department's or employee's decision to deviate from the system in certain situations. Indeed, the written manual for the payment clearance system has to provide not only the procedural rules but also comprehensive rules on exceptions from them. This need arises from the nature of exceptional situations, in which [continues ...]



2.2. IT-Security

Modern social engineering attacks exploit vulnerabilities in the information technology systems used by companies. Therefore, the technical implementation of the payment clearance system has to be protected and secured by state-of-the-art measures. [61] Adequate protection and secure storage of payment-related authentication codes, in particular passwords, PINs, TANs etc., is of fundamental importance. Evident safety measures to achieve this are sufficient encryption, digital storage without any connection to the internet, and the secure physical storage of devices used for the authentication of payment authorizations. Needless to say, the payment manual has to stipulate rules for the storage and management of the codes, and these rules have to be compatible with the authorization requirements stated in the payment manual. [62] Under no circumstances should it be possible to interpret or construe the rules for the management and storage of the authentication codes and devices in a manner that could undermine the authorization requirements: if, for example, a certain threshold is surpassed and hence personal authorization by superior management personnel via an internal system is required, it must be ensured that a payment without the required personal authorization is impossible. In no case may the authentication codes of several members of the management be stored in a manner that would allow their simultaneous accessibility by any [continues ...]
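The clearance rules of sections 2.1 and 2.2 (clearly assigned authorization, a four-eyes principle, amount thresholds with a devolutive effect, a written exception procedure, and the requirement that a payment above a threshold cannot be released without the personal authorization of the responsible manager) can be written down as a policy that the payment system evaluates itself rather than leaving it to the judgement of the employee under pressure. The following Python example is an added illustration and not code from the article or from any payment system; the tier amounts, role names, user names and IBANs are assumed. It encodes the rules and then runs the textbook fake president case: an accountant, told by a caller that the CEO wants EUR 900,000 sent to a new account, obtains a colleague's approval and tries to release the payment.

```python
"""Payment release check: four-eyes principle, escalating approval tiers, exception path.

Added illustration; not code from the article. Tier amounts, role names, user names
and IBANs are assumed. Approvals are assumed to be recorded by the payment system
under each approver's own authenticated login, so the initiator cannot enter them.
"""
from dataclasses import dataclass, field
from decimal import Decimal

# Assumed tier table: amount ceiling -> roles whose personal approval is required.
# Above the last ceiling, authorisation devolves to the CFO and the CEO.
TIERS = (
    (Decimal("10000"), ("accountant",)),
    (Decimal("100000"), ("head_of_finance",)),
    (Decimal("250000"), ("head_of_finance", "cfo")),
)
ABOVE_TOP_TIER = ("cfo", "ceo")


@dataclass(frozen=True)
class Principal:
    """An authenticated user of the payment system; every approval is bound to one of these."""
    user_id: str
    role: str


@dataclass
class PaymentRequest:
    initiator: Principal
    amount: Decimal
    beneficiary_iban: str
    approvals: list = field(default_factory=list)   # Principals who approved under their own login
    callback_verified: bool = False                 # exception procedure for a new beneficiary done


def required_roles(amount):
    """Roles that must personally approve a payment of this size (devolutive effect)."""
    for ceiling, roles in TIERS:
        if amount <= ceiling:
            return roles
    return ABOVE_TOP_TIER


def evaluate(req, known_beneficiaries):
    """Return (release_allowed, reasons); every violated rule is listed, not only the first."""
    reasons = []
    approvers = {p.user_id: p for p in req.approvals}

    if len(approvers) != len(req.approvals):
        reasons.append("same principal counted twice")
    if req.initiator.user_id in approvers:
        reasons.append("initiator approved own payment (four-eyes violated)")

    # A role is satisfied only by a distinct principal who actually holds it. This is only
    # as strong as the credential storage rule: if one person could log in as two managers,
    # the system would see two principals.
    for role in required_roles(req.amount):
        if not any(p.role == role and p.user_id != req.initiator.user_id
                   for p in approvers.values()):
            reasons.append(f"missing personal approval by {role}")

    # Written exception rule: a first-time beneficiary is released only after the
    # call-back on a known number has been recorded, regardless of who asked for it.
    if req.beneficiary_iban not in known_beneficiaries and not req.callback_verified:
        reasons.append("new beneficiary without call-back verification")

    return (not reasons, reasons)


def fake_president_scenario():
    """The textbook case: an 'urgent, confidential' instruction by phone, EUR 900,000 to a
    new account, released by the accountant with a colleague as second pair of eyes."""
    alice = Principal("alice", "accountant")
    bob = Principal("bob", "accountant")
    req = PaymentRequest(alice, Decimal("900000"), "XX00FAKE0000000001", approvals=[bob])
    return evaluate(req, known_beneficiaries={"DE00KNOWN000000001"})


if __name__ == "__main__":
    allowed, reasons = fake_president_scenario()
    print("release allowed:", allowed)
    for reason in reasons:
        print(" -", reason)
```

The check reports every violated rule rather than stopping at the first one, so the log of rejected requests doubles as an audit trail. In the scenario the release fails three times over: no CFO approval, no CEO approval, and an unverified new beneficiary; no amount of urgency conveyed to the accountant changes that, because the policy is evaluated by the system and not by the person being pressured.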



2.3. Employee awareness training

The ultimate weak point of any company is the conditio humana. [65] The deterrent effect of criminal law (see above), a careful selection of employees and the implementation of barriers such as the four-eyes principle are usually the only available protection from theft, embezzlement and criminal actions. Against social engineering attacks, additional measures are available to companies: regular training sessions for employees involved in payment processes, simulations of social engineering scenarios in role-playing exercises, and guides to identifying the hallmarks of forged or copied e-mails, signatures and letterheads [66] are suitable measures to enhance the resilience and vigilance of employees against attacks. [67] A number of specialized consultancies already offer to draft security concepts and even to simulate [68] fraud attacks on behalf of the company, in order to identify weak points and revise existing security systems. Typical social engineering attacks depend on the isolation of the targeted individual within the company. [69] To this end, scammers try to create the impression that the target is not allowed to talk with anyone about the payment, for legal or other reasons, and that the addressed employee is only included because of his or her proven trustworthiness. [70] In the case of fake president fraud, the attackers must even prevent employees from contacting their superiors outside of communication channels which are controlled by the [continues ...]
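Part of the “guide to identifying the hallmarks of forged or copied e-mails” mentioned above can be automated and shown to staff on real examples. The following Python example is an added illustration, not code from the article; the company domain, the three sample messages and the list of pressure cues are constructed for it. It applies four hallmarks to an e-mail: a look-alike sender domain, a Reply-To pointing somewhere other than the From address, failed SPF/DMARC verdicts in the Authentication-Results header that the receiving mail server stamps on a message (the signature of the e-mail spoofing described in note [6]), and the urgency and confidentiality cues of the script described in section 1.2.

```python
"""Hallmark checks for a forged 'CEO' e-mail: authentication verdicts, sender domain, pressure cues.

Added illustration; not code from the article. The company domain, the sample messages
and the cue list are constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = "example-corp.com"          # assumed company domain
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})   # digits swapped for letters
PRESSURE_CUES = ("urgent", "confidential", "immediately", "today", "do not discuss")
FAILED = {"fail", "softfail", "permerror", "temperror"}


def levenshtein(a, b):
    """Edit distance, used to catch one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, trusted):
    """A registered imitation of the trusted domain: differs from it, but matches after
    confusable substitution or lies within edit distance 1."""
    if not domain or domain == trusted:
        return False
    folded = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return folded == trusted or levenshtein(domain, trusted) <= 1


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results, as stamped by the receiving MX."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[mech.lower()] = result.lower()
    return verdicts


def check_message(raw, trusted=TRUSTED_DOMAIN):
    """Return the list of hallmarks found; an empty list means none of the heuristics fired."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    if is_lookalike(from_domain, trusted):
        findings.append(f"look-alike sender domain {from_domain} imitates {trusted}")
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for mech, result in auth_results(msg).items():   # classic spoofing: From looks genuine,
        if result in FAILED:                           # but SPF/DMARC fail for that domain
            findings.append(f"{mech}={result} for sender domain {from_domain}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = f"{msg.get('Subject', '')} {body}".lower()
    cues = [c for c in PRESSURE_CUES if c in text]
    if len(cues) >= 2:
        findings.append("pressure cues: " + ", ".join(cues))
    return findings


# Constructed samples (not real messages).
SPOOFED = """\
From: "Hans Mueller" <hans.mueller@example-corp.com>
To: accounting@example-corp.com
Subject: URGENT - confidential acquisition payment
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none; dmarc=fail header.from=example-corp.com

Please wire EUR 850,000 today to the account our lawyer will send you. Do not discuss this with anyone.
"""

LOOKALIKE = """\
From: "Hans Mueller" <hans.mueller@examp1e-corp.com>
Reply-To: h.mueller@webmail-example.net
To: accounting@example-corp.com
Subject: Strictly confidential: Project Falcon
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=pass header.d=examp1e-corp.com; dmarc=pass header.from=examp1e-corp.com

Release the payment immediately and keep this strictly confidential.
"""

BENIGN = """\
From: "Bob Accountant" <bob@example-corp.com>
To: accounting@example-corp.com
Subject: Invoice 4711
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com

Attached is the March invoice for the usual supplier.
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED), ("look-alike", LOOKALIKE), ("benign", BENIGN)):
        print(name, "->", check_message(sample) or ["no hallmarks found"])
```

The two fraudulent samples fail for different reasons, which is the point worth making in training: the spoofed message carries the company's own domain and is caught only by the authentication verdicts, while the look-alike message passes SPF and DMARC for its own registered domain and is caught by the domain comparison and the foreign Reply-To. A mail gateway should show these verdicts to the user; none of this replaces the call-back on a known number that the payment manual requires for such requests.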



2.4. Insurance Coverage

Some degree of residual risk of social engineering attacks being successful cannot be eliminated. For this reason, appropriate insurance against such attacks is an obvious complementary measure to good payment governance. [71] Fidelity guarantees (Vertrauensschadensversicherung) could cover intentional damage caused by employees, [72] while negligent damage could be covered by other types of insurance. [73] The details of adequate insurance coverage must of course be assessed individually, on a case-by-case basis. In general, however, it is doubtful whether good payment governance without any complementary insurance coverage could actually offer sufficient protection. On the other hand, no company should rely exclusively on insurance coverage, since the lack of good payment governance may trigger exclusions from the coverage.



3. Payment Governance Obligations and Liability of a Sole Managing Director

3.1. The Managing Director's Responsibility to establish an Internal Control System

The responsibility for operational compliance with good payment governance or a payment clearance system lies with the management of the company. Especially in smaller and medium-sized companies there may be only a single managing director, in which case this single individual is responsible for protecting the company against unauthorized transfers of funds. [74] Accordingly, the director has to implement and monitor internal payment procedures in a manner that reduces the risk of unauthorized transfers. Additionally, protective measures have to be taken against specific threats arising from the organizational structure. If the organizational structure grows more detailed and complex, a single managing director will not be able to fulfil all these responsibilities by himself. [75] Rather, his duty of care evolves into an organizational duty to ensure good payment governance. [76] While simple enough in concept, the details of this evolution of obligations, as well as their legal basis and scope, remain open: these obligations may result from specific legal norms, such as the obligation to set up an internal control system (hereinafter: ICS), [77] or they may be derived from the general duty of care of managing directors. [78]



3.1.1. ICS as Substantiation of General Managerial Duties consisting of accounting, insolvency prevention and comprehensive asset protection

3.1.1.1. Conceptual Origin

Some jurisdictions stipulate specific obligations for managing directors which directly influence and substantiate the directors' responsibilities with regard to good payment governance and payment clearance systems. Examples of such provisions are Sec. 22(1) of the Austrian Limited Liability Companies Act (GmbHG) and Sec. 82 of the Austrian Stock Corporation Act (AktG), which oblige the director to implement an internal control system. The concept of the ICS was legally introduced in Austria in 1997 [79] and was meant to substantiate the rather broadly defined managerial duty of care by stipulating a minimum of organisational responsibility. [80] The ICS is described by the legislator in the explanatory notes as “all coordinated methods and measures in a company which serve to safeguard assets, ensure the accuracy and reliability of accounting data and support compliance with the prescribed business policy (see WP Handbook 1996 I11 pg. 43)”. [81] This description can be traced back to a 1949 report of the AICPA [82] and a work on internal control cited therein. [83] The AICPA report describes internal control as follows: “Internal control comprises the plan of organization and all of the coordinate methods and measures adopted within a business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to [continues ...]



3.1.1.2. The “ICS” as a cipher for asset protection

In Austria, the vague definition of the ICS by the legislator and the literally translated reference to the AICPA report in the explanatory notes suggest that the ICS was originally not a legal concept [85] and that its transformation into a legal term has not been entirely successful. [86] In fact, the term originates from business administration. [87] The reference to the Handbook of Certified Public Accountants [88] leaves no doubt about its conceptual origin. [89] In business administration, the term ICS comprises first and foremost all governance measures which ensure the safety and economic efficiency of the company. [90] This gave rise to a similar and common description of the ICS as a package of measures to ensure the safety, regularity and economic efficiency of the company. [91] Safety in this regard is understood as the requirement to establish an economically reasonable package of measures that minimizes the risk of damage to the company. [92] The requirement of regularity comprises the material and formal correctness, completeness and timely execution of internal processes, their documentation and traceability, as well as compliance with statutory regulations. [93] The requirement of economic efficiency addresses the company's need to act profitably and its tense relationship with the aforementioned safety requirement. [94] The ICS is therefore also concerned with the repressive correction and prevention [continues ...]



3.1.1.3. Payment systems and ICS

The specific requirements for an ICS depend on the size of the company and the industry or fields of business in which it operates. [109] As outlined above, the ICS pursues a tripartite purpose of insolvency prevention, accounting and clearing security, and general asset protection with regard to critical business processes. It is questionable whether measures of good payment governance are just another part of the ICS or rather a manifestation of the general duty of care of the management board. [110] If a measure of good payment governance is a requirement for achieving one of the objectives of the ICS, it seems reasonable to regard it as part of the ICS. Measures of good payment governance do not only affect critical points of the company but concern all regulatory objectives of the ICS, insofar as the system generally aims to prevent irregularities and misappropriations in payment transactions. Because of the particular fungibility of liquid assets, these are particularly at risk. [111] However, intentional misappropriations as well as honest mistaken transfers do not only threaten liquid assets. [112] Due to their theoretically unlimited damage volume, [113] malversations may cause insolvency or over-indebtedness of the company. Measures of general malversation and error prevention in payment transactions therefore also serve as an insolvency prevention tool. [114] An unauthorised transfer of liquid assets also affects the [continues ...]



3.1.2. Protective Measures outside of the ICS: Employee awareness training and insurance

Employee training, while useful to prevent social engineering attacks from succeeding, and insurance cover for damage from potential attacks are not part of the ICS. First of all, insurance solutions are not strictly measures to prevent the misappropriation of funds, but rather instruments for damage control. Employee training and other awareness-raising measures against specific threats have a complementary protective function. If payment transactions are protected in the abstract against internal and external misappropriation to a minimum extent (payment manual, four-eyes principle, staggering of amounts), this already significantly reduces the risk posed by social engineering attacks. Only this minimum standard is covered by the ICS; more extensive payment governance obligations arise from the management's general duty of care. [126]



3.2. Management’s general duty of care

3.2.1. Duty of Care Standard and Liability of Board Members – Business Judgment Rule

The obligations and corresponding liability of managing directors are not harmonized in Europe, as the European directive on company law [127] includes no specifications for the liability of board members, neither for stock corporations nor for closed corporations. [128] Even for the supranational European Company (Societas Europaea), different liability schemes exist, as the SE Regulation [129] refers to the national provisions of the Member State in which the SE's registered office is situated (Article 51 SE Regulation). Both in Austria and in Germany, members of the management board have to act in the company's affairs with the due care of a responsible and conscientious manager. This general duty of care includes an organizational duty, which becomes more distinct as the company expands, the division of labour increases and the organizational structure grows more complex. [130] As the company increases in size, the organizational structure has to be developed further in order to avert harm. [131] Besides the rules regarding the establishment of a sufficient ICS, there are few specific norms which substantiate this general duty of care. Rather, the members of the management board are entitled to a margin of discretion in entrepreneurial decisions, all the more so if they act within the limits of the business judgment rule. In both jurisdictions, a member of [continues ...]



3.2.2. Employee Awareness Training

As already outlined above, employee awareness training and sensitization are crucial to avoid payment malversations, because employees pose a weakness insofar as they could potentially be deceived both psychosocially and technically. From the company's point of view, this risk can be efficiently reduced by increasing employees' awareness and vigilance. In addition to specific information campaigns, training sessions are suitable for this purpose. [136] The choice of a specific approach lies within the margin of discretion enjoyed by managing directors in their entrepreneurial decisions. The minimal protection offered by the implementation of an ICS alone, however, is not sufficient, as it only creates a minimum level of protection that is neutral as to the type of attack. A diligent director would therefore supplement the general measures of loss prevention with specific employee training measures to ward off social engineering activities. [137]



3.2.3. Insurance

As a supplementary measure, insurance can mitigate or completely compensate for the consequences of a successful social engineering attack. Whether the general duty of care can give rise to an obligation to enter into an insurance contract depends on the individual case. The available insurance conditions, in particular the premium amount, deductible and scope of coverage, [138] as well as the specific needs of the company must be weighed up carefully.

Outlook. Unfortunately, the next generation of social engineering attacks is already evolving rapidly in the form of “deep fake technology,” i.e., voice and video falsification by artificial intelligence. [139] In Europe, one recent case received particular attention: the mayors of Vienna, Berlin and Madrid were under the impression that they were in video conferences with the mayor of Kiev, Vitali Klitschko. [140] Later it turned out that it was an impostor using deep fake technology. Because of the rapid spread of video conferencing in business and board meetings due to the COVID-19 pandemic, there is already a need for additional security measures to combat deep fake enabled fraud in companies. New and more detailed procedures will be needed to shield companies from this variation of fraud, which exploits the conditio humana extremely effectively.



4. Conclusion

The analysis above has shown that the components of good payment governance have to be differentiated from each other: the payment clearance system and general security, especially IT security, are parts of the ICS. Employee awareness training as well as insurance coverage against social engineering attacks are additional protective measures; the obligation to establish them arises from the general managerial duty of care. The specific requirements for a sufficient ICS and for the fulfilment of the general duty of care vary according to the industry and size of the company. As a minimum standard, firstly, a written payment manual must be drafted which establishes at least a four-eyes principle for outgoing payments and sets thresholds with a corresponding devolutive effect, up to and including mandatory authorisation by the CEO. Secondly, from the point of view of (IT) security, an up-to-date Information Security Management System (ISMS) is required. The type and extent of, thirdly, employee awareness training and sensitisation and, fourthly, insurance coverage are difficult to formulate in general terms. However, it seems certain that the complete lack of any awareness-raising measures and the absence of insurance against social engineering attacks have to be considered a breach of the managers' duty of care.



Notes

[1] Previously, this task was assigned to payment service providers outside the company.
[2] For example: Higher Regional Court Vienna 30.5.2017, 7 Ra 95/16s.
[3] Austrian Supreme Court (OGH) 26.8.2020, 9 ObA 136/19v.
[4] Saxony Regional Labour Court 13.6.2017, 3 Sa 556/16 (Recital 148).
[5] Heilbronn Regional Court 20.10.2015, Bm 6 O 128/15, jurisPR-BKR 1/2016 (note 4): transfers of millions by fax transfer order; Saxony Regional Labour Court 13.6.2017, 3 Sa 556/16 (esp. Recital 3); Higher Regional Court Linz 29.7.2020, 12 Ra 42/20p; supplementary on the phenomenon: Deutsches Bundeskriminalamt, Social Engineering / CEO-Fraud (available at: https://www.bka.de).
[6] Email spoofing is the creation of email messages with a forged sender address. For an analysis of the phenomenon: Kikerpill/Siibak, Masaryk University Journal of Law and Technology, vol 13, no 1, 2019, 45 (53 seqq.).
[7] Cour d'Appel, Saint-Denis (Réunion), ch soc, 6.3.2017, nº15/01838; Cour d'Appel, Paris, Pôle 5, ch 6, 21.11.2018, nº17/00397.
[8] Fromme, Süddeutsche Zeitung of 10.9.2019.
[9] Higher Regional Court Linz 29.7.2020, 12 Ra 42/20p; see also US Court of Appeals, Principle Solutions Group LLC v Ironshore Indemnity Inc, Case 17-11703, doc 1:15-cv-04130-RWS (2019).
[10] Fritzsche, CB 2017, 403 (404).
[11] See the Canadian case Superior Court, Future Electronics Inc (Distribution) Pte [continues ...]
