Introduction

Business email compromise and online payment fraud have become increasingly common in South Africa, often leaving victims with devastating financial losses and limited avenues for recovery. One important case that addresses whether a bank can be held liable in such circumstances is Ross v Nedbank Limited. This case is an application for leave to appeal arising from a business email compromise lawsuit. The case raises significant legal questions about pure economic loss, the scope of a bank’s duty of care to non-customers and the extent to which statutory obligations under FICA can give rise to private claims for damages.

Case Law

The applicants, Mr and Mrs Ross, were not Nedbank clients, but they sued the bank for pure economic loss totalling R1,633,400.00. A scammer deceived them into transferring funds to a bank account they believed belonged to the property sellers of the house they wanted to buy, but which in fact was held by an unrelated third party, Bheka Joseph Nkomane at Nedbank.
They brought the application, arguing that the bank had a duty to prevent the fraudulent transaction under FICA. They contended that Nedbank either knew or should have reasonably suspected that Nkomane’s account was involved in fraud. The Rosses argued that Nedbank acted negligently by allowing withdrawals from the account, thus directly causing their financial loss. They argued that because of Nkomane’s financial situation, he was unemployed and had no income, so Nedbank should have imposed transaction limits on his account.
At the first hearing, the court addressed whether Nedank had a legal duty to prevent the Rosses economic loss, and whether its conduct should be considered wrongful under the law of delict. The court held that, in South Africa, under established legal principles, conduct that results in pure economic loss is wrongful only where public or legal policy considerations justify imposing liability for negligent conduct that causes such loss. In other words, there is no general legal right to be free from pure economic loss.
The court ruled against the Rossses. The court held that Nedbank owed them no legal duty, as they were not its customers. FICA does not impose a duty of care in favour of third parties, and the statutory duties under FICA are not meant to be enforced through private lawsuits for damages. To impose such a duty would place an unreasonable and impracticable burden on banks.
The court found that they were the authors of their own misfortune. The court found that they were experienced businesspeople and should have been alert to the risk of cybercrime and taken basic precautions to verify the banking details before making the payment. The court also determined that Nedbank did not owe the Rosses a private law duty to oversee or control the fraudster’s account in a manner that would have averted the loss.

Leave to Appeal

The applicants then filed for leave to appeal, arguing that the judge was biased as he is a partner at a law firm (ENS) that was involved in a similar high-profile case, namely, Hawarden v ENS, where he had expressed firm legal views on similar issues. They also argued that the judge was wrong to find that Nedbank owed them no legal duty.
The judge rejected the leave to appeal on the basis that there was no reasonable apprehension of bias, as he had informed both parties prior to the commencement of the trial of his involvement in the matter. The Rosses did not object at that time. In addition, the legal principles applied were well settled in South African law, and the two cases were factually distinguishable.
The judge also stated that there were no reasonable prospects of success on appeal as another court would likely reach the same conclusion. He also observed that the Rosses expert witness did not possess the requisite expertise to give evidence on the manner in which banks monitor customer accounts.

Conclusion

The key takeaway from this case is that a bank does not have a broad legal obligation to safeguard non-customers from financial losses resulting from its account holders’ fraudulent actions. Put simply, unless the bank knew, or reasonably ought to have known, of suspicious or fraudulent activities, it cannot be held liable for losses caused by its customers. Furthermore, it serves as a reminder for everyone to be more vigilant. Remember to always verify bank account details directly with the intended recipient before transferring funds into an account.
This case highlights the significant legal hurdles faced by victims of cyber fraud who seek to recover their losses from the bank. The court reaffirmed the principle that liability for pure economic loss arises only where public or legal policy considerations justify imposing a duty of care. Because the Rosses were not Nedbank customers, and no specific legal duty was established under FICA or the common law, the bank could not be held liable for their loss.
The judgment ultimately underscores two key points: that banks do not owe a legal duty to protect non-clients from the fraudulent conduct of their account holders, and that individuals and businesses must exercise vigilance when making electronic payments. The case serves as a cautionary reminder that the primary responsibility for verifying banking details before transferring funds rests with the payer.
For further assistance, consult an attorney at SchoemanLaw.

related news & insights.

  • 16/03/2026||Common Law||||6.9 min||

    Disciplinary Warnings and Progressive Discipline in South African Labour Law: Purpose, Application, and Legal Consequences

  • 16/03/2026||Common Law||||5.4 min||

    Cyber Law in South Africa: A Legislative Framework for the Regulation of the Digital Environment