FREE SAMPLE from ‘A Practical Guide to Cyber Fraud Litigation’ by Matthew McGhee



Where a person has been the victim of a fraud, the most obvious target for any civil recovery action is the person who perpetrated that fraud in the first place.

However, one of the primary difficulties in any instance of cyber fraud is that the perpetrators may not be immediately, personally identifiable. Cyber fraudsters can remain largely anonymous, perpetrating the fraud and escaping with the proceeds before anyone is aware of the presence or identity of the fraudster. Taking the example above of a fraudster interfering with a legitimate transaction between a buyer and a seller, the buyer may unwittingly be corresponding with the fraudster (by email, for example) without being aware that the fraudster is not in fact the seller. When the buyer later discovers the fraud, the buyer may have great difficulty in discovering for itself the identity of the (now-escaped) fraudster.

This section considers how claims can be issued and pursued against anonymous fraudsters, explaining how those fraudsters may be identified or alternatively how recovery can be achieved even the fraudster remains stubbornly anonymous.

The options available

Broadly, there are two ways by which a prospective claimant can go about identifying and bringing proceedings against (not necessarily in that order) anonymous fraudsters:

The conventional way is for the claimant to follow a two-step process. First, the claimant will take steps to identify the anonymous fraudster. Assuming that this cannot be done by the prospective claimant’s own investigations, supported as necessary by professional assistance, the prospective claimant can seek assistance from the court. In particular, the claimant can seek disclosure orders against third parties for information which might identify the fraudster. Once the fraudster has been unveiled, the claimant can issue a claim against that named fraudster in the ordinary way.

The alternative approach is for the claimant to simply issue a claim against a class of persons unknown, defined to include the anonymous fraudster, and litigate accordingly. The claimant may proceed all the way to judgment against the persons unknown, but it is also open to the claimant to take steps to identify some or all of the persons unknown in the intervening period between issuing the claim and judgment.

Each of these approaches will be discussed below. Which will be appropriate in any given case will vary on the precise facts. If speed of action is of paramount importance, such as where the fraud has recently been perpetrated, the alternative approach is often best. This is because the claim can be issued immediately and protective relief (such as freezing injunctions) obtained very quickly.

However, the alternative process does involve committing to commencing a full claim and, as will be seen, often making an array of applications. The cost of this, coupled with the inevitable risk of dissipation in cyber fraud cases, may mean that this is not a commercially feasible option for some complainants. In short, the game may not be worth the candle. Equally, where significant sums have been misappropriated, this represents a swift and effective way to take significant steps towards making up lost ground on the fraudsters.

By contrast, the conventional approach first looks at how easy (or not) it is to identify the fraudster and any misappropriated assets. It is more targeted and thus likely to be less costly. The results of the investigation will allow a complainant to make an informed decision about whether it is worth expending further costs in pursuing the fraudster or whether the complainant is better served by considering action against persons other than those responsible for perpetrating the fraud itself. This is particularly appropriate where time is less critical, such as where a significant period of time has elapsed between the fraud itself and its discovery (or, as regrettably can happen, the complainant consulting its legal advisers as to its options on discovery).

A further variation is where the complainant has no real interest in identifying the fraudster. If, for example, the misappropriated sums were paid into a bank account and the bank servicing that account confirms that it has already been frozen, the claimant may have no interest in uncovering the identity of the account holder. The claimant may instead prefer to simply pursue judgment against persons unknown and a proprietary order that the sums paid into the frozen account are the claimant’s property and thus to be repaid.

The conventional approach to piercing anonymity

As stated above, the conventional way to bring proceedings against an anonymous fraudster is to first pierce the cloak of anonymity, before issuing a claim against the fraudster thus-identified. The various claims which may be available against the fraudster are discussed later in this guide. This section focuses on the means by which the fraudster can be identified.

Disclosure pursuant to the Norwich Pharmacal jurisdiction

The equitable jurisdiction of the court to make disclosure orders against third parties who get mixed up in wrongdoing was established in Norwich Pharmacal Co v Customs and Excise Commissioners [1974] AC 133. In that case, HMRC were found to have a duty to disclose the names of patent infringers, whose goods had (innocently) passed through HMRC’s hands. Lord Reid (at 175) explained the principle as follows:

that if through no fault of his own a person gets mixed up in the tortious acts of others so as to facilitate their wrong-doing he may incur no personal liability but he comes under a duty to assist the person who has been wronged by giving him full information and disclosing the identity of the wrongdoers. I do not think that it matters whether he became so mixed up by voluntary action on his part or because it was his duty to do what he did. It may be that if this causes him expense the person seeking the information ought to reimburse him. But justice requires that he should co-operate in righting the wrong if he unwittingly facilitated its perpetration.

As summarised by Lightman J in Mitsui & Co Ltd v Nexen Petroleum UK Ltd [2005] 3 All ER 511 at [21]:

The three conditions to be satisfied for the court to exercise the power to order Norwich Pharmacal relief are:

i) a wrong must have been carried out, or arguably carried out, by an ultimate wrongdoer;

ii) there must be the need for an order to enable action to be brought against the ultimate wrongdoer; and

iii) the person against whom the order is sought must: (a) be mixed up in so as to have facilitated the wrongdoing; and (b) be able or likely to be able to provide the information necessary to enable the ultimate wrongdoer to be sued.

A claim under the Norwich Pharmacal jurisdiction is a claim for equitable relief. The court therefore retains discretion as to whether or not to it. In Rugby Football Union v Consolidated Information Services Ltd [2012] 1 WLR 3333 at [17], Lord Kerr (non-exhaustively) summarised various factors which weigh in the discretion as follows (references omitted):

The essential purpose of the remedy is to do justice. This involves the exercise of discretion by a careful and fair weighing of all relevant factors. Various factors have been identified in the authorities as relevant. These include: (i) the strength of the possible cause of action contemplated by the applicant for the order…; (ii) the strong public interest in allowing an applicant to vindicate his legal rights…; (iii) whether the making of the order will deter similar wrongdoing in the future…; (iv) whether the information could be obtained from another source…; (v) whether the respondent to the application knew or ought to have known that he was facilitating arguable wrongdoing…; (vi) whether the order might reveal the names of innocent persons as well as wrongdoers, and if so whether such innocent persons will suffer any harm as a result…; (vii) the degree of confidentiality of the information sought…; (viii) the privacy rights under article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms of the individuals whose identity is to be disclosed…; (ix) the rights and freedoms under the EU data protection regime of the individuals whose identity is to be disclosed…; (x) the public interest in maintaining the confidentiality of journalistic sources…

On its face, therefore, the Norwich Pharmacal jurisdiction is a broad one. It is often used in cases of cyber fraud to seek disclosure from banks where those banks have become mixed up in the fraud by receipt of its proceeds and are likely to have information about the subsequent whereabouts of those proceeds and the identity of the person controlling the account. However, the jurisdiction is not limited to disclosure of such information. It may also be used to seek further about the wrongdoing and its extent so as to identify the claimant’s causes of action (in P v T Ltd [1997] I WLR 1309, for example, the court made an order for disclosure of certain information which was required for the claimant to ascertain whether it had a cause of action against a third party, and if so what).

That said, there are some limitations on the jurisdiction:

First, the claim will be difficult to make against persons outside of the jurisdiction. Following AB Bank v Abu Dhabi Commercial Bank [2016] EWHC 2082 (Comm), it is not possible to obtain permission to serve the claim for relief out of the jurisdiction. Teare J in AB Bank held that none of the jurisdictional gateways in CPR PD6 para 3.1 were applicable. In particular: the claim is not for an “interim remedy”, as it is final as between the parties; the court is not order for an “act within the jurisdiction” because it is to be performed by the foreign defendant in their own jurisdiction; and the defendant was not a “necessary and proper party” to the claim against the wrongdoer as there would be no claim against the defendant.

The only way in which a claim may be made against a person outside of the jurisdiction is where permission to serve out is not required. For example, in Sabados v Facebook Ireland [2018] EWHC 2369 (QB), Norwich Pharmacal relief was granted against a company based in Ireland.

That said, in cases of fraud, the court has shown a willingness to exercise a broad discretion. In Credit Suisse Trust v Banca Monte Dei Paschi Di Siena [2014] EWHC 1447 (Ch) at [12]-[14], HHJ Waksman QC allowed a claim for Norwich Pharmacal relief against an Italian bank where the case was plainly one of fraud and the information held by the Italian bank could be obtained by the actions of its English branch complying with the court’s order. Although this case predates the decision in AB Bank, it may be argued that no permission to serve out is required (and thus the difficulty in AB Bank) not encountered where the court is able to make orders against a branch which is within the jurisdiction.

Second, conversely, it is not permitted to claim Norwich Pharmacal relief to obtain evidence for the purpose of foreign proceedings. In Ramilos Trading v Buyanovsky [2016] EWHC 3175 (Comm), Flaux J ruled that the existence of the Evidence (Proceedings in Other Jurisdictions) Act 1975 excludes the availability of Norwich Pharmacal relief in such cases. Flaux J followed the approach set out by the Court of Appeal in R (Omar) v Secretary of State for Foreign Affairs [2013] EWCA Civ 118, regarding the Crime (International Co-operation) Act 2003.

However, it is interesting to note that other jurisdictions have declined to follow this approach. In the BVI case of K&S v Z&Z BVIHCM(COM) 2020/0016, the court held that Norwich Pharmacal relief was available notwithstanding that the BVI Evidence (Proceedings in Foreign Jurisdictions) 1988 as materially the same as the UK’s 1975 Act.

Third, relief may be sought against respondents who are not considered to be wholly innocently mixed up in the wrongdoing, though the court will be careful in such cases. As a matter of principle, Norwich Pharmacal relief is not contingent on the respondent being innocent; being innocent merely does not operate as a barrier to relief. Thus, in Ashworth Hospital Authority v MGN Ltd [2002] 1 WLR 2033 at [30], Lord Woolf CJ explained that:

what is required is involvement or participation in the wrongdoing and that if there is the necessary involvement, it does not matter that the person from whom discovery is sought was innocent and in ignorance of the wrongdoing by the person whose identity it is hoped to establish.

The judge confirmed this at [58], stating that the “requirement” is “that the person from whom disclosure is sought must have been involved, whether innocently or otherwise, in the wrongdoing”.

However, care must be taken when seeking Norwich Pharmacal relief against persons who may be legally responsible for the wrongdoing. Although Norwich Pharmacal relief is not a ‘last resort’ route to obtain the required information, the court may consider that relief ought not to be granted against a particular respondent if that are other means by which that information could reasonably be sought. It may be that the respondent also has a privilege against self-incrimination which would operate as a partial defence to any order.

Benhurst Finance Ltd v Colliac [2018] EWHC 2188 (QB) is a recent example of Norwich Pharmacal relief granted against a party who was not said to be innocently involved in the wrongdoing. Norwich Pharmacal relief was sought against an individual who the applicant was seeking to join to separate Swiss arbitration proceedings, with the information sought by the relief being intended for use in that arbitration. The court allowed the claim for relief, ruling that there was no more suitable route to obtain the relief.

Fourth, a potential applicant needs to give consideration as to whether or not to make the application ex parte. Generally, an applicant should give at least short notice to the intended respondent, even if that short notice means that the application will formally be made ex parte with the attendant duties of full and frank disclosure. The alternative would be to seek minimal disclosure at the ex parte hearing, arranging a return date to take place on full notice but relatively shortly after the initial hearing. This latter order was made in Asiya Asset Management (Cayman) Ltd v Dipper Trading Co Ltd [2019] HKCFI 1090, where the Hong Kong court refused to allow the full application to be made ex parte. The claimant was only granted disclosure which was limited to the balance of the target bank account, coupled with a non-disclosure order, pending a return date.

If an applicant does decide to make the application ex parte, it is necessary to demonstrate why that it required, with the court scrutinising any explanation given. In particular, the applicant will need to show either real urgency (in which case any delay in making the application should be explained) or that secrecy is justified on the basis that to make an inter partes application would allow the purpose of the application to be defeated (which is likely to only be applicable where the third party against whom disclosure orders are sought is suspected, on substantial grounds, of being likely to notify the perpetrators of the underlying wrongdoing).

Disclosure pursuant to the Bankers Trust jurisdiction

In addition to the Norwich Pharmacal jurisdiction, the court has an equitable jurisdiction derived from Bankers Trust v Shapira [1980] 1 WLR 1274. There is some uncertainty as to whether these two jurisdictions stem from the same or different sources. It would seem that they are, though similar, separate jurisdictions: Murphy v Murphy [1999] 1 WLR 282. This is affirmed by the divergence between the two jurisdictions as to whether they can be applied to individuals outside of the jurisdiction, as discussed below.

In Bankers Trust, fraudsters presented a forged cheque to Bankers Trust, who on the strength of that document paid money to the fraudsters’ account with Discount Bank. Bankers Trust subsequently brought an action against Discount Bank, claiming that Discount Bank should disclose various documents relating to the fraudsters and their account. Lord Denning MR, giving the lead judgment of the Court of Appeal, held (at 1282, references omitted) that:

So here the Discount Bank incur no personal liability: but they got mixed up, through no fault of their own, in the tortious or wrongful acts of these two men: and they come under a duty to assist the Bankers Trust Co. of New York by giving them and the court full information and disclosing the identity of the wrongdoers. In this case the particular point is “full information.”

This new jurisdiction must, of course, be carefully exercised. It is a strong thing to order a bank to disclose the state of its customer’s account and the documents and correspondence relating to it. It should only be done when there is a good ground for thinking the money in the bank is the plaintiff’s money – as for instance when the customer has got the money by fraud – or other wrongdoing – and paid it into his account at the bank. The plaintiff, who has been defrauded, has a right in equity to follow the money. He is entitled, in Lord Atkin’s words, to lift the latch of the banker’s door… . The customer, who has prima facie been guilty of fraud, cannot bolt the door against him.

Owing to his fraud, he is disentitled from relying on the confidential relationship between him and the bank… . If the plaintiff’s equity is to be of any avail, he must be given access to the bank’s books and documents – for that is the only way of tracing the money or of knowing what has happened to it… . So the court, in order to give effect to equity, will be prepared in a proper case to make an order on the bank for their discovery. The plaintiff must of course give an undertaking in damages to the bank and must pay all and any expenses to which the bank is put in making the discovery: and the documents, once seen, must be used solely for the purpose of following and tracing the money: and not for any other purpose. With these safeguards, I think the new jurisdiction – already exercised in the three unreported cases – should be affirmed by this court.

The principles governing the Bankers Trust principle were discussed by Warby J in Kyriakou v Christie Manson & Woods Ltd [2017] EWHC 487 (QB) at [12]-[19]:

First, there must be good grounds for concluding that the money or assets about which information is sought belonged to the claimant; secondly, there must be a real prospect that the information sought will lead to the location or preservation of such assets; and thirdly, the order should, so far as possible, be directed at uncovering the particular assets which are to be traced. … the fourth principle; namely that interests of the claimant in obtaining the order must be balanced against the possible detriment to the respondent in complying with the order, … Fifthly (and finally), it is established that the applicant must provide undertakings, first of all to pay the expenses of the Respondent in complying with the order; secondly, to compensate the respondent in damages, should loss be suffered as a result of the order; and thirdly, only to use the documents or information obtained for the purpose of tracing the assets or their proceeds.

A particular strength of orders under the Bankers Trust jurisdiction, as compared with Norwich Pharmacal, is that they may be granted against parties outside of the jurisdiction notwithstanding the authority of AB Bank in respect of Norwich Pharmacal orders. In CMOC v Persons Unknown [2018] EWHC 2230 (Comm) (cf. [2017] EWHC 3599 (Comm) at [10]), such orders were made against international banks in foreign jurisdictions (i.e. not their branches within the jurisdiction) to require those banks to provide information about accounts which had received the misappropriated proceeds of a cyber fraud. The jurisdictional basis for this is MacKinnon v Donaldson, Lufkin and Jenrette Securities Corporation [1986] Ch 482 at 498F-499A, which confirms that the Bankers Trust jurisdiction has extra-territorial effect in the following terms:

In Bankers Trust Co. v. Shapira the order was made against an English bank in respect of an account maintained in London. The question of international jurisdiction was not considered. However, in one of the cases cited by the Court of Appeal, London and County Securities Ltd. (In Liquidation) v. Caplan (unreported), 26 May 1978, Templeman J. had ordered an English bank to procure from its foreign banking subsidiaries documents relating to accounts connected with the defendant in order to trace assets which he was said to have embezzled. Templeman J. described the relief which he was granting as “onerous and … to be granted only in the most exceptional circumstances.” The exceptional circumstances were that the case was one of crime and fraud where “unless effective relief is granted, justice may well become impossible because the evidence and the fruits of crime and fraud may disappear.” The foreign subsidiary banks were indemnified against liability in damages under the local law by the cross-undertaking in damages and the infringement of sovereignty was excused by a commercial equivalent of hot pursuit.

In my judgment, the authorities on Bankers Trust Co. v. Shapira [1980] 1 W.L.R. 1274 discovery against a bank are consistent with what seems to me to be correct in principle, namely, that its international jurisdictional limits are the same as those of a subpoena duces tecum or an order under the Bankers’ Books Evidence Act 1879.

The approach taken in CMOC, avoiding the difficulties encountered with regards Norwich Pharmacal orders in AB Bank, in respect of Norwich Pharmacal orders has been doubted. In AA v Persons Unknown [2020] 3 WLR 35 at [44]-[49], Bryan J queried whether the orders were correctly granted in CMOC in the face of the authority of AB Bank, though did not need to determine the matter on that occasion: at [69]. This is a matter which will need to be determined in the future, but at present it would seem that the position in Mackinnon and CMOC may be relied on.

Terms of disclosure orders

Naturally, it is advisable that a party seeking disclosure orders is as specific as reasonably practicable as to the information and documents sought by the order. The claimant should ensure that the terms of the disclosure order sought are clear and specific, targeted at information or documents to which the claimant considers it is entitled and which is reasonably necessary for the order’s purpose (such as discovering the identity of the fraudster, or uncovering details of the fraud as perpetrated).

The claimant may wish to make an allowance for documents which would be disclosable (i.e. meeting the description of documents to be disclosed under the order) but for some other characteristic. A common example of such a characteristic is privilege; it can be good practice to include an express exception to the disclosure obligation imposed by the order where the disclosing party considers that an otherwise-disclosable document is privileged. The order can provide that the disclosing party is permitted to withhold such documents, provided that the party notify the claimant of the general nature of the document and (in broad terms) the reason why the disclosing party considers that it is entitled to withhold disclosure of the same. The claimant can then decide whether it wishes to probe, or challenge, the reason given by the disclosing party.

When dealing with third parties in other jurisdictions, it may be advisable to consider making similar exceptions to accommodate any obligations that third party might owe under their local law. For example, again taking the example of a bank providing disclosure, there are various jurisdictions which have stringent banking secrecy laws. A claimant should avoid, so far as possible, putting the third party in a position where its obligations under an English court order and its local law obligations conflict.

A further protection which an applicant may wish to consider including as part of a disclosure order is imposing confidentiality obligations in respect of material disclosed to the applicant by the disclosing party. To take the common example of a bank giving disclosure in a case of fraud, it may be that the bank’s customer (in respect of whose account the disclosure order is sought) has been innocently caught up in the wrongdoing, as the fraudster may have illicitly obtained access to the customer’s account to facilitate the fraud. In such instances, the customer will have certain rights to privacy which the applicant will need to respect. To mitigate the potential injury to the rights of innocent third parties, and to facilitate the initial grant of the order (insofar as the court is required to balance the possible harm to the person whose information is to be disclosed), the applicant may wish to include provisions in the order which require the disclosed information to be kept separately and only disclosed to certain classes of person.

In circumstances where the disclosure orders are sought as the first step following discovery of the fraud, the claimant should…