Electronic funds transfers (EFTs) have become the backbone of modern commercial transactions. Wire payments, automated clearing systems, online banking platforms, and digital authorization tools allow businesses to move substantial sums within seconds. While these systems enhance efficiency, they also create opportunities for fraud.

Business email compromise schemes, phishing attacks, spoofed vendor instructions, and unauthorized wire transfers are now common features of commercial litigation in Ontario. When funds are diverted or misdirected, the immediate question becomes urgent and complex: who bears the loss?

In commercial disputes involving electronic funds transfer fraud, liability may rest with the business that authorized the payment, the financial institution that processed it, an employee who failed to follow internal controls, or even a third-party fraudster. The answer depends on contractual allocation of risk, negligence principles, statutory duties, and evolving case law.

The Rise of Electronic Funds Transfer Fraud

Electronic funds transfer fraud typically arises in one of several scenarios. A fraudster gains access to a company’s email system and sends altered payment instructions. A supplier’s account information is changed without proper verification. An employee receives convincing instructions that appear to originate from senior management. Alternatively, a cybercriminal intercepts communications and redirects a wire payment.

The sophistication of these schemes has increased significantly. Fraudsters frequently exploit social engineering tactics rather than technological vulnerabilities. The deception often appears legitimate, and payments are authorized internally before the fraud is detected.

By the time the loss is discovered, the funds may have been transferred through multiple accounts and jurisdictions. Recovery becomes difficult and time-sensitive.

Legal Framework Governing EFT Fraud in Ontario

Ontario does not have a single statute governing civil liability for electronic funds transfer fraud. Instead, liability is determined through a combination of contract law, negligence principles, common law fraud doctrines, and banking regulations.

In commercial relationships, the starting point is typically the contractual agreement between the customer and the financial institution. Banking agreements often contain provisions allocating risk for unauthorized or fraudulent transfers. These clauses may define what constitutes “authorization,” establish verification obligations, and limit the bank’s liability.

However, contractual provisions are not absolute. Courts will examine whether the bank complied with its own security procedures and whether those procedures were commercially reasonable.

Beyond contractual analysis, negligence principles may apply. A party that fails to exercise reasonable care in verifying payment instructions may bear responsibility for the resulting loss.

Authorization and the Allocation of Risk

One of the central legal issues in EFT fraud cases is whether the transfer was “authorized.” If a business employee initiates a transfer believing it to be legitimate, the payment may technically be authorized under the banking agreement. In such cases, the loss often remains with the business.

Ontario courts have generally held that where an employee with signing authority authorizes a payment—even if induced by fraud—the bank may not be liable unless it failed to follow agreed security protocols.

However, if a transfer occurs without any authorization, or if the bank fails to adhere to mandatory verification procedures, liability may shift. The precise wording of the banking contract becomes critical. Commercial clients should understand that many agreements impose strict duties to safeguard login credentials and verify transactions.

The Role of Commercial Reasonableness

Even where contractual provisions appear to allocate risk to the customer, courts may assess whether the bank’s security measures were commercially reasonable.

If a bank ignores obvious red flags—such as unusual transaction amounts, deviations from established patterns, or known security breaches—its conduct may be scrutinized.

Ontario courts recognize that financial institutions have specialized expertise in detecting suspicious activity. While they are not insurers against fraud, they must exercise reasonable care consistent with industry standards. Disputes often hinge on expert evidence regarding banking practices and cybersecurity protocols.

Contributory Negligence and Internal Controls

In many cases, responsibility is shared. Businesses that lack adequate internal controls may face allegations of contributory negligence. For example, failure to implement dual authorization procedures, inadequate employee training, or ignoring cybersecurity warnings can weaken a recovery claim.

Courts will consider whether the company maintained reasonable safeguards in light of the size of its operations and the volume of transactions conducted. Where internal weaknesses contribute to the fraud, damages may be apportioned between the parties under Ontario’s Negligence Act.

Employee Fraud and Vicarious Liability

Electronic funds transfer fraud sometimes involves internal actors. An employee with legitimate access may divert funds for personal gain.

In these circumstances, the employer may bear the loss as a result of vicarious liability principles. Employers are generally responsible for the acts of employees committed within the scope of employment.

Recovery may be pursued against the employee directly, but practical recovery is often limited. If a financial institution processed transactions that were facially irregular or inconsistent with known patterns, it may still face exposure.

Financial Institution Duties and Standard of Care

Financial institutions owe duties to their customers grounded in contract and tort. Banks must comply with the terms of their agreements, including authentication procedures. They must also exercise reasonable skill and care in executing payment instructions.

However, courts recognize that banks process enormous transaction volumes daily. They are not expected to investigate every payment instruction absent specific warning signs.

The question often becomes whether the transaction was so unusual that it should have prompted further inquiry. Each case turns on its facts.

Business Email Compromise and Social Engineering Fraud

Business email compromise (BEC) schemes have generated significant litigation. In these cases, a fraudster impersonates a trusted executive or vendor and provides revised wire instructions. An employee, believing the instructions to be legitimate, processes the payment.

Because the transfer is internally approved, banks frequently argue that the payment was authorized and therefore outside their liability.

Businesses, in turn, may argue that the bank failed to detect anomalies or that security measures were inadequate. Ontario courts have increasingly emphasized the importance of robust internal verification procedures in preventing these losses.

Recovery Strategies Following EFT Fraud

Immediate action is critical when electronic funds transfer fraud is discovered. Time-sensitive remedies may include freezing orders (Mareva injunctions) to prevent further dissipation of assets. Norwich orders may compel third parties, including banks, to disclose information about recipient accounts.

Tracing remedies may be available where funds can be identified in specific accounts. Constructive trust claims may arise in appropriate circumstances.

Because fraudulent transfers often move rapidly across borders, coordinated legal action may be required in multiple jurisdictions. Early engagement with experienced commercial litigation counsel significantly improves recovery prospects.

Insurance Coverage and Indemnity Issues

Another layer of complexity arises from insurance coverage. Commercial crime policies, cybersecurity policies, and fidelity bonds may respond to electronic funds transfer fraud. Coverage disputes frequently arise over policy wording, particularly where losses result from social engineering rather than direct hacking.

Insurers may argue that voluntary transfers are excluded from coverage. Policy interpretation becomes a separate litigation issue. Businesses facing substantial losses should conduct immediate policy reviews to preserve coverage rights.

Limitation Periods in Fraud Claims

Ontario’s Limitations Act establishes a two-year limitation period from the date a claim is discovered. In fraud cases, discovery may be delayed where the wrongdoing was concealed. Courts apply a fact-specific analysis to determine when the plaintiff knew or ought to have known of the loss. Prompt legal assessment is essential to avoid limitation defences.

Risk Management and Preventative Measures

While litigation may provide remedies, prevention remains critical.

Courts increasingly expect commercial entities to implement reasonable cybersecurity safeguards. Multi-factor authentication, dual authorization processes, independent verification of wire changes, and employee training are now considered standard risk management tools.

Failure to adopt such measures may influence liability assessments in subsequent disputes. As electronic commerce continues to expand, judicial expectations will evolve alongside technological standards.

The Evolving Landscape of EFT Fraud Litigation

Electronic funds transfer fraud presents complex intersections of contract, negligence, fiduciary duty, and emerging cybersecurity standards.

Toronto businesses operate in a global marketplace where rapid digital transactions are unavoidable. The legal allocation of risk depends not only on contractual language but also on the conduct of the parties and the reasonableness of their security practices.

For financial institutions, clear contractual drafting and consistent enforcement of security protocols are essential. For businesses, rigorous internal controls and swift response strategies are equally critical.

When disputes arise, early strategic litigation planning can preserve assets, secure evidence, and position the claim for effective resolution.

Electronic Funds Transfer Fraud in Toronto? Contact Milosevic & Associates

If your business has suffered a loss due to wire fraud, business email compromise, unauthorized electronic transfers, or banking negligence, immediate legal action may be necessary to preserve your recovery options.

The commercial litigation lawyers at Milosevic & Associates represent corporations, shareholders, and financial institutions in complex electronic funds transfer fraud disputes. The firm pursues urgent freezing orders, asset tracing remedies, and civil fraud claims while addressing banking liability and insurance coverage issues. To schedule a confidential consultation, please contact us online or call (416) 916-1387.
