Abacus Parenteral Drugs Limited v Stanbic Bank (U) Limited (Civil Suit 322 of 2022) [2025] UGCommC 58 (9 April 2025) | Banker Customer Relationship | Esheria

Abacus Parenteral Drugs Limited v Stanbic Bank (U) Limited (Civil Suit 322 of 2022) [2025] UGCommC 58 (9 April 2025)

Full Case Text

# **THE REPUBLIC OF UGANDA IN THE HIGH COURT OF UGANDA AT KAMPALA (COMMERCIAL DIVISION) CIVIL SUIT NO. 0322 OF 2022**

## **ABACUS PARENTERAL DRUGS LIMITED ::::::::::::::::::::::: PLAINTIFF VERSUS STANBIC BANK (U) LIMITED :::::::::::::::::::::::::::::::::: DEFENDANT**

## **Before: Hon Justice Cornelia Kakooza Sabiiti**

## **JUDGMENT**

## **Introduction**

- 1. The plaintiff instituted this suit against the defendant for negligence, breach of statutory obligations and breach of contract occasioning financial loss to the tune of UGX 2,203,503,381 (Two Billion Two Hundred Three Million Five Hundred Three Thousand Three Hundred Eighty-One Uganda Shillings). - 2. The plaintiff sought; a declaration that the defendant acted negligently and in breach of its statutory and contractual obligations in wrongfully debiting the plaintiff's Account Number 9030005623935 occasioning financial loss; an order compelling the defendant to refund the sum of UGX. 2,203,503,381, general damages, exemplary damages, interest and costs of the suit.

## The Plaintiff's case

3. In its plaint, the plaintiff averred that it holds several accounts with the defendant including Account Number 9030005623935. That in a bid to ease its daily financial reconciliations and for salary payments for its staff at its Mukono factory, the plaintiff on the 12th May 2010 applied and obtained from the defendant online banking services in respect of the Account. The plaintiff authorised Mr. Arthur Moses Buyemba and Mr. Rao Venkato Chakka Subba to utilise the online service on its behalf.

- 4. However, upon an audit on the Account transactions, the plaintiff discovered that between the months of November 2015 and March 2018, the defendant honoured a number of payments over the Account and resultantly a total sum of UGX 2,203,503,381 was debited without the plaintiff's knowledge and/or authorisation. - 5. The Plaintiff further discovered that all the recipient accounts were held with the defendant which had the full particulars of the beneficiary accounts and should have ascertained the true beneficiary bank names before effecting the wrong withdraws. The plaintiff averred that it had suffered great financial loss occasioned by the defendant's negligence, breach of contract and breach of statutory obligations.

### The Defendant's case

6. In its written statement of defence, the defendant denied liability and contended that the plaintiff was given the take on documents which clearly place the risk of operation of the online banking platform system upon the plaintiff. That the online service is an STP (straight through process) where the authority to initiate, verify, confirm and authorize a transaction on the customer's account sits with the owner of the account. Further that the defendant provided an online technology platform that enabled the customer to be in full charge of all transactions on its account without any intervention from the defendant at any stage.

7. The defendant also stated that the plaintiff was contributorily negligent in (a) using officers who could have abused their mandate, (b) failing to detect the payments in question for a long time despite having online viewing rights and access to its account, (c) allowing its officials to transfer funds to payees not identified by proper name, and (d) making payments for an improper purpose. The defendant prayed that the suit be dismissed with costs.

#### **Representation**

8. The plaintiff was represented by **M/s Shonubi Musoke & Co. Advocates** and the defendant by **M/s S&L Advocates.**

#### **Issues**

- 9. During scheduling, the following issues for determination were adopted by court; - i. Whether the defendant breached the banker-customer relationship? - ii. Whether the plaintiff was contributorily negligent and if so to what extent? - iii. What remedies are available to the parties?

#### **Hearing**

10. During trial**,** the plaintiff led evidence through Mr. Raymond Muntu **(PW1)** its former Regulatory and Brand Protection Manager, and Mr. Venkata Subba Rao Chakka **(PW2)** the former Finance Manager. The defendant presented one witness; Mr. Bukenya Ronald **(DW1)** – the Business Online Officer for the defendant bank.

11. The burden of proof as to any particular fact lies on that person who wishes the court to believe in its existence, unless it is provided by any law that the proof of that fact shall lie on any particular person (*See; Section 103 of the Evidence Act Cap 8.***).** The burden remains on the plaintiff to prove the case on the balance of probabilities as held in the case of **Yoswa Kityo vs Eriya Kaddu (1982) HCB 58.**

## **The Evidence**

12. **PW1,** the plaintiff's former Regulatory and Brand Protection Manager (2014- 2019), testified that the plaintiff company opened an account number - 9030005623935 with the defendant bank, and on 12th May 2010 applied for and obtained online banking services. PW1 testified that between November 2015 and March 2018, the defendant bank honoured a number of unauthorised and illegal payments to disguised or fictitious accounts amounting to UGX 2,203,503,381/= contained in the abridged bank statement in **PEX.5** which is summarised in the **Table 1** below:

| No. | Account Number | Account Name | Amount<br>(UGX) | | |-----|----------------------------|---------------------|-----------------|--| | 1. | 9030013816319 | Hope Kabajjungu | 804,510,193/= | | | | Stanbic Mukono<br>Branch | | | | | 2. | 9030011572099 | Hope Kabajjungu | 1,112,564,811/= | | | | Stanbic Forest Mall Branch | | | | | 3. | 9030000876479 | Muwonge<br>Nakiriza | 250,409,077/= | | | | Stanbic Mukono Branch | Marion | | | | 4. | 90300006053547 | Alice Amooti | 15,604,000/= | | | | Stanbic Mukono Branch | | | | | 5. | 9030013776767 | Andrew Mbirige | 20,494,300/= | | | | Stanbic Mukono Branch | | | | | | Total | 2,203,582,381 | | |

- 13. PW1 testified that whereas the payments were made to the holders of the above accounts, the transaction description for the payments indicated other beneficiary account names of service providers/vendors including Nunu Transporting Agency, Sion Hardware Ltd, Tosi Printer, Victoria Nile Plastics Limited, Mpeewo General Contractors and Skim Services Ltd among others. PW1 further stated in his evidence that the account beneficiary names did not correlate with the account numbers to which the scheduled payments were to be made. That the plaintiff company did not authorise the payments, and the defendant bank did not discharge its legal and contractual mandate in ensuring that the account numbers to which the impugned payments were made correlated with the beneficiary names shared by the plaintiff company. Further that the defendant bank ought to have declined the payment instructions or reverted the money back, and as such breached its duty when it honoured the payments. - 14. During cross-examination, PW1 testified that the Mr. Buyemba Arthur Moses the Finance Manager of the plaintiff company filled out the payment instructions. That prior to 2015, the online platform had an initiator- Mr. Buyemba and an authoriser – Mr. Shuba (PW2) who left the company and was replaced by Mr. Chakkur who in turn left four months later, after which Mr. Buyemba become both initiator and authoriser. - 15. PW2's evidence was that between October 2009 and April 2015 he was employed as Finance Manager of the plaintiff company. That at the time he joined the company, the Accounts Manager was Mr. Buyemba Arthur Moses. PW2 recounted that in 2010 a resolution was passed by the plaintiff company authorising electronic banking and PW2 together with Mr. Buyemba signed the online banking services agreement on behalf of the company (**PEX.3**). That at

the time of installing e-banking, the main purpose was to view and download bank statements. That in 2013, the online banking system was upgraded to include payment of salaries and labour contracts and the plaintiff company signed off the authorisation for the same (**PEX.4**).

- 16. It was PW2's evidence that the process of making payments included sending a payment request to the defendant bank which would confirm the details and proceed to make payment. That in 2013, the plaintiff company started paying labour contractors and salaries online, the two step process included an initiator (Mr. Buyemba) and the approver (PW2) who each had individual passwords. PW2 stated that by the time of his departure from the plaintiff company, no payments had been made to suppliers. - 17. During cross- examination, PW2 reiterated that the main purpose of opening the account was to pay salaries and labour contractors only but not vendors/ suppliers. That the company had a Crane Bank account from which all vendors were being paid. PW2 also clarified that during the six-year period that he used the system, there were no discrepancies. Further that, the data entry and approval system ended with the plaintiff company. - 18. DW1**-** the Business Online Officer who joined the defendant bank in 2012 testified that the plaintiff enrolled the electronic payment system in June 2010. That initially, the system was installed with on user feature to view bank statements but was later upon application by the plaintiff, allowed to make payments online. That this feature had two users who were employees of the plaintiff bank, where one user would initiate transactions and upload beneficiary details, and the other user would verify, confirm and authorise payments.

- 19. DW1 stated in his evidence that all the questioned payments the subject of the suit were made to account numbers and names of beneficiaries written and verified by the plaintiff's authorised users. The system was a straight through process which enabled the account holder to make payments off its account to beneficiaries without the intervention of the bank. Further that, the system did not validate the account name but only the account number. That validation of account name and account number is applicable to inter-bank transfers, however, all the questioned payments were inter-account transactions. - 20. During cross-examination, DW1 stated that no verifications were done by the bank in respect of transfers made to accounts held in the bank. Further that in this instance, no reversals were done even when the monies were sent to holders of Stanbic bank accounts where the beneficiary names were in error.

## **RESOLUTION**

#### **Issue No. 1:** *Whether the defendant breached the banker-customer relationship?*

- 21. Counsel for the plaintiff submitted that the defendant bank acted negligently by allowing the transfer and/or payment of the specified amounts through its electronic system without verifying the accuracy and completeness of the beneficiary account details. That consequently, this constituted a breach of both its contractual and statutory obligations. - 22. Counsel for the plaintiff relied on the decision in **Esso Petroleum Company V Uganda Commercial Bank S. C. C. A No. 14 of 1992** and **Mobil (U) Limited V Uganda Commercial Bank (1982) HCB 64** to argue that the relationship between a banker and its customer is premised on a contract. That under clause

**4.4.4 of the Business Online Agreement** (**PEX.3**) executed between the parties, the defendant bank undertook to reject instructions including payments, collections and transfers that were incorrect, incomplete or not in accordance with the operational regulations, or inconsistent with an arrangement with the bank.

- 23. Counsel asserted that it is not in dispute that UGX. 2,203,503,381/= was transferred via the defendant's electronic banking system to erroneous beneficiaries' accounts based on incorrect beneficiary details. That the defendant bank had a duty under the contract to exercise reasonable care and skill in carrying out its operations. And the defendant was required to reject any instructions for payments, collections, and transfers that were inaccurate as it had done in a similar situation evidenced by email correspondences (**PEX.10**), where the bank reversed an internal account payment due to a mismatch in the beneficiary account name. - 24. The plaintiff's Counsel relied on the decision in **Stanbic Bank Uganda Limited V Moses Rukidi Gabigogo HCCA No.0028 of 2023** to argue that the duty of the bank extends to tracing and checking transactions made by its systems. Counsel submitted that the defendant ought to have taken a further step to confirm and/or verify the account details before honouring the instructions, and that it breached the banker- customer relationship in failing to do so. - 25. In reply, Counsel for the defendant submitted that the authorities cited on the general duty owed by the bank to its customers are irrelevant as the duty can be modified (restricted, limited or expanded) by a written contract between the parties. That the parties executed an Agreement (**PEX.3),** by which the defendant provided a "straight through" technology platform which would process the payments as initiated, uploaded, verified and authorised by the plaintiff without

any intervention thereby transferring the risk of using the online platform to the plaintiff.

- 26. Counsel further submitted that under **Clause 4, 8, 12 and 17 of the Agreement**, the plaintiff maintained the overall responsibility for the operation of the online service and the associated security risks within its organisation. That the risks were to be mitigated through appropriate internal controls which required that the operational mandate was given to two officers of the plaintiff. Further that the Agreement not only placed the responsibility of the risks arising from the use of the platform on the plaintiff but also indemnified the defendant from the losses arising from the operation of the account under the Agreement. - 27. In rejoinder, Counsel for the plaintiff disagreed with the defendant's reliance on clauses 4.2.2, 4.2.4, 4.2.7, 8.1, 17.1.1 and 17.1.5 of the agreement to justify its failure to verify and validate the details of the beneficiary accounts. Counsel argued that the clauses pre-suppose that the transfer was being performed correctly with all account details, well aligned and properly matched. That in this instance, the defendant effected transfers where the beneficiary account name did not match the account number. Counsel further argued that PEX.3 is a standard agreement generated by the defendant as such the *Contra Proferentem* rule should be applied.

#### Decision

28. I have duly evaluated the evidence adduced and considered the submissions of either Counsel. PW1 testified that under the New Business Online banking services arrangement a number of payments were made to erroneous bank accounts by wrong entries by the plaintiff's staff and that these payments were

| a | 24/02/2018 | 20,450,540 | aa | 02/06/2016 | 20,107,200 | | aaa | 30/05/2016 | 26,400,000 | | |---|------------|------------|----|------------|------------|--|-------|------------|---------------|--| | b | 15/03/2018 | 26,480,300 | bb | 10/06/2016 | 25,716,580 | | bbb | 10/06/2016 | 25,716,580 | | | c | 22/03/2018 | 24,431,120 | cc | 14/06/2016 | 15,500,000 | | ccc | 02/06/2016 | 20,107,200 | | | d | 09/03/2018 | 15,290,000 | | | 13,810,324 | | ddd | 14/06/2016 | 15,500,000 | | | e | 12/02/2018 | 36,280,760 | dd | 17/06/2016 | 14,211,600 | | eee | 17/06/2016 | 13,810,324 | | | f | 30/01/2018 | 22,155,861 | ee | 19/07/2016 | 27,687,000 | | | | 14,211,600 | | | g | 07/02/2018 | 3,415,100 | | 08/07/2016 | 28,475,087 | | fff | 19/07/2016 | 27,687,000 | | | h | 07/02/2018 | 5,490,000 | ff | | 3,618,820 | | ggg | 08/07/2016 | 28,475,087 | | | i | 24/01/2018 | 20,600,000 | gg | 28/06/2016 | 23,623,600 | | | | 3,618,820 | | | | 24/01/2018 | 15,030,970 | hh | 15/07/2016 | 26,242,420 | | hhh | 28/06/2016 | 23,623,600 | | | j | 07/02/2018 | 6,790,300 | | | 15,896,725 | | iii | 15/07/2016 | 26,242,420 | | | k | 19/02/2018 | 12,604,200 | ii | 29/07/2016 | 14,327,930 | | jjj | 29/07/2016 | 15,896,725 | | | | 19/02/2018 | 16,243,100 | jj | 12/08/2016 | 14,256,265 | | | | 14,327,930 | | | l | 12/02/2016 | 21,999,968 | kk | 08/08/2016 | 27,242,420 | | kkk | 12/08/2016 | 14,256,265 | | | m | 23/02/2016 | 21,311,400 | ll | 10/08/2016 | 26,553,087 | | lll | 08/08/2016 | 27,242,420 | | | n | 26/02/2016 | 22,824,848 | | | 10,827,000 | | mmm | 10/08/2016 | 26,553,087 | | | o | 26/02/2016 | 13,096,981 | mm | 28/08/2016 | 8,192,610 | | nnn | 25/08/2016 | 10,827,000 | | | p | 03/03/2016 | 18,000,000 | | | 3,423,530 | | | | 8,192,610 | | | q | 22/03/2016 | 10,246,600 | nn | 22/08/2016 | 9,350,000 | | | | 3,423,530 | | | | | 14,357,200 | oo | 22/08/2016 | 10,120,000 | | ooo | 22/08/2016 | 9,350,000 | | | r | 07/03/2016 | 3,511,080 | pp | 12/02/2016 | 21,999,968 | | | | 10,780,000 | | | s | 11/03/2016 | 25,591,021 | qq | 03/03/2016 | 18,000,000 | | ppp | 22/08/2016 | 10,120,000 | | | t | 13/04/2016 | 15,500,000 | | 22/03/2016 | 10,246,600 | | qqq | 28/08/2016 | 10,636,961 | | | u | 09/05/2016 | 26,316,580 | rr | | 14,357,200 | | rrr | 12/10/2016 | 35,005,360 | | | v | 20/04/2016 | 10,000,500 | ss | 07/03/2016 | 3,511,080 | | sss | 21/10/2016 | 20,526,893 | | | | | 16,585,000 | tt | 11/03/2016 | 25,591,021 | | ttt | 18/10/2016 | 29,526,893 | | | w | 08/04/2016 | 9,816,730 | uu | 13/04/2016 | 15,500,000 | | uuu | 27/09/2016 | 24,428,360 | | | | | 13,816,730 | vv | 09/05/2016 | 26,316,580 | | vvv | 19/08/2016 | 32,723,087 | | | | | 1,700,000 | | | 10,000,500 | | www | 07/09/2016 | 36,488,140 | | | x | 13/05/2016 | 25,811,021 | ww | 20/04/2016 | 16,585,000 | | xxx | 07/10/2016 | 22,842,848 | | | y | 19/05/2016 | 11,168,143 | | | 9,816,730 | | yyy | 07/09/2016 | 36,488,140 | | | z | 30/05/2016 | 26,400,000 | xx | 08/04/2016 | 13,816,730 | | | | | | | | | | | | 1,700,000 | | TOTAL | | 1,733,705,151 | | | | | | yy | 13/05/2016 | 25,811,021 | | | | | | | | | | | | 11,757,447 | | | | | | | | | | zz | 19/05/2016 | 11,168,143 | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |

## not reversed or rejected by the defendant. An analysis of the evidence by adduced by PW1 of the erroneous payments in is presented in **Table 2** below: - 29. The amounts in **Table 2** above are derived from the evidence of PW1 under paragraph 15 of his Witness Statement in which he testified that these payments were made from the account of the plaintiff to erroneous/disguised accounts using the online platform. The total of these figures is **UGX 1,733,705,151** and not UGX. 2,203,503,381 as claimed in the plaint. Counsel for the plaintiff had submitted that the figure under the plaint was under the agreed facts and that since it was not disputed as between the parties they do not require to be subjected to any proof in accordance with Section 57 of the Evidence Act Cap 8. With due respect to counsel, I do not agree with this position because the agreed facts do not state that these amounts were erroneously paid which is the claim under the plaint. The agreed facts simply stated that the amount was paid to the named accounts. This means that the plaintiff still has to discharge the burden of proof that these amounts were actually erroneously paid. - 30. It was noted from the evidence adduced that the Plaintiff did not prove the claim in the plaint that the payment of UGX 250,409,077 to account 9030006053547 stated to belong to Muwonge Nakiriza Marion was made to a disguised/erroneous account. Similarly, the payment of UGX 20,494,300 to Andrew Mbirige on account 9030013776767 was not proved to be erroneous. It is only the abridged statement (**PEX.5**) that mentions the payment to the accounts of Muwonge Nakiriza Marion and Andrew Mbirige as well as one Alice Amooti. However, these payments were not included under the Plaintiff's Bank Statement, **PEX.11** and therefore the plaintiff did not prove the claim that payments were erroneously made to these accounts. - 31. Further, during cross examination, PW1 admitted that the amounts under (n) and (o) in **Table 2** above of UGX 22,824,848 and UGX 13,096,981totalling to UGX

35,921,929 were correctly paid to the accounts of Mpewo General Company Limited and Skim Services Limited respectively. Therefore, when these amounts are deducted from the initial total of UGX 1,733,705,151 the amount proved by the plaintiff that was erroneously paid out stands at **UGX 1,697,783,222**.

- 32. An analysis of the individual payments under the evidence of PW1 in paragraph 15 of his witness statement shows that the total figure of the erroneous payments arises from payments made in respect of two accounts of one Hope Kabajjungu who held two accounts in the defendant bank. The first was Account Number 903000013816319 in Mukono Branch and the second was Account Number 9030011572099 in Forest Mall Branch. The Account opening forms, **DEX.1**, for both accounts of Hope Kabajjungu confirmed that the use of different service providers' names under her two accounts were actually disguised or erroneous payments. The plaintiff has therefore proved that the amount of **UGX 1,697,783,222** was erroneously paid through the online banking system. - 33. With regards to the liability of the defendant bank, it was DW1's evidence that the defendant's online banking system would not validate the beneficiary names indicated by the plaintiff and the defendant was not duty bound to confirm that whether the beneficiary account name and the beneficiary account number corresponded. DW1 testified that it was the plaintiff's role under the designated initiator and authorizer roles to verify that beneficiaries' details including the account name, account number, bank name, sort code and amount were correct. - 34. Counsel for the defendant submitted that the online banking system was an STP *"straight through process"* meaning that the plaintiff would not only initiate a payment transaction in the system but also upload, verify and approve the payment itself without any intervention from the defendant. That the validation

was by the customer and not the bank.

- 35. The bank-customer contract is one of mandate and the parties entered an agreement for New Business Online banking services (**PEX.3 and PEX.4**). In the case of **Selangor United Rubber Estates Ltd vs Cradock (No 3) [1968] 1 WLR 1555; Westminster Bank Ltd v. Hilton (1926) 43 TLR** it was held that under a bank-customer contract, a bank is required to effect a customer's orders timeously once the instruction is given in accordance with the terms agreed between the parties. The bank has a duty to carry out its customer's authorised payment instructions (where the customer's account is in credit). The common law principle is that a bank has an obligation to exercise reasonable care and skill in performing their mandate. What this means in matters of electronic transactions is that banks have a duty to take reasonable measures to ensure that their digital banking systems are secure and are regularly reviewed and updated. - 36. It is quite clear that the relations between the parties are governed by the online banking services agreement (**PEX.3** and **PEX.4**) executed by the parties. With regard to the contractual obligations of the defendant, under the clause on Rights and Obligations of the parties, clause 4.4.4 provided that-

*"The Bank shall reject instructions, including payments, collections and transfers that are incorrect, incomplete, or not in accordance with the Operational Regulations, or inconsistent with any arrangement with the bank."* (Emphasis mine)

37. Under clause 6.2 on Disputed transactions, the bank had the powers to reverse any amounts paid to or by the Principal and/or Participants if the transaction is disputed. Further, under clause 12 on Warranties and Indemnities, the Bank warranted that it had the requisite skills, expertise and resources to perform the contract.

38. From the foregoing, it is evident that it was a specific contractual obligation under the agreement for the New Business Online banking system that the bank shall reject incorrect payments or transfers. In the case of **Olanya Hannington Vs. Acullu Hellen Civil Appeal No. 0038 of 2016,** Justice Stephen Mubiru, held that "*It is trite law that when a document containing contractual terms is signed, then, in the absence of fraud, or misrepresentation, the party signing it is bound.*" The same principle was applied in the case of **Pius Kimaiyo Langat vs. Cooperative Bank of Kenya Ltd (2017) eKLR** where the Court of Appeal in Kenya held that:

> *"We are alive to the hallowed legal maxim that it is not the business of courts to rewrite contracts between parties. They are bound by the terms of their contracts, unless coercion, fraud, or undue influence are pleaded and proved "*

39. The defendant bank did not refute the evidence adduced under the plaintiff's bank statement, **PEX.11**, of the two accounts belonging to one Hope Kabajjungu that were paid the total sum of UGX 1,697,783,222 under wrong descriptions and account names that did not belong to the purported beneficiary. It is noted that the said Hope Kabajjungu who was the recipient of the erroneous payments is a customer of the defendant bank which had all her banking information as per **DEX.1** and therefore the bank had the internal capacity to verify that her account name was falsified repeatedly in the names of different service providers The bank did not show that the online payment system had sufficient security features to safeguard against incorrect payments in accordance with its contractual obligations. The bank had a duty to put in place robust fraud detection and prevention solutions to protect their system and the customer. At the bare minimum the online banking system should have flagged the repeated use of the same account numbers in the names of different beneficiaries.

- 40. Counsel for the defendant bank raised the issue of the Limitation of Liability Clause 17 and submitted that clause 17.1.4 provides that the defendant bank shall not be liable for any losses suffered by the Principal arising from fraud, misappropriation or incorrect payments of funds. However, a careful review of this clause shows that this limitation is strictly with regard to circumstances where the Principal and/or Participant has not enforced an electronic transactional limit on the contra bank account(s) loaded to the New Business Online facility. Since no evidence was led with regard to failure to enforce transactional limits, I find that this clause is not applicable. - 41. In the circumstances, I find that the plaintiff has proved on the balance of probabilities that the defendant bank breached its contractual obligations. This issue is resolved in the affirmative.

## **Issue No. 2**: *Whether the plaintiff was contributorily negligent and if so to what extent?*

42. On this issue, Counsel for the plaintiff submitted that the defendant has the burden to prove that the actions of the plaintiff materially contributed to the damage suffered. Counsel argued that the cause of the loss on the plaintiff's end was primarily due to the defendant's failure to verify and/or validate the account details.

- 43. Counsel for the defendant relied on **the decision in Sambaga V National Housing and Construction Corporation Civil Suit No. 53 of 2016 [2022] UGHCCD 119** to argue that a person is guilty of contributory negligence if they ought to have reasonably foreseen that failure to act as a reasonable and prudent person might result in harm. That the plaintiff's breach of the internal controls and deviation from the terms of the contract that the account would have two signatories contributed to the losses they suffered. - 44.**In Acaye Richard v. Saracen (Uganda) Limited & 2 Ors Civil Suit No. O63 of 2011,** Mubiru J opined that to succeed in proving contributory negligence, the defendant has to prove that; (a) the risk was foreseeable (that is a risk which the person knew or ought reasonably to have known); and (b) the risk was not insignificant; and (c) in the circumstances, a reasonable person in the position of the person would have taken the precautions. - 45. In accordance with the agreement between the parties, the plaintiff nominated its employees Mr. Buyemba Arthur Moses and Mr. Subba Roa (PW2) as users of the system, where Mr. Buyemba would initiate transactions and upload beneficiary details, and Mr. Subba would verify, confirm and approve payments without intervention from the defendant. For three years, the system was used without issue until 2015 when Mr. Subba left the plaintiff company and Mr. Buyemba assumed both the role of initiator and approver contrary to the understanding between the parties. - 46. Under the clause on Rights and Obligations of the parties, clauses 4.2.2 and 4.2.3 provided as follows-

*"The Principal and Participants shall;*

*4.2.2 maintain overall responsibility for the operation of the Service within its organization and manage the service and associated security risks through appropriate internal controls*

*4.2.3 Immediately inform the Bank in writing of all assigned and changed role allocations within its organisation".* Emphasis mine

- 47. Under the above clauses of the online banking services agreement, the plaintiff was responsible for the operation of the service within its organisation and for the associated security risks. The plaintiff breached its contractual obligation under the agreement to implement appropriate internal measures to prevent breaches within its organisation when it merged the initiator role and authorizer role in the online banking system. Basic sound financial management as a bare minimum requires a system of checks and balances. - 48. PW2 testified that during his employment with the plaintiff, monthly reconciliations and internal audits were done. It is noted that some of the erroneous payments to the Accounts numbers belonging to the said Hope Kabajjungu had the descriptions of the service providers as "*PAYMENT"* and "*JULY-2016*". The fact that the plaintiff company had access to its online statements and did not detect any anomalies in such descriptions of payees and continued making payments to the erroneous accounts for three years indicates that contrary to reasonable behaviour of a diligent customer, the plaintiff did not have any internal measures to prevent the misappropriation of funds. - 49. Whereas the defendant bank had a duty to take reasonable measures to ensure that their online banking systems are secure, the plaintiff as the customer has a corresponding duty to maintain the contractually agreed internal controls which

they failed to do. PW2 testified that under the online banking system the initiator and the approver each had a different individual password. Fraud in online systems often begins with compromised credentials and in the instant case the plaintiff negligently shared passwords or allowed the dual control by a single individual which was a serious security lapse that exposed the plaintiff to the fraud.

- 50. The merging of the initiator and authoriser role in a financial payment system was a significant and foreseeable risk which the plaintiff ought to have known. I therefore find that the plaintiff was grossly negligent. This issue is answered in the affirmative that the plaintiff's actions and omissions were negligent and contributed to the financial loss. - 51. With regard to the apportioning of the extent of the negligence between the parties, in the US Federal Court of Appeals case of **Beau Townsend Ford Lincoln v. Don Hinds Ford, No. 17-4177 (6th Cir. 2018),** the principle held was that *"Losses attributable to fraud should be borne by the parties in the best position to prevent the fraud."* - 52. In the instant case, since both parties are in breach of their contractual obligations and were negligent with regard to their duty of care, the court is inclined to apportion the loss according to their comparative fault. The failure by the plaintiff to exercise basic financial internal controls exposed the plaintiff to the fraud and greatly contributed to the fraudsters success. The plaintiff in this case was in the best position to prevent the fraud. Therefore, it is my considered opinion that the plaintiff is more to blame for the loss to the extent of 80%. The defendant bank is 20% to blame for not having robust security features in its online banking

system to ensure that the beneficiary account details of the beneficiaries within its own internal banking system correspond before the payments are effected.

## **Issue No. 3:** *What remedies are available to the parties?*

- 53. Under the plaint, the plaintiff sought; a declaration that the defendant acted negligently and in breach of its statutory and contractual obligations in wrongfully debiting the plaintiff's Account Number 9030005623935 occasioning financial loss; an order compelling the defendant to refund the sum of UGX. 2,203,503,381/=, general damages, exemplary damages, interest and costs of the suit. - 54. Given the finding of this court on the contributory negligence of the plaintiff and the apportionment of negligence of 80% and 20%; the plaintiff is to only recover 20% of the money erroneously paid out. The total amount proven as erroneously paid out is UGX 1,697,783,222. Therefore 20% of this is UGX 339,556,644 which the defendant is to pay the plaintiff. - 55. With regards to the plaintiff's prayer for general and exemplary damages it is a common law maxim that he who comes to equity should come with clean hands. Given the larger apportionment of contributory negligence to the plaintiff, their hands are not clean and accordingly the prayers for general and exemplary damages are denied. - 56. With regard to the costs of the suit, it is the established principle of law under **Section 27 (2) of the Civil Procedure Act** that costs of any action, cause or matter shall follow the event unless court for good cause orders otherwise. The plaintiff has been only partially successful and in the circumstances each party will bear its costs.

## **Decision of court**

- 57. In the final result; judgment is entered partially in favour of the plaintiff with the following orders - (a) The defendant to pay the plaintiff the sum of UGX 339,556,644. - (b)Interest is awarded on the above amount at 18% per annum from the date of filing the suit till full payment. - (c) Each party to bear its costs.

It is so ordered.

Signed and uploaded electronically in ECCMIS this 9th day of April 2025

**Cornelia Kakooza Sabiiti Judge**