The Commercial Division of the Supreme Court of Mauritius has delivered an important decision in EOS Mascarenes Ltd v Mauritius Commercial Bank Ltd (2025 SCJ 114), clarifying the extent of a bank’s duty of care in processing payments. In particular, the Court considered whether the contractual obligation and duty of care that a bank owes to its customer can be extended to a third party. The case concerned a fraudulent scheme that was orchestrated by an employee of the plaintiff, which resulted in misdirected payments. The plaintiff claimed that the receiving bank was negligent in failing to verify whether the intended beneficiary matched the account number.
The court dismissed the claim, holding that the bank did not owe a duty of care to the plaintiff as there was no contractual relationship between them and no special circumstances that would have required the bank to carry out further investigation before crediting the account that was identified by the bank account number provided on the payment instructions. The ruling is significant for banks and financial institutions, reinforcing that their obligations are primarily towards their own customers and that payment processing standards relying on account number verification remain legally sound.
Background
The plaintiff’s employee fraudulently misrepresented to the accounting department of its parent company that one of the plaintiff’s service providers had changed its banking details and that payments to that service provider would henceforth need to be made to a new account. As a result, the plaintiff issued payment instructions to its banks to transfer funds to an account at the Mauritius Commercial Bank (MCB), which was not that of the service provider. The plaintiff then claimed that upon receiving the funds from the paying banks and before crediting the relevant account with those funds, the MCB should have verified whether the name of the beneficiary corresponded with the account number provided on the payment instructions.
The plaintiff’s case was grounded entirely in the tort of negligence. In that respect, a significant part of the Court’s judgment addresses an important preliminary issue as regards whether a bank owes a duty of care to non-customers, i.e. whether the contractual duty of care that a bank owes to its customers, extends to third parties.
It was submitted on behalf of the MCB that the broader concern was that the effect of such a proposition (if accepted) would essentially imply a general duty of banks to protect the monies and interests of third parties who deal with their customers. The MCB’s submission was that not only does such a proposition have no basis in law, but also, it would potentially open the floodgates to claims made against banks by third parties.
The test of “no apparent anomaly”
The Court held that the correct position is that a bank’s duty to take necessary measures to prevent prejudice from being caused to a customer or third party, arises only when it is in the presence of an apparent anomaly (“anomalie apparente”). This principle is derived from French jurisprudence, as well as the decision of the Judicial Committee of the Privy Council in Royal Bank of Scotland International Ltd v JP SPC 4 & Anor ([2022] UKPC 18), which held that a bank does not owe a duty of care to third parties unless it knew or ought to have known that there was a fraud which was being committed in the transfer of money.
As such, the Court considered that the essential question that it had to decide was whether there was any apparent anomaly on the face of the payment instructions that MCB received from the paying banks.
In that respect, MCB’s defence rested on its use of the Straight-Through Processing (STP), which is an automated system that the bank has implemented since more than 20 years to process payment instructions. The STP mechanism does not carry out a name-matching exercise but verifies only whether the account number provided in the payment instructions is that of an account held at the bank. The bank argued that this system is an industry standard designed for efficiency and that manually verifying every payment would be impractical given the thousands of transactions that it processes daily.
The Court accepted that position. In particular, the Court examined Tidal Energy Ltd v Bank of Scotland Plc ([2014] EWCA Civ 1107), an English Court of Appeal decision that upheld a similar system—CHAPS—which processes payments based on account numbers rather than beneficiary names. The court adopted the analysis set out in that decision, highlighting that the object of an automatic verification system is to achieve rapid payment and that the court should lean against a construction that involves imposing a requirement on a receiving bank which would frustrate that object. On that basis, the Court found that the use of STP was not negligent and that there was therefore no apparent anomaly in the transactions which could have alerted MCB to potential fraud. As such, the bank had no duty to investigate further.
The Court further distinguished the matter with earlier cases involving fraudulent cheques, where banks were found liable because the transactions exhibited clear irregularities. In this case, however, the instructions received by MCB appeared routine, and the bank was entitled to rely on its established payment verification processes.
Importance for the banking industry and the Mauritius IFC
This decision provides much-needed clarity for banks and financial institutions by reaffirming that their duty of care does not automatically extend to non-customers. The court’s approach limits the risk of excessive litigation against banks, ensuring that they are not unfairly held liable for fraudulent transactions initiated outside their control.
A key aspect of the decision is its endorsement of STP as a legitimate and efficient payment processing system. In an era of increasing automation, banks process millions of transactions daily, making manual verification impractical. The judgment confirms that banks are entitled to rely on account numbers as the primary means of verifying payments and are not required to cross-check names unless an anomaly is evident. Had the court ruled otherwise, banks might have been forced to implement costly and time-consuming additional verification measures, potentially slowing down payment processing and increasing operational risks. As financial transactions become increasingly digital, the judgment sets an important precedent for balancing fraud prevention with operational efficiency.
As such, the Court’s decision provides reassurance to financial institutions against undue liability and strikes a careful balance between ensuring the security of banking transactions and maintaining the efficiency of modern payment systems.
This judgment has broader relevance for the Mauritius IFC, the legal framework of which is influenced by common law principles and international banking regulations. By aligning with international banking standards, the judgment hopefully reassures multinational banks operating in the jurisdiction that their standard industry practices will be upheld that their liability exposure remains within internationally accepted boundaries. It is also reasonably seen as a signal to general users of the Mauritius IFC that banking operations are handled according to international best practices, without undue judicial interventions that could slow down transactions or introduce additional costs.
Bilshan Nursimulu (counsel), Keseven Nair (attorney) and Maleeka Muhomud (attorney) successfully acted for the Mauritius Commercial Bank in this matter.
