Grounded Ingenuity | Refined Results

June 01, 2021
By Timothy Loh and Mary Lam
Cyber fraud causes billions of dollars of losses each year. Fraudsters often use Hong Kong as a destination for funds fraudulently obtained from victims because Hong Kong is an international business and financial centre. Though the path to recovering such funds is typically complicated by the fact that fraudsters take active steps to limit recovery, Hong Kong offers a robust legal system that offers the means for asset recovery. In this article, we describe common asset recovery options for victims of cyber fraud where the funds have been sent to Hong Kong. In an earlier article, we provided a checklist of immediate action items for victims of cyber fraud where funds are transferred to Hong Kong. Readers with specific queries as to asset recovery options as a result of cyber fraud should contact one of our dispute resolution lawyers.


Cyber fraud takes many forms. According to the Anti-Deception Coordination Centre of the Hong Kong police, the most common forms of cyber fraud are business email compromise, confidence fraud and investment fraud.

Business Email Compromise (BEC) Fraud

Business email compromise is a type of cyber fraud where fraudsters compromise email systems, enabling them to impersonate individuals for the purpose of giving instructions for the movement of funds or otherwise disclosing valuable commercial data to the fraudsters. Business email compromise is sometimes known as email account compromise (EAC).

Confidence Fraud

Confidence fraud is a type of fraud where fraudsters gain a victim’s confidence under false pretences to persuade the victim to give them money. A common type of confidence fraud is romance fraud, where a fraudster meets a victim online and develops a romantic relationship with the victim. Once the fraudster earns the victim’s trust, the fraudster indicates a need for funds.

Investment Fraud

Investment fraud is a type of fraud where fraudsters use false pretences to persuade a victim to make an investment in a business or financial product that does not exist or that is different from what the victim has been led to believe. In a common type of online investment fraud, the fraudster preys on a victim looking to raise capital for a business. The fraudster assures the victim that he will be able to provide the needed capital but the victim must pay various fees to access the capital. Needless to say, once the fees are paid, no capital is provided.

The Role of Hong Kong in Cyber Fraud

Hong Kong is an international business and financial center. It is common for companies around the world to deal with businesses and financial institutions in Hong Kong. As a result, the use by fraudsters of bank accounts and companies located in Hong Kong often raises no alarms.

At the same time, incorporating a company in Hong Kong is a fast and easy process.

Given the foregoing, it is not surprising how frequently cyber fraud involves Hong Kong banks and companies. Indeed, according to the U.S. Federal Bureau of Investigation (FBI), the majority of business email compromise and email account compromise frauds feature Hong Kong bank accounts.

The Role of The Hong Kong Police

Though it is possible to recall funds which have been transferred as a result of cyber fraud where the funds have yet to be deposited into the bank account in Hong Kong designated by the fraudster, once the transfer is complete, it is highly unlikely that the funds can be recalled. This is not, however, to say that the victim has no remedies available.

Making a Report to the Police

A first step is for the victim to report the fraud to its local police as well as the Hong Kong police. As a practical matter, the Hong Kong police will not assist the victim to recover the funds. While they will investigate, they will not adjudicate the rightful ownership of funds in a bank account. It is for the Hong Kong courts to conduct that adjudication.

The Hong Kong police report, however, provides evidence of the cyber fraud and will be helpful in establishing the bona fides of the fraud should the victim advance a claim in court to recover the proceeds of the fraud (i.e. the monies transferred by the victim to the fraudster and what becomes of it).

Action by the Police

In the normal course, once the victim reports the cyber fraud to the Hong Kong police, the police will open an investigation. There are a number of possible criminal offences including fraud and obtaining property or pecuniary advantage by deception.

At times, the Hong Kong police may disclose information discovered by them in the course of their investigation such as the bank balance of the account to which the proceeds of the fraud have been transferred. However, they have no obligation to do so and often will refuse to do so, sometimes on the basis of personal data privacy legislation.

Equally, the Hong Kong police may issue a “no-consent” letter, or a Letter of No Consent ("LNC"), to a holder of the proceeds of the fraud, typically the bank in which the proceeds of the fraud have been deposited. The effect of such a letter is to put the recipient on notice that dealings in those proceeds may constitute a criminal offence. In this way, it generally results in the banks freezing the account in which the proceeds are held. However, as with the disclosure of information, the Hong Kong police have no obligation to issue a no-consent letter.

Civil Proceedings Required for Asset Recovery

In light of the Hong Kong police focus on criminal investigation rather than asset recovery, as a general principle, the victim of a cyber fraud will need to retain Hong Kong lawyers to engage in asset recovery efforts for the return of the proceeds of the fraud. There is no bar in Hong Kong for a victim to pursue asset recovery in the civil courts in tandem with a criminal investigation or criminal proceedings.

Asset recovery efforts through the civil courts in Hong Kong will typically involve 2 distinct stages, the first being to discover the location of the proceeds of the fraud and if necessary, to protect them from dissipation, and the second being to obtain court order for the return of those proceeds.

Discovery of Assets Available For Recovery

Norwich Pharmacal Order

A Norwich Pharmacal order is an order of a court for disclosure of information against a person whose only involvement is to become mixed up in wrongful activities of others. The order facilitates discovery where such discovery is necessary to enable the victim to obtain relief against a wrongdoer.

A victim of a cyber fraud may apply to court for a type of Norwich Pharmacal order known as a Bankers Trust order to compel the bank which received funds from a fraud to disclose information and records relating to the bank account to which the funds were deposited. Without a Bankers Trust order, a victim would be neither able to identify the account holder to sue him to recover the proceeds of the fraud nor would the victim be able to trace the proceeds of the fraud and ascertain whether there are funds remaining in the account which could be recovered.

A Norwich Pharmacal order requires the victim showing the following:

  • Cogent and Compelling Evidence of Wrongdoing - There must be cogent and compelling evidence to show that serious tortious or wrongful activities have occurred. Where fraud or other similarly serious allegations are made, the degree of proof must be correspondingly high. This standard of proof reflects the fact that the wrongdoer is not and will not likely be before the court to answer the allegations against him.

  • Substantial Benefits of Discovery - The victim must prove that the order will (very likely) reap substantial and worthwhile benefits for him. In a typical asset tracing and recovery claim, there must be a high possibility that the discovery must either allow the victim to preserve or recover what may well be his assets or realistically lead to the discovery of such assets. Where the victim can obtain the information sought by the order through other means, a Norwich Pharmacal order may be denied.

  • Discovery Necessary - The discovery sought must be specific and restricted to those documents that are necessary to enable the victim to preserve or discover assets. This does not necessarily mean that discovery orders cannot be wide; what is crucial is that the discovery, be it wide or narrow, should be necessary.

Bankers Books and Records Order

Under s. 21 of the Evidence Ordinance, the victim may apply to court for an order that a bank provide access to entries and copies of specified records for the purposes of any proceedings. Such an order, known as a Bankers Books or Bankers Records order, allows the victim to trace the funds transferred to the fraudster’s designated bank account.

Position of Banks in Asset Recovery Discovery

Banks, in general, adopt a neutral stance in proceedings for the production of documents such as bank account opening documentation, bank account statements or other records relating to transactions on a suspected fraudster’s account. This means that in general, they will not oppose applications for discovery though, if they consider the scope of discovery is too broad, they may do so.

Though a victim of fraud may well complain that it should not be put to the burden of bearing the costs for discovery, given that a bank is an innocent third party being ordered to assist the victim, the courts have taken the view that the bank is normally entitled to reasonable charges incurred in complying with disclosure orders on an indemnity basis, meaning it is normally entitled to direct dollar-for-dollar reimbursement of its usual administrative fees and photocopying charges in producing bank entries and its legal costs in connection with the victim’s application for disclosure.

Preserving Assets For Recovery

A victim of a cyber fraud will be concerned with ongoing movement of the proceeds of fraud as continued movement may render asset recovery efforts uneconomical. Thus, where the assets are at risk of being moved by the fraudsters out of the victim’s reach, the victim may wish take steps to protect those assets.

Mareva Injunction

A Mareva injunction is an order of a court to freeze assets. A victim of a cyber fraud may apply to court for a Mareva injunction against a bank account holder which received funds from the fraud, and a copy of the Mareva injunction order will be served on the bank with which such bank account is held so as to prohibit the bank from allowing any dealings in those funds. The effect of a Mareva injunction is to prevent the fraudster from withdrawing those funds from the bank.

A Mareva injunction is normally issued ex parte, meaning without the person (i.e. the bank account holder) subject to the order being notified in advance of the victim’s application for the injunction. This is sensible because if the person were notified of the application, he might seek to remove the assets before the order is given.

Particularly because a Mareva injunction is issued ex parte, it has the potential to cause considerable harm to the person subject to it. For example, a Mareva injunction against the holder of a bank account to which funds were transferred under the fraud could cause significant loss to the account holder in that the account holder could be prevented from using that account to meet important business or personal payment obligations. In circumstances where the holder has not had an opportunity to challenge the allegations of fraud being made.

Given this risk of harm, the requirements for a Mareva injunction are high:

  • Good Arguable Case - The victim must show that it has a case which is more than barely capable of serious argument yet not necessarily having more than 50% chance of success. The case should be based on a substantive claim which has already been commenced or is about to be commenced against the person subject to the order.

  • Assets within Jurisdiction – The party against whom the injunction is sought must have assets within the jurisdiction of Hong Kong.

  • Real Risk of Dissipation of Assets – The victim must show there is a real risk, judged objectively, that the other party will make itself judgment proof by disposing of or concealing its assets unless restrained by the court. It is not enough to show that the party against whom the injunction is sought has a reason or opportunity to dissipate assets and there is no presumption that such a party will make itself judgment proof merely because it has the means to do so. In this case, where there is compelling evidence that a bank account holder has engaged in fraud, the court is more likely to infer that the account holder is of low morality and will thus seek to render himself judgment proof by withdrawing the funds from his account. On the other hand, where there is significant and unexplained delay in applying for a Mareva injunction, the court may infer that there is little risk of dissipation of assets in the account.

  • Balance of Convenience – For the victim to obtain a Mareva injunction, the balance of convenience must lie in favour of granting the injunction. In this regard, the inconvenience and indeed harm that may be caused to a holder of a bank account must be weighed against the need to protect the proceeds of the fraud from being moved out of the reach of the victim.

A Mareva injunction will typically include a return date, meaning a date on which the parties will return to court to determine whether the injunction will be set aside, varied or discharged. The return date gives the person against whom the injunction is ordered an opportunity to challenge the injunction.

Gagging Order

A gagging order is an order of a court which prohibits disclosure of information relating to court proceedings. A victim of a cyber fraud may apply to court for a gagging order to prevent a bank which received funds from the fraud from disclosing the fact that the victim is taking legal proceedings for discovery as a first step to recover those funds. A gagging order may be important where, for example, the account to which the funds were transferred in the fraud has not yet been frozen.

A gagging order is an exceptional remedy and will only be granted when a strong case is made out that a gagging order should be made, such as when there is clear and cogent evidence supported by compelling reasons. The court may grant the order if it believes that once the fraudster is aware he is being pursued, he will take steps to frustrate any claim that might be made against him or investigations being carried out. The court must balance the prejudice caused to the victim if a gagging order is not granted and the prejudice caused to the other party or any third party.

A gagging order will normally include a return date, with the idea that the prohibition on disclosure may be released once steps are taken so that asset recovery efforts will no longer be frustrated by the fraudster’s knowledge of the legal proceedings being taken by the victim.

Anti-Money Laundering Legislation

The Organized and Serious Crimes Ordinance and other anti-money laundering legislation in Hong Kong prohibit a person from dealing with property where the person knows or has reasonable grounds to believe that the property in whole or in part, directly or indirectly, represents proceeds of certain crimes including indictable offences for fraud. The prohibition does not apply where the Hong Kong police consents to such dealing.

As noted above, as part of its investigation, the Hong Kong police may issue a “no-consent” letter (or LNC) to a bank in respect of a bank account, which often has the effect of freezing that bank account. However, it is for the bank to decide whether to freeze the account and it is for the police to decide how long it may wish to take a no-consent position.

It is possible for a victim instead of the police to make a report to a bank in the hopes that the bank will freeze the account. However, it is generally more persuasive for a Hong Kong law firm to make a request to freeze a bank account and it is generally best practice for a Hong Kong law firm to apply for injunctive relief rather than to rely upon a bank’s anti-money laundering processes to preserve the proceeds of any cyber fraud.

Claims For Asset Recovery

Unjust Enrichment

A victim of a cyber fraud may advance a claim of unjust enrichment against the holder of a bank account in which the proceeds of the fraud are held. Where a court determines that the holder of such account has been unjustly enriched, it can take steps to reverse the unjust enrichment by restoring the proceeds of the fraud back to the victim.

In a claim for unjust enrichment, the victim must show that (i) the holder of the bank account was enriched, (ii) the enrichment was at the victim’s expense, and (iii) the enrichment was unjust. Unjust enrichment is a receipt-based cause of action. It does not depend upon proving fault on the part of the defendant.

Enrichment at the victim’s expense can be shown where the proceeds of the fraud were deposited into the account. Such enrichment may be unjust if it is caused by a mistake of fact or law. It is prima facie unjust for a recipient of money to retain the money when, if the payer had known the true state of affairs, he would not have paid the money. Equally, enrichment may be unjust if there is a total failure of the anticipated performance for which money was paid or the very purpose for which payment was made.

Change of Position

A claim for unjust enrichment may be defeated by a number of defences. One defence is for change of position, meaning that where the victim claims against a holder of a bank account for unjust enrichment, the holder of the account may defend that claim by showing a change of position such that it would be inequitable to require him to make restitution. So, for example, where the holder of an account received the proceeds of a fraud, did not realize that he should not have received those proceeds and paid money out of those proceeds to make a charitable donation, he may be able to make out a defence of change of position.

Constructive Trust

In cyber fraud, the victim may seek a constructive trust over the proceeds of the fraud. In such a constructive trust, the victim would be the beneficiary of the trust and would therefore be entitled to call for the delivery of these proceeds. An advantage of a constructive trust is that it establishes a proprietary claim over those proceeds which can not only defeat claims of other creditors of the holders of the account in which the proceeds are deposited but may facilitate asset recovery where those proceeds are moved through the banking system.

Tracing and Following

In this respect, in a typical cyber fraud, the fraudster will move the proceeds of the fraud from the original account to which the victim deposited the funds to one or more accounts. As a result, once the victim establishes a basis for a constructive trust over the proceeds of the fraud, asset recovery efforts will focus on following and tracing the proceeds.

In this regard, following is the process of identifying the proceeds of the fraud as it is transferred from one person to another. Tracing is the process of identifying a new asset as a substitute for an original asset. In tracing, where one asset (e.g. money) is exchanged for another asset (e.g. certificate of deposit), the victim may elect to treat the substitute asset as representing the value contained in the original asset.

Backward Tracing and the Intermediate Balance Rule

A difficulty with tracing is that bank accounts to which the proceeds of a cyber fraud are deposited may see multiple deposits and withdrawals.

The intermediate balance of the account may fall below the original amount deposited as a result of withdrawals and then may rise again above the original amount deposited as a result of deposits. In such circumstances, traditionally, unless the victim could show that the subsequent deposits were intended to make good the earlier withdrawals, the victim would face difficulties in tracing the proceeds beyond the lowest intermediate balance.

Similarly, payments may be made out of an account in anticipation of the receipt of the proceeds but before the proceeds are actually paid into the account. Again, traditionally, the victim would face difficulties in tracing any monies paid out before the proceeds of the fraud were deposited.

Newer developments in the law, however, suggest it may nevertheless be possible to trace the proceeds as they move through the accounts in these circumstances so long as there is a clear link between credits and debits to an account as part of a co-ordinated scheme. The precise boundary of these new developments remains unclear but it may be possible that a court may infer that a payment into one account is attributable to a previous payment out of another account and therefore traceable where the two payments are of a similar though not identical amount and the time gap between them is reasonably short. Similarly, it may be possible to trace the proceeds of a fraud even though money is paid out of one account before the proceeds of the fraud are deposited into that account so long as the money was paid out with the expectation that the deposit would reimburse that payment out.

In the leading case, Federal Republic of Brazil v. Durant International Corporation [2015] UKPC 35, the Privy Council stated:

“The development of increasingly sophisticated and elaborate methods of money laundering, often involving a web of credits and debits between intermediaries, makes it particularly important that a court should not allow a camouflage of interconnected transactions to obscure its vision of their true overall purpose and effect. If the court is satisfied that the various steps are part of a co-ordinated scheme, it should not matter that, either as a deliberate part of the choreography or possibly because of the incidents of the banking system, a debit appears in the bank account of an intermediary before a reciprocal credit entry…”

Bona Fide Purchaser for Value

However, regardless of whether the proceeds of the fraud remain specifically identifiable, the victim will be barred from recovering those proceeds if his proprietary interest in those proceeds is extinguished. This may occur where the proceeds are received by a bona fide purchaser for value without notice of the fraud. So, for example, if the fraudster uses monies from the victim to purchase goods and the seller of the goods is unaware (and ought not to have been aware) that the monies used to pay for those goods are proceeds of the fraud, the seller will take those monies free of any interest the victim might have had on those monies.

In other words, the victim will be unable to trace those monies into the hands of the seller and his proprietary interest in those monies will be extinguished.

Default Judgment

Though the bank accounts in which the proceeds of a fraud are typically deposited may belong to a legitimate business who may contest asset recovery proceedings taken by the victim to recover those proceeds, in many cases, the bank accounts are controlled by the fraudsters themselves. In these cases, where the victim commences asset recovery proceedings, the fraudsters will often not defend.

In the absence of the fraudsters filing and serving an acknowledgement of service and a statement of defence within the stipulated deadline under Hong Kong court rules, the victim can apply for judgment. In this case, the court will scrutinize the matters pleaded in the victim’s statement of claim to determine whether the victim is entitled to the judgment sought, making its determination on the basis of pleaded facts rather than on the evidence.

Note that it is not the normal practice of the court to make a declaration without a trial. In this respect, a concern is that the declaration may bind third parties without the court having been through the evidence. Nevertheless, the courts have been prepared to do so in the case of cyber fraud where there is a genuine need for declaratory relief which the court can properly grant on the merits of the case and justice would not be done if such relief were denied.

Garnishee Order

After obtaining a judgment, a victim will often apply for a garnishee order to satisfy the judgment from the bank account in which the proceeds of the fraud are held. A garnishee order takes place in 2 stages, within an order nisi being served on both the bank and the account holder. If no one, whether the bank served with the order nisi or any other person, disputes the order nisi, the order becomes absolute. At that time, the bank must pay the amount due to the victim under the order from the account balance and such payment will discharge the bank’s liability to the account holder to the extent of the payment.

Vesting Order

In the case of judgment in the victim’s favour on a proprietary claim, a potential “shortcut” to a garnishee order in the enforcement of the judgment is a vesting order pursuant to the Trustee Ordinance. A vesting order treats the holder of the proceeds of a fraud as a trustee of a bare trust and compels the holder as trustee to transfer the funds back to the victim.

There is some uncertainty as to whether and when a vesting order might be available to a victim of cyber fraud in Hong Kong as there are conflicting authorities.

We use cookies to enhance your experience of our websites and to enable you to register when necessary. By continuing to use this website, you agree to the use of these cookies. For more information and to learn how you can change your cookie settings, please see our Cookie Policy and our Privacy Notice.