Executive Summary: Key Legal and Evidentiary Issues

• Scope of a financial institution’s duty of prudence and diligence when international wire transfers trigger anti-fraud alerts and depart from a corporate client’s normal profile.
• Impact of an employee’s misleading statements to the bank’s fraud analyst on liability, where the employee is herself manipulated in a sophisticated “fraude du président” (CEO fraud) scheme.
• Adequacy of Desjardins’ fraud-detection framework, including Firco alerts, analyst training, and the absence of formal procedures or checklists to rule out CEO fraud risks.
• Extent to which TYT’s weak internal controls, lack of segregation of duties, and unchecked authority of its chief accountant contributed causally to the loss.
• Effect and enforceability of AccèsD limitation-of-liability clauses in a contract of adhesion when the bank is alleged to have breached its essential obligation of prudence.
• Allocation of loss through comparative fault, resulting in Desjardins bearing only a quarter of the proven loss while TYT assumes the majority due to its contributory negligence.

Background and parties
Groupe TYT inc. is a trucking company incorporated under the Canada Business Corporations Act, employing around 225 people and banking with Caisse Desjardins de Drummondville since about 2010 via the AccèsD online platform operated by the Fédération des caisses Desjardins du Québec. In June 2020, TYT held several accounts with the Caisse, including an EOP corporate account tied to a line of credit and accessible through AccèsD. Internally, TYT’s finances were overseen by Luc Chamberland (VP finance/GM) and, at the operational level, its chief accountant, Line Blais, a CPA who had recently assumed broader duties due to another finance manager’s maternity leave.
The Caisse is a cooperative financial institution whose operations are framed and standardized by the Fédération, which sets group-wide risk-management and anti-fraud policies. At the onset of the COVID-19 pandemic, TYT had obtained about $1.5 million in emergency financing from government and development-bank programs and was no longer in acute cash-flow distress, a fact known to its banking representatives.

Nature of the fraud and transactions
Between 8 and 15 June 2020, TYT fell victim to what is commonly called “fraude du président” or CEO fraud. Fraudsters spoofed the work email of TYT’s president, Patrick Turcotte, and presented themselves as him and as external lawyers from Deloitte, notably a purported Me Didier Ferguson and a Me Morin. Through sustained email exchanges and phone calls, they convinced Blais she was confidentially helping Turcotte close a sensitive takeover (OPA) requiring urgent and secret international payments to Asia.
Under their direction, Blais disclosed key financial details (available balances and daily transfer limits) and then executed five international wire transfers from TYT’s account to beneficiaries in Hong Kong and mainland China, each in the vicinity of USD 330,000–360,000. In total, USD 1,750,000 (about CAD 2.38 million) was sent out in five transfers over seven days. The fraudsters buttressed credibility with purported OPA confidentiality constraints, explanations for why only they, not Turcotte, could speak by phone, and even falsified documents showing a large incoming “external financing” transfer that would supposedly replenish the account.
Desjardins’ automated Firco system flagged all five outgoing transfers as potentially problematic. This system, in operation since 2018, is designed to intercept transactions that match certain risk parameters and then route them for human review. The first two transfers on 8 and 9 June were frozen and referred to Desjardins’ fraud-prevention analysts, while subsequent alerts were handled more mechanically.

Desjardins’ systems and conduct
The core of the case turned on whether Desjardins acted as a prudent and diligent financial institution in investigating these alerts. Analyst Sindy Madore contacted TYT on 9 June about the first two transfers. She first attempted to reach the listed “principal administrator” on AccèsD, but ultimately spoke with Blais, who had full authority to execute international transfers up to USD 500,000 per day.
According to Blais, the call was brief and focused on basic “security questions” about a new supplier; she testified Madore did not explain the mechanics of CEO fraud, did not emphasize the risk pattern the bank was seeing, and did not probe who had actually instructed the transfers. Madore’s contemporaneous internal note recorded that Blais described the payments as involving a new supplier, confirmed that goods had been received, and indicated there would be more transfers, without any explicit “urgent” or “confidential” instruction from a manager. Relying mainly on these answers and a limited 60-day account history, Madore validated the first two transfers and instructed that the funds be released.
The third and fourth transfers, on 10 and 11 June, were again intercepted by Firco but, because they involved the same beneficiary as before, were cleared by Desjardins’ international transfers team without further fraud-unit review. No human re-assessment took into account the accumulating “velocity” of unusually large outbound wires to a new region, despite Desjardins’ institutional awareness that pandemic-era cyberfraud levels were rising and that CEO fraud was a known typology. The fifth transfer, to a new Chinese beneficiary on 15 June, was sent back to the fraud-prevention unit; analyst Roxanne Livernois briefly spoke with Blais and, treating it as a repeat of the earlier scenario, validated the transfer.
The Court found several systemic problems on the bank’s side: Madore had no formal description of duties as a fraud analyst, no structured checklist or written procedure for investigating Firco alerts, and only informal peer-to-peer training, with no documented pre-2020 training specific to CEO fraud despite the risk being well-known in the industry. Analysts only saw limited account history and no aggregate view of multiple recent alerts. The Court held that Desjardins failed to implement “commercially reasonable” fraud-control protocols in this context, particularly for high-value international wires in a pandemic-driven cybercrime environment.

TYT’s internal controls and contributory fault
While Desjardins’ anti-fraud response was found wanting, TYT’s own internal controls were also heavily scrutinized. Following internal restructuring, TYT’s finance function had been effectively halved, leaving Blais with concentrated authority: she could add new suppliers, manage the cashflow spreadsheet, and unilaterally initiate international transfers up to USD 500,000 per day. TYT had implemented dual-signature requirements for cheques but did not activate analogous dual-authorization or other safety features available in AccèsD for high-risk electronic transfers.
The Court accepted expert evidence, based on the COSO internal-control framework, that this lack of segregation of duties and absence of compensating oversight amounted to a significant governance weakness. Neither Turcotte nor Chamberland had regular or structured visibility into daily electronic transactions, and no systematic control mechanism existed to flag new foreign suppliers or unusually large transfers for second-level review.
TYT was not faulted for failing to anticipate CEO fraud in a technical sense or for not having formal written codes or cyber training equal to those of a bank. However, it was held negligent for leaving an employee—with no internal counter-signature requirement and no contemporaneous oversight—in sole control of creating foreign payees and sending seven-figure sums offshore in a single week.

Conduct of the chief accountant and evidentiary assessment
The Court distinguished carefully between Blais as a victim of manipulation and Blais as a source of misleading information in the bank’s verification process. It found she did not act with fraudulent intent; she was pulled into a highly sophisticated social-engineering scheme, and the fraudsters systematically addressed each of her doubts by invoking confidentiality, tight timelines, and apparently plausible corporate-finance rationales. Her failure to demand formal OPA documentation, board resolutions, or in-person confirmation from both shareholder-brothers was treated as a lapse of professional rigor, but not as gross negligence or wilful blindness in the circumstances.
Where Blais did commit fault was in her phone answers to Madore on 9 June. To comply with the instructions of the fake Turcotte and the supposed Deloitte lawyer, she told Desjardins that the transfers involved a new supplier, that the goods had already been received, and that more such payments would follow—statements she knew were inaccurate. Those answers misdirected Madore toward the “fake supplier” scenario and away from probing for signs of CEO fraud, especially around who had actually ordered the transfers and whether any supposed lawyer or senior executive could be independently verified. The Court found these untrue answers materially influenced the analyst’s decision to release the first two transfers, and therefore constituted contributory fault attributable to TYT.

AccèsD convention and limitation of liability
Desjardins sought to rely on limitation-of-liability clauses in the AccèsD adhesion contract (2018 and updated 2019 versions). Those clauses purported to make the client fully responsible for damages arising from its own negligence, misuse or fraud, and for “any fraudulent act” committed against it, while emphasizing that the company must maintain internal control and surveillance activities to combat fraud.
The Court held that these contractual terms could not absolve Desjardins from responsibility for its own breach of an essential obligation of the banking contract—namely, the duty of prudence and diligence in executing instructions and in reacting to serious anomalies and fraud indicators. In Quebec civil law on contracts of adhesion, an exclusion that effectively nullifies a party’s core obligation is abusive and unenforceable. The limitation clause was therefore ineffective to bar the claim arising from Desjardins’ failures in fraud detection and analyst training, although it remained relevant in assessing expectations that the client would have internal controls and justifying some reduction of the bank’s share of liability.

Recovery efforts and causation of loss
Once the fraud was discovered on 16 June 2020—after the account went unexpectedly into overdraft and the Caisse’s account manager contacted TYT—both Desjardins and TYT moved quickly. Desjardins promptly initiated SWIFT refund requests and worked with correspondent banks in Asia; TYT retained Dentons to pursue parallel efforts. The court accepted that by the time the fraud came to light, the first three transfers had already been debited from the receiving accounts abroad and could not realistically be recalled. Only the funds from the fourth and fifth transfers were ultimately recovered (approximately USD 686,916), leaving three earlier wires, totaling about CAD 1.426 million, as the net loss.
The Court found no negligence in Desjardins’ post-discovery recovery efforts: the steps taken were consistent with industry practice, and delays were minimal relative to the timing of the foreign debits. Accordingly, TYT’s claim to recover Dentons’ professional fees as damages failed for lack of fault and causation on the bank’s part in that phase.

Court’s ruling and apportionment of loss
On liability, the Superior Court concluded that Desjardins, through the Fédération, breached its duty of prudence by: (i) conducting an incomplete, poorly structured verification call on 9 June that failed to properly explain CEO fraud to Blais or to ask targeted questions about who had truly ordered the transfers and with whom she had spoken; (ii) failing to route the third and fourth Firco-flagged transfers back to the fraud-prevention unit for renewed human review in the face of an abnormal series of large transfers to a new region; and (iii) not ensuring that its fraud analysts received adequate and documented training on CEO fraud or had basic procedural tools (like checklists) for investigating alerts. These failures were held to have a direct causal connection to the loss stemming from the first three transfers and the associated bank fees.
At the same time, the Court held that TYT was significantly contributorily negligent. It allowed Blais to hold unchecked electronic payment power with no internal segregation of duties or second-level oversight for high-risk transactions and failed to activate available dual-authorization options in AccèsD for large international transfers. The company also bore responsibility for Blais’s inaccurate and misleading statements to Desjardins’ fraud analyst, which materially undercut the bank’s ability to detect the fraud.
Applying the Civil Code rules on multiple tortfeasors and contributory negligence, the Court apportioned 75% of the responsibility to TYT and 25% to the Fédération des caisses Desjardins du Québec. Only the Fédération, as the entity responsible for group-wide risk and fraud-management systems, was condemned in damages; the claim against the local Caisse Desjardins de Drummondville was dismissed. On the quantified loss of CAD 1,427,027.62 (three unrecovered transfers plus five bank fees of CAD 75 each), the Court ordered the Fédération to pay Groupe TYT inc. CAD 356,756.90, plus interest and the additional indemnity under article 1619 C.C.Q. from 30 June 2020, and to cover 25% of TYT’s recoverable legal costs, thereby making TYT the partially successful party with a limited but concrete monetary award.