Clifford Chance

Following a cybercrime, it will not always be possible to identify those responsible for a fraud or ransom demand. In cases involving digital assets, the underlying distributed ledger or blockchain technology, by design, often allows anonymous or pseudonymous transactions, and near-instantaneous transfers mean those digital assets can change hands very quickly. However, the English courts possess well known tools (Norwich Pharmacal and Bankers Trust orders) allowing fraud victims to obtain information from third parties that have been used (unwittingly) to advance a fraudulent scheme.  

As England has become a hub of international fraud litigation, the courts have permitted some of those tools to be used on "foreign" parties (i.e. those not otherwise within its jurisdiction). However, recent cases arising from frauds and cybercrimes involving digital assets have exposed some unjustified discrepancies in jurisdictional rules. Since 1 October 2022, it is now more straightforward for claimants to obtain information about the location of their property and the identify of fraudsters from foreign non-parties. In a digital asset context this may result in exchanges, wallet providers and financial institutions that otherwise have no connection to England being ordered to provide such information.

Context: recent information requests to foreign crypto non-parties

The English courts have developed two types of orders which can assist claimants in these situations.

• Norwich Pharmacal Order (NPO), is an order against a third party involved in (but not responsible for) a fraudulent transaction, to obtain the information or documents that might be needed to be able to pursue a claim. This might include the identity of the fraudster or location where assets have been diverted to, for example.
• Bankers Trust Order (BTO), is an order against a financial institution to provide documents or information on one of their clients who has committed a fraud – for example, the records of a transaction. 

Historically, English courts have been hesitant at permitting claims for NPOs and BTOs to be served on parties outside of England and Wales (see the background on service rules below).  A number of recent cases concerning digital assets obtained by fraud or hacking have confirmed the limits of the courts' jurisdiction. However, the courts have not always addressed the matter consistently and have found themselves forced to draw distinctions between NPOs and BTOs that have been difficult to justify.

In Ion Science and another v Persons Unknown [2020] (Unreported), the claimants sought a BTO against the parent companies of Binance and Kraken following an initial coin offering fraud where the Bitcoin in question had been traced to accounts on those exchanges. The court said that previous cases had found that NPOs could not pass through any of the jurisdictional gateways.  However, that authority was distinguished in the case of BTOs and permission to serve the claim for a BTO was granted on the grounds that the exchanges were "necessary or proper parties" to the claim against the fraudsters and/or that it relates to property within the jurisdiction. There was also a suggestion that exceptional circumstances (in this case "hot pursuit") justified service being permitted.

In Fetch.ai [2021] EWHC 2254, the claimants sought a BTO and NPO against Binance (in the Cayman Islands and a UK subsidiary).  Permission to serve the claim for the NPO was again denied based on previous caselaw while permission to serve the claim for the BTO was given based on Ion Science.  But the judgment highlights the inconsistency in approach and noted that these points may not go the same way at a fully contested hearing.  The unsettled (and unsatisfactory) position was further illustrated by the decision in Mr Dollar Bill Ltd v Persons Unknown and Others [2021] EWHC 2718 (Ch), in which the court permitted a claim for an NPO to be served against Binance, but seemingly without considering Ion Science or Fetch.ai. The judge in Fetch.ai and Sir Geoffrey Vos, the Master of the Rolls (one of England's most senior judges) have commented extrajudicially that reform to these jurisdictional rules would be welcome.

Serving claims on parties outside of England

Any claimant in the English courts wishing to serve a claim on a party outside of England must, subject to certain exceptions, obtain the permission of the court.  The starting point is to show that a claim falls within one of the relevant "jurisdiction gateways" in the English Civil Procedure Rules (CPR).  A claimant must also show that there is a serious issue to be tried and that England is an appropriate forum for the dispute to be heard.  Prior to this reform, none of the jurisdictional gateways provided expressly for claims for NPOs or BTOs.

The new changes explained

This issue was one of a number considered recently by the Civil Procedure Rule Committee (the CPRC) in the context of a review of the jurisdictional gateways.  The review has resulted in the introduction of 4 new gateways, which forms part of a broader and ongoing exercise to adapt English jurisdictional rules following Brexit, now that the UK is no longer required to conform to EU rules.  One of the CPRC's stated aims was to make it easier to obtain NPOs and BTOs against foreign parties to facilitate claims by digital asset fraud victims. 

The new paragraph 3.1(25) of Practice Direction 6B (the Information Orders Gateway) provides the basis for the following types of claim to be served on a party outside of England and Wales (with the court's permission):

"Information orders against non-parties

A claim or application is made for disclosure in order to obtain information—

(a)       regarding:

(i)        the true identity of a defendant or a potential defendant; and/or

(ii)       what has become of the property of a claimant or applicant; and 

(b)       the claim or application is made for the purpose of proceedings already commenced or which, subject to the content of the information received, are intended to be commenced either by service in England and Wales or pursuant to CPR rule 6.32, 6.33 or 6.36."

This new rule took effect on 1 October 2022.

The changes bring several benefits to claimants. Claims for NPOs (or equivalent under the new gateway) can now be served outside of England and Wales (with the court's permission) and the uncertainty as to the position of BTOs (or equivalent) has been removed. Claimants do not have to commence substantive proceedings in England before seeking NPOs or BTOs against foreign parties, making it (in principle) less expensive and time consuming to explore whether there is a viable claim against the fraudsters.

However, there are still a number of potential issues arising from the new Information Orders Gateway:

• There is no express reference to NPOs or BTOs and the listed information does not overlap entirely with the information commonly sought pursuant to such orders (in particular there is no reference to information required to identify wrongdoing or plead a case).  It remains to be seen whether the courts will read the new gateway as importing the full scope of NPOs and BTOs at common law.
• The gateway is limited (intentionally) to narrow categories of information. The changes do not, for example, extend to wider applications for disclosure from non-parties (governed by a separate regime under CPR Rule 31), affect rules prohibiting NPOs being obtained in support of court proceedings outside of England or in general support of enforcement of a judgment. The CPRC rejected a proposal for a much broader gateway for general applications against non-parties. 
• The actual service of claims remains unchanged. Unless an order for alternative service can be obtained (permitting service via email or even a cryptoasset such as an NFT dropped into a wallet on the grounds of urgency) then this may still be a lengthy process.  Claimants will still need to consider seeking similar orders in courts of a non-party's domicile.

Another area of uncertainty is the nature of the evidence that an applicant will need to provide when it has not yet started substantive proceedings in the English courts. Where proceedings have not started, the gateway is available only where a claim will be brought by service in England or by service out of England pursuant to other jurisdictional gateways "subject to the information received".  It is therefore unclear whether an applicant will need to satisfy the court that there is some prospect (real or otherwise) of the court ultimately having jurisdiction to hear the substantive claim. When the purpose of the rule change is to reduce the difficulty of obtaining information at an early stage, requiring significant evidence as to the court's hypothetical future jurisdiction would seem counterproductive. 

The practical impact of reform on non-parties

These changes could see a significant rise in applications against crypto exchanges and wallet providers based outside of the UK, as well as banks if fiat currency was involved in the relevant frauds. Potential respondents should consider if they are prepared in advance of receiving any such claim. Non-compliance with any court order can be a serious issue for a company, from a legal, regulatory and reputational perspective.  In principle, non-compliance can lead to fines or even imprisonment for contempt. Consider expansion plans and the possibility for English customers to utilise products - even if a company has no current contact with the UK, it (or its management) may do so in future. 

Be prepared

Crypto firms and banks and other potential respondents should ensure that they have systems and policies in place for handling information requests. A key question is how an order from a foreign court interacts with contractual or legal duties of confidentiality and secrecy in its own jurisdiction. Is there any law in their jurisdiction that would prohibit them from complying with English court orders, such as a blocking statute? In some cases that may require the firm to obtain the permission of its local court before complying with any order. Data protection legislation may also be relevant. 

Companies named in a claim for a NPO/BTO do have the right to challenge it on certain grounds. Firms should also assess whether they are at risk of being named as an actual defendant, as this is a ground on which to challenge any NPO. Ultimately, any company named in a claim will need to be in a position (quickly) to decide whether to challenge any order or to remain neutral and to decide whether it makes an appearance in an English court at all.

Future reform

The scale of fraudulent activity involving digital assets means that the caseload in the English courts is likely to increase.  In that context, the CPRC is also considering another new gateway specifically in respect of claims relating to cryptoassets. For now, it has been agreed that this should wait until the Law Commission has completed its work on conflicts of law issues raised by cryptoassets. That work has only just begun and the Law Commission currently intends to publish a consultation paper in the second half of 2023.