Saturday, 26 April 2008

Security reviews of IT systems

Regular review and checking of the security of IT systems to ensure their compliance with organizational security policies, standards and procedures is essential. A regular review of IT systems against a set industry standard or other accepted baselines and configuration guidelines provides an organization with a benchmark against which the organization's security may be compared to information security best practices. Internal audits help to ensure that your organization is meeting its own targets and expectations.

Security Reviews
A security review should be an overall security evaluation which examines:

  • Your organization’s business requirements;
  • How you currently provide for security within the organization;
  • Industry best practices for providing those requirements.

It is usual for organizations to engage third party vendors or, in selected cases, an independent audit group within the organization with a different reporting structure. This is done so that an objective result is obtained.

The goal of a security review is to capture a snapshot of your organization’s security from not only a technical perspective but also from a policy and procedural one. Sometimes it may also include topics as diverse as physical security and human resources matters.

Some common steps involved are:

1. Information Asset Identification to verify that the items covered in a risk assessment are adequate. This involves asking:

  • what information assets exist,
  • where they are located,
  • who needs access to this information:
    1. Internal employees
    2. External Customers
    3. External Companies
  • who must not have access to this information.

2. Information Sensitivity and Criticality Assessment to assess the levels of:

  • sensitivity of the information:
    o Classification of each information asset
    o Identification of the consequences of the information falling into the wrong hands
  • criticality of each of the organization’s information assets:
    o During normal times
    o During special periods (end of year, end of month, reporting periods etc.)
    o Identification of consequences of data being unavailable for:
      o 8 hours,
      o 24 hours,
      o More than 24 hours.

3. Access Policy Review to determine what your organization’s security model should be permitting and what it should deny.

4. A Security Supporting Functions Review looks at those parts of your existing environment which passively enhance the security of your environment from a monitoring or procedural perspective. These can include:

  • Policies
  • Procedures
  • Intrusion Detection Systems
  • User Activity Monitoring Systems
  • System Integrity Testing Systems

From this it is possible to determine if the current environment has adequate controls covering the following areas:

  • Maintenance procedures
    o Patches and Upgrades
    o Account Maintenance
    o Backups and Recovery
  • Change Management
    o Development
    o Testing
    o Implementation
  • Intrusion Detection
    o attack detection
    o identification,
    o reporting, and
    o response
  • User Activity Monitoring
    o Correct detection of Inappropriate Use
    o Correct investigation of incidents of Inappropriate Use

5. A review of an organization’s Security Enforcing Functions is designed to evaluate those parts of your environment that actively enforce security. These include:

  • Filter routers
  • Firewalls
  • Operating System Access Controls
  • Application Server Configurations
  • Digital Certificates and Encryption

The aim of this is to determine if existing Security Enforcing Functions within your organization:
1. Provide an adequate level of redundancy
2. Provide an adequate level of protection
3. Require modification in any way to provide more appropriate levels of protection or redundancy.

Thursday, 24 April 2008

Proving absence of a deed

I have seen people try to prove innocence by demonstrating a lack of something. This may be as simple as proving an absence of a file or it may be something more complex.

In this post, the person had possession of a computer file and wanted to prove that he had never viewed it: that it was copied to the recycle bin and deleted but never opened. The copy and the move for the delete are, however, a change of state. The person admitted having possession of the file. The file was a copy of an exam (before the test) given by another - without the person's knowledge - so we are told.

The simple thing is that proving that some things did not occur while allowing that others could have is not legal proof that the event did not occur. You can certainly do this, but as it does not go to adding proof that the event did not occur, why would be my question.

Being tainted with having completed a law degree, I also look at this from an evidence law perspective. This assertion that you are doing adds no more than the evidential weight of the person's affidavit of innocence alone.

The difficulty is that possession is already admitted. He has stated he had the files. Also, recycle bin is no proof of deletion. In the event that the offence is possession, then this is admitted. He should have deleted them immediately and not brought them in. I fail to see of what benefit your work would be.

As an example of a criminal case of possession, CP is possessed through mere holding of a single copy. In the US there is a defence if less than 3 images are immediately reported to police, but immediately is as soon as you can get to a phone.

From the perspective of a member of a couple of University boards, the issue is mere possession. Going to court will not change this as he has admitted possessing the files. Deleting them is no defence. If I was the training firm's attorney, my case would come to the question:

Lawyer: “Did you hold a copy of the file?”
Defendant: “Yes, but…”
Lawyer: “Thank you, that will be all, the defendant has by his own admission stated he is guilty”.

As the lawyer for the side stating possession, that is all I need to do. This may not seem fair, but the law is about a stated set of principles, not fairness.

Your ONLY defence is categorical proof that no file was ever viewed while in possession. In this event, the individual is still guilty, but basically forgiven if lucky. As you can not prove that the file was never opened when it has been copied, you can have no case.

Removing Malware

Malware can be removed, but it is difficult and requires forethought and planning before the event.

The removal can work if there are hashes to validate the integrity of files. This is most crucial for libraries and binaries, but data is also important.

The important thing is not to trust the binaries on the system (e.g. even tripwire) as these may be compromised. In the event that there are no hashes, then you have problems. A vanilla install may provide some answers. For instance, most systems have hashes stored for the major binaries someplace. Red Hat, Windows etc. have all been hashed and the hashes recorded.

The same applies for many other applications as well. As soon as you move from the common applications - this poses a greater difficulty.

There is also the REMOTE chance of a common binary or library having a hash collision, but I am yet to see this outside the lab for any common ones.

The issue also comes from the time to determine this. It is usually (not always) quicker to rebuild.
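The hash validation described above, as an added example that is not part of the original post: it compares every file under a suspect system's root against a known-good baseline and reports files that are modified, missing, or not in the baseline at all. It assumes a `sha256sum`-style manifest taken from a clean install, and that the suspect disk is mounted read-only and examined with an interpreter from trusted boot media rather than with the suspect system's own binaries; the function names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <path>') into {path: digest}."""
    known = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        path = path.lstrip("*")            # sha256sum marks binary mode with '*'
        if path.startswith("./"):
            path = path[2:]
        known[path.lstrip("/")] = digest.lower()
    return known


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit(root, known):
    """Compare every file under root with the known-good digests.

    Symlinks are reported but never followed, so a link planted on the
    suspect disk cannot redirect the check to a file outside root.
    """
    report = {"ok": [], "modified": [], "missing": [], "unknown": [], "symlink": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):   # does not descend into linked dirs
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if os.path.islink(full):
                report["symlink"].append(rel)
            elif rel not in known:
                report["unknown"].append(rel)     # not part of the clean install
            elif sha256_file(full) == known[rel]:
                report["ok"].append(rel)
            else:
                report["modified"].append(rel)    # same path, different content
    report["missing"] = [p for p in known if p not in seen]
    return {status: sorted(paths) for status, paths in report.items()}


def demo():
    """Constructed sample: a three-file 'clean install' that is then tampered with."""
    baseline = {"bin/ls": b"ls-v1", "bin/ps": b"ps-v1", "lib/libc.so": b"libc-v1"}
    manifest = "# constructed baseline manifest\n" + "".join(
        f"{hashlib.sha256(data).hexdigest()}  {path}\n"
        for path, data in baseline.items()
    )
    with tempfile.TemporaryDirectory() as root:
        for path, data in baseline.items():
            full = os.path.join(root, path)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        # Simulated compromise: one binary replaced, one library removed,
        # one extra file dropped next to the system binaries.
        with open(os.path.join(root, "bin/ps"), "wb") as fh:
            fh.write(b"ps-replaced")
        os.remove(os.path.join(root, "lib/libc.so"))
        with open(os.path.join(root, "bin/.hidden"), "wb") as fh:
            fh.write(b"extra")
        return audit(root, parse_manifest(manifest))


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:9s} {paths}")
```

Files reported as unknown are where the less common applications mentioned above end up, since no vendor baseline covers them; the time needed to triage that list is part of why a rebuild is usually quicker.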

Wednesday, 23 April 2008

Whitehats Security Conference

A security conference focused on fixing problems and not making them starts in NY and London next year. See the link above for details.

Slirpie (Proxy)

Through the use of selected open proxies (the so-called "anonymous" open proxies), an attacker can conceal their true IP address from the accessed service and host. This is used in access attacks, DoS, and other abuse. Open proxies are therefore often a problem without a solution: the legislative solution fails due to jurisdictional issues in many cases, and in others the site administrators may not know that they are running an open proxy. This can be the result of misconfiguration of proxy software running on the computer, or of infection with malware (viruses, trojans or worms) designed for this purpose. One such proof of concept proxy was slirpie.

This proxy and attack, by Dan Kaminsky, requires 3 components:

  1. The Browser, which has access to internal resources
  2. The Attacker, which wants access to those internal resources
  3. The Proxy, which sends code to the Browser to copy messages from the Attacker

The Proxy, which is software designed by Dan, is called Slirpie.

It is a multiprotocol server, built using POE, which accepts TCP streams for Browser delivery, containing routing data. It also:
  • Accepts HTTP requests for those routable streams
  • Accepts DNS requests to direct routing
  • Accepts XMLSocket requests to determine routing policy
This may be used to subvert controls in Flash. It is designed to allow an attacker that connects to the Proxy to effectively subvert the appropriate resources in the Browser to service the Attacker’s connections.

Tuesday, 22 April 2008


A threat is any circumstance or event with the potential to cause harm to an organization through the disclosure, modification or destruction of information, or by the denial of critical services. Threats may be either non-malicious (like those caused by human error, hardware/software failures, or natural disaster) or malicious (within a range going from protests to irrational in nature). Typical threats include:

Availability Issues - Systems and Hardware Failure - Failure of hardware and software, whether due to design flaws or faults, often results in a denial of service condition and/or security vulnerabilities or compromises through the malfunction of a system component. This group includes:
o Environmental Hazards such as damage from fire, flood, dust, static electricity, or electrical storms;
o Hardware and Equipment Failure - mechanical or electrical failure of the computer, its storage capacity, or its communications devices
o Software Errors - programming bugs to simple typing errors
o Accidents, Errors, and Omissions
o Intentional Acts - fraud, theft, sabotage, and misuse of information by competitors and employees

Confidentiality Issues - Illegitimate Viewing of Information – The screening of confidential information by unauthorized parties may occur. Some examples are: electronic mail sent to the wrong recipient, printer redirections, incorrectly configured access control lists, badly defined group memberships etc.

Perception Issues - Misrepresentation - Attempts to masquerade as a legitimate user to steal services or information, or to initiate transactions that result in financial loss or embarrassment to the organization.

Integrity Issues - Unauthorized deletion or modification of information - Intentional damage to information assets that result in the loss of integrity of the assets.

A threat does not always result in actual harm. A risk is a threat that takes advantage of a vulnerability in a system security control. The system must be visible to the attacker. Visibility is a measure both of the attractiveness of a system to malicious intruders and of the amount of information available about that system.

Some organizations are more visible than others are, and the level of visibility may change regularly or due to extraordinary events. The Australian Stock Exchange is much more visible than the Migratory Bird Management Office, and the Australian Tax Office is particularly visible as Oct 31st nears. Exxon became much more visible after the Valdez disaster, while MFS became much less visible after being acquired by Worldcom (and before they vanished).

Many Internet-based threats are opportunistic in nature. An organization’s level of visibility directly drives the probability that a malicious party will attempt to cause harm by realizing a threat by exploiting a vulnerability.

Monday, 21 April 2008

UCP 500 - successful or not.

Documentary credits or “letters of credit” act as the "crankshaft of modern commerce"[1]. This has not, however, stopped the complications that have occurred. A strict reliance on the correct receipt and processing of precise documents must occur prior to completing any transaction. These instruments are extremely widespread within international trade. The difficulty is that between fifty and sixty-five percent of all documentary credits fall short of the manuscript element upon first presentation.[2]

Documentary credits are of great importance to international and domestic commerce. The documentary credit is essential to the function of the original contract, superimposing a payment system to the original sale contract without changing the contract or becoming a part of it. Although joint in some analogies, the two are austerely autonomous. Lord Diplock articulated the principle behind documentary credits:
The whole commercial purpose for which the system of confirmed irrevocable documentary credits has been developed in international trade is to give to the seller an assured right to be paid before he parts with control of the goods[3].
This paper will address the level of compliance and fundamental issues raised through the English courts that banks require to be fulfilled prior to issuing payment from a documentary credit. The paper shall present a broad backdrop before examining:

  • The pertinent articles within the UCP 500[4];
  • The responsibility played by the common law through the English courts in interpreting the guiding principles contained within the UCP;
  • The existing situation under the current common law as determined by the English courts; and
  • An examination of the current compliance regime.

English courts have clearly defined documentary credits on “strict compliance”[5], the “fraud exception”[6] and the “nullity fallacy”[7]. These are convincingly apparent, as is the prevailing significance of preserving the effectiveness of the international payments system. The current position has been constructed from numerous inconveniences in initially interpreting several rules. The outcome was the publishing of four position documents by the ICC[8] to clarify these concerns[9]. Articles 9, 13, 14, 21, 23, 37 and 48 have been the subject of “more than 58% of all the ICC Opinions”[10].

Documentary credits and the role in financing international trade
The documentary credit system is the most common form of foreign trade finance. However, Professor Ellinger[11] states that documentary letters of credit create the twin issues of providing security and raising credit where sales contracts entailing international shipments introduce significant interruption between the manufacture and delivery of the merchandise. He further states that the sales contract does not present security for either the buyer or seller. The seller loses possession of the merchandise prior to payment, which leaves no remedy in situations where the buyer becomes insolvent and there is a deficient or ineffective retention of title clause[12]. Alternatively, a buyer that pays prior to consignment may have no satisfactory remedy against a defaulting seller. This is particularly the case when the performance of the sales contract provisions are not met or in the occasion of the seller becoming insolvent.
Neither party to the contract may seek to provide funding or credit to cover the potentially substantial interruptions chanced through international shipping.

Irrevocable documentary letters of credit provide the customary resolution to both problems. Banks act as creditworthy third parties that consent to compensate the seller on the presentation of the letter of credit to the issuing bank by the seller when accompanied by each of the applicable shipment documents. This resolution assures the seller that where they are in compliance with the sales contract, the merchandise will have been sited onboard the agreed transport and sent off. The seller meanwhile can be assured that compliance with the delivery provisions, as documented in the sales contract, guarantees[13] compensation will be received for the merchandise.[14]

The participation in this exercise of a corresponding bank, which is typically nominated by the issuing bank to perform as the issuing bank's agent in accepting the documentary credit tendered by the seller together with the supporting shipment documents, is common. When the instruments strictly adhere to the provisos enclosed within the letter of credit, the corresponding bank will provide recompense to the seller. The corresponding bank is then owed repayment from the issuing bank that has to seek payment from the buyer.[15]
Documentary credits generally have contractual terms that are based on the UCP 500. As has been noted, two distinct contracts are formed when the buyer opens credit with the issuing bank. The first contract is formed between the buyer and the issuing bank. The second forms as the seller is given notice of the irrevocable credit[16]. This contract is created by the bank and the seller. The bank is accountable to the seller to reimburse the settled charge for the merchandise as defined in the contract of the buyer and seller. This forms an autonomous contract[17] for the issuing bank to disburse the cost of the merchandise to the seller by or through the corresponding bank upon tendering of the transport papers as defined in the credit instrument.

English law rewards this unconditional responsibility of the bank by allowing reliance on the doctrine of strict compliance[18]. The seller is required to present all the documents specified in the credit exactly. Any non-conformance with this condition permits the bank to decline payment (the provisions of the credit ought to be measured as a whole taking into account current banking practice[19]).

The risk is minimal in cases where the transmitting and the receiving banks are both in reality the same firm, or they are establishments with sacrosanct veracity and credit. The transmitting branch may be relied on to conduct the form of assessment of the instruments stipulated by the UCP under Art.13(a). In effect, the applicant acquires sufficient protection and controls resulting in a transaction with no greater risk than that of documents transmitted devoid of dematerialisation.

The risks that result when these instruments are transmitted electronically diverge if the banks are not directly connected. The bill of lading is particularly problematic as the beneficiary using a different letter of credit, which is then switched, may offer it deceitfully. Certificates are similarly counterfeited using blanked out originals. Electronic transmission assists those committing fraud by making detection more difficult.

The Fundamental Doctrines
The “pillars”[20] supporting the operation of documentary credits consist of the severance from the underlying contract, and the dependence on documents alone. Devoid of these protections, banks remain outside the process due to the risk forced through simple involvement in the matter. Sellers would not be implicated as an infringement of the sale contract would unavoidably distress the payment contract. Buyers would not be implicated, as certainty of the authenticity of delivery would be difficult to prove to their satisfaction. The heart of documentary credits is a consequence of risk distribution. The "rules"[21] of documentary credits give importance to their utility.

The initial pillar is the separation of contracts. The payment contract is distinct from the original contract, other than that the latter produced the reason for the former. A breach of one is not a breach of the other[22]. No cause of action against the buyer will result if the bank does not achieve payment. All parties concerned have access to a remedy for any breach within the contractual structure, but there is no recourse for all breaches to all participants. Lord Diplock explained the separation of contracts in United City Merchants (Investments) Ltd:
It is trite law that there are four autonomous though interconnected contractual relationships involved:
(1) the underlying contract for the sale of goods to which the only parties are the buyer and the seller;
(2) the contract between the buyer and the issuing bank under which the latter agrees to issue the credit and either itself or through a confirming bank to notify the credit to the seller and to make payments to or to the order of the seller ...;
(3) if payment is to be made through a confirming bank, the contract between the issuing bank and the confirming bank authorising and requiring the latter to make such payments and to remit the stipulated documents to the issuing bank when they are received, the issuing bank in turn agreeing to re-imburse the confirming bank for payments made under the credit;
(4) the contract between the confirming bank and the seller under which the confirming bank undertakes to pay the seller

This principle is recognised as the “Doctrine of Autonomy”. The Doctrine of Autonomy is expressed in Gian Singh & Co. Ltd v. Banque de l'Indochine[24] in which the bank supplied compensation under a documentary credit that mandated, inter alia, the deposit of a signed certificate and production of a passport, which in this instance were forgeries. Lord Diplock held that the only question was whether the documents gave the impression of being genuine. As a result, the bank was compelled to make payment, notwithstanding the infringement of the underlying contract.

Similarly, in Australia, Pacific Composites Pty Ltd & Anor v. Transpac Container System Ltd & Ors[25], revolved on documentation offered according to the documentary credit that confirmed that the goods had been refrigerated for shipment. The bank paid under the credit. The goods had not been refrigerated for delivery and were worthless to the buyer. Tamberlin J. held that the bank had rightly paid under the credit,[26] and that the papers signifying the merchandise had been refrigerated were merely false. The buyer won its action against the seller.

The international sale of goods governed by the UCP must obey the rules and all pertinent provisions, whether on letters of credit, bankers' duties and responsibilities or other associated matters. The UCP allows parties the discretion to determine the format of the letter of credit or the particular instruments required for payment. When these matters have been established between a buyer and a seller, the arrangement is binding. The banks will obtain a mandate from the parties which must be observed. Thus, it is the parties to the sale contract who demarcate the extent of functions that the bank may conduct in relation to the inspection of the particular papers. The bank's duty as to the assessment of the documents is required to also conform to the relevant provisions of the UCP. The parties and not the bank specify whether the documents “conform” or are “discrepant” to the applicable provisions of the UCP. Banks consequently assume responsibilities conferred on them by the parties, and those conferred under the UCP, when the transaction is defined within the UCP.

The chief Articles associated with a letter of credit transaction, together with the responsibilities of banks for inspecting the documents include:
12 - incomplete or unclear instructions;
13 - standard for examination of documents;
14 - discrepant documents and notice;
15 - disclaimer on effectiveness of documents;
16 - disclaimer on the transmission of messages;
20 - ambiguity as to the issuers of documents;
21 - unspecified issuers or contents of documents;
34 - insurance documents;
35 - type of insurance cover;
37 - commercial invoices; and
38 - other documents.

Though the documentary credit system formulated by the ICC has been running for over 60 years, disagreement continues as to the standard for assessment of documents and the specificity of directives to banks by buyers and sellers. The English courts have delivered judgment on the obligations of buyers, sellers and banks concerning transactions governed by the UCP. In Glencore International AG and Another v Bank of China[27] the validity or invalidity of the refutation of documents on grounds of discrepancy became a concern and the English courts delivered judgment based on the pertinent provisions of the UCP.

Issues in English Law
Substantial quantities of cases relating to the inconsistency of documents with mention to the various UCP provisions have found their way to the English courts. The complexity in deciding if a document is conforming is occasioned either through the seller's failure to tender the specific documents, or by the buyer's failure to specify particular documents. A dialogue including the buyer and the seller as they negotiate the trade contract that includes the clear-cut details covering the documents required by the buyer and the documents to be submitted by the seller would often alleviate these issues. The relevant bank must adhere to the provisos when the letter of credit is unambiguous as to the nature of stipulated documents.

On the basis of the decisions rendered by the English courts, it is possible to summarise the guidelines as to when documents may be regarded as “discrepant”. The opinion of Viscount Sumner in Equitable Trust Co. of New York v Dawson Partners Ltd (1927) remains valid.[28] The Court of Appeal in J.H. Rayner and Co. Ltd v Hambros Bank Ltd (1943)[29] pointed out the absoluteness of instructions to a bank by a customer. A bank is not required to comply with the trade customs and trade terms of its clients in rejecting documents. McNair J. in Bank Melli Iran v Barclays Bank (Dominion, Colonial & Overseas) (1951)[30] addressed the issue where an accepting bank is required to act stringently in accordance with the mandate of the issuing bank. In Midland Bank Ltd v Seymour (1974)[31] the court held that the language in a letter of credit must be given its reasonable interpretation[32]. The court also noted that all valid documents should contain precise particulars and that such documents must be mutually consistent as a whole. This decision puts the burden on the seller to tender legitimate and accurate documents where the depiction of merchandise is consistent with the consequent letter of credit. In Devlin J. stated inter alia that instructions to banks need be given with reasonable clarity[33]. This places the obligation predominantly on the buyer; or else, a buyer may contribute to constructing discrepant documents.

The credit must be the reference instrument used to determine the conformity with the other documents. The bank should not query the underpinning principle of the terms of the credit; it need simply follow the document to the letter. Devlin J considered the issue where the bill of lading was discrepant when verified against the terms of the letter of credit in Midland Bank:
“If the terms of the credit require that the bill of lading should contain a certain description, the bill must contain that description, and it is not for the bank to ask itself what legal value such a description might have”.[34]

Lord Diplock addressed the impact of an insignificant incongruity in Gian Singh & Co. Ltd v Banque de l'Indochine (1974):
“The relevance of minor variations such as these depends on whether they are sufficiently material to disentitle the issuing bank from saying that in accepting the certificate it did as it was told. Their Lordships would not think it proper to decide issues of this kind without having the benefit of the opinion of the local courts on the significance, if any, which would be attached by those who transact business in Singapore to particular minor variations in the precise words used in their transactions”.

Whether a particular discrepancy is adequately material is to be determined by the bank that confirms the documents. Often documents with inconsequential inconsistencies are received with the permission of issuing banks in legitimate cases.

In The Lena (1981)[35], Parker J in relation to a sight draft said that:
“Whether or not a sight draft or any other document serves a useful purpose is not a matter with which the bank is concerned. Its contract is to pay in accordance with the terms of the credit”.[36]

It remains mandatory for banks to confirm the depiction of merchandise in a letter of credit alongside that in the parallel invoice, although an invoice is not a direction to pay[37]. The Lena confirmed:
If specific items of description are included in the credit they must also be included in the invoice[38].

In determining the level of compliance of documents the “linkage between the documents is not, as such, necessary, provided that each directly or indirectly refers unequivocally to the goods” (Banque de l'Indochine v Rayner).[39]

In Astro Exito Navigacion SA v Chase Manhattan Bank NA[40] the court held, “miniscule difference does not by any stretch of imagination render the documents inconsistent with one another”.[41] The Court of Appeal in the Seaconsar Far East Ltd v Bank Markazi Jomhouri Islami Iran further considered this issue[42]. One of the issues was whether the non-existence of the letter of credit number and the buyer's name was an utterly inconsequential matter. Lloyd LJ. held that where a credit particularly required certain details, they should not be considered as inconsequential for dismissing them as matters of insignificant discrepancy[43], predominantly when there is an express condition that the documents should be related, and the absence in one may be alleviated by reference to another[44].

Under UCP, Article 13(b), the right to decline documents, on inspection, by either an issuing bank or a confirming bank, if any, or by a nominated bank acting on their behalf, is conserved. Article 13(c) bestows banks with the power to disregard documents: “If a Credit contains conditions without stating the document(s) to be presented in compliance therewith”. “Disregard” of documents is distinct from “rejection” on the ground of inconsistency. Refusal to acknowledge documents must occur within seven banking days[45]. Discrepancy may not inevitably relate to the material characteristics of the document. Even the exclusion of the letter of credit number and the buyer's name may not be disregarded as “trivial” for the intention of rejecting documents on the basis of their discrepancy[46].

Glencore[47] appears to have forced an unmitigated requirement on banks to certify that the rejection of documents on the ground of discrepancy does not occur when the added information as to the goods in a commercial invoice is not “detrimental to or in any way inconsistent with the requirement in the Credit”[48]. These omissions do not aid in corroborating the authenticity of documents. If a brand of merchandise falls within its broad generic narrative it would not qualify as a discrepancy in the description of merchandise.

An issue in Glencore[49] was whether the “origin of goods” ought to be treated as part of the description of merchandise. The Court of Appeal held that the brand fell within the broad generic narrative, and that the description of merchandise in the trade invoice did correspond to the description in the Credit. Origin of goods should be included as part of the description when merchandise may be effortlessly identified by their origin.

The Bank of China in Glencore[50] argued that the application of the words “Western” and “Indonesia” created uncertainty. Consequently, the documents were to be regarded as discrepant. However that argument was not upheld by the Court of Appeal, which held that apparent uncertainty was not grounds for causing an “inquiry”. In this manner, the Court of Appeal departed from the decision in Golodetz,[51] and overruled Rix J. (the Seaconsar case) in the Commercial Court who had upheld the refutation of documents by the Bank of China.
The decision of the Court of Appeal in Glencore will incite controversy rather than reconciling doubts as to the grounds that banks may use to justify rejecting documents that appear as discrepant.

The fraud exception at common law
English courts have determined the fraud exception narrowly, requiring knowledge on the part of a beneficiary of the deceit to be practised before the autonomy principle can be breached, and holding that mere nullity of a document will not, of itself, call into question the bank's decision to pay when there is apparent conformity with the requirements of the credit. Judgments in the Court of Appeal and the refusal of leave to appeal by the Appeal Committee of the House of Lords have seriously affected the nullity argument. The English law on this subject is now unambiguous and certain, though debatably not in a complete state.

In Equitable Trust Co. of New York v. Dawson Partners Ltd[52], Viscount Sumner said “If it [the bank] does as it is told, it is safe; if it declines to do anything else, it is safe; if it departs from the conditions laid down, it acts at its own risk.”[53]
In Montrod Ltd v Grundkotter Fleischvertriebs GmbH[54] the facts were that the seller (GK), a German company, contracted to sell 400 metric tonnes of frozen pork sides C.I.F. to Ballaris, a Russian firm. The transaction would be financed using a documentary credit.

When Montrod was informed by its bank that the credit plus enclosed documents had been received and were apparently conformant, it instructed the bank that it had not signed the certificates and that payment should not be completed, as the certificates were evidently a forgery. After seven days, the bank decided that the documents were in conformity on their face and anticipated transacting payment. Montrod applied for an injunction, but the application was dismissed inter partes as there was no evidence of falsification by GK. The bank later paid in harmony with the terms of the credit.

Montrod pursued its action to full trial alleging deceit by GK. It argued that a different ground for non-payment exists in law, namely that of the “nullity exception”.

Montrod proposed that this exception to the autonomy rule could be formulated as follows: if, by the time of full payment, the only reasonable inference is that a document (created by the beneficiary) presented under a credit is not what it appears on its face to be, but is a nullity, then the bank is not obliged to pay. This argument was rejected by the trial judge as unsupported by authority in England and contrary to the express provisions contained in UCP[55].

Potter L.J in the Court of Appeal[56] determinedly refused to do so as urged by Montrod:
“The fraud exception to the autonomy principle recognized by English law has hitherto been restricted to, and it is in my view desirable that it should remain based upon, the fraud or knowledge of fraud on the part of the beneficiary or other party seeking payment under and in accordance with the terms of the letter of credit ... In my view there are sound policy reasons for not extending the law by the creation of a general nullity exception.”[57]

This paper sought to summarise the principles enshrined by the English courts concerning the success of the UCP 500 in the documentary credit system. This has been best exemplified by an almost universal incorporation of the stipulations of the UCP in the majority of international trade finance arrangements. The essential significance of security of payment to the seller of merchandise is the key to the success of the system and the English courts have been quick to understand this stipulation.

The distinct necessity for the production of documents contained within the credit instrument to guarantee payment is the raison d'être for the extensive recognition of this means of trade finance. The intrinsic straightforwardness of the arrangement both guarantees its accomplishments and also contains its greatest weakness, that of deceitful behaviour by the seller, the shipper or another party where inaccurate or forged documents are produced to match with those detailed within the instrument.

The predicament intrinsic to this method is the obligation to create the certainty of payment when the (at times seemingly) appropriate documents are submitted while combating the financial advantage that may be gained through fraud and deception. Although the UCP is now dated and was in effect a banker’s instrument, it helped generate commercial confidence in international trade transactions.

1. Arkins, Jonathan R.C. (2000) “SNOW WHITE V. FROST WHITE: THE NEW COLD WAR IN BANKING LAW” Journal of International Banking Law, J.I.B.L. 2000, 15(2), 30-41
2. Bergami, Roberto (2007) “Will the UCP 600 Provide Solutions to Letter of Credit Transactions?” International Review of Business Research Papers Vol.3 No.2 June 2007, Pp. 41 - 53
3. Bertrams R.I.V.F. (1996). “Bank Guarantees In International Trade: The Law And Practice Of Independent (First Demand) guarantees and standby letters of credit in civil law and common law jurisdictions”. 2nd, rev. ed. Paris: ICC Pub. The Hague: Kluwer Law International.
4. Backus, Dana Converse & Harfield, Henry (1952) “Custom and Letters of Credit: The Dixon, Irmaos Case” Columbia Law Review, Vol. 52, No. 5 (May, 1952), pp. 589-602 doi:10.2307/1118801
5. Buckley, R.P., (1996) “Potential Pitfalls with Letters of Credit", Australian Law Journal, Vol. 70, p. 217
7. Collyer, G (2006), “The Origins of the UCP 600 Revision”, Coastline Solutions, viewed 21st August 2007,
8. Cornford, Andrew (2000) “The Basle Committee’s Proposals for Revised Capital Standards: Rationale, Design and Possible Incidence” UNITED NATIONS CONFERENCE ON TRADE AND DEVELOPMENT, G-24 Discussion Paper Series, No. 3, May 2000
9. Department of Policy and Business Practices (2003), Commission on Banking Technique and Practice: Meeting on 21 and 22 May at Paris, France (Document Number 470/1003), International Chamber of Commerce, Paris, France. 2006, Commission on Banking Technique and Practice: Executive Summary of Meeting on 16 and 17 May at Vienna Austria (Document Number 470/1078), International Chamber of Commerce, Paris, France.
10. Dolan John F (1999-). “The Law of Letters of Credit: Commercial And Standby Credit”. Arlington, VA: A.S. Pratt & Sons Group.
11. Fellinger, G.A.(1990) "Letters of Credit: The Autonomy Principle and the Fraud Exception", J.B.F.L.P. 4.
12. Goode, R (1995) “The Financing of International Trade” in. Commercial Law, 2nd ed., Penguin Books, London.
13. Guest, A.G., Ed. (2002), “Benjamin's Sale of Goods”, 6th Ed., Sweet & Maxwell, London, (2002), p.1624.
14. Hedley (2001). “Bills of Exchange and Bankers’ Documentary Credits”. 4th Ed. London: Lloyd’s of London Press.
15. Howard, T. & Davenport, B. (1996) “English Maritime Law Update 1994/95” 27 J. Mar. L. & Com. 427
16. Jack R, Malek A, Quest D (2001). “Documentary credits: the law and practice of documentary credits including standby credits and demand guarantees”. 3rd ed. London: Butterworths.
17. Klein, CH (2006), “Letter of Credit Law Developments”, Jenner & Block LLP, Chicago, Il, USA.
18. Kreitman, Roger Principal Consultant, Mantissa (1996) “UCP 600: Recent progress” July 2006 available online at, viewed 28th Aug 2007.
19. Mugasha, A (2003), “The law of letter of credit and bank guarantees”, The Federation Press, Sydney, NSW.
20. McKendrick, E. (2000) “Contract Law” Palgrave,4th Ed.
21. Pennington, RR, (1987) “Bank Finance for Companies”, Sweet & Maxwell, London
22. Petkovic. Denis (1994) “UCP 500: EVOLUTION NOT REVOLUTION” Journal of International Banking Law, J.I.B.L. 1994, 9(2), 39-45
23. Rutten, Lamon (UNCTAD), (2004) “A Primer on New Techniques Used By The Sophisticated Financial Fraudster (With Special Reference to Commodity Market Instruments)” UNCTAD/DITC/COM/39 (7th March 2003) UNCTAD secretariat.
24. R.S.T. Chorley, Law of Banking, 6th ed., Sweet & Maxwell, London, 1974
25. Schlesinger, V (2003), “The beleaguered letter of credit”, Journal of Commerce, vol. 4, no. 2, pp. 26-7.
26. Todd, Paul (2003). “Cases and materials on international trade law”. London: Sweet & Maxwell.
27. Todd, Paul, (1998). “Bills of lading and bankers' documentary credits”. 3rd Ed. London: LLP.
Weissman, I (1996), “'Letters of credit - doing business in a global market”, CPA Journal, vol. 66, no. 1, pp. 46-9.
Wright, D., "Sellers Beware: Letters of Credit under UCP 500 come under the Scrutiny of the Court of Appeal”, supplement to [1995] 12 JIBL, at iii.
Aluminium Industrie Vaassen BV v Romalpa Aluminium [1976] 1 W.L.R. 676.
Bank Melli Iran v Barclays Bank (Dominion, Colonial & Overseas) [1951] 2 Lloyd’s Rep 367
Bankers Trust Co. v. State Bank of India [1991] 1 Lloyd's Rep. 587, confirmed on appeal [1991] 2 Lloyd's Rep. 443 at 449
Banco Santander SA v Bayfern Ltd [1999] 2 All E.R. (Comm) 18.
Banque de l'Indochine et de Suez SA v. J.H. Rayner (Mincing Lane) Ltd [1983] 1 QB 711 at 733; 1 Lloyd's Rep. 228 at 233.
Bunga Seroja (The) [1994] 1 Lloyd's Rep 455
Czarnikow-Rionda Sugar Trading Inc v Standard Chartered Bank Ltd [1999] 1 All E.R. (Comm) 890.
Dexters Ltd v Schenker & Co (1923) 14 Lloyd’sR.586
English, Scottish and Australian Bank v Bank of South Africa (1922) 13 Lloyd’s Rep. 21 at 24
Equitable Trust Co. of New York v Dawson Partners Ltd [1927] 27 Lloyd’s Rep. 49
Gian Singh & Co Ltd v Banque de l'Indochine [1974] 2 All E.R. 754
JH Rayner & Co. Ltd v Hambro’s Bank Ltd [1943] KB 37
Kydon Compania Naviera SA v National Westminster Bank Ltd and Others ("The Lena") [1981] 1 Lloyd's Rep. 68.
M. Golodetz & Co. v Czarnikow-Rionda, [1979] 2 Lloyd's Rep.
Malas (Hamazeh) & Sons v British Imex Industries Ltd [1958] 2 Q.B. 127
Midland Bank Ltd v Seymour [1955] 2 Lloyd's Rep 147
Montrod Limited v (1) Grundkotter Fleischvertriebs GmbH (2) Standard Chartered Bank [2002] 3 All E.R. 697
Moralice (London) v E.D. & F. Mann (1954) 2 Lloyd's Rep. 526
Niru Battery Manufacturing Co v Milestone Trading Ltd [2002] 2 All E.R. (Comm) 705
SAFA Ltd v Bank Du Caire [2000] 2 All E.R. (Comm) 567
Seaconsar v Bank Markazi Iran [1993] 1 Lloyd's Rep 236 (the Seaconsar case)
Seaconsar Far East Ltd v Bank Markazi Jomhouri Islami Iran [1994] 1 AC 438
Sirius International Insurance Corp (Publ) v FAI General Insurance Co Ltd [2002] 2 All E.R. (Comm) 745
Solo Industries UK Ltd v Canara Bank [2001] 2 All E.R. (Comm) 217
Soproma v. Marine & Animal By-Products Corp [1966] 1 Lloyd's Rep 367
Sztejn v J. Henry Schroder Banking Corporation 31 N.Y.S. 2d 631 (1941).
TTI Team Telecom Int’l Ltd. v Hutchison 3G UK Ltd., [2003] 1 All E.R. (Comm.) 914 (Q.B.) (Eng.)
United City Merchants (Investments) Ltd and Ors v. Royal Bank of Canada and Ors [1982] 2 All E.R. 720 at 725.
Unreported decision of Tamberlin J., Federal Court of Australia, NSW District Registry in Admiralty, May 11, 1998, NG377 of 1996.
Urquhart, Lindsay & Co v Eastern Bank Ltd [1922] 1 K.B. 318 at 322-323.
Statutes, Regulations, Etc.
The Uniform Customs and Practice for Documentary Credits (1993 Revision), ICC Publication No.500. See

[1] R.S.T. Chorley, (1974), p. 225.
[2] See Buckley R.P. (1996); [1991] 1 Lloyd's Rep. 587, confirmed on appeal [1991] 2 Lloyd's Rep. 443 at 449, & [1983] 1 QB 711 at 733; 1 Lloyd's Rep. 228 at 233.
[3] [1982] 2 All E.R. 720 at 725.
[4] The Uniform Customs and Practice for Documentary Credits (1993 Revision), ICC Publication No.500. [Hereafter UCP 500 or UCP]
[5] Stud. iur. Andreas Karl (2004)
[6] Byrne, 2007; Morris, 1998
[7] TTI Team Telecom Int’l Ltd. v. Hutchison 3G UK Ltd., [2003] 1 All E.R. (Comm.) 914 (Q.B.) (Eng.)
[8] ICC - International Chamber of Commerce
[9] Collyer (2006)
[10] (Department of Policy and Business Practices 2003, p. 2)
[11] Benjamin's Sale of Goods, (2002), p.1624.
[12] Such a contractual term is commonly known as a “Romalpa clause” following the dictum in [1976] 1 W.L.R. 676.
[13] See "The Financing of International Trade" in Goode, R. Commercial Law, 2nd ed., Penguin Books, London, (1995).
[14] A letter of credit is generally to be treated as cash and refusal to pay by a bank generally entitles the beneficiary to claim summary judgment for debt. In the unusual circumstance that the bank is also involved in the underlying transaction and fraud is a possible defence to payment, summary judgment against the bank is inappropriate: [2000] 2 All E.R. (Comm) 567. A similar application of the principle in relation to a performance bond is in [2001] 2 All E.R. (Comm) 217.
[15] This is even the case where the corresponding bank has paid a discounted amount before the maturity date and fraud was later alleged against the beneficiary [1999] 1 All E.R. (Comm) 890. When there is a direct dispute between the issuing bank and the corresponding bank concerning an early discounted payment, the right to indemnity only arises on the maturity date and if a fraud defence to liability would be available at that date, the decision to make early discounted payment shifted the risk of early payment to the paying bank: [1999] 2 All E.R. (Comm) 18.
[16] Per [1922] 1 K.B. 318 at 322-323. See also Arts 3 and 6, UCP 500.
[17] There is a theoretical problem with the existence of the autonomous payment obligation, namely that no consideration moves from the seller to the bank when he receives the documentary credit. Two explanations have been offered. The first is that consideration is present and does move from the seller because, until he receives notification of the documentary credit, he is under no obligation to ship the goods, as provision of the credit was a requirement of the sales contract, per Greer J. in (1923) 14 Ll.L.R.586. The second explanation is based on mercantile usage and expediency per Jenkins L.J. in [1958] 2 Q.B. 127 at 129. Whereas both views confirm the existence of the autonomous obligation, neither is particularly convincing from a theoretical point of view as regards the English law of contract. This outcome however is a good example of how civilian-based commercial law, the Lex Mercatoria, trumps one of the doctrines of common law in order to align English law with ubiquitous international commercial usage.
[18] The rule is clearly stated in (1922) 13 Ll.L.R 21 at 24 per Bailhache J. where he opined: “It is elementary to say that a person who ships in reliance on a letter of credit must do so in exact compliance with its terms. It is also elementary to say that a bank is not bound or indeed entitled to honour drafts presented to it under a letter of credit unless those drafts with the accompanying documents are in strict accordance with the credit as opened.” However, where a party expressly agreed not to draw down payment unless certain conditions were met, that agreement could be enforced, so displacing the autonomy principle in this special case: [2002] 2 All E.R. (Comm) 745.
[19] See Art.13(a), UCP 500.
[20] Cornford, A (2000), (supervisory review and market discipline can at times also act as a third “pillar”)
[21] Ibid
[22] Fellinger G.A.
[23] [1982] 2 All E.R. at 725
[24] [1974] 2 All E.R. 754.
[25] Unreported decision of Tamberlin J., Federal Court of Australia, NSW District Registry in Admiralty, May 11, 1998, NG377 of 1996.
[26] ibid., at p. 6.
[27] [1996] Lloyd's Rep. 135. (Refusal of documents particularly related to allegedly linked documents)
[28] [1927] 27 Ll.L.Rep. 49 at 52.
[29] [1943] KB 37
[30] [1951] 2 Lloyd's Rep. 367.
[31] [1955] 2 Lloyd's Rep 147
[32] [1955] 2 Lloyd's Rep. 147 at 148.
[33] [1955] 2 Lloyd's Rep. 147 at 148. See also [1979] 2 Lloyd's Rep. 450 at 456, per Donaldson J., at 511.
[34] [1955] 2 Lloyd's Rep. 147 at 148.
[35] [1981] 1 Lloyd's Rep. 68
[36] See further [1981] 1 Lloyd's Rep. 68. At 75.
[37] See further [1981] 1 Lloyd's Rep. 68. At 75.
[38] See further [1981] 1 Lloyd's Rep. 68. At 76.
[39] [1983] 1 Lloyd's Rep. 228. at 233, per Donaldson, MR.
[40] The Messiniaki Tolmi
[41] [1986] 1 Lloyd's Rep. 455 at 461, per Leggatt J; see also (1954) 2 Lloyd's Rep. 526, per McNair J.
[42] [1993] 1 Lloyd's Rep. 236.
[43] See further [1991] 2 Lloyd's Rep. 443.
[44] See further the Seaconsar case, [1993] 1 Lloyd's Rep. 236. at 240.
[45] Article 13(b)
[46] Ibid., at 236.
[47] [1996] Lloyd's Rep. at 136
[48] Ibid., at 136
[49] Ibid.
[50] Ibid.
[51] See also Wright, D. at iii.
[52] (1926) 27 Ll.L.R. 49
[53] As reported in Backus, Dana Converse & Harfield, Henry (1955)
[54] [2002] 3 All E.R. 697.
[55] Ibid.
[56] [2002] 3 All E.R. 697 at 709. A bank made a payment pursuant to a documentary credit. The credit called for the presentation of certificates of inspection that needed to be signed by the applicant of the documentary credit. The certificates, when presented to the bank, on their face complied with the terms of the letter of credit, however, they were signed without the authority of the company required to sign. The signer did not know he lacked authority. It was found that they were not fraudulent and that there was neither recklessness, haste, nor blame in the conduct of the signer. The documents were not a “nullity”.
[57] ibid. at 712.