Luno Malaysia Sdn Bhd v Yew See Tak: A Legal Analysis of Duty of Care in Cryptocurrency Transactions

April 27, 2025
Raja Nadhil Aqran
Vishnu Vijandran

Introduction

The case of Luno Malaysia Sdn Bhd v Yew See Tak [2024] MLJU 2703 presents a significant legal development in Malaysia's cryptocurrency sector. It deals with the question of whether a digital asset exchange operator (Luno) owed a duty of care to a user (Yew See Tak) whose account was compromised, resulting in financial loss. The Sessions Court initially ruled in favour of the plaintiff (Yew), but the High Court overturned the decision, stating that Luno was not responsible for the loss under negligence principles.

This case raises important issues regarding the legal obligations of cryptocurrency platforms, the scope of their duty of care, and the implications for users engaging in digital asset trading.

Background of the Case

The dispute arose when the plaintiff, Yew See Tak, a registered user of Luno Malaysia, discovered that unauthorised transactions had taken place in his Luno account. On 6 March 2021, Yew's account was used to purchase 2.730096 Bitcoin (worth RM566,570.70 at the time), which, along with an existing balance of 0.15106083 Bitcoin, was subsequently transferred out to an unknown cryptocurrency wallet. Yew contended that he had no knowledge of these transactions and had not authorised any of them. He reported the issue to Luno on the same day.

Luno responded on 8 March 2021, locking the account for security purposes. However, by that time, the transactions had already been completed. Yew subsequently sued Luno, alleging that the platform failed to exercise reasonable care in protecting his assets.

Arguments by Both Parties

Plaintiff’s Argument (Yew See Tak)

Yew claimed that Luno owed him a duty of care as a customer and a fiduciary duty in safeguarding the cryptocurrency held within his account. He alleged that:

  1. Luno’s response to his complaint was not prompt, which contributed to his losses.
  2. Luno failed to call key witnesses during the Sessions Court trial who could have provided insight into how it handled such security incidents.
  3. Given that Luno was the only Recognized Market Operator (RMO) for cryptocurrency trade in Malaysia, it should be held to a higher duty of care in protecting users.
  4. The nature of the transactions (large amounts transferred within a short period) should have raised security concerns and prompted Luno to act earlier.

Based on these arguments, Yew sought special damages of RM597,920.05 and RM100,000 in exemplary damages for Luno’s alleged negligence.

Defendant’s Argument (Luno Malaysia Sdn Bhd)

Luno denied liability, contending that:

  1. The security of Yew’s Luno account was solely his responsibility. Luno maintained that all transactions were authorised using the correct security credentials, including two-factor authentication (2FA).
  2. The plaintiff’s own email and mobile phone security had been compromised, which allowed an unknown third party to gain access to his Luno account.
  3. Luno had no control over the plaintiff’s cryptocurrency holdings since the transactions were performed using his verified credentials.
  4. As an RMO, Luno’s primary responsibility was to ensure transactions were correctly authorised, not to monitor or intervene in user activities beyond its security protocols.

Luno argued that it did not owe a higher duty of care merely because it was licensed by the Securities Commission, and that the Sessions Court erred in imposing an excessive standard of care on the platform.

Decisions by the Sessions Court and the High Court

Sessions Court Decision

The Sessions Court ruled in favour of Yew, holding that:

  1. Luno owed a duty of care to its users to protect their assets.
  2. Luno’s response was delayed, and its failure to intervene promptly contributed to the loss.
  3. The fact that Luno was the only RMO for cryptocurrency in Malaysia at the time justified imposing a higher duty of care on the company.

Based on these findings, the Sessions Court awarded the plaintiff RM597,920.05 in special damages and RM100,000 in exemplary damages.

High Court Decision

On appeal, the High Court overturned the Sessions Court’s decision, ruling that:

  1. Luno did not breach any duty of care as it had followed standard security procedures.
  2. The cause of the loss was the plaintiff’s own failure to secure his email and mobile phone, which were necessary for accessing his Luno account.
  3. Imposing a higher standard of care on Luno solely because it was an RMO and/or the only RMO operating was unreasonable and legally unjustified.
  4. Luno’s Terms of Use explicitly stated that users are responsible for maintaining the security of their own accounts.

As a result, the High Court set aside the Sessions Court’s judgment and allowed Luno’s appeal with costs.

Key Legal Issues and Analysis

Duty of Care and Negligence

A core issue in this case was whether Luno owed a duty of care to its users beyond the standard security measures it had in place. Under negligence principles, a duty of care arises when:

  • Harm is reasonably foreseeable due to the defendant’s actions.
  • There is a relationship of proximity between the parties.
  • It is fair, just, and reasonable to impose such a duty.

The High Court applied the test in Tenaga Nasional Malaysia v Batu Kemas Industri Sdn Bhd [2018] 5 MLJ 561, concluding that Luno did not owe a heightened duty of care as suggested by the Sessions Court. Instead, Luno’s obligations were limited to ensuring that transactions followed its pre-established security protocols.

Security Responsibilities and User Negligence

A major turning point in the case was the plaintiff’s admission that:

  • His email account had been compromised, allowing unauthorised access to multiple trading platforms, not just Luno.
  • His mobile phone was not adequately secured, which facilitated the completion of the disputed transactions.
  • Luno had no control over the plaintiff’s email and personal security settings.

These admissions reinforced the High Court’s finding that the plaintiff’s own negligence was the primary cause of the loss, rather than any failure on Luno’s part.

Fiduciary Duty and Recognised Market Operators (RMO)

The Sessions Court had initially found that Luno owed a fiduciary duty to its users, given its status as an RMO under the Securities Commission. However, the High Court rejected this, ruling that:

  • Luno’s role was akin to a digital trading platform, not a trustee holding assets on behalf of users.
  • The Terms of Use explicitly stated that Luno was not responsible for account security beyond its platform safeguards.
  • Imposing a fiduciary duty would place an unreasonable burden on cryptocurrency platforms, affecting the broader fintech industry.

This ruling sets an important precedent by clarifying the regulatory expectations for RMOs in Malaysia’s digital asset space.

Implications and Future Considerations

The decision in Luno Malaysia Sdn Bhd v Yew See Tak has significant implications for both cryptocurrency exchanges and users in Malaysia. It reinforces the principle that:

  • Users bear the responsibility for securing their own accounts.
  • Cryptocurrency exchanges are not liable for losses resulting from a user’s compromised security credentials.
  • The mere fact that an exchange is an RMO does not automatically impose a heightened duty of care.

However, it remains to be seen whether this ruling will stand. The plaintiff may choose to appeal to the Court of Appeal, which could reconsider the scope of duty owed by cryptocurrency exchanges. If an appeal is filed, it may result in further legal clarification on the responsibilities of digital asset platforms and user security obligations in Malaysia.

This article is written by Raja Nadhil Aqran (Partner) and Vishnu Vijandran (Partner). It only contains general information. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such.