There exists a number of seemingly inconsistent decisions and judgments issued by courts and sports tribunals on the topic of erroneous bank transfers as a result of hacked invoices for football transfer fees delivered through hacked email addresses. The buyer is presumed to have the burden of making correct payment and consequently is found to be in breach of its obligation to the selling club for failure to pay to the seller’s bank account. The argument presented here, which is consistent with the spirit of relevant statutes, institutional rules, and the limited case law, is that there is a clear due diligence standard demanded from seller and buyer in player transfer agreements. Both must ensure, on the basis of a best-efforts approach, that their IT systems are not susceptible to external interference, and if they have any suspicion that they have indeed been interfered with, they must alert the other party immediately. The buyer, in particular, must use alternative (personal) channels of communication with the seller where the latter alters its banking details as those are registered in FIFA’s Transfer Matching System (TMS). Where the buyer takes all appropriate due diligence measures and the seller fails to respond on time or is otherwise negligent in its IT controls, the buyer’s liability for erroneous payments is partial, if at all, since the seller is deemed to have contributed to the buyer’s breach of contract.

I. Introduction

Transfer fees in sports contracts are largely standardized.1 Domestic laws generally follow contractual freedom and non-formality requirements,2 notwithstanding the fact that sport governing bodies (SGBs) (i.e. the international federation of each sport, which is responsible for administering rules and regulations to national sport federations and their clubs) demand that all stakeholders conform to certain safeguards and processes they have instituted for the orderly maintenance of transfers, as well as to ensure transparency as far as possible.3 There is still some doubt, however, whether the formalities required by SGBs substitute the non-formality assumption in the drafting of contracts and whether they in fact give rise to a consent-based formality. By way of illustration, the Fédération Internationale de Football Association (FIFA), the SGB for global football, has instituted a Transfer Matching System (TMS).4 TMS consists of an online platform where all transfers must be registered and details of bank accounts (for transfer purposes)5 and sums of transfer fees paid need to be disclosed.6 The TMS is interrelated with FIFA’s Clearing House,7 which renders relevant processes transparent and legitimate.

The TMS plays an important administrative role and is linked to the parties’ transfer agreement. However, there is no suggestion to the effect that if the transaction fails to use the details incorporated in the TMS, then there is no valid contract or the contract is otherwise unenforceable. Rather, in the opinion of the author, the TMS serves as an aid to transfer agreements because it contains the parties’ financial and banking information; hence, using that information to make a transfer absolves the buyer from any liability for non-payment and facilitates safe payments where the communication channels of the transferring clubs are or could be compromised by hackers. In such cases, the club making payment (obligor) may be in receipt of erroneous information about the bank account of its counterpart and be asked to make a bank transfer to the account of hackers, who typically operate as criminal organizations.8 In circumstances of this nature, even if it is assumed that both clubs are acting without malice and in good faith, it is open to question whether the debtor (i.e. the transferor, obligor) has discharged its obligation under the contract by making payment to the erroneous account, or whether its obligation has yet to be discharged. In addition, one is confronted with the issue of due diligence,9 especially as to whether both parties exhibited sufficient diligence in the discharge of their contractual obligations. This also includes their computer software and information technology (IT) systems that would deny any form of contributory negligence. And if said due diligence is found to be insufficient, one is naturally confronted with the question of how to quantify the negligence that has resulted in the debtor’s failure to discharge its obligations under the contract.10 The outcome is significant for the obligor.
In accordance with Article 64 of FIFA’s Disciplinary Code (FDC),11 a regulation adopted internally by FIFA which contractually binds its national association members and their clubs, failure to pay a sum of money in whole or in part incurs a fine and sanctions for the club (e.g. relegation, prohibition of transfers). Failure to pay also incurs an enforceable binding award by the Court of Arbitration for Sport (CAS), an arbitral institution set up to administer sports disputes and whose jurisdiction is linked to the majority of SGBs through specific mention in internal instruments,12 or the FIFA Tribunal, which operates as a first instance arbitral tribunal. Any appeals against such awards are heard by the appeals chamber of CAS. A club that has been tricked to pay into an erroneous account has not discharged its contractual obligation to the obligee and must do so in addition to possible sanctions. The key argument underlying this article is that where the seller is negligent in protecting its IT systems from hackers, which, in turn, allows the hackers to fraudulently communicate with the buying club, the payment of transfer fees to fraudulent accounts by the buyer should serve to reduce its liability against the selling club.

The article examines the relevant practice before the CAS, as well as the law and practice under Swiss law, given that Swiss law is complementary to the CAS Code13 and FIFA Statutes14 and that the issues in question are of a substantive nature, which the CAS Code does not address. The issues under consideration are not set in stone and leave significant latitude to courts and arbitral tribunals to make their own assessments. As a result, judgments and awards vary in the way that judges and arbitrators approached similar hacking cases and assessed the parties’ due diligence performance and contractual behavior. It is presumed that the parties to transfer agreements do not typically foresee such eventualities arising and are content to rely on the general provisions of civil codes, which are not elaborate on contract-based contributory negligence. It is unsurprising, therefore, that tribunals entertaining such disputes rely on a handful of past awards/judgments and a good deal of their own discretion. 

The article is organized as follows. Section 2 explores FIFA’s data protection and confidentiality institutional rules, as well as the part of European Union (EU) law that applies to it. Section 3 examines the due diligence requirements demanded in law and practice from clubs in the transfer of funds from one bank to another. Section 4 analyzes whether and to what extent hacked invoices with details of fraudulent accounts may give rise to contributory negligence on the part of a selling club (obligee). Section 5 looks at FIFA’s TMS mechanism with the view that while all data relating to transfers must be input therein, the parties to a transfer agreement are not precluded from agreeing on an alternative bank account. Section 6 delves into the practice of non-waiver of formalities in respect of any amendments to transfer agreements, which renders contributory negligence, in theory at least, less likely.

II. FIFA’s Data Protection and Confidentiality Rules

FIFA has set out a number of institutional rules that help ensure sufficient data protection, which, in turn, are meant to prevent the calamities of third-party intervention in the IT systems of clubs. Data15 protection has to be read in conjunction with confidentiality requirements, because organized criminal groups prey on leaked, available, or hacked details of agreements and the parties’ financial details in order to make their emails more believable. More specifically, Annex 3 on General Obligations of Clubs and Associations16 requires clubs and associations to act in good faith17 and maintain confidentiality over all data in TMS. In particular, it is mandated that clubs and associations must always “apply the highest degree of care to guarantee complete confidentiality and only use confidential data for the purpose of completing player transfers in which they are directly involved.”18 Failure to apply the highest degree of care to safeguard the security and confidentiality is a clear breach of this duty. While it may be argued that the breach was unintentional, the negligent disclosure resulted in material harm.19

Annex 3 further specifies that only authorized individuals20 that are trained as TMS users are allowed to access the system.21 There is little doubt that the training and access control requirements set out by FIFA are chiefly intended to avoid misuse of the TMS system by third parties wishing to unlawfully infiltrate it, as well as to allow the handling of data in accordance with the proper confidentiality protocols.22 Moreover, Article 8.1 of FIFA Data Protection Regulations23 emphasizes that every entity is responsible for implementing technical and organizational measures to ensure compliance with FIFA Data Protection Policy and Data Policy and applicable local laws,24 including general principles of EU law.25 These responsibilities include:

  1. Training subordinates to comply with data protection obligations.
  2. Documenting the nature, purpose, and grounds of all personal data processing activities.
  3. Establishing technical and organizational safeguards to meet regulatory requirements.

Going one step further, Article 8.2 of the FIFA Data Protection Regulation specifically requires that ‘Every entity shall implement internal guidelines to identify a Process Owner for every Processing of Personal Data.’26 This ensures accountability and clarity in data management.27

In the EU context, the protection of the individual right associated with unlawful data retention or other forms of privacy-related interference is predicated in general human rights instruments and data-related provisions in recent human rights treaties, such as Article 8 of the EU Charter of Fundamental Rights,28 the highest ranking human rights instrument/treaty within the EU with direct effect upon EU citizens. The right is also protected by data-specific instruments which confer individual rights,29 although their primary purpose is not human rights-related. One such example is the General Data Protection Regulation (GDPR),30 the key EU instrument for the protection, storage, and use of data. In order to further induce and ensure trust among users, Article 8.2 of the FIFA Data Protection Regulation was specifically drafted. FIFA’s Data Protection Regulation further stipulates that:

“All Personal Data must be safeguarded against the risk of loss of confidentiality, integrity and availability. The Entity shall implement all necessary state-of-the-art and commercially reasonable organisational and technical measures. The Entity shall implement and enforce internal guidelines with respect to information security.”31  

This suggests that it is not only FIFA that is responsible for the integrity of personal data through its own internal mechanisms but also all those stakeholders to the TMS systems, chiefly clubs. Clubs should therefore ensure that their IT systems are maintained and safeguarded to the greatest possible degree so that personal data in TMS remains secure. Breach of FIFA’s Data Protection Regulation would hence serve as evidence of contribution (by the obligee) to the contractual breach of non-payment by the obligor, where the latter relied on hacked emails belonging to the obligee.32

III. Football-Related Due Diligence Bank Transfer Requirements

The starting point for this discussion is the freedom of parties to a civil contract to define in full the scope of their agreement, subject only to a) possible legality requirements and b) any mandatory statutory or common law rules that supersede party autonomy. Given the nature of transfer agreements as contracts, the parties are free to regulate the precise limits of the liability of both seller and buyer. In practice, the parties to all contracts, including football transfer agreements, do not specifically address contributory negligence but only that obligations be performed; it is also common to stipulate liquidated damages in advance to avoid the assessment of damages by the courts. This suggests that in the context of football transfers, the parties typically rely on the general statutory rule whereby the seller is liable for delivering the good (in the case at hand making the player available for the transfer and delivery of title), whereas the buyer is responsible for prompt payment.33  

The relevance of due diligence in the present context is pertinent to the attendant obligations underlying the payment of the transfer fee. Namely, the obligee should ensure that its IT systems are sufficiently protected from third party intervention and the obligor should take all possible measures to ensure that payment is made to the obligee’s bank account.34 The two competing obligations do not fully allow the general statutory rule to operate; the obligor is liable for discharging payment. Nor is the general injunction in Article 74(2) of the Swiss Code of Obligations (SCO), which contains the contracts law section of the Swiss Federal Civil Code, always helpful in sports transfers. This provision posits that pecuniary debts must be paid at the place where the creditor is resident at the time of performance. Even so, there is no institutional or other rule that forbids clubs from retaining accounts in jurisdictions other than the country wherein the club is incorporated. Hence, a literal application of Article 74(2) of the SCO might well play into the hands of organized crime. Key in this respect is Article 99 of the SCO, according to which parties to a contract are obliged to act with due diligence when complying with their financial obligations.35

The CAS has made it clear in its interpretation of Article 152(1) of the SCO that the parties to a contract are saddled with positive duties that require them to take any action that safeguards the prospect of fulfilling their mutual obligations.36 In the case at hand (correct transfer payment), in order for a condition to be fulfilled, it is necessary that the parties do not act in bad faith37 “in a gross manner.”38 Article 2(1) of the SCO emphasizes that “every person must act in good faith in the exercise of his or her rights and in the performance of his or her obligations.”39 This principle is reiterated in all civil law jurisdictions. Acting in bad faith, even if one fulfils all their own obligations, amounts to a breach of contract.40 As regards specific instances of hacked emails sent by organized crime groups, the Swiss Federal Supreme Court (SFSC), which is important in this discussion because arbitral awards issued by CAS may be set aside by the SFSC under narrow procedural grounds,41 has emphasized that the obligor must carry out additional checks when there are serious indications of forgery, when a request in an email exchange does not relate to a transaction provided for in the contract, and when particular circumstances raise doubts.42 As regards the due diligence obligations of the obligee’s safeguarding of its own IT systems, in the context of an otherwise clear-cut case, the SFSC argued that:

[I]t has not been established in this case that the applicant had insufficiently protected his e-mail account; it is not known how the hackers managed to gain control of it and, consequently, what measures would have prevented this takeover. The defendant's argument is based on mere conjecture (insufficiently complex password, access via unprotected computers, etc.), which presupposes that if third parties were able to gain control of the applicant's e-mail account, this is due to the fact that the applicant did not take the security measures that could be expected of him. However, this assumption is erroneous: it is indeed well-known that in recent years, many government services and private companies - which took reasonable precautions to protect themselves - have been the subject of cyberattacks, sometimes successfully, by malicious third parties. Therefore, one cannot presume without further examination that a takeover like the one suffered by the applicant implies a lack of diligence on its part.43

Based on the paragraph above, it does not stand to reason that all instances of IT breaches exonerate the obligee from its contractual duties towards the obligor. If this were the case, there would be no standard of due diligence for obligors in this respect. Rather, where the obligee is responsible for any breach of its IT systems that is preventable by ordinary industry standards, as well as any negligent use of such systems by its agents and employees, such a standard is certainly quantifiable and subject to scrutiny by the courts, whether independently or through the provision of expert evidence.44

In Gil Vicente Futebol v. FK Rad, a CAS tribunal was faced with a transfer agreement that was meant to be paid through several invoices which contained the details of the bank account. The agreement and payment details had been uploaded on TMS. At some point an email with the first invoice was received. Yet, 2.5 hours later a second email was sent which asked the obligor to hold payment because the obligee’s IBAN (International Bank Account Number), a globally standardized format for an individual bank account number in order to facilitate payments, had been “taken down” by the bank, so a new bank account would be sent through a second invoice.45 Subsequently, the second email contained a new bank account in a different bank and country. The bank details in the second invoice did not correspond with those held in the TMS.46 Moreover, although the invoices were sent on different dates, the dates on the body of the invoices were the same.47 Finally, the layout, format and fonts of the invoices were significantly different from each other. All these factors taken together should have raised suspicion, even though the emails were coming from what seemed to be the obligee’s email account.48 The CAS tribunal thus came to the conclusion that:

All these factors together raise suspicions by a reasonable third person on the correctness of the second [hacked] invoice. The obligation to act diligently therefore requires from the performing party, namely the appellant, to verify the correctness of the second invoice. By not doing so, the appellant breached its obligation of due diligence and is liable thereof according to Article 99 SCO. As the payment of the first instalment was not credited to the respondent’s bank account to the appellant’s breach, the latter did not discharge its contractual obligation regarding the payment of the first instalment.49

This operative paragraph introduces a reasonable standard combining good faith and due diligence to make a sound assessment of the parties’ liability for breach of contract. In addition to the SFSC, FIFA’s Disciplinary Committee and CAS have assessed a handful of cases where third parties made fraudulent use of club emails in order to defraud the obligor to make transfers to their accounts rather than the accounts of the obligee. The reasonable standard of care was highlighted in a recent case before FIFA’s Players’ Status Tribunal. The case was Associacao Chapecoense de Futebol, Brazil v Malmö FF, Sweden.50 Swedish club Malmö had agreed to the purchase of a footballer from the Brazilian club, and the transfer agreement envisaged two installments for payment. At some point, the Swedish club received an email from the legitimate account of Chapecoense de Futebol (which turned out to have been hacked). The fraudulent email suggested that because of an earlier transaction with a Russian club, the Brazilian authorities were putting constraints on the club’s Brazilian bank account, which was referred to in both the transfer agreement as well as TMS.51 As a result, the email requested that transfer be made to a bank account in Slovakia.52 Even though the obligor maintained that no red flags were apparent,53 the FIFA Tribunal was unconvinced. It held that:

[F]ollowing the amended payment instruction the Respondent received, it did not seem to have undertaken any other verification steps with the Claimant to double-check the payment details before remitting the amount, especially since the banking details had changed to an account located in Slovakia... 54 the Respondent had to notice that the bank account to which it paid the amounts was an account in Slovakia, while the Claimant was a club based in Brazil, moreover due to the fact that transfer agreement already established the payment details for purposes of payment of the transfer compensation…. once given a new bank account, especially located in Slovakia, the Respondent had to, at least, further clarify this issue before executing any payments.55

Tribunal’s determination, especially because the directors of both clubs maintained open communication through their WhatsApp numbers and hence verification in the change of bank account was a mere message away. It was thus highlighted that:

[I]t is for clubs to be diligent when making payments, which means, for instance, checking information accurately and reviewing relevant data, such as the bank details included in TMS, as well as taking the necessary precautionary steps to question the Claimant via any other communication channels.56

Due diligence is clearly a big part of the verification process, and the decision suggests that where such verifications take place and no more red flags are raised, the obligor’s liability for breach of contract is diminished significantly.

IV. Hacked Emails with Bank Details Culminating in Contributory Negligence

In contract law, contributory negligence, or more precisely contributory fault, refers to a situation where a party’s own actions or omissions contributed to the damages they suffered as a result of a breach of contract by another party.57 This can lead to a reduction in the damages awarded to the injured party, reflecting their own contribution to the loss. The court or arbitral tribunal will determine the extent to which each party is at fault and apportion the damages accordingly. Contributory fault can be, and usually is, raised as a defense by the party accused of breaching the contract.58 In the civil law tradition, it is usually inscribed in the civil code, or otherwise implied as a general principle of contract law, whereas in certain common law jurisdictions it has developed both in case law59 and statute.60 In Switzerland, the general rule is provided in Article 97(1) of the SCO, which reads:

An obligor who fails to discharge an obligation at all or as required must make amends for the resulting damage unless he can prove that he was not at fault.61

The key phrase here is “unless he can prove that he was not at fault.” A person that is not at fault or only partly at fault cannot contribute to the harm arising from a contractual breach, or at least contributes only partially to it. The same language is used in Article 99(1) of the SCO. Paragraph 2 of Article 99 of the SCO provides an excellent snapshot of a particular intricacy associated with erroneous payments arising from hacked emails, namely the lack of intent to profit. It reads as follows:

The scope of such liability is determined by the particular nature of the transaction and in particular is judged more leniently where the obligor does not stand to gain from the transaction.62

In all the football cases analyzed in this article, or which have come before CAS or FIFA tribunals, it has never been intimated that the buying club was acting in concert with the hackers or that it was somehow involved in a conspiracy to avoid payment and thus cause intentional harm to the selling club. As a result, the obligors in all these cases did not stand to gain from the erroneous payment. In fact, they risked paying the same transfer fee twice, in addition to possible penalties, interest, and legal fees.

In Shenzhen FC, the sole arbitrator was confronted with a claim for damages arising from the non-payment of the solidarity contribution owed by the purchasing club (obligor).63 The decision of the sole arbitrator, which was in favor of contributory negligence, was appealed to a Disciplinary Committee. The obligee did not dispute that its IT systems had been infiltrated and that fraudulent emails representing the club had been dispatched from its email accounts.64 However, the obligee emphasized that it had tried in vain to inform the obligor after realizing that payment had not been made to its registered TMS account.65 Even so, there was a string of fraudulent emails sent from the obligee’s email accounts, and the obligee contacted FIFA and the police a good four months after the erroneous bank transfer had been made. The question that naturally arose for the panel was whether the obligee had met the industry standard of due diligence in order to avoid the attribution of contributory negligence to the obligor’s breach. The Disciplinary Committee sided with the award of the sole arbitrator. It held that:

it follows from Swiss law that, in cases of wrong payments, a debtor is not to be discharged from its payment obligations unless it can be seen that the debtor paid to the wrong person as a result of the contributory negligence of the creditor party – the former having likewise been stipulated by the Court of Arbitration for Sport (CAS) in its Award regarding a very similar issue, CAS 2020/A/6784. In this respect, the Single Judge emphasized that pursuant to art. 41 of the Swiss Code of Obligations (SCO), read in conjunction with art. 99(3) SCO, the party which had caused the damage to the other party, whether willfully or by negligence, shall be the party to compensate it. This being said, at the same time, the Single Judge also underlined that pursuant to art. 44 SCO (free English translation) “[w]here the person suffering damage consented to the harmful act or circumstances attributable to him helped give rise to or compound the damage or otherwise exacerbated the position of the party liable for it, the court may reduce the compensation due or even dispense with it entirely.”66

This passage confirms the author’s earlier assumption that contributory negligence by the obligee is indeed a reality in football-related bank transfers and the relevant test is based on whether the obligee “caused damage [i.e. breach of contract] to the [obligor], whether wilfully or by negligence.” Consequently, if the actions of the obligee can be quantified in such a manner as to have wholly caused the obligor to make the erroneous payment, the latter shall be compensated in full. If the contributory negligence only partially caused the erroneous payment, the level of fault of each party shall be freely determined by the court or tribunal. The Disciplinary Committee, while noting the judgment of the SFSC in Case 4A_386/2016 to which we have already made extensive reference,67 affirmed that it is not the obligee’s unintentional hacking by third parties that constitutes the act of negligence (at least in the case at hand) but rather its failure to notice the “fake” correspondences sent to the obligor. In particular, the obligee’s failure to notice the fraudulent communications and replies to such communications, despite such communications having been made from its own email addresses, accounted for negligence.68 As a result, the obligor was found to have acted in good faith when it made payment to an erroneous bank account.69

Contributory negligence in the event an obligee’s IT systems are hacked raises the question of abuse of right. It would be absurd for the obligee to demand payment of the contractual fee from the obligor on the ground of breach of contract simply because of the assumption that the obligor must pay at the place of residence of the obligee and because the burden to discharge payment is on the obligor. Article 2(2) of the SCO stipulates that the manifest abuse of a right is not protected by law. In following long-standing civil law tradition, this suggests that where a contracting party knowingly acts contrary to a formal requirement, it cannot later invoke the reserved form. In this case, its conduct is an abuse of rights and therefore does not deserve protection. In the cases at hand, the correlation is clear. If a party failed to realize its IT system was being hacked and did not immediately alert the authorities or the other party when under ordinary standards it had the capacity or the presumed availability to do so, then it cannot rely on the obligor’s erroneous payment as being a breach of contract. In most cases of hacked emails and subsequent erroneous payments, assuming both sides are not acting under criminal pretences, the obligor would have sent some kind of communication to the obligee confirming payment. It is assumed that professional football clubs operate beyond normal working hours, and bank transfers constitute a seminal part of their existence. Hence, in the opinion of this author, a 24-hour window to assess receipt of funds is sufficient. This provides a sufficient time frame to notify the obligor so that it can cancel the transaction with its own bank and retrieve its funds. Failure to do so contributes to the erroneous payment of the obligor.

V. Is the TMS Definitive Proof of the Parties’ Bank Details?

The TMS is an online platform to which all FIFA national football associations and clubs under their aegis are registered members. Details of the associations and their clubs, including bank details, are registered on TMS, and the system’s purpose is to manage the international transfer of football players. While registration and input of details on TMS is mandatory for national associations and clubs,70 it is not clear if clubs may circumvent TMS by contract while retaining the same degree of transparency required under TMS. Besides entering each club’s details, where a player has been transferred, details of the contract and payment must also be entered on TMS by the buying and the selling club. This is the basis for the issuance of the International Transfer Certificate (ITC), which confirms the purchase by the buying club as well as proper payment and is mandatory for any transfer to take place and be officially recognized by FIFA. The TMS is not designed to do more than what has already been stated, and it is clearly intended to facilitate transparency and payments for both the selling and buying clubs and as a central database for any legitimate future use. As a result, TMS is not accompanied by an investigative or similar mechanism.

For the purposes of this article, a contractual circumvention would consist of merely communicating an alternative bank account because the TMS-registered bank’s IT system was under maintenance, the account was closed or suspended, the bank was no longer operational, or simply because the country where the bank was incorporated had instituted lengthy controls for overseas transfers. All of these situations may have caused the obligor to default on its transfer agreement through a late payment. As a result, it makes little sense to argue that the obligee cannot amend its banking details in the TMS, and indeed for the obligee to request an alternative account, where any of the parties risks violating its obligations under the definitive transfer agreement. The obligee should as a matter of utmost urgency alter its bank details in TMS to ensure consistency. This is confirmed, among others, by the FIFA Players’ Status Tribunal decision in Associacao Chapecoense de Futebol, Brazil v. Malmö FF, Sweden,71 where the likelihood of a valid payment in bank accounts not registered on TMS was intimated, and certainly this was not a point of contention.

Based on the aforementioned discussion, an ideal transfer agreement should look something like this. The prospective buying club approaches its desired player upon expiration of its contract or six months before expiration, following notification to the player’s club. Upon finalization of the transfer details, the two clubs enter into an agreement, upon which an international transfer certificate (ITC) is issued and both parties register the agreement and their financial details on FIFA’s Transfer Matching System (TMS).72 TMS will contain the bank details of both buyer and seller. If prior to the transfer of the fee by the buyer the seller demands a method of payment not registered on TMS, the buyer should make inquiries with the seller and ensure that the new set of instructions is legitimate. The greater the level of inquiry and due diligence, assuming this is well documented, the more assurance against any liability on the part of the buyer.

VI. Waiver of the Contractual Form

It has already been stated in the introduction that party autonomy prevails. Given that it is not absurd for the parties to agree on a transfer to a bank account other than the one registered on TMS, the parties may well bypass TMS on this particular point. In the majority of football transfer agreements, there exists a stipulation whereby any changes to the transfer agreement must be in writing and countersigned by both parties.73 This stipulation, which usually goes unnoticed, is crucial in our examination and assessment of due diligence in the event of hacked emails requesting payment to an account that is different from that on TMS.

Under Swiss law, the contractual formal requirement can be waived at any time without any formal requirements. Amendments are also possible without requiring a specific form.74 Just like the stipulation in the definitive transfer agreements noted above, the parties can agree that a subsequent amendment or waiver of the formal requirement also requires a certain form in order to be valid (so-called qualified formal requirement). This can be done by agreeing that the requirement of form refers to all contractual amendments and thus includes itself. However, even qualified formal requirements can be waived informally by the parties. It is only necessary to prove that both parties have (expressly or impliedly) declared their intention to amend the qualified form requirement or to subsequently waive it.75

The consequence in the present circumstances is that the hacked invoice will lack the formality requirement. Hence, it will not be signed or countersigned by both parties. This, however, is only true where the hacked invoice is in the form of a message in an email or text and is not accompanied by an amended contract. This entails that in circumstances where the hackers dispatch a fraudulent invoice along with a fraudulently amended contract that contains a forged signature of the obligee (the selling club), then the contractual stipulation no longer applies because of the obligor’s good faith. The tribunal must make an assessment of the parties’ due diligence in order to detect whether the buying club (obligor) took notice of all red flags before making its erroneous payment and whether the selling club contributed in any way to the infiltration of its IT systems that caused the buying club to make the erroneous transfer.

VII. The Fate of Penalty Clauses in Transnational Transfer Agreements

An overlooked consequence of hacked invoices and erroneous payments is the fate of penalty clauses. It is well accepted, of course, that parties to all contracts can insert penalty clauses, in addition to other damages clauses (such as liquidated damages), in order to entice and ensure compliance. Even so, the courts are generally disinclined to enforce “excessive” penalty clauses. In the context of transnational transfer agreements, penalty clauses are chiefly meant to ensure that the obligor makes timely payments and does not hold the obligee hostage through delay tactics. As a result, penalty clauses are not usually tied to other conditions, save of course that the player is fit and free from injury.

The importance of penalty clauses is evident after CAS or another court or tribunal makes a determination about the liability of the obligor to discharge its payment obligation. Where the obligor is found to have not discharged this obligation, despite the absence of bad faith, then the question arises whether it is also liable for the payment of the penalty. The FIFA Regulations do not regulate the enforceability of penalty clauses and hence the matter in practice will be resolved by reference to the governing law of the parties’ contract; in most cases, Swiss law, as subsidiary law, will be applied by CAS tribunals. In accordance with Article 160 of the SCO, where a penalty is promised for non-performance or defective performance of a contract, the creditor may only compel performance or claim the penalty, unless otherwise agreed. Article 160 of the SCO reads as follows:

1. Where a penalty is promised for non-performance or defective performance of a contract, unless otherwise agreed, the creditor may only compel performance or claim the penalty.

2. Where the penalty is promised for failure to comply with the stipulated time or place of performance, the creditor may claim the penalty in addition to performance provided he has not expressly waived such right or accepted performance without reservation.76

If the aim of the penalty clause was to function cumulatively with the performance under the definitive transfer agreement, that is, to make timely payments, failing to do so triggers the obligation to also pay the penalty.

As regards the issue as to whether the agreed penalty clause is excessively high and should be subject to reduction by CAS panels, this is regulated by Article 163 of the SCO, which stipulates as follows:

1. The parties are free to determine the amount of the contractual penalty.

2. The penalty may not be claimed where its purpose is to reinforce an unlawful or immoral undertaking or, unless otherwise agreed, where performance has been prevented by circumstances beyond the debtor’s control.

3. At its discretion, the court may reduce penalties that it considers excessive.77

Article 163(3) of the SCO certainly provides discretion to CAS panels to reduce penalty amounts already agreed in contracts if they find them to be excessive. No doubt, what constitutes an excessive penalty clause is a matter of discretion, but it also turns on quantifiable determinations, such as whether the penalty is consistent with the harm caused. The reduction of penalties in accordance with Article 163(3) of the SCO has been assessed on numerous occasions by CAS panels. One such case is Hammarby Fotboll AB v. Besiktas Futbol Yatirimlari Sanayi ve Ticaret, which concerned a loan agreement that could be converted to a permanent transfer subject to the payment of a fee; non-timely payment was further subject to a penalty fee. One of the key questions during the proceedings before CAS was whether the penalty fee could be reduced at the discretion of the panel. It was held that:

The reduction of the penalty is reserved for exceptional cases and solely in cases where the penalty is considered as grossly unfair. This follows from Article 163(1) CO, which expressly provides that a penalty can be set at any amount by the parties. As a rule, the parties are therefore bound by their agreement and the principle of freedom of contract commands that the tribunal abides by the parties’ agreement.78

In equal measure, in Club Atletico Mineiro v. FC Dynamo Kyiv, non-payment of the agreed transfer fee was justified by the obligor on grounds of force majeure, specifically arising from the introduction of financial coercive measures adopted by a state court to enforce and collect tax debts. The CAS tribunal was asked, inter alia, to assess whether non-payment under such circumstances entailed the payment of the agreed penalty. It held as follows:

[T]here must be a manifest contradiction between justice and fairness on the one hand and the liquidated damages on the other hand, in other words a massive imbalance is required for interfering with the parties’ agreed assessment of the liquidated damages.79

The CAS jurisprudence tends to show that the reduction of a penalty under the terms of Article 163(3) of the SCO is limited to exceptional cases where an agreement is fundamentally unfair.80 Nonetheless, none of the cases examined by CAS tribunals on the basis of Article 163(3) of the SCO have concerned hacked invoices and the payment of transfer fees to organized crime by obligors acting in good faith. Going a step further, the situation has not arisen where a penalty clause for late payment or non-payment involved the contributory negligence of the obligee, through the latter’s failure to secure the safety of its IT systems and communications.

Despite existing CAS jurisprudence,81 a line in the sand should be drawn to distinguish the situations at hand. Where the obligee contributes, even to a small degree, to an erroneous payment by the obligor, it is not in the interests of justice that the obligor be made to pay a penalty fee in addition to injury for contractual harm. If the obligee contributed to the contractual damage, it follows that it has also contributed to the triggering of the penalty clause and hence its contributory negligence should be attributed to that. The interests of justice82 should not be perceived from a narrow contractual lens83 but rather from the broader viewpoint of whether it is just and deserving for a person that has been deceived, who has acted in good faith, and has sustained a heavy loss itself to be further penalized. Penalty clauses are meant to punish those parties to a contract that fail to perform their obligations while typically reaping an advantage from such failure to perform. If A agrees with B to buy real estate in exchange for money and inserts a 10 per cent penalty clause for failure to pay the full amount on time, then A (obligor) incurs damages to the extent of the agreed payment in addition to the penalty fee. If A (obligor) has found a better investment for its money, then the damages and penalty paid to B may be offset by this better investment. Ultimately, A may be better off by breaching its contractual obligations to B. On the contrary, in the situations described in this article, the obligor is never better off by its failure to pay the transfer fee. This is because the obligor has already paid the transfer fee to the criminal organization and is unable to recover it. In addition, the obligor (buying club) will be forced to pay the same amount to the obligee (selling) club. 
It is clear that under no circumstances is there an efficient breach in this scenario.84 The obligor stands to lose all the time, and this is true even if the obligee is found to have negligently contributed to the erroneous payment of the obligor. As a result, it does not serve the interests of justice for the obligor to pay the same fee twice in addition to a penalty. It is certainly prudent for future CAS jurisprudence to take this line of reasoning into consideration when confronted with a similar set of circumstances and not simply consider the penalty fee as an extension of the main transfer agreement. No agreement should be construed in the absence of glaring interests of justice considerations.

VIII. Conclusion

While hacked transfer invoices delivered through hacked email accounts are not a common phenomenon, they are a reality that occurs at a level that requires attention by all pertinent stakeholders. It may well be attributed to the so-called lex sportiva85 and in particular the private self-regulation of FIFA’s own affairs, but this result is untenable. FIFA’s Transfer Status and Clearing House Regulations are robust and set up a sufficiently strong mechanism through which clubs and FIFA can combat fraud at all levels. Equally, FIFA is subject to local and supranational privacy and data protection laws, such as the GDPR, that provide several layers of protection to all those concerned. One should also not forget that the types of deviant criminal behaviour analysed in this article are the domain of sophisticated policy enforcement operations that target electronic crime. This might well explain why invoice and email hacking cases constitute the exception rather than the rule.

Be that as it may, the focus of this article was on parties’ contractual behaviour in executing payment of their mutual definitive transfer agreement, namely buyer (obligor) and seller (obligee). The formal law leaves significant latitude to courts and tribunals, and while the case law is at times confusing, this author suggests that the requisite standard is in fact straightforward. At the first level, the parties are obliged to discharge their obligations in good faith.86 This applies not only to their own obligations but also to those obligations of the other party to which they can make a positive contribution without personal detriment.87 Hence, the maxim that the debtor (the obligor/buyer in the case at hand) has the burden to make correct payment may well be hampered by knowledge in the possession of the seller, which it chose not to divulge to the buyer despite the absence of any detriment. Such conduct constitutes not only bad faith but an abuse of (contractual) rights, which in turn entails the seller’s contributory liability to the breach of contract incurred by the buyer. It has been, hopefully, convincingly exhibited that despite the obligation of clubs and national football federations to register their desired bank accounts into the TMS, they are free to request each other to deposit funds into other accounts, particularly where an account may have become dormant, where the corresponding bank is sanctioned, or in any other way inconveniences the transaction. What remains without contention is the level of due diligence expected of clubs and national football associations when requested to make transfers that differ from those in the TMS. The CAS, the FIFA tribunal, as well as Swiss courts are generally in agreement that the buyer must take extra precautions when confronted with an invoice whose banking details are different from those registered in TMS.
The best way of avoiding fraudsters, the courts suggest, is by communicating with the selling club directly, that is by phone or texting mechanisms, with a view to ensuring the veracity of the communication. In most cases, no such follow-up communication was found to have been undertaken. This suggests that where the buyer seriously attempts to communicate with the seller and the latter (or its agents) is negligent in communicating effectively or promptly, then the seller is failing its own due diligence obligations and is contributing to the contractual breach (i.e. non-payment) of the buyer.

There is nothing in the general principle of the law of contracts, whether civil or common law, dictating that the seller is immune from liability for failing to ensure that its premises or assets (including communication systems) were not fraudulently accessed by third parties, where such access in turn induced the buyer to make an erroneous payment. If that were the case, then good faith would be meaningless, and the buyer would always be at the mercy of a negligent seller. While in most football transfer agreements the buyer was at fault for failing to ensure the veracity of the latter invoices, every instance of the seller’s contributory negligence should be assessed on its merits and appropriate weight given to such contribution.

Although there is no empirical evidence, it is not out of the question that courts and tribunals confronted with hacked invoices delivered from hacked emails tend to side with the general assumption. Indeed, should the buyer be saddled with the debt from an erroneous transfer, the consequences of such a decision would be tolerable and certainly expected. However, were the court or tribunal to find contributory negligence on the part of the seller, the general assumption would be reversed, and this is not an easy decision. It is therefore important for judges and arbitrators to keep an open mind about electronic fraud cases in sports—although this applies in all walks of life—and make practical and individualized assessments of due diligence for each party. More importantly, they must not be afraid to apportion liability where it is due, even if it goes against the established grain.

  • 1 See FIFA, Regulation on the Status and Transfer of Players (FIFA RSTP), (July 2025) https://perma.cc/26VH-XJYU. Despite the fact that this instrument has come under attack by the Court of Justice of the European Union (CJEU), this does not affect transfer fees or mode of payment as discussed in this article. Case C-650/22 Federation Internationale de Football Association (FIFA) v BZ, ECLI:EU:C:2024:824 (Oct. 4, 2024); see also Eberhard Feess & Gerd Muehlheusser, Transfer Fee Regulations in European Football, 47 Eur. Econ. Rev. 645 (2003) (economic analysis of fee transfer agreements and efficiency); Christina Lembo, FIFA Transfer Regulations and UEFA Player Eligibility Rules: Major Changes in European Football and the Negative Effect On Minors, 25 Emory Int’l L. Rev. 539 (2011) (examining the then new FIFA transfer regulations and their negative impact on many minors who play football). In particular, European football clubs have exploited various loopholes in the transfer regulations to recruit young foreign players and retain young local players.
  • 2 See Davis v. Carew-Pole [1956] 1 WLR 833, 2 All ER 524 (holding that there was a contract between a stable master and the British National Hunt Committee, even though the stable master was unlicensed by the Committee); see also Baker v. Jones [1954] 1 WLR 1005 (concerning whether an SGB, the British Amateur Weightlifters’ Association, could bypass its own by-laws in order to pay legal costs on behalf of its members, where the court held that the bylaws in the SGB’s constitution constituted a contract); Enderby Town v. Football Association [1971] Ch 591; Modahl v. British Athletics Federation Ltd (BAF) [2001] EWCA (Civ) 1447 (concerning an athlete suspended from events after she was suspended by BAF on the basis of a doping violation, which turned out to have been false. The athlete then proceeded to sue BAF for breach of implied contractual terms). Latham J held in para 52 that: “a legally enforceable contract can be created … where an athlete expressly agrees in an entry form to be bound by the relevant rules … [in which case] a contract can properly be implied when the circumstances make it clear that that is in essence what the athlete has promised”.
  • 3 See Alan Sullivan, The Role of Contract in Sports Law, 5 Aust. & NZ Sports L.J. 1 (2015); John H. Shannon & Richard Hunter, Principles of Contract Law Applied to Entertainment and Sports Contracts: A Model for Balancing the Rights of the Industry with Protecting the Interests of Minors, 48 Loy. L.A. L. Rev. 1171 (2015).
  • 4 FIFA RSTP, supra note 1, annex 3 (The TMS and its operation, along with its guiding principles, is contained as Annex 3 in FIFA’s Regulations on the Status and Transfer of Players). See also id. Definitions, art 6(3), 12(1), 18ter(5), 19ter(2) https://perma.cc/26VH-XJYU.
  • 5 Id. annex 3, arts. 7, 8.
  • 6 Id. art. 10.
  • 7 See FIFA, Clearing House Regulations (Jan. 2025), https://perma.cc/ZD4R-TPWV. Its objectives are set forth in Article 1 and include among others the protection of contractual stability between clubs and players; process specific payments (such as solidarity contributions) arising from the transfer of players; promote financial transparency in the transfer system and prevent fraudulent conduct.
  • 8 See Phil Muncaster, Hackers Steal Transfer Fees, Cripple Football Stadiums, Info-Security Magazine (July 23, 2020) https://perma.cc/HBL7-U9RQ; Dale Walker, Football Club Lazio Loses 2 Million Euros by Falling Foul of Phishing Scam, IT.Pro (Mar. 29, 2018) https://perma.cc/HL8Q-HPZS; Rasha Kassem, Understanding and Mitigating Fraud Risk in Professional Football, 45 Deviant Behavior 318 (2024) (highlighting various fraud risk factors in football, ranging from financial and sporting performance, competitive balance, and financial regulation issues to the lack of accountability, anti-fraud controls, governance mechanisms, and weak integrity culture in FIFA and football clubs). See also Ilias Bantekas, Is Organized Gambling a Threat to the Integrity of Transnational Individual Sport Competitions?, 25 San Diego Int’l L.J. 23 (2024) (The International Tennis Federation’s worldwide tournaments have been used by organized crime groups to fix matches on an industrial scale, aided by the fact that all matches are currently bettable.).
  • 9 Professional clubs operate as and are incorporated as corporate actors and hence due diligence business principles apply to them directly. See Jonathan Bonnitcha & Robert McCorquodale, The Concept of “Due Diligence” in the UN Guiding Principles on Business and Human Rights, 28 Eur. J. Int’l L. 899, 901 (2017). See also John Gerard Ruggie & John F. Sherman III, The Concept of “Due Diligence” in the UN Guiding Principles on Business and Human Rights: A Reply to Jonathan Bonnitcha and Robert McCorquodale, 28 Eur. J. Int’l L. 921, 925 (2017). FIFA is set up as a private association under Swiss law, yet it operates in the same manner as both a corporate actor and foreign investor. See Ilias Bantekas & Hakan Sahin, Non-Profit Entities as Foreign Investors? The Case of International Sport Governing Bodies, 60 Stan. J. Int’l L. 70 (2024).
  • 10 See infra Part IV.
  • 11 FIFA, Disciplinary Code (2023), https://perma.cc/R3QN-D3DF.
  • 12 CAS was established in 1984 through the financing and administration of the International Olympic Committee (IOC). This governance structure gave rise to serious conflicts of interest and in 1993 the Swiss Federal Supreme Court (SFSC) in Elmar Gundel v. FEI decided that because of the close financial and organizational links between the IOC and CAS, arbitrations before CAS involving the IOC would not constitute valid arbitral awards under Swiss law but IOC decisions. Tribunal fédéral [TF] [Swiss Federal Tribunal] Mar. 15, 1993, Arrêts du Tribunal Fédéral Suisse [ATF] 119 271 (Switz.) ¶ 3(b). As a result of this judgment, the IOC reformed the CAS system through the adoption of the Paris Agreement Related to the Constitution of the International Council of Arbitration for Sport. This restructuring was sufficient to convince the SFSC in Larisa Lazutina and Olga Danilova v. International Olympic Committee, International Skiing Federation, and Court of Arbitration for Sport. Bundesgericht [BGer] [Federal Supreme Court] May 27, 2003, 129, Arrêts du Tribunal fédéral Suisse [ATF] III 445, para 3.34 (Switz.) (recognizing CAS awards as valid arbitral awards under Swiss law). CAS now operates as the global sport arbitral tribunal and its jurisdiction is multi-layered. The vast majority of SGB instruments provide for CAS jurisdiction at first instance or following an appeal against the awards of their own arbitral entities. The latter mechanism is highly unusual because there are generally no appeals against the awards of arbitral tribunals. See generally Johan Lindholm, The Court of Arbitration for Sport and its Jurisprudence (2019).
  • 13 A great number of SGBs (roughly 77 per cent) are incorporated in Switzerland under Arts 60ff of the Swiss Civil Code (or Swiss Code of Obligations), such as the IOC and hence Swiss law will apply to their operations. See Arnout Geeraert et al., Good Governance in International Sport Organizations: An Analysis of the 35 Olympic Sport Governing Bodies, 6 Int’l J. of Sport Policy and Pol.3, 292–93 (2014). See also CAS, Code of Sports-related Arbitration (CAS Code), art. R58 (Feb. 2023) https://perma.cc/E58K-XU2Q:

    “Law Applicable to the merits. The Panel shall decide the dispute according to the applicable regulations and, subsidiarily, to the rules of law chosen by the parties or, in the absence of such a choice, according to the law of the country in which the federation, association or sports-related body which has issued the challenged decision is domiciled or according to the rules of law that the Panel deems appropriate. In the latter case, the Panel shall give reasons for its decision.”

    See also id., art. 45:

    “The Panel shall decide the dispute according to the rules of law chosen by the parties, or, in the absence of such a choice, according to Swiss law …”

    In football cases, in particular cases concerning FIFA and UEFA, Swiss law is routinely applied on a supplementary basis. See e.g., Hamburger Sport-Verein e.V. v. Odense Boldklub [2004] CAS 2003/O/527, ¶¶ 4–6; Feyenoord Rotterdam N.V. v. Cruzeiro Esporte Club [2006] CAS 2005/O/985, ¶¶ 4–6; Del Bosque, Grande, Miñano Espín & Jiménez v. Beşiktaş [2007] CAS 2006/O/1055, ¶¶ 33–4.

  • 14 FIFA Statutes: Regulations Governing the Application of the statutes, art. 49(2) (May 2024), https://perma.cc/6PVC-7TQ5: “The provisions of the CAS Code of Sports-related Arbitration shall apply to the proceedings. CAS shall primarily apply the various regulations of FIFA and, additionally, Swiss law.”
  • 15 FIFA: Data Protection Regulations (Oct. 2019) https://perma.cc/W3J5-BWBA (defining personal data):

    “Any information relating to a Data Subject”

    “Data Subject: An identified or identifiable natural person about whom data is processed. An identifiable natural person is one who can be identified or singled out, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”

  • 16 FIFA RSTP, supra note 1, Annex 3. (ensures clubs conform to their contractual obligations towards players, as well as between other clubs in their transfer agreements. It solidifies the pacta sunt servanda principle, while further laying down specific rules such as when and who to approach when considering to make an offer on a player whose contract has yet to expire).
  • 17 Id. art. 6.2(a).
  • 18 Id. art. 6.2(d).
  • 19 Id. art. 6.2(b)48.
  • 20 Id. art 6.2(e).
  • 21 Id. art 5.1(b).
  • 22 Chiefly, the types of data protection protocols associated with the Regulation (EU) 2016/679 (General Data Protection Regulation). Similarly, The Digital Services Act (DSA) Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act), O.J. (L 277) 27, p. 1 is a set of EU-wide rules aimed at creating a safer digital space by protecting users’ fundamental rights online and establishing a level playing field for businesses. It applies to all digital services that act as intermediaries, including online platforms, marketplaces, and social media networks, https://perma.cc/KX9D-6D9B. See also Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Jan. 28, 1981, E.T.S. No. 181. https://perma.cc/GL22-Q9FZ (focusing on strengthening the protection of personal data in two key areas: establishing independent supervisory authorities and regulating transborder data flows).
  • 23 Data Protection Regulations, supra note 15.
  • 24 Case C-140/20, Graham Dwyer v. The Commissioner of An Garda Síochána, the Minister for Commc’n, Energy and Nat. Res., Ir. and the Att’y Gen., 2022 ECLI:EU:C:2022:258, ¶ 42 (holding that measures taken by EU Member States under Art 15(1) of the Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications Directive (which in the case at hand involved the retention of data connected with persons accused of serious offences) must comply with the general principles of EU law, including the principle of proportionality and ensure respect for the fundamental rights guaranteed by Articles 7, 8 and 11 of the EU Charter of Fundamental Rights).
  • 25 General principles of EU law are fundamental, unwritten rules that guide the interpretation and application of EU law, derived from the legal systems of member states and the values of the European Union. These principles ensure fairness, legal certainty, and respect for fundamental rights within the EU legal order. See generally Takis Tridimas, The General Principles of EU Law (Oxford University Press, 2nd ed. 2006). Other principles which the CJEU has accepted include direct effect, supremacy and effectiveness, legitimate expectations and national procedural autonomy. See Case C-112/77, August Töpfer v. Comm’n of the Eur. Communities, 1978 E.C.R. 1978-01019; Case C-453/00 Kühne & Heitz v. Produktschap voor Pluimvee en Eieren, 2004 E.C.R. ECR I-837; Case C-234/04 Kapferer v. Schlank & Schick GmbH, 2006 E.C.R. I-2585. The CJEU has held that “The protection of natural persons in relation to the processing of personal data is a fundamental right, in accordance with Art 8(1) of the EU Charter of Fundamental Rights and Art 16(1) [TFEU], both of which provide that everyone has the right to the protection of personal data concerning him or her.” Case C-604/22, IAB Europe v. Gegevensbeschermingsautoriteit, 2024 ECLI:EU:C:2024:214 ¶ 3; Case C‑60/22, UZ v. Bundesrepublik Deutschland, 2022 ECLI EU:C:2023:373 ¶ 64.
  • 26 Data Protection Regulations, supra note 15, art. 8.2.
  • 27 Id. art. 8.
  • 28 See also Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data Jan. 28, 1981, E.T.S. No. 108; Regulation No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, 2001 O.J. (L 008) 1 (EC).
  • 29 European Community and Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281) 31 (EC).
  • 30 Even so, the CJEU has held that Article 16 of the GDPR should be construed by the objectives set out in Article 1 thereof and in recitals 1 and 10 thereof, that is to ensure a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data, as enshrined in Article 8(1) of the Charter and Article 16(1) TFEU. Case C-394/23, Mousse v. Comm’n Nationale de l’informatique et des Libertés (CNIL) and SNCF Connect, 2025 EU:C:2025:2 ¶ 21. There are many other instruments that involve a degree of data protection. See e.g. Directive 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (recast), O.J. (L 172), 56-83; Regulation 2022/991 of the European Parliament and of the Council of 8 June 2022 amending Regulation 2016/794, as regards Europol’s cooperation with private parties, the processing of personal data by Europol in support of criminal investigations, and Europol’s role in research and innovation, O.J. (L 169), 1; Regulation 2017/746 of the European Parliament and of the Council of 5 April 2017 on in vitro diagnostic medical devices and repealing Directive 98/79/EC and Commission Decision 2010/227/EU, O.J. (L 117) 176.
  • 31Data Protection Regulations, supra note 15, art. 9.
  • 32See also Code of Ethics, art. 17 (2023), https://perma.cc/5MJG-H8V2 (emphasizing the importance of confidentiality, noting that breaches of confidentiality under the FIFA Code of Ethics are subject to penalties, and any person bound by the FIFA Code of Ethics is subject to “fulfil and exercise their duties and responsibilities diligently, especially with regard to finance-related matters”).
  • 33See Obligationenrecht [OR], Mar. 30, 1911, SR 220, art. 184 (Switz.).
  • 34The Swiss Federal Supreme Court (SFSC) has confirmed that the duty of due diligence is inherent in contracts and need not be expressly referred to. Bundesgericht [BGer] [Federal Supreme Court] Dec. 7, 2010, 4A_494/2010 (Switz.).
  • 35Obligationenrecht [OR], supra note 33, art. 99.
  • 36Sporting Clube de Portugal SAD v. SASP OGC Nice Cote d’Azur, CAS 2014/A/3647, ¶ 65 (May 11, 2015); SASP OGC Nice Cote d’Azur v. Sporting Clube de Portugal SAD, CAS 2014/A/3648, ¶ 65 (May 11, 2015).
  • 37Obligationenrecht [OR], supra note 33, art. 156.
  • 38CAS 2014/A/3648 supra note 36, para 114.
  • 39Real Betis Balompié SAD v. PSV Eindhoven, CAS 2010/A/2144, ¶ 46ff (Dec. 10, 2010).
  • 40UNIDROIT Principles of International Commercial Contracts, arts. 1.7 and 5.1.2 (2016) https://perma.cc/3PHW-NDKT (expressing general principles of at least the common law contract tradition and with minor differences they also express a good part of the common law tradition. In all other respects the UNIDROIT Principles are not binding and very much the product of soft law).
  • 41For the role of the SFSC as the competent set aside court for arbitral awards rendered in Switzerland see Art. 180 of the Swiss Private International Law Act (PILA). Although the SFSC is the highest court in Switzerland and its judgments are final there, they may well give rise to further claims before other European regional tribunals, particularly the European Court of Human Rights (ECtHR) and the Court of Justice of the European Union (CJEU). The ECtHR recently adopted a crucial judgment in Semenya v Switzerland, App. No. 10934/21, ¶ 219 (July 10, 2025) (effectively clawing back the SFSC’s argument that the CAS award in the case at hand had not offended Swiss public policy concerning the right to fair trial). The CJEU adopted Case C-124/21 International Skating Union v EU Commission and Others, EU:C:2023:1012 (Dec. 21, 2023) and Case C-333/21, European Super League Company, S.L. v Union of European Football Associations (UEFA) and Fédération Internationale de Football Association (FIFA), 2023 ECLI:EU:C:2022:993, where it found SGBs to have violated EU anti-competition laws, which neither the CAS nor the SFSC can lightly ignore. See Ilias Bantekas, The Enduring Battle between the Lex Sportiva and EU Competition Law, 30 Colum. J. Eur. L. 21 (2024) (arguing that in recent years the CJEU has been relentless in curbing the unchecked authority of SGBs and CAS in adopting instruments that violate fundamental tenets of EU law).
  • 42Bundesgericht [BGer] [Federal Supreme Court] Nov. 9, 2009, 4A_389/2009 (Switz.); Bundesgericht [BGer] [Federal Supreme Court] Jan. 29, 2008, 4A_438/2007 (Switz.); Bundesgericht [BGer] [Federal Supreme Court] Apr. 24, 2006, 132 Entscheidungen des schweizerischen Bundesgerichts [BGE] 449 S. 450 (Switz.).
  • 43Bundesgericht [BGer] [Federal Supreme Court] Dec. 5, 2016, 4A_386/2016 (Switz.). The judgment was issued in French, and the translation is supplied by the author and is not official.
  • 44In order to prevent hacking of IT systems, a layered security approach combining technical, procedural, and human-centric measures is crucial. This includes robust password management, multi-factor authentication, regular software updates, network segmentation, and employee training. Implementing a comprehensive incident response plan is also vital for effective recovery from potential breaches. These best practices are advocated by the U.S. Cybersecurity Infrastructure Defense Agency, available at Cybersecurity Best Practices, U.S. Cybersecurity Infrastructure Defense Agency, https://perma.cc/Y6C5-V3NM (last visited Nov. 25, 2025).
  • 45Gil Vicente Futebol v. FK Rad 7442 C.A.S (¶ 130) (Jan. 11, 2022).
  • 46Id. ¶ 131.
  • 47Id. ¶ 132.
  • 48Id. ¶ 133.
  • 49Id. ¶ 134.
  • 50Associacao Chapecoense de Futebol, Brazil v. Malmö FF, Sweden, FPSD-10588, Decision (Sep. 13, 2023).
  • 51Id. ¶¶ 3, 21.
  • 52Id. ¶ 22.
  • 53Russia is heavily sanctioned by FIFA, and it makes sense that bank transfers to and from Russia, even in Brazil, may be complicated. See Ilias Bantekas, Sports Sanctions Against Russia Through the Court of Arbitration for Sport 42 Cardozo Arts & Ent. L.J. 1 (2024) (suggesting that the measures imposed by CAS were in fact private sanctions, in line with the formal and binding sanctions imposed by the UN and other intergovernmental entities such as the EU in response to Russia’s unlawful invasion of Ukraine).
  • 54Associacao Chapecoense de Futebol, Decision, 2023 FPSD-10588 ¶ 37.
  • 55Id. ¶ 39.
  • 56Id. ¶ 42.
  • 57Forsikringsaktieselskapet Vesta v. Butcher (1988) 2 All ER 43, 44 (describing failure by insurance brokers to take swift action after being warned by the insured party that an onerous condition in their reinsurance contract needed to be renegotiated; when the harm occurred, the brokers were not entitled to claim).
  • 58This is not true for the common law. See Ann Taylor, Contributory Negligence: A Defence to Breach of Contract? 49 Mod. L. Rev. 102, 108 (1986); Jane Swanton, Contributory Negligence is not a Defence to Actions for Breach of Contract in Australian Law: Astley v. Austrust Ltd, 1999 J. Cont. L. Lexis 28 (May 29, 1999).
  • 59Froom v Butcher (1975) 3 All ER 520 (where a passenger that fails to wear a seat belt while the car is in motion is as liable for harm sustained as the driver causing an accident). See also F. H. Bohlen, Contributory Negligence 21 Harv. L. Rev. 233 (1907–08); W. Schofield, Davies v. Mann: Theory of Contributory Negligence 3 Harv. L. Rev. 263 (1889–90).
  • 60One example is the Law Reform (Contributory Negligence) Act 1945 in the UK. See James Davis, Contributory Negligence and Breach of Contract: Astley v. Austrust Ltd., 7 Torts L. J. 117, 121 (1999).
  • 61Federal Act on the Amendment of the Swiss Civil Code, Part Five: The Code of Obligations of March 30, 1911, Swiss Federal Authorities, https://perma.cc/8JVE-4UTR (last visited Nov. 25, 2025).
  • 62SCO, supra note 33, art. 99(2).
  • 63Shenzhen FC, Decision FDD/7671, Decision (Nov. 4, 2021).
  • 64Id. ¶¶ 9, 10.
  • 65Id. ¶ 11ff.
  • 66Id. ¶ 45.
  • 67Bundesgericht [BGer] [Federal Supreme Court] Dec. 5, 2016, 4A_386/2016 (Switz.).
  • 68Shenzhen FC, Decision, 2021 FDD/7671 ¶ 49.
  • 69Id. ¶¶ 50, 51.
  • 70Art. 10(1) of FIFA’s Procedural Rules explicitly confirms that the contact details provided by each party in the TMS are considered binding by FIFA: “All communications shall be undertaken via the Legal Portal operated by FIFA (Legal Portal) or the Transfer Matching System (TMS).”
  • 71Associacao Chapecoense de Futebol, Decision, 2023 FPSD-10588 ¶ 37.
  • 72FIFA RSTP, supra note 1, Annex 3.
  • 73Associacao Chapecoense de Futebol, Decision, 2023 FPSD-10588 ¶ 20.
  • 74Bundesgericht [BGer] [Federal Supreme Court] 4A_409/2017 (Switz.). See also Bundesgericht [BGer] [Federal Supreme Court] 4A_619/2016 (Switz.); Bundesgericht [BGer] [Federal Supreme Court] 5A_251/2010 (Switz.).
  • 75Bundesgericht [BGer] [Federal Supreme Court] Apr. 29, 1999, Entscheidungen des schweizerischen Bundesgerichts [BGE] 125 III 263, 268 (Switz.); Bundesgericht [BGer] [Federal Supreme Court] BGer 4A_409/2017 (Switz.).
  • 76SCO, supra note 33, art. 160.
  • 77Id. at art. 163.
  • 78Hammarby Fotboll AB v. Besiktas Futbol Yatirimlari Sanayi ve Ticaret, 2847 CAS ¶ 69 (Mar. 22, 2013).
  • 79Club Atletico Mineiro v. FC Dynamo Kyiv, 3909 CAS ¶ 104 (Oct. 9, 2015).
  • 80See Cruzeiro EC v. CA Independiente, 5697 CAS ¶ 94 (Feb. 20, 2019), where the sole arbitrator concluded that a penalty that constituted 10 percent of the principal debt was not excessive and therefore should be sustained; Hammarby Fotboll AB, 2013 2847 CAS ¶ 106, where the tribunal opined that a penalty which constituted 33 percent of the agreed transfer fee should not be considered excessive in relation to the debt and harm.
  • 81Although Club Atletico Mineiro, 2015 3909 CAS ¶ 104, expressly relied on the demands of justice.
  • 82Among the many possible conceptions of justice, it is worthwhile considering Rawls’ first principle of justice as follows: “[e]ach person has the same indefeasible claim to a fully adequate scheme of equal basic liberties, which scheme is compatible with the same scheme of liberties for all”. John Rawls, Justice as Fairness: A Restatement (Erin Kelly ed., 2001) 42.
  • 83Transado-Transportes Fluviais do Sado v. Portugal, No 35943/02, Eur. Ct. H.R. (2003). See also Case 102/81 Nordsee Deutsche Hochseefischerei GmbH v. Reederei Mond Hochseefischerei Nordstern AG and others [1982] E.C.R. 1095, where the CJEU held that the application of EU law cannot be limited by contractual exceptions or carve outs. See also Société Licensing Projets and others v Société Pirelli & C SpA and others, Cour d’appel [CA] [regional court of appeal] Paris, civ., Nov. 17, 2011, 09/24158. See also Art 396(2) of the Swiss Code of Civil Procedure (CCP), which allows a limited review of domestic arbitral awards where the claimant alleges a violation of the European Convention on Human Rights (E.C.H.R.). See Ilias Bantekas, Human Rights Forum Shopping in Transnational Sport Disputes 50 Brook J Int’l L 1 (2025) (arguing that recourse to the Eur. Ct. H.R. is increasingly becoming a useful resource for professional athletes whose contractual relationship with SGBs is perceived as abusing otherwise fundamental human rights).
  • 84Efficient breach theory posits that it can be more economically beneficial for a party to intentionally breach a contract and pay damages, rather than fulfill the contract's obligations, if the cost of performance exceeds the benefits. This theory suggests that breaching a contract can be a rational and even socially desirable outcome if the breaching party can compensate the non-breaching party for their losses. See Gregory Klass, Efficient Breach, in The Philosophical Foundations of Contract Law 362 (Gregory Klass et al. eds., 2014).
  • 85See Antoine Duval, Transnational Sports Law: The Living Lex Sportiva, in The Oxford Handbook of Transnational Law 493 (Zumbansen ed., 2021); Leonardo Casini, The Making of a Lex Sportiva by the Court of Arbitration for Sport, 12 German L. J. 1317 (2011).
  • 86Simon Whittaker & Reinhard Zimmerman, Good Faith, in European Contract Law: Surveying the Legal Landscape 7, 7–15 (Zimmerman & Whittaker eds., 2000).
  • 87Id. at 40–62.