There exists a number of seemingly inconsistent decisions and judgments issued by courts and sports tribunals on the topic of erroneous bank transfers as a result of hacked invoices for football transfer fees delivered through hacked email addresses. The buyer is presumed to have the burden of making correct payment and consequently is found to be in breach of its obligation to the selling club for failure to pay to the seller’s bank account. The argument presented here, which is consistent with the spirit of relevant statutes, institutional rules, and the limited case law, is that there is a clear due diligence standard demanded from seller and buyer in player transfer agreements. Both must ensure, on the basis of a best-efforts approach, that their IT systems are not susceptible to external interference, and if they have any suspicion that they have indeed been interfered with, they must alert the other party immediately. The buyer, in particular, must use alternative (personal) channels of communication with the seller where the latter alters its banking details as those are registered in FIFA’s Transfer Matching System (TMS). Where the buyer takes all appropriate due diligence measures and the seller fails to respond on time or is otherwise negligent in its IT controls, the buyer’s liability for erroneous payments is partial, if at all, since the seller is deemed to have contributed to the buyer’s breach of contract.
Winter
2026