Written by Samantha Guang and Jeeva Rachelusun Pragas
The recent decision by the High Court in Luno Malaysia Sdn Bhd v Yew See Tak has revisited and overturned key findings made at the Sessions Court,[1] raising significant questions about the duty of care owed by cryptocurrency platforms to their users in the context of unauthorised transactions. This commentary analyses the High Court’s reasoning and its implications on digital asset platforms operating under Malaysian law. A previous analysis of this case at the Sessions Court level can be accessed here.
Duty of Care and Negligence
The core of this appeal was whether Luno, the Defendant, as a recognised market operator (RMO), owed a heightened duty of care to the Plaintiff. The Sessions Court had previously held that Luno bore such a duty, relying on its regulatory status under the Securities Commission. However, the High Court found that the imposition of a higher duty merely because of licensing status was not legally justified.
With reference to the Federal Court’s test in Tenaga Nasional Berhad v Batu Kemas Industri Sdn Bhd,[2] the High Court held that the Plaintiff failed to establish the three cumulative elements required to impose a duty of care:
- reasonable foreseeability of harm resulting from Defendant’s conduct;
- proximity; and
- whether it is fair, just and reasonable to impose liability.
On this basis, the Plaintiff’s claim on duty of care could not stand.
No Breach of Duty
The Plaintiff’s own testimony revealed that the alleged loss arose after he lost access to his personal email account — an account critical to verifying transactions. He further admitted that it was his responsibility to safeguard both his email and his mobile device. The High Court found that the Defendant had no access to the Plaintiff’s email or credentials and had acted within the parameters of its security protocols.
Unlike in Robert Ong Thien Cheng v Luno PTE Ltd,[3] where system error was established, the High Court found no evidence of technical failure on Luno’s part. The transactions in question were approved through the Plaintiff’s own email and device, negating any claim of breach by the Defendant.
Causation
The High Court cited Manjit Kaur Pertap Singh v Dr Nagasparan Nathcappan,[4] reaffirming that the burden of proving causation rests on the Plaintiff. The Plaintiff failed to demonstrate any direct link between Luno’s actions, and the loss suffered. In fact, by the time he reported the issue, the transactions had already been executed and cleared.
Proximity and Foreseeability
The High Court adopted a strict interpretation of proximity, holding that the Plaintiff’s failure to maintain the security of his personal devices severed any proximate link. Citing Lok Kok Beng & Ors v Loh Chiak Eong & Anor,[5] the High Court found that harm was not reasonably foreseeable from Luno’s perspective, given the Plaintiff’s own security lapses.
Daily Transaction Limit
The Sessions Court previously found that Luno’s failure to set a withdrawal limit constituted a breach of duty. However, the High Court noted that such a requirement was not part of the pleadings and did not exist under the Terms of Use at the material time. Limits were only introduced later and applying them retrospectively would amount to rewriting the parties’ agreement — an act the High Court firmly rejected, citing Bank Islam Malaysia Berhad v Lim Kok Hoe & Anor.[6]
No Trust Relationship
The High Court further rejected the Plaintiff’s assertion that a trust relationship existed between the parties. In the absence of a formal trust instrument, the relationship remained contractual in nature. Luno is seen akin to a sentinel of digital assets, acting upon instructions and not as a trustee.
Conclusion
The High Court allowed Luno’s appeal, setting aside the RM597,920.05 in special damages and RM100,000.00 in exemplary damages previously awarded by the Sessions Court to the Plaintiff. The High Court judgment highlights that cryptocurrency platforms, while regulated, are not to be held to an unduly high standard in the absence of evidence of negligence or wrongdoing. Imposing such standards could jeopardise innovation and operational feasibility in the digital asset industry, especially for platforms which serve a large number of users.
[1] [2025] 1 AMR 302, see also Luno Malaysia Sdn Bhd v Yew See Tak [2024] MJLU 2703.
[2] [2018] 5 MLJ 561.
[3] [2020] 1 LNS 2194.
[4] [2023] 1 LNS 2424.
[5] [2015] 4 MLJ 734.
[6] [2009] 6 MLJ 839.
Published on 18 April 2025