Ludwig & Robinson PLLC

Virginia Court in Email ACH Funds Transfer Fraud Case Relies on NACHA Rules in Permitting Claims Against Bank

Posted on January 29, 2021 by Ludwig & Robinson PLLC

As L&R has showed, careful application of NACHA’s rules can be critical to resolving funds transfers losses involving ACH transfers. See L&R Obtains Prompt Full Recovery for Polish Client in ACH Cybercrime Case. A recent Virginia case illustrates the relevance and utility of NACHA’s rules. Studco Bldg. Sys. United States, LLC v. 1st Advantage Fed. Credit Union, 2020 U.S. Dist. LEXIS 238945 (E.D. Va. Dec. 18, 2020).

In another fairly typical business email compromise/social engineering scheme, a cybercriminal impersonating a vendor induced a business to send four large ACH transfers totaling $558,868.17 to the fraudster’s account at a credit union. The plaintiff asserted various claims against the beneficiary’s bank, alleging:

● Around August 2018, the credit union opened a personal checking account for an individual, John Doe, but did not verify his identity, address, prior banking history, source of funds, membership eligibility

● In October 2018, Doe transmitted fraudulent emails to plaintiff

● Plaintiff then sent an ACH transfer of $156,834.55 identifying itself, Studco, as the originator and its vendor Olympic Steel, by corporate address, as the receiver, which did not match any account holder with the credit union

● The ACH credit identified Doe’s personal account number, but it was commercially coded as “CCD,” i.e., “Corporate Credit or Debit,” for business transactions under Rules of the National Automated Clearing House Association (NACHA)

● NACHA Rules restrict CCD payments to transactions that involve only businesses, and require that any CCD payments directed to personal accounts be rejected

● Shortly thereafter, the credit union accepted three additional high-value commercial ACH credit payments for Doe’s account, totaling $558,868.17

● Over a one-month period, Doe then withdrew over $558,868.17 incrementally and in-person at the credit union’s branch with the assistance of the credit union, through 13 cashier checks or wire transfers totaling $558,868.17

● Nine (9) of the thirteen (13) withdrawals were made out to an individual or entity that is alleged to be known to the credit union or its employee(s).

Id. at *1-4.

While the district court dismissed several claims brought by the plaintiff, it permitted two key counts to go forward, in large measure due to the plaintiff’s reliance on NACHA’s rules.

The first was a claim under UCC § 4A-207 for misdescription of beneficiary, with the court finding: “While it is true that [the credit union] has no duty to proactively discover a conflict, the Complaint alleges that [it] had actual knowledge of the misdescription because the transfers were codified as ‘CCD’ and, thus, that it was automatically required to reject the misdescribed ACH transfers, pursuant to NACHA, but it did not. . . . Therefore, the issue of whether [the credit union] had actual knowledge is a factual determination for the jury.” Id. at 12-13.

The second claim the court permitted was a claim for bailment, concluding, “Although bailment requires a common law duty of care . . . the NACHA Rules and [UCC § 4A-207] establish that 1st Advantage must act in a commercially reasonable manner or that it exercised ordinary care when it has control over ACH transfers.” Id. at 16. Like the UCC claim, the court stated: “the question of whether 1st Advantage acted in a commercially reasonable manner in exercising control over [plaintiff’s] ACH transfers is one that the jury must answer[.]” Id. at 16-17. “Specifically, the Complaint alleges that the NACHA Rules provide that ‘it is not commercially reasonable to deposit commercially-coded ‘CCD’ transfers expressly identified as ‘business transactions’ into a personal checking account. Furthermore, NACHA Rules require that depositing ‘CCD’ coded transfers into consumer accounts is not commercially reasonable. . . . Moreover, [plaintiff] has adequately alleged that [the credit union] did not act in a commercially reasonable manner in allowing John Doe to fraudulently withdraw money over a month in-person.” Id. at 17.

This case, like L&R’s recent ACH matter, is an important illustration of how effective application of the NACHA Rules can be critical in resolving such cases.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Posted in BANKING & FINANCE, CORPORATE, INSURANCE, INTERNATIONAL, LITIGATION | Tagged ACH, ACH Fraud, BEC, Business Email Compromise, Credit Union, Cybercrime, Cybersecurity, Funds Transfer Fraud, NACHA, NACHA Operating Rules, Salvatore Scanio, Social Engineering, UCC, UCC Article 4A, UCC § 4A-207 | Leave a comment

Nevada Bench Trial Applies UCC in Allocating Loss Between Hacked Seller and Duped Buyer

Posted on January 28, 2021 by Ludwig & Robinson PLLC

In cybercrime cases, there often are two victims: one a business subject to an email hack and another that transmits funds based on fraudulent wire instructions from the hacked email account. Which party should bear the loss? A Nevada federal court recently conducted a bench trial to resolve that vexing question. Jetcrete N. Am. Lp v. Austin Truck & Equip., 2020 U.S. Dist. LEXIS 161783 (D. Nev. Sep. 3, 2020).

In Jetcrete, the parties entered into an agreement for the purchase of trucks, with plaintiff seeking to buy $518,124 of trucks from defendant dealer. Like a typical email scheme, the dealer sent wire instructions to the buyer, the dealer’s email was then hacked, and new wire instructions were sent by the cybercriminal to the buyer.

The plaintiff argued that the seller “was in the best position to avoid the loss by employing reasonable security measures to prevent the hack of [its] email[.]” The seller contended “it took reasonable security steps by hiring an IT consultant[,] installing Symantec virus scanner software on its system, and hosting its email server at Intermedia,” and that plaintiff “was in the best position to avoid the loss by simply calling [it] to verify the wiring instructions.” Id. at *8-9.

In resolving the dispute, the court adopted plaintiff’s argument that because the contract involved the sale of goods resolution should be governed by the Uniform Commercial Code, and looked by analogy to UCC § 3-404, which provides in part:

(a) If an impostor . . . induces the issuer of an instrument to issue the instrument to the impostor, . . . by impersonating the payee of the instrument or a person authorized to act for the payee, an endorsement of the instrument by any person in the name of the payee is effective as the endorsement of the payee in favor of a person who, in good faith, pays the instrument or takes it for value or for collection.

. . . .

(d). With respect to an instrument to which subsection (a) . . . applies, if a person paying the instrument or taking it for value or for collection fails to exercise ordinary care in paying or taking the instrument and that failure substantially contributes to loss resulting from payment of the instrument, the person bearing the loss may recover from the person failing to exercise ordinary care to the extent the failure to exercise ordinary care contributed to the loss.

UCC § 3-404 (emphasis added).

While UCC Articles 3 and 4 governing negotiable instruments provide a comparative negligence loss-allocation regime, UCC Article 4A governing electronic funds transfers does not, but rather a strict liability regime. See, e.g., Peter E. Shapiro, P.A. v. Wells Fargo Bank, N.A., 795 Fed. Appx. 741, 744, n.4 (11^th Cir. 2019) (quoting UCC § 4A-207, cmt. 2 and contrasting the Articles 3 and 4 approach, citing Salvatore Scanio & Robert W. Ludwig, Contracting Out of the Uniform Commercial Code: Reducing Bank Liability by Shortening the One-Year Notice Period for Reporting Check Fraud, 33:11 Banking & Fin. Servs. Policy Report 15, 17 n.8 (Nov. 2014)). UCC Article 4A was inapplicable because it applies to the parties to funds transfers; the email hacked business which did not receive the funds was never a party to a funds transfer.

The Jetcrete court concluded: “The hack of [the seller’s] email account created the scenario for the loss. But [plaintiff] was in the best position to prevent the loss by taking the reasonable precaution of verifying the wiring instructions by phone. Thus, even under an analysis based on [UCC § 3-404, plaintiff] should suffer the loss.” Jetcrete, at *12.

Even though the UCC did not apply directly to this cybertheft dispute, the court’s application of its loss allocation principles demonstrates the UCC’s continued importance in resolving commercial payment disputes involving fraud.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Posted in BANKING & FINANCE, CORPORATE, INSURANCE, INTERNATIONAL, LITIGATION | Tagged BEC, Business Email Compromise, Comparative Negligence, Cybercrime, Cybersecurity, Funds Transfer Fraud, Salvatore Scanio, UCC, UCC Article 4A, UCC Articles 3 and 4, Unauthorized Transfer, Uniform Commercial Code, Wire Transfer Fraud | Leave a comment

Salvatore Scanio’s Article on the NAIC Insurance Data Security Model Law Published by ABA’s Cybersecurity and Data Privacy Committee

Posted on January 26, 2021 by Ludwig & Robinson PLLC

Salvatore Scanio’s article, NAIC Insurance Data Security Model Law: Key Provisions and Adoption to Date, was recently published by the American Bar Association, Tort Trial & Insurance Practice Section, Cybersecurity and Data Privacy Committee (Winter 2021). The NAIC Model, issued in October 2017, generally requires insurers, agents, and other entities licensed by a state department of insurance to develop, implement, and maintain an information security program, investigate any cybersecurity events, and notify the state insurance commissioner of such events. Eleven states, including three in 2020, have adopted the NAIC Model.

Posted in BANKING & FINANCE, CORPORATE, INSURANCE, INTERNATIONAL, LITIGATION | Tagged American Bar Association, Cybercrime, Cybersecurity, Cybersecurity and Data Privacy Committee, data privacy, data security, Data Security Model Law, NAIC, privacy, Salvatore Scanio, Tort Trial & Insurance Practice Section | Leave a comment

New York Court Rejects Cut Down of UCC Art. 4A’s 1-Year Notice Rule for Unauthorized Funds Transfers

Posted on December 18, 2020 by Ludwig & Robinson PLLC

In a recent unpublished New York opinion, the court found a bank’s 60-day notice provision in its Account Terms and Conditions for reporting unauthorized funds transfers to be unenforceable. Cardino v. J.P. Morgan Chase Bank, N.A, 2020 N.Y. Misc. LEXIS 4288 (N.Y. Sup. Aug. 13, 2020).

Unless a customer objects to a fraudulent funds transfer within one year, its claims against the bank are subject to UCC Article 4A’s one-year statute of repose. See UCC § 4A-505 cmt. UCC § 4A-505 provides:

If a receiving bank has received payment from its customer with respect to a payment order issued in the name of the customer as sender and accepted by the bank, and the customer received notification reasonably identifying the order, the customer is precluded from asserting that the bank is not entitled to retain the payment unless the customer notifies the bank of the customer’s objection to the payment within one year after the notification was received by the customer.

As a statute of repose, section 4A-505 does not provide an “affirmative defense . . . often subject to tolling principles,” but “extinguishes a plaintiff’s cause of action after the passage of a fixed period of time,” here, one year. Ma v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 597 F.3d 84, 88 n.4 (2d Cir. 2010).

In Cardino, the bank attempted to cut down Article 4A’s one-year notice period to 60 days. Relying on Regatos v. N. Fork Bank, 838 N.E.2d 629 (N.Y. 2005), the court reasoned that because “Banks are liable under article 4-A of the UCC for improper funds transfers . . . and UCC [§ 4A-204(b)] provides ‘the obligation of a receiving bank to refund payment . . . may not otherwise be varied by agreement,’ . . . shortening the one-year period effectively would vary the bank’s obligation to refund payment[.]” Cardino, at *7. Therefore, the bank could not shorten the one-year period in any way. Id. at *8.

In contrast, courts generally permit the one-year notice rule in UCC Article 4 covering unauthorized checks and other items, UCC § 4-406(f), to be cut down by contract to as little as 14 days in some cases. See Salvatore Scanio & Robert W. Ludwig, Contracting Out of the Uniform Commercial Code: Reducing Bank Liability by Shortening the One-Year Notice Period for Reporting Check Fraud, 33 Banking & Fin. Servs. Policy Report 15 (Nov. 2014).

This case is an important reminder for customers and banks alike to consider whether particular cut-down provisions in bank-customer agreements are enforceable in the event of a dispute.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Posted in BANKING & FINANCE, CORPORATE, INSURANCE, LITIGATION | Tagged Account Terms and Conditions, Bank Contract, Bank Liability, Bank Notice, Bank-Customer Agreement, Cybercrime, Cybersecurity, Funds Transfer Fraud, Notice Cut-Down, Salvatore Scanio, Statute of Repose, UCC Article 4A, Unauthorized Transfer, Uniform Commercial Code, Wire Transfer Fraud | Leave a comment

FinCEN Advisory Highlights Cybercriminals Exploiting COVID-19 Pandemic for Funds Transfer Fraud

Posted on December 7, 2020 by Ludwig & Robinson PLLC

In a continuing trend of regulatory pronouncements in the area, the Financial Crimes Enforcement Network (FinCEN) recent issued an Advisory on Cybercrime and Cyber-Enabled Crime Exploiting the Coronavirus Disease 2019 (COVID-19) Pandemic, FIN-2020-A005 (July 30, 2020).

The Advisory highlights how the COVID-19 pandemic is being exploited in “cyber-enabled crime through malware and phishing schemes, extortion, business email compromise (BEC) fraud, and exploitation of remote applications.” FinCEN identifies numerous “red flag indicators of COVID-19 cyber-enabled crimes to assist financial institutions in detecting, preventing, and reporting suspicious transactions associated with the COVID-19 pandemic.”

At the same time, FinCEN warns financial institutions they should continue to “consider additional contextual information and the surrounding facts and circumstances, such as a customer’s historical financial activity, whether the transactions are in line with prevailing business practices, and whether the customer exhibits multiple indicators, before determining if a transaction is suspicious or otherwise indicative of potential fraudulent COVID-19-related activities.” In other words, fundamental, long-established signs of suspicious activity apply equally, if not more so, in the COVID-19 era.

The impact of COVID-19 on funds transfer schemes was recently reviewed in an ABA webinar Salvatore Scanio presented with Ben Wallach, Cybercrime and Funds Transfer Fund – Recent Developments.

Posted in BANKING & FINANCE, CORPORATE, INSURANCE, INTERNATIONAL, LITIGATION | Tagged ABA, Account Takeover, ACH Fraud, American Bar Association, Bank Liability, Banking Law Committee, Ben Wallach, Business Email Compromise, coronavirus, COVID-19, Cybercrime, Cybersecurity, Email Fraud, FinCen, Funds Transfer Fraud, Salvatore Scanio, Suspicious Activity, Wire Transfer Fraud | Leave a comment

Salvatore Scanio presented an American Bar Association webinar on Cybercrime and Funds Transfer Fraud – Recent Developments

Posted on November 17, 2020 by Ludwig & Robinson PLLC

On October 21, 2020, Salvatore Scanio presented an American Bar Association webinar on Cybercrime and Funds Transfer Fund – Recent Developments. The well-attended program was sponsored by the Banking Law and Cyberspace Law committees of the ABA’s Business Law Section. He was joined by Ben Wallach, a banking industry fraud and cyber executive.

The lively program discussed the latest trends in cybercrime involving fraudulent funds transfers. They reviewed recent funds transfer schemes, including those arising as a result of the COVID-19 era. The program discussed the latest developments in the legal regime applicable to fraudulent ACH and wire transfers, and explained the allocation of liability in such cases. They also addressed schemes involving law firms. The webinar featured numerous questions and answers throughout the event.

For a copy of the program materials, please contact Salvatore Scanio at sscanio@ludwigrobinson.com.

Posted in BANKING & FINANCE, CORPORATE, INSURANCE, INTERNATIONAL, LITIGATION | Tagged ABA, Account Takeover, ACH Fraud, American Bar Association, Bank Liability, Banking Law Committee, Ben Wallach, Business Email Compromise, Business Law Section, COVID-19, Cybercrime, Cybersecurity, Cyberspace Law Committee, Email Fraud, Funds Transfer Fraud, Law Firm Cybercrime, Salvatore Scanio, Wire Transfer Fraud | Leave a comment

L&R Obtains Prompt Full Recovery for Polish Client in ACH Cybercrime Case

Posted on September 2, 2020 by Ludwig & Robinson PLLC

A U.S. subsidiary of a Polish company suffered a loss of nearly $100,000 arising from 10 unauthorized ACH (automated clearing house) debits over a single week. After an unknown theft of the subsidiary’s bank account number and bank name/routing number, cyber criminals impersonating another firm (buyer) used this information to ostensibly pay a third firm (seller) for commercial goods. The seller originated payment requests in the form of ACH debits (to pull money), submitted through its bank, an Originating Depositary Financial Institution (ODFI), which were processed by the buyer’s bank, a Receiving Depositary Financial Institution (RDFI), and applied to its account as Receiver. In other words, cyber criminals orchestrated a complex scheme involving three firms, fraudulently obtaining commercial goods through unauthorized ACH debits.

The subsidiary reported the unauthorized ACH debits to its bank, a major U.S. commercial bank, which declined reimbursement because the ODFI, another major U.S. commercial bank, declined the claim as its customer, the Originator, also declined responsibility.

Upon being retained, L&R quickly investigated and pursued the matter with the banks under Operating Rules and Guidelines of the National Automated Clearing House Association (NACHA). While corporate ACH debits are not subject to the substantial protections afforded consumer ACH debits under Regulation E and NACHA’s rules, numerous other provisions of NACHA’s rules and guidelines do apply to unauthorized corporate debits. Of particular significance is NACHA’s warranty under which an ODFI warrants to the RDFI that transactions have been properly authorized by the Receiver, for which it is required to indemnify the RDFI for “all claims, demands, losses, liabilities, and expenses, including attorneys’ fees and costs, that result directly or indirectly” from the breach of warranty.

In less than a month after L&R contacted the RDFI, both banks reversed their positions, and the U.S. subsidiary was reimbursed for its full loss.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Posted in BANKING & FINANCE, CORPORATE, INSURANCE, INTERNATIONAL, LITIGATION | Tagged ACH Debits, ACH Fraud, Bank Liability, Business Email Compromise, Corporate ACH, Cybercrime, Cybersecurity, Email Fraud, Funds Transfer Fraud, NACHA, NACHA Operating Rules, NACHA Warranty, ODFI, RDFI, Robert Ludwig, Salvatore Scanio, Unauthorized ACH Debits | Leave a comment

Illinois Supreme Court Holds a Non-bank Entity is a “Bank” Under UCC Art. 4A

Posted on August 17, 2020 by Ludwig & Robinson PLLC

The Illinois Supreme Court, applying the Uniform Commercial Code’s broad definition of a “bank,” held that a futures commission merchant was a “bank” for purposes of a fraudulent wire transfer under Article 4A. Whitaker v. Wedbush Securities, Inc., 2020 Ill. LEXIS 185 (Ill. Mar. 19, 2020).

Whitaker, a Georgia physician, maintained an account with Wedbush, a futures commission merchant. Whitaker’s email account was hacked, and a cybercriminal sent fraudulent emails to Wedbush, directing four wire transfers overseas totaling $374,960. Defending the suit, Wedbush, claimed it was not a “bank” because it was not “engaged in the business of banking,” as defined in UCC § 4A-105(a)(2), but merely acted as plaintiff’s agent in forwarding wire instructions to its bank, BMO Harris, for processing. The Illinois high court, reversing the courts below, recognized that non-bank financial institutions like brokerage firms, mutual funds, and insurance companies have consistently been held by the courts to be a “bank” under UCC Articles 3, 4, and 4A. Id. at *17. The court concluded Wedbush was a “bank” for purposes of Article 4A because it provided financial services, including brokerage and trading services, and “regularly assisted customers in processing funds transfers,” id. at *18, and thus subject to Article 4A’s strict liability regime for unauthorized funds transfers.

This case is an important reminder that non-bank financial firms, whether brokerages, mutual funds, or insurers that assist customers in processing funds transfers can be held to the same legal requirements as chartered banks under UCC Article 4A, and thus should have commercially reasonable security policies and procedures in place. It further reminds that non-bank entities providing such customer assistance may share in the risk of loss under Article 4A’s loss-allocation rules.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Posted in BANKING & FINANCE, CORPORATE, INSURANCE, INTERNATIONAL, LITIGATION | Tagged Account Takeover, Bank Liability, Cybercrime, Cybersecurity, Definition of Bank, Email Fraud, Funds Transfer Fraud, futures commission merchant, Robert Ludwig, Salvatore Scanio, UCC Article 4A, Uniform Commercial Code, Wire Transfer Fraud | Leave a comment

D.C. Law Firm Victim of Email Wire Fraud Fails to Sufficiently Plead Bank Aiding and Abetting

Posted on July 28, 2020 by Ludwig & Robinson PLLC

A recent email funds transfer fraud case illustrates a novel claim against a bank dismissed at the pleading stage. Beins, Axelrod, PC v. Analytics, LLC, 2020 U.S. Dist. LEXIS 71713 (D.D.C. Apr. 23, 2020). After a D.C. law firm, seeking its share of $5,966,250 in fees and costs arising from a class action settlement, sent wire instructions for payment to another firm, the lawyer’s email account was hacked, and a cybercriminal fraudulently emailed new wire instructions. Using the new information, the sender initiated a wire transfer to a Citibank account controlled by the hacker.

The law firm filed a pro se claim against Citibank under the Computer Fraud and Abuse Act (“CFAA”), requiring a showing that Citibank aided and abetted the hacker by “knowingly and with intent to defraud, access[ing] a computer without authorization, . . . and by means of such conduct further[ing] the intended fraud….” 18 U.S.C. § 1030(a)(4). The firm alleged the bank’s maintenance of the hacker’s account, allowing the deposit of stolen funds and permitting their withdrawal, constituted the requisite assistance. The district court rejected the allegations of Citibank involvement as insufficient “even under a willful-blindness theory,” noting the plaintiff did not allege “facts that indicate that the bank ‘closed its eyes’ to the hacker’s obvious crime” nor did it “allege any unusual activity that might have raised the bank’s suspicion or any vetting irregularities,” and dismissed the claim without prejudice. 2020 U.S. Dist. LEXIS 71713, at 10.

While this claim under the CFAA is novel, it is also serves to show that banks can be subject to aiding and abetting liability when properly plead. L&R has successfully brought aiding and abetting claims, including in a major, serial loan fraud case, representing bank no. 2 against bank no. 1, where bank no. 1 discovered the fraud, forcing the fraudster to commit the same fraud against bank no. 2 in order to be repaid, with bank no. 1 later paying a substantial settlement.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Posted in BANKING & FINANCE, CORPORATE, INSURANCE, INTERNATIONAL, LITIGATION | Tagged Aiding and Abetting Liability, Attorney’s Fees, Bank Liability, Business Email Compromise, Computer Fraud and Abuse Act, Cybercrime, Cybersecurity, Email Fraud, Funds Transfer Fraud, Robert Ludwig, Salvatore Scanio, UCC Article 4A, Uniform Commercial Code, Wire Transfer Fraud | Leave a comment

Conflicting Results in Recent Funds Transfer Coverage Cases in Virginia

Posted on June 29, 2020 by Ludwig & Robinson PLLC

Three recent insurance coverage cases arising from fraudulent email/funds transfer schemes in the Eastern District of Virginia arrived at different results.

In Midlothian Enter., Inc. v. Owners Ins. Co., 2020 U.S. Dist. LEXIS 30237 (E.D. Va. Feb. 5, 2020), hackers obtained access to a business owner’s email and directed a fraudulent email to an employee to send a $42,000 wire. The insured sought coverage under policy endorsements for “money and securities” and “forgery or alteration.” The court held the first “does not cover a loss caused by an employee . . . voluntarily wiring money to another account due to a fraudulent email,” finding its “voluntary parting exclusion” applicable. Id. at *9-10. As to the latter, the court found “an email from a business owner telling an employee to wire money to a bank account does not have the same form or legal effect as a check, draft, or promissory note” and “does not constitute a ‘covered instrument’ under the explicit terms of the endorsement.” Id. at *11.

Weeks before another judge found emails covered in Quality Plus Services, Inc. v. Nat’l Union Fire Ins. Co., 2020 U.S. Dist. LEXIS 7337 (E.D. Va. Jan. 15, 2020). There an insured’s employee sent five wires totaling $1.6 million to overseas accounts based on fraudulent emails ostensibly from its CEO. The court held coverage otherwise existed under the policy’s Funds Transfer Fraud Provision, which covered “loss of Funds resulting directly from a Fraudulent Instruction directing a financial institution to transfer, pay or deliver Funds from the Insured’s Transfer Account.” Id. at *8. Though the emails were not payment orders (i.e. under UCC Article 4A), the court appeared to find them covered under the policy’s partial definition of Fraudulent Instruction as “an electronic, computer . . . or written instruction initially received by the Insured” which was “fraudulently transmitted by someone else without the Insured’s or the Employee’s knowledge or consent,” and thus constituted an “Occurrence” or an “act or event” that “directly” causes the insured’s loss. Id. at *20. Applying a but-for test, the court concluded: “Without the emails, Quality Plus would not have suffered the losses.” Id. at *21. Ultimately, the court denied cross-motions for summary judgment, given fact disputes over (1) the location from which the fraudulent emails were sent, implicating the policy’s territory condition that was limited to the United States and Canada, and (2) the number of individuals who sent them, implicating the $1 million per Occurrence limit of liability. Id. at *22-28. The case then settled, weeks before trial.

Similarly, in Cincinnati Ins. Co. v. Norfolk Truck Ctr., Inc., 2019 U.S. Dist. LEXIS 220076 (E.D. Va. Dec. 20, 2019), an insured sent a wire transfer of $333,724.00 in response to an imposter’s email with fraudulent payment instructions for legitimate invoices. The commercial crime policy’s “Computer Fraud” provision covered “loss of . . . money . . . resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises . . . [t]o a person . . . outside those premises.” Id. at *2-3. The court defined “directly” as “something that is done in a ‘straightforward’ or ‘proximate’ manner and ‘without deviation’ or ‘without intervening agency’ from its cause,” citing various dictionaries. Id. at *31. Relying primarily on American Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 895 F.3d 455 (6th Cir. 2018), and noting contrary appellate authority is unreported, the court concluded:

the Imposter here somehow learned of the [legitimate] invoices, created a false Internet domain to mimic [the] vendor, impersonated [the] vendor, learned about [the] balance due, and sent e-mail messages . . . with false payment information. Upon receiving that fraudulent e-mail, [the insured] immediately communicated with its bank through a series of e-mails to initiate a transfer by computer as requested. Since the wire transfer involved a loan requiring documentation, it continued in a straightforward and proximate manner, uninterrupted, until the money was wired to the Imposter.

Id. *32.

Each case involved different policy provisions, which may superficially explain the varying outcomes, but coverage results in email funds transfer claims continue to be unpredictable. The computer fraud and funds transfer fraud policies in Norfolk Truck and Quality Plus were not designed to cover fraudulent emails, but rather computer hacking or unauthorized payment orders from an insured to its bank. This essential point was lost in both cases, and absent it being more effectively developed and presented, similar results may be expected to continue.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Posted in BANKING & FINANCE, CORPORATE, INSURANCE, INTERNATIONAL, LITIGATION | Tagged Account Takeover, ACH Fraud, BEC, Business Email Compromise, Computer Fraud, Cyber Insurance, Cybercrime, Cybersecurity, Funds Transfer Fraud, Insurance Coverage, Malware, UCC Article 4A, Wire Transfer Fraud | Leave a comment

Nevada Bench Trial Applies UCC in Allocating Loss Between Hacked Seller and Duped Buyer

Salvatore Scanio’s Article on the NAIC Insurance Data Security Model Law Published by ABA’s Cybersecurity and Data Privacy Committee

New York Court Rejects Cut Down of UCC Art. 4A’s 1-Year Notice Rule for Unauthorized Funds Transfers

FinCEN Advisory Highlights Cybercriminals Exploiting COVID-19 Pandemic for Funds Transfer Fraud

Salvatore Scanio presented an American Bar Association webinar on Cybercrime and Funds Transfer Fraud – Recent Developments

L&R Obtains Prompt Full Recovery for Polish Client in ACH Cybercrime Case

Illinois Supreme Court Holds a Non-bank Entity is a “Bank” Under UCC Art. 4A

D.C. Law Firm Victim of Email Wire Fraud Fails to Sufficiently Plead Bank Aiding and Abetting

Conflicting Results in Recent Funds Transfer Coverage Cases in Virginia

Recent Posts

Categories

Archives