The Advisory highlights how the COVID-19 pandemic is being exploited in “cyber-enabled crime through malware and phishing schemes, extortion, business email compromise (BEC) fraud, and exploitation of remote applications.” FinCEN identifies numerous “red flag indicators of COVID-19 cyber-enabled crimes to assist financial institutions in detecting, preventing, and reporting suspicious transactions associated with the COVID-19 pandemic.”

At the same time, FinCEN warns financial institutions they should continue to “consider additional contextual information and the surrounding facts and circumstances, such as a customer’s historical financial activity, whether the transactions are in line with prevailing business practices, and whether the customer exhibits multiple indicators, before determining if a transaction is suspicious or otherwise indicative of potential fraudulent COVID-19-related activities.” In other words, fundamental, long-established signs of suspicious activity apply equally, if not more so, in the COVID-19 era.

The impact of COVID-19 on funds transfer schemes was recently reviewed in an ABA webinar Salvatore Scanio presented with Ben Wallach, Cybercrime and Funds Transfer Fund – Recent Developments. 

The lively program discussed the latest trends in cybercrime involving fraudulent funds transfers. They reviewed recent funds transfer schemes, including those arising as a result of the COVID-19 era. The program discussed the latest developments in the legal regime applicable to fraudulent ACH and wire transfers, and explained the allocation of liability in such cases. They also addressed schemes involving law firms. The webinar featured numerous questions and answers throughout the event.

For a copy of the program materials, please contact Salvatore Scanio at sscanio@ludwigrobinson.com.

Whitaker, a Georgia physician, maintained an account with Wedbush, a futures commission merchant. Whitaker’s email account was hacked, and a cybercriminal sent fraudulent emails to Wedbush, directing four wire transfers overseas totaling $374,960.  Defending the suit, Wedbush, claimed it was not a “bank” because it was not “engaged in the business of banking,” as defined in UCC § 4A-105(a)(2), but merely acted as plaintiff’s agent in forwarding wire instructions to its bank, BMO Harris, for processing.  The Illinois high court, reversing the courts below, recognized that non-bank financial institutions like brokerage firms, mutual funds, and insurance companies have consistently been held by the courts to be a “bank” under UCC Articles 3, 4, and 4A. Id. at *17.  The court concluded Wedbush was a “bank” for purposes of Article 4A because it provided financial services, including brokerage and trading services, and “regularly assisted customers in processing funds transfers,” id. at *18, and thus subject to Article 4A’s strict liability regime for unauthorized funds transfers.

This case is an important reminder that non-bank financial firms, whether brokerages, mutual funds, or insurers that assist customers in processing funds transfers can be held to the same legal requirements as chartered banks under UCC Article 4A, and thus should have commercially reasonable security policies and procedures in place.  It further reminds that non-bank entities providing such customer assistance may share in the risk of loss under Article 4A’s loss-allocation rules.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

In Midlothian Enter., Inc. v. Owners Ins. Co., 2020 U.S. Dist. LEXIS 30237 (E.D. Va. Feb. 5, 2020), hackers obtained access to a business owner’s email and directed a fraudulent email to an employee to send a $42,000 wire. The insured sought coverage under policy endorsements for “money and securities” and “forgery or alteration.” The court held the first “does not cover a loss caused by an employee . . . voluntarily wiring money to another account due to a fraudulent email,” finding its “voluntary parting exclusion” applicable. Id. at *9-10. As to the latter, the court found “an email from a business owner telling an employee to wire money to a bank account does not have the same form or legal effect as a check, draft, or promissory note” and “does not constitute a ‘covered instrument’ under the explicit terms of the endorsement.” Id. at *11.

Weeks before another judge found emails covered in Quality Plus Services, Inc. v. Nat’l Union Fire Ins. Co., 2020 U.S. Dist. LEXIS 7337 (E.D. Va. Jan. 15, 2020). There an insured’s employee sent five wires totaling $1.6 million to overseas accounts based on fraudulent emails ostensibly from its CEO. The court held coverage otherwise existed under the policy’s Funds Transfer Fraud Provision, which covered “loss of Funds resulting directly from a Fraudulent Instruction directing a financial institution to transfer, pay or deliver Funds from the Insured’s Transfer Account.” Id. at *8. Though the emails were not payment orders (i.e. under UCC Article 4A), the court appeared to find them covered under the policy’s partial definition of Fraudulent Instruction as “an electronic, computer . . . or written instruction initially received by the Insured” which was “fraudulently transmitted by someone else without the Insured’s or the Employee’s knowledge or consent,” and thus constituted an “Occurrence” or an “act or event” that “directly” causes the insured’s loss. Id. at *20. Applying a but-for test, the court concluded: “Without the emails, Quality Plus would not have suffered the losses.” Id. at *21. Ultimately, the court denied cross-motions for summary judgment, given fact disputes over (1) the location from which the fraudulent emails were sent, implicating the policy’s territory condition that was limited to the United States and Canada, and (2) the number of individuals who sent them, implicating the $1 million per Occurrence limit of liability. Id. at *22-28. The case then settled, weeks before trial.

Similarly, in Cincinnati Ins. Co. v. Norfolk Truck Ctr., Inc., 2019 U.S. Dist. LEXIS 220076 (E.D. Va. Dec. 20, 2019), an insured sent a wire transfer of $333,724.00 in response to an imposter’s email with fraudulent payment instructions for legitimate invoices. The commercial crime policy’s “Computer Fraud” provision covered “loss of . . . money . . . resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises . . . [t]o a person . . . outside those premises.” Id. at *2-3. The court defined “directly” as “something that is done in a ‘straightforward’ or ‘proximate’ manner and ‘without deviation’ or ‘without intervening agency’ from its cause,” citing various dictionaries. Id. at *31. Relying primarily on American Tooling Ctr., Inc. v. Travelers Cas. & Sur. Co. of Am., 895 F.3d 455 (6th Cir. 2018), and noting contrary appellate authority is unreported, the court concluded:

the Imposter here somehow learned of the [legitimate] invoices, created a false Internet domain to mimic [the] vendor, impersonated [the] vendor, learned about [the] balance due, and sent e-mail messages . . . with false payment information. Upon receiving that fraudulent e-mail, [the insured] immediately communicated with its bank through a series of e-mails to initiate a transfer by computer as requested. Since the wire transfer involved a loan requiring documentation, it continued in a straightforward and proximate manner, uninterrupted, until the money was wired to the Imposter.

Id. *32.

Each case involved different policy provisions, which may superficially explain the varying outcomes, but coverage results in email funds transfer claims continue to be unpredictable. The computer fraud and funds transfer fraud policies in Norfolk Truck and Quality Plus were not designed to cover fraudulent emails, but rather computer hacking or unauthorized payment orders from an insured to its bank. This essential point was lost in both cases, and absent it being more effectively developed and presented, similar results may be expected to continue.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Previously, the court dismissed all non-UCC Article 4A counts, including breach of contract and violation of federal banking statutes.  Federal Ins. Co. v. Benchmark Bank, 2018 U.S. Dist. LEXIS 11152 (S.D. Ohio Jan. 24, 2018).  Addressing the contract claim, the court found the account holders were not parties to any relevant electronic banking agreement with the bank; rather, the agreements were between their related entity and the bank.  Id. at *13-15.  Apparently not raised in that earlier decision was the settled rule that in the absence of an applicable agreement identifying an agreed security procedure, the bank would bear strict liability for any unauthorized payments.  See UCC §§ 4A-202(b), 4A-204(a).

Now on summary judgment, the court concluded the bank’s security procedures were commercially reasonable as a matter of law under UCC § 4A-202(b), though it did not use common multifactor authentication (i.e., the use of two of: something the user knows, something the user has, and something the user is).  2020 U.S. Dist. LEXIS 23315, at *32.  The court held nonetheless that the bank’s use of “layered security by utilizing unique usernames and passwords, security challenge questions triggered by a risk algorithm, account lockout after three unsuccessful login attempts, IP blacklisting, and dual authorization” satisfied banking agency guidelines, relying primarily on dual authorization.  Id. at *25-29.

In considering Article 4A’s good faith requirement, the court initially indicated the bank “acted according to the reasonable expectations of the parties,” where the customer understood it was “not checking whether a receiving entity had a relationship to or prior history” with the customer, “whether a recipient’s name was of Eastern European origin, or where an originating IP address was located,” because the ACH agreement provided the “purpose of the security procedures in place was ‘for verification of authenticity and not to detect an error in the transmission or content of an Entry.’”  Id. at *34-35.  The court nowhere took into account customary industry practices in considering whether the bank should have applied fraud detection to the transactions, including if the customer previously sent transfers to such recipients.  The court concluded, however, there were genuine issues of material fact on whether the bank accepted the transfers in good faith and in compliance the ACH agreement and customer instructions, noting numerous transfers exceeded the agreement’s $50,000 limit per ACH transfer, and a dispute over whether the customer’s employee had authority to conduct transactions on certain accounts.  Id. at *36-40.

In a remarkable coda, the court upheld the bank’s setoff defense for attorney’s fees based on an indemnification provision in the customer agreement.  The court concluded that indemnification was not inconsistent with UCC Article 4A, allowing the bank to set off its attorneys’ fees and costs against a plaintiff’s damages claims, 2020 U.S. Dist. LEXIS 23315, at *46-49, misciting Choice Escrow and Land Title, LLC v. BankcorpSouth Bank, 754 F.3d 611, 625 (8^th Cir. 2014), where the bank was the prevailing party.  In contrast, Benchmark Bank sought to invoke the provision even if it were found to be the responsible, non-prevailing party.  The court’s holding adopting that notion is inconsistent with the objectives of UCC Article 4A, if not the contractual indemnification language irtself, which the court did not construe.  Apparently no motion for reconsideration was filed, and shortly after the decision issued, the case settled.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Cybercriminals are exploiting the pandemic in countless ways, from preying on human vulnerability to taking advantage of the increased use of online banking and electronic payments. The scams include credential phishing, spam email campaigns, malware, and business email compromise (BEC).

According to the FBI’s Alert No. I-040120-PSA, Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments (Apr. 1, 2020), its Internet Crime Complaint Center received over 1,200 complaints as of March 30, 2020.  The FBI Alert warns that “during this pandemic, BEC fraudsters have impersonated vendors and asked for payment outside the normal course of business due to COVID-19.”  As defined by the FBI’s Internet Crime Report (2019), BEC “is a sophisticated scam targeting both businesses and individuals performing a transfer of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” In 2019, there were 24,000 complaints of BEC scams, with a total loss of $1.7 billion.

On April 6, 2020, the FBI issued a press release, FBI Anticipates Rise in Business Email Compromise Schemes Related to the COVID-19 Pandemic, in which it detailed recent examples of BEC attacks:

• A financial institution received an email allegedly from the CEO of a company, who had previously scheduled a transfer of $1 million, requesting that the transfer date be moved up and the recipient account be changed “due to the Coronavirus outbreak and quarantine processes and precautions.” The email address used by the fraudsters was almost identical to the CEO’s actual email address with only one letter changed.
• A bank customer was emailed by someone claiming to be one of the customer’s clients in China. The client requested that all invoice payments be changed to a different bank because their regular bank accounts were inaccessible due to “Corona Virus audits.” The victim sent several wires to the new bank account for a significant loss before discovering the fraud.

Also on April 6, 2020, the FBI issued a further warning, Money Mule Schemes Exploiting the COVID-19 Pandemic.  The FBI anticipates a rise in work-at-home schemes to recruit money mules to wittingly or unwittingly facilitate the laundering of fraudulent funds transfers.

On April 13, 2020, the FBI issued another release, Advance Fee and BEC Schemes Related to Procurement of PPE and Other Supplies During COVID-19 Pandemic.  The FBI’s warning reports on evolving schemes being utilized to exploit the coronavirus pandemic.

The FBI is often the first place to turn for assistance when a business is the of a cyberattack that results in fraudulent wire transfers or ACHs. If contacted within 48 hours of the theft and a loss threshold is met, the FBI may be able to identify whether any of the funds may be recovered.

The next option would be potentially responsible third-parties.  L&R recently presented a paper at an American Bar Association Conference, titled Technology and Salvage: Using Social Media in Recovery and Allocating Cybercrime Funds Transfers to Third Parties (Jan. 31, 2020), that discusses the latest trends in cybercrime involving fraudulent transfers and how losses are allocated between businesses and third-parties, particularly banks.

Generally, the focus is on the beneficiary’s bank in the business email compromise scenario and on the receiving bank in the malware/account takeover situation.

As detailed in L&R’s recent paper, the beneficiary’s bank (i.e., the bank of the beneficiary of the funds transfer where the funds are ultimately transferred) has potential liability exposure for fraudulent funds transfers arising in the business email compromise scenario under any of the following:  (1) the bank “knows” that the name and account number on the wire transfer order refer to different persons; (2) improper bank conduct took place before the funds transfer, such as at account opening; (3) improper bank conduct took place after the wire transfer; or (4) where the bank accepted funds when it knew or should have known that the funds were fraudulently obtained.

In the malware/account takeover scenario, the receiving bank (i.e., generally the customer’s bank from where the transfer originated) has liability exposure for fraudulent funds transfers, unless the bank proves: (1) the bank and customer agreed that the authenticity of a payment order would be verified through a “security procedure;” (2) the security procedure agreed upon is “commercially reasonable;” (3) the bank processed the payment order in “compliance” with the security procedure; (4) the bank processed the order in compliance with any written agreement or instruction of the customer; and (5) the bank accepted the payment order in “good faith.”

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

The conference theme was, “A Whole New World: The Impact of Technology and Cybercrime on Fidelity Policies.”  They were joined by Joseph S. Szary of Great American Insurance Group.  Their presentation addressed the latest trends in cybercrime involving fraudulent funds transfers and how losses are allocated between insureds and third-parties, particularly banks. They also discussed how social media may be used effectively in locating businesses and individuals, their income and assets, and covered applicable regulatory guidelines. Their discussion included the recent opinion by the 11^th Circuit Court of Appeals, Peter E. Shapiro, P.A. v. Wells Fargo Bank, N.A., 2019 U.S. App. LEXIS 35604 (11^th Cir. Nov. 27, 2019).

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Sal’s presentation focused on the legal regime for allocating liability for unauthorized fund transfers, including wire transfers, ACH transactions, and SWIFT transfers.  He discussed several key and recent cases under UCC Article 4A that have grappled with the breadth of the “security procedure” defense, applied the UCC test for determining whether a bank’s procedures are “commercially reasonable,” and addressed circumstances where banks were considered to have or have not acted in “good faith.”  He covered applicable regulatory guidelines issued by the Federal Financial Institutions Examination Council and the New York State Department of Financial Services, including recent developments on reporting cybercrime.

Sal’s presentation also addressed the continuing trend in the payment card arena in which fraud liability is shifting from issuers to acquirer/merchants under card network rules and recent suits brought by issuing banks against merchants for data breaches.   (For an overview of the evolving payment card system and developing loss allocation, see Sal Scanio’s prior article, Payment Card Fraud, Data Breaches and Emerging Payment Technologies, XXI Fidelity L.J. 59 (2015)).

Finally, Sal outlined a number of practical measures that can be taken by financial institutions to reduce their legal and compliance risk.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605.

The bank received a $440,000 wire request purportedly from the customer, an escrow company, for transfer to a beneficiary’s account in the Republic of Cyprus.  The request, received over the Internet using the customer’s login and password, was authenticated via a secure ID token downloaded on the customer’s computer to show it had been initiated from its registered IP address. The customer, a common malware target as an escrow company, had been attacked and its purported request was unauthorized.

Significantly, in establishing online banking services, the customer had declined the use of “Dual Control,” as offered by the bank, requiring two users using separate logins and passwords to process wire transfers, as well as daily limits on wire transfer activity.  Subsequently, the customer inquired whether foreign wire transfers could be blocked to avoid fraudulent wires.  The bank advised that it was unable to stop just foreign wires, recommending again dual control which the customer still declined.

On appeal as in the district court, the customer argued that the security procedures offered were not commercially reasonable because none involved transactional analysis whereby wire transfers are subject to individual fraud review.  The Eighth Circuit disagreed, affirming thatit would be impracticable for the bank to review every outgoing wire and that there was no genuine question of fact whether the bank was required to use transactional analysis as a matter of reasonable commercial procedures.  The Eighth Circuit concluded that the security procedures offered were commercially reasonable for that customer, observing:

[T]his appears to be a case where “an informed customer refuses a security procedure that is commercially reasonable and suitable for that customer and insists on using a higher-risk procedure because it is more convenient or cheaper[,]” in which case “the customer has voluntarily assumed the risk of failure of the procedure and cannot shift the loss to the bank.”

Id. at *26-27 (quoting UCC § 4A-203 cmt. 4).

Turning to whether the bank had proved it accepted the payment order in good faith under UCC § 4A-202(b), the Eighth Circuit described the good faith test as follows:

[W]hile there may be some evidentiary overlap between the commercial reasonableness of a bank’s security procedures and its compliance with reasonable commercial standards of fair dealing, we do not believe that the two inquiries are coextensive. While the commercial reasonableness inquiry concerns the adequacy of a bank’s security procedures, the objective good faith inquiry concerns a bank’s acceptance of payment orders in accordance with those security procedures. In other words, technical compliance with a security procedure is not enough under Article 4A; instead . . . the bank must abide by its procedures in a way that reflects the parties’ reasonable expectations as to how those procedures will operate.

[T]he focus of our good faith inquiry is on the aspects of wire transfer that are left to the bank’s discretion. . . .Where, as here, a bank’s security procedures do not depend on the judgment or discretion of its employees, the scope of the good-faith inquiry under Article 4A is correspondingly narrow. . . . [T]o establish that it acted in good faith, [the bank] must establish that its employees accepted and executed the . . . payment order in a way that comported with [the customer’s] reasonable expectations, as established by reasonable commercial standards of fair dealing.

Id. at *29-31.  The court concluded that the bank met its burden because: (1) the customer was aware that the only time the bank’s employees saw the payment order was after the wire had cleared its security procedures, (2) the customer was also aware that the employees’ role was to route payment orders, not to check for irregularities, (3) the “payment order was not so unusual that it should have raised eyebrows,” as the amount was not unusual for the customer, and (4) the bank was under no obligation to review the memo line of the payment order.  Id. at *32-33.  The Eighth Circuit contrasted this case with Experi-Metal, Inc. v. Comerica Bank, 2011 U.S. Dist. LEXIS 62677 (E.D. Mich. June 13, 2011), where the district court found a lack of good faith by the bank in allowing, inter alia, $5 million in overdrafts from an account that had a zero balance.

Finally, the Eighth Circuit addressed the bank’s counterclaim for attorney’s fees based on an indemnification provision in the customer agreement.  The district court had found that the indemnification provision conflicted with Article 4A, and dismissed the counterclaim.  The Eighth Circuit reversed:

[The bank’s] counterclaim seeks attorney’s fees, not damages stemming from the fraudulent payment order, and Article 4A contains no provision allocating attorney’s fees between the bank and its customer in the event of litigation.  Although awarding attorney’s fees to a bank under an indemnification agreement might reduce a customer’s overall recovery against that bank, it would do so for reasons extrinsic to Article 4A’s attempts to balance the risk of loss due to a fraudulent payment order. We thus conclude that the portion of the indemnification provision relating to attorney’s fees is not inconsistent with Article 4A and that [the bank] may seek attorney’s fees from [the customer] under this provision.

Id. at *38-39. Plainly, a bank’s ability to obtain attorney’s fees upon prevailing in customer claims under Article 4A may become a significant factor in the resolution of such claims.

Choice Escrow represents another decision illustrating the importance of bank customer agreements in allocating losses for unauthorized electronic funds transfers.  See Salvatore Scanio and Robert W. Ludwig, Surging, Swift and Liable? Cybercrime and Electronic Payments Fraud Involving Commercial Bank: Who Bears the Loss?, 16 J. of Internet L. 3 (April 2013). 

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605, or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.