In another fairly typical business email compromise/social engineering scheme, a cybercriminal  impersonating a vendor induced a business to send four large ACH transfers totaling  $558,868.17 to the fraudster’s account at a credit union. The plaintiff asserted various claims against the beneficiary’s bank, alleging:

● Around August 2018, the credit union opened a personal checking account for an individual, John Doe, but did not verify his identity, address, prior banking history, source of funds, membership eligibility

● In October 2018, Doe transmitted fraudulent emails to plaintiff

● Plaintiff then sent an ACH transfer of $156,834.55 identifying itself, Studco, as the originator and its vendor Olympic Steel, by corporate address, as the receiver, which did not match any account holder with the credit union

● The ACH credit identified Doe’s personal account number, but it was commercially coded as “CCD,” i.e., “Corporate Credit or Debit,” for business transactions under Rules of the National Automated Clearing House Association (NACHA)

● NACHA Rules restrict CCD payments to transactions that involve only businesses, and require that any CCD payments directed to personal accounts be rejected

● Shortly thereafter, the credit union accepted three additional high-value commercial ACH credit payments for Doe’s account, totaling $558,868.17

● Over a one-month period, Doe then withdrew over $558,868.17 incrementally and in-person at the credit union’s branch with the assistance of the credit union, through 13 cashier checks or wire transfers totaling $558,868.17

● Nine (9) of the thirteen (13) withdrawals were made out to an individual or entity that is alleged to be known to the credit union or its employee(s).

Id. at *1-4.

While the district court dismissed several claims brought by the plaintiff, it permitted two key counts to go forward, in large measure due to the plaintiff’s reliance on NACHA’s rules.

The first was a claim under UCC § 4A-207 for misdescription of beneficiary, with the court finding: “While it is true that [the credit union] has no duty to proactively discover a conflict, the Complaint alleges that [it] had actual knowledge of the misdescription because the transfers were codified as ‘CCD’ and, thus, that it was automatically required to reject the misdescribed ACH transfers, pursuant to NACHA, but it did not. . . . Therefore, the issue of whether [the credit union] had actual knowledge is a factual determination for the jury.” Id. at 12-13.

The second claim the court permitted was a claim for bailment, concluding, “Although bailment requires a common law duty of care . . . the NACHA Rules and [UCC § 4A-207] establish that 1st Advantage must act in a commercially reasonable manner or that it exercised ordinary care when it has control over ACH transfers.” Id. at 16. Like the UCC claim, the court stated: “the question of whether 1st Advantage acted in a commercially reasonable manner in exercising control over [plaintiff’s] ACH transfers is one that the jury must answer[.]” Id. at 16-17. “Specifically, the Complaint alleges that the NACHA Rules provide that ‘it is not commercially reasonable to deposit commercially-coded ‘CCD’ transfers expressly identified as ‘business transactions’ into a personal checking account. Furthermore, NACHA Rules require that depositing ‘CCD’ coded transfers into consumer accounts is not commercially reasonable. . . . Moreover, [plaintiff] has adequately alleged that [the credit union] did not act in a commercially reasonable manner in allowing John Doe to fraudulently withdraw money over a month in-person.” Id. at 17.

This case, like L&R’s recent ACH matter, is an important illustration of how effective application of the NACHA Rules can be critical in resolving such cases.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

As a member of the Fed’s Task Force, Ludwig & Robinson is seeking feedback on these payment use cases, which has created an online Payment Use Cases Industry Survey for that purpose.

In addition, the Task Force is presenting Payment Use Case webinars to provide an opportunity to gain a high-level overview of each use case as a supplement to the use case documents, as follows:

Payment Use Cases Webinar – ACH, Wire and Check
Date and Time: Thursday, May 11 from 3:00 – 4:00 p.m. ET

Payment Use Cases Webinar – Card Signature, Card PIN and Card Not Present
Date and Time: Friday, May 12 from 2:00 – 3:00 p.m. ET

Payment Use Cases Webinar – Card Not Present, Contactless and Wallet
Date and Time: Monday, May 15 from 2:00 – 3:00 p.m. ET

You may register for one or more of these webinars to learn about each of the payment use cases and provide your input.  This information can also be found on FedPaymentsImprovement.org.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605.