The Advisory highlights how the COVID-19 pandemic is being exploited in “cyber-enabled crime through malware and phishing schemes, extortion, business email compromise (BEC) fraud, and exploitation of remote applications.” FinCEN identifies numerous “red flag indicators of COVID-19 cyber-enabled crimes to assist financial institutions in detecting, preventing, and reporting suspicious transactions associated with the COVID-19 pandemic.”

At the same time, FinCEN warns financial institutions they should continue to “consider additional contextual information and the surrounding facts and circumstances, such as a customer’s historical financial activity, whether the transactions are in line with prevailing business practices, and whether the customer exhibits multiple indicators, before determining if a transaction is suspicious or otherwise indicative of potential fraudulent COVID-19-related activities.” In other words, fundamental, long-established signs of suspicious activity apply equally, if not more so, in the COVID-19 era.

The impact of COVID-19 on funds transfer schemes was recently reviewed in an ABA webinar Salvatore Scanio presented with Ben Wallach, Cybercrime and Funds Transfer Fund – Recent Developments. 

The lively program discussed the latest trends in cybercrime involving fraudulent funds transfers. They reviewed recent funds transfer schemes, including those arising as a result of the COVID-19 era. The program discussed the latest developments in the legal regime applicable to fraudulent ACH and wire transfers, and explained the allocation of liability in such cases. They also addressed schemes involving law firms. The webinar featured numerous questions and answers throughout the event.

For a copy of the program materials, please contact Salvatore Scanio at sscanio@ludwigrobinson.com.

The subsidiary reported the unauthorized ACH debits to its bank, a major U.S. commercial bank, which declined reimbursement because the ODFI, another major U.S. commercial bank, declined the claim as its customer, the Originator, also declined responsibility.

Upon being retained, L&R quickly investigated and pursued the matter with the banks under Operating Rules and Guidelines of the National Automated Clearing House Association (NACHA).  While corporate ACH debits are not subject to the substantial protections afforded consumer ACH debits under Regulation E and NACHA’s rules, numerous other provisions of NACHA’s rules and guidelines do apply to unauthorized corporate debits.  Of particular significance is NACHA’s warranty under which an ODFI warrants to the RDFI that transactions have been properly authorized by the Receiver, for which it is required to indemnify the RDFI for “all claims, demands, losses, liabilities, and expenses, including attorneys’ fees and costs, that result directly or indirectly” from the breach of warranty.

In less than a month after L&R contacted the RDFI, both banks reversed their positions, and the U.S. subsidiary was reimbursed for its full loss.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Whitaker, a Georgia physician, maintained an account with Wedbush, a futures commission merchant. Whitaker’s email account was hacked, and a cybercriminal sent fraudulent emails to Wedbush, directing four wire transfers overseas totaling $374,960.  Defending the suit, Wedbush, claimed it was not a “bank” because it was not “engaged in the business of banking,” as defined in UCC § 4A-105(a)(2), but merely acted as plaintiff’s agent in forwarding wire instructions to its bank, BMO Harris, for processing.  The Illinois high court, reversing the courts below, recognized that non-bank financial institutions like brokerage firms, mutual funds, and insurance companies have consistently been held by the courts to be a “bank” under UCC Articles 3, 4, and 4A. Id. at *17.  The court concluded Wedbush was a “bank” for purposes of Article 4A because it provided financial services, including brokerage and trading services, and “regularly assisted customers in processing funds transfers,” id. at *18, and thus subject to Article 4A’s strict liability regime for unauthorized funds transfers.

This case is an important reminder that non-bank financial firms, whether brokerages, mutual funds, or insurers that assist customers in processing funds transfers can be held to the same legal requirements as chartered banks under UCC Article 4A, and thus should have commercially reasonable security policies and procedures in place.  It further reminds that non-bank entities providing such customer assistance may share in the risk of loss under Article 4A’s loss-allocation rules.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

The law firm filed a pro se claim against Citibank under the Computer Fraud and Abuse Act (“CFAA”), requiring a showing that Citibank aided and abetted the hacker by “knowingly and with intent to defraud, access[ing] a computer without authorization, . . . and by means of such conduct further[ing] the intended fraud….” 18 U.S.C. § 1030(a)(4).  The firm alleged the bank’s maintenance of the hacker’s account, allowing the deposit of stolen funds and permitting their withdrawal, constituted the requisite assistance. The district court rejected the allegations of Citibank involvement as insufficient “even under a willful-blindness theory,” noting the plaintiff did not allege “facts that indicate that the bank ‘closed its eyes’ to the hacker’s obvious crime” nor did it “allege any unusual activity that might have raised the bank’s suspicion or any vetting irregularities,” and dismissed the claim without prejudice.  2020 U.S. Dist. LEXIS 71713, at 10.

While this claim under the CFAA is novel, it is also serves to show that banks can be subject to aiding and abetting liability when properly plead.  L&R has successfully brought aiding and abetting claims, including in a major, serial loan fraud case, representing bank no. 2 against bank no. 1, where bank no. 1 discovered the fraud, forcing the fraudster to commit the same fraud against bank no. 2 in order to be repaid, with bank no. 1 later paying a substantial settlement.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.