Previously, the court dismissed all non-UCC Article 4A counts, including breach of contract and violation of federal banking statutes.  Federal Ins. Co. v. Benchmark Bank, 2018 U.S. Dist. LEXIS 11152 (S.D. Ohio Jan. 24, 2018).  Addressing the contract claim, the court found the account holders were not parties to any relevant electronic banking agreement with the bank; rather, the agreements were between their related entity and the bank.  Id. at *13-15.  Apparently not raised in that earlier decision was the settled rule that in the absence of an applicable agreement identifying an agreed security procedure, the bank would bear strict liability for any unauthorized payments.  See UCC §§ 4A-202(b), 4A-204(a).

Now on summary judgment, the court concluded the bank’s security procedures were commercially reasonable as a matter of law under UCC § 4A-202(b), though it did not use common multifactor authentication (i.e., the use of two of: something the user knows, something the user has, and something the user is).  2020 U.S. Dist. LEXIS 23315, at *32.  The court held nonetheless that the bank’s use of “layered security by utilizing unique usernames and passwords, security challenge questions triggered by a risk algorithm, account lockout after three unsuccessful login attempts, IP blacklisting, and dual authorization” satisfied banking agency guidelines, relying primarily on dual authorization.  Id. at *25-29.

In considering Article 4A’s good faith requirement, the court initially indicated the bank “acted according to the reasonable expectations of the parties,” where the customer understood it was “not checking whether a receiving entity had a relationship to or prior history” with the customer, “whether a recipient’s name was of Eastern European origin, or where an originating IP address was located,” because the ACH agreement provided the “purpose of the security procedures in place was ‘for verification of authenticity and not to detect an error in the transmission or content of an Entry.’”  Id. at *34-35.  The court nowhere took into account customary industry practices in considering whether the bank should have applied fraud detection to the transactions, including if the customer previously sent transfers to such recipients.  The court concluded, however, there were genuine issues of material fact on whether the bank accepted the transfers in good faith and in compliance the ACH agreement and customer instructions, noting numerous transfers exceeded the agreement’s $50,000 limit per ACH transfer, and a dispute over whether the customer’s employee had authority to conduct transactions on certain accounts.  Id. at *36-40.

In a remarkable coda, the court upheld the bank’s setoff defense for attorney’s fees based on an indemnification provision in the customer agreement.  The court concluded that indemnification was not inconsistent with UCC Article 4A, allowing the bank to set off its attorneys’ fees and costs against a plaintiff’s damages claims, 2020 U.S. Dist. LEXIS 23315, at *46-49, misciting Choice Escrow and Land Title, LLC v. BankcorpSouth Bank, 754 F.3d 611, 625 (8^th Cir. 2014), where the bank was the prevailing party.  In contrast, Benchmark Bank sought to invoke the provision even if it were found to be the responsible, non-prevailing party.  The court’s holding adopting that notion is inconsistent with the objectives of UCC Article 4A, if not the contractual indemnification language irtself, which the court did not construe.  Apparently no motion for reconsideration was filed, and shortly after the decision issued, the case settled.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Cybercriminals are exploiting the pandemic in countless ways, from preying on human vulnerability to taking advantage of the increased use of online banking and electronic payments. The scams include credential phishing, spam email campaigns, malware, and business email compromise (BEC).

According to the FBI’s Alert No. I-040120-PSA, Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments (Apr. 1, 2020), its Internet Crime Complaint Center received over 1,200 complaints as of March 30, 2020.  The FBI Alert warns that “during this pandemic, BEC fraudsters have impersonated vendors and asked for payment outside the normal course of business due to COVID-19.”  As defined by the FBI’s Internet Crime Report (2019), BEC “is a sophisticated scam targeting both businesses and individuals performing a transfer of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” In 2019, there were 24,000 complaints of BEC scams, with a total loss of $1.7 billion.

On April 6, 2020, the FBI issued a press release, FBI Anticipates Rise in Business Email Compromise Schemes Related to the COVID-19 Pandemic, in which it detailed recent examples of BEC attacks:

• A financial institution received an email allegedly from the CEO of a company, who had previously scheduled a transfer of $1 million, requesting that the transfer date be moved up and the recipient account be changed “due to the Coronavirus outbreak and quarantine processes and precautions.” The email address used by the fraudsters was almost identical to the CEO’s actual email address with only one letter changed.
• A bank customer was emailed by someone claiming to be one of the customer’s clients in China. The client requested that all invoice payments be changed to a different bank because their regular bank accounts were inaccessible due to “Corona Virus audits.” The victim sent several wires to the new bank account for a significant loss before discovering the fraud.

Also on April 6, 2020, the FBI issued a further warning, Money Mule Schemes Exploiting the COVID-19 Pandemic.  The FBI anticipates a rise in work-at-home schemes to recruit money mules to wittingly or unwittingly facilitate the laundering of fraudulent funds transfers.

On April 13, 2020, the FBI issued another release, Advance Fee and BEC Schemes Related to Procurement of PPE and Other Supplies During COVID-19 Pandemic.  The FBI’s warning reports on evolving schemes being utilized to exploit the coronavirus pandemic.

The FBI is often the first place to turn for assistance when a business is the of a cyberattack that results in fraudulent wire transfers or ACHs. If contacted within 48 hours of the theft and a loss threshold is met, the FBI may be able to identify whether any of the funds may be recovered.

The next option would be potentially responsible third-parties.  L&R recently presented a paper at an American Bar Association Conference, titled Technology and Salvage: Using Social Media in Recovery and Allocating Cybercrime Funds Transfers to Third Parties (Jan. 31, 2020), that discusses the latest trends in cybercrime involving fraudulent transfers and how losses are allocated between businesses and third-parties, particularly banks.

Generally, the focus is on the beneficiary’s bank in the business email compromise scenario and on the receiving bank in the malware/account takeover situation.

As detailed in L&R’s recent paper, the beneficiary’s bank (i.e., the bank of the beneficiary of the funds transfer where the funds are ultimately transferred) has potential liability exposure for fraudulent funds transfers arising in the business email compromise scenario under any of the following:  (1) the bank “knows” that the name and account number on the wire transfer order refer to different persons; (2) improper bank conduct took place before the funds transfer, such as at account opening; (3) improper bank conduct took place after the wire transfer; or (4) where the bank accepted funds when it knew or should have known that the funds were fraudulently obtained.

In the malware/account takeover scenario, the receiving bank (i.e., generally the customer’s bank from where the transfer originated) has liability exposure for fraudulent funds transfers, unless the bank proves: (1) the bank and customer agreed that the authenticity of a payment order would be verified through a “security procedure;” (2) the security procedure agreed upon is “commercially reasonable;” (3) the bank processed the payment order in “compliance” with the security procedure; (4) the bank processed the order in compliance with any written agreement or instruction of the customer; and (5) the bank accepted the payment order in “good faith.”

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

The conference theme was, “A Whole New World: The Impact of Technology and Cybercrime on Fidelity Policies.”  They were joined by Joseph S. Szary of Great American Insurance Group.  Their presentation addressed the latest trends in cybercrime involving fraudulent funds transfers and how losses are allocated between insureds and third-parties, particularly banks. They also discussed how social media may be used effectively in locating businesses and individuals, their income and assets, and covered applicable regulatory guidelines. Their discussion included the recent opinion by the 11^th Circuit Court of Appeals, Peter E. Shapiro, P.A. v. Wells Fargo Bank, N.A., 2019 U.S. App. LEXIS 35604 (11^th Cir. Nov. 27, 2019).

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

The Joint Statement focuses on six key aspects of cybersecurity risk management, which we summarize as follows:

Response, Resilience, and Recovery Capabilities.  Maintain comprehensive, documented, and current incident and business resilience plans that include responding to and recovering from a destructive cyber attack.  One consideration is the use of cyber insurance as part of a broader risk management strategy.

Identity and Access Management.  Use and validate the effectiveness of authentication controls, such as multifactor authentication, to segment and safeguard access to critical systems and data on the network.

Network Configuration and System Hardening.  Review the appropriateness of default system settings, change default user profiles, configure security settings, implement security monitoring tools, and apply security updates and system patches.

Employee Training.  Ongoing employee training on recognizing cyber threats, phishing, and suspicious links.

Security Tools and Monitoring.  Use qualified cybersecurity staff or provider to actively monitor systems for network threat and vulnerability information available from industry sources.

Data Protection.  Maintain a data classification program to identify sensitive and critical data.  Encrypt or tokenize sensitive and critical data in transit and at rest.

The Joint Statement is the latest in a growing line of cybersecurity regulations applicable to banks.  For a discussion of relevant guidelines, see L&R’s latest article, Robert W. Ludwig, Salvatore Scanio, and Joseph Szary, Technology and Salvage: Using Social Media in Recovery and Allocating Cybercrime Funds Transfers to Third Parties, Am. Bar Ass’n, Tort Trial & Insurance Practice Section, Fidelity and Surety Law 2020 Midwinter Conference, Jan. 31, 2020, at 25-30.

Like other banking agency guidelines, the Joint Statement also expands the guideposts for evaluating whether bank security procedures are commercially reasonable under UCC Article 4A. See, e.g., Patco Constr. Co., Inc. v. People’s United Bank, 684 F.3d 197, 201-04 (1^st Cir. 2012).

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605.