In another fairly typical business email compromise/social engineering scheme, a cybercriminal  impersonating a vendor induced a business to send four large ACH transfers totaling  $558,868.17 to the fraudster’s account at a credit union. The plaintiff asserted various claims against the beneficiary’s bank, alleging:

● Around August 2018, the credit union opened a personal checking account for an individual, John Doe, but did not verify his identity, address, prior banking history, source of funds, membership eligibility

● In October 2018, Doe transmitted fraudulent emails to plaintiff

● Plaintiff then sent an ACH transfer of $156,834.55 identifying itself, Studco, as the originator and its vendor Olympic Steel, by corporate address, as the receiver, which did not match any account holder with the credit union

● The ACH credit identified Doe’s personal account number, but it was commercially coded as “CCD,” i.e., “Corporate Credit or Debit,” for business transactions under Rules of the National Automated Clearing House Association (NACHA)

● NACHA Rules restrict CCD payments to transactions that involve only businesses, and require that any CCD payments directed to personal accounts be rejected

● Shortly thereafter, the credit union accepted three additional high-value commercial ACH credit payments for Doe’s account, totaling $558,868.17

● Over a one-month period, Doe then withdrew over $558,868.17 incrementally and in-person at the credit union’s branch with the assistance of the credit union, through 13 cashier checks or wire transfers totaling $558,868.17

● Nine (9) of the thirteen (13) withdrawals were made out to an individual or entity that is alleged to be known to the credit union or its employee(s).

Id. at *1-4.

While the district court dismissed several claims brought by the plaintiff, it permitted two key counts to go forward, in large measure due to the plaintiff’s reliance on NACHA’s rules.

The first was a claim under UCC § 4A-207 for misdescription of beneficiary, with the court finding: “While it is true that [the credit union] has no duty to proactively discover a conflict, the Complaint alleges that [it] had actual knowledge of the misdescription because the transfers were codified as ‘CCD’ and, thus, that it was automatically required to reject the misdescribed ACH transfers, pursuant to NACHA, but it did not. . . . Therefore, the issue of whether [the credit union] had actual knowledge is a factual determination for the jury.” Id. at 12-13.

The second claim the court permitted was a claim for bailment, concluding, “Although bailment requires a common law duty of care . . . the NACHA Rules and [UCC § 4A-207] establish that 1st Advantage must act in a commercially reasonable manner or that it exercised ordinary care when it has control over ACH transfers.” Id. at 16. Like the UCC claim, the court stated: “the question of whether 1st Advantage acted in a commercially reasonable manner in exercising control over [plaintiff’s] ACH transfers is one that the jury must answer[.]” Id. at 16-17. “Specifically, the Complaint alleges that the NACHA Rules provide that ‘it is not commercially reasonable to deposit commercially-coded ‘CCD’ transfers expressly identified as ‘business transactions’ into a personal checking account. Furthermore, NACHA Rules require that depositing ‘CCD’ coded transfers into consumer accounts is not commercially reasonable. . . . Moreover, [plaintiff] has adequately alleged that [the credit union] did not act in a commercially reasonable manner in allowing John Doe to fraudulently withdraw money over a month in-person.” Id. at 17.

This case, like L&R’s recent ACH matter, is an important illustration of how effective application of the NACHA Rules can be critical in resolving such cases.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

The subsidiary reported the unauthorized ACH debits to its bank, a major U.S. commercial bank, which declined reimbursement because the ODFI, another major U.S. commercial bank, declined the claim as its customer, the Originator, also declined responsibility.

Upon being retained, L&R quickly investigated and pursued the matter with the banks under Operating Rules and Guidelines of the National Automated Clearing House Association (NACHA).  While corporate ACH debits are not subject to the substantial protections afforded consumer ACH debits under Regulation E and NACHA’s rules, numerous other provisions of NACHA’s rules and guidelines do apply to unauthorized corporate debits.  Of particular significance is NACHA’s warranty under which an ODFI warrants to the RDFI that transactions have been properly authorized by the Receiver, for which it is required to indemnify the RDFI for “all claims, demands, losses, liabilities, and expenses, including attorneys’ fees and costs, that result directly or indirectly” from the breach of warranty.

In less than a month after L&R contacted the RDFI, both banks reversed their positions, and the U.S. subsidiary was reimbursed for its full loss.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.