In another fairly typical business email compromise/social engineering scheme, a cybercriminal  impersonating a vendor induced a business to send four large ACH transfers totaling  $558,868.17 to the fraudster’s account at a credit union. The plaintiff asserted various claims against the beneficiary’s bank, alleging:

● Around August 2018, the credit union opened a personal checking account for an individual, John Doe, but did not verify his identity, address, prior banking history, source of funds, membership eligibility

● In October 2018, Doe transmitted fraudulent emails to plaintiff

● Plaintiff then sent an ACH transfer of $156,834.55 identifying itself, Studco, as the originator and its vendor Olympic Steel, by corporate address, as the receiver, which did not match any account holder with the credit union

● The ACH credit identified Doe’s personal account number, but it was commercially coded as “CCD,” i.e., “Corporate Credit or Debit,” for business transactions under Rules of the National Automated Clearing House Association (NACHA)

● NACHA Rules restrict CCD payments to transactions that involve only businesses, and require that any CCD payments directed to personal accounts be rejected

● Shortly thereafter, the credit union accepted three additional high-value commercial ACH credit payments for Doe’s account, totaling $558,868.17

● Over a one-month period, Doe then withdrew over $558,868.17 incrementally and in-person at the credit union’s branch with the assistance of the credit union, through 13 cashier checks or wire transfers totaling $558,868.17

● Nine (9) of the thirteen (13) withdrawals were made out to an individual or entity that is alleged to be known to the credit union or its employee(s).

Id. at *1-4.

While the district court dismissed several claims brought by the plaintiff, it permitted two key counts to go forward, in large measure due to the plaintiff’s reliance on NACHA’s rules.

The first was a claim under UCC § 4A-207 for misdescription of beneficiary, with the court finding: “While it is true that [the credit union] has no duty to proactively discover a conflict, the Complaint alleges that [it] had actual knowledge of the misdescription because the transfers were codified as ‘CCD’ and, thus, that it was automatically required to reject the misdescribed ACH transfers, pursuant to NACHA, but it did not. . . . Therefore, the issue of whether [the credit union] had actual knowledge is a factual determination for the jury.” Id. at 12-13.

The second claim the court permitted was a claim for bailment, concluding, “Although bailment requires a common law duty of care . . . the NACHA Rules and [UCC § 4A-207] establish that 1st Advantage must act in a commercially reasonable manner or that it exercised ordinary care when it has control over ACH transfers.” Id. at 16. Like the UCC claim, the court stated: “the question of whether 1st Advantage acted in a commercially reasonable manner in exercising control over [plaintiff’s] ACH transfers is one that the jury must answer[.]” Id. at 16-17. “Specifically, the Complaint alleges that the NACHA Rules provide that ‘it is not commercially reasonable to deposit commercially-coded ‘CCD’ transfers expressly identified as ‘business transactions’ into a personal checking account. Furthermore, NACHA Rules require that depositing ‘CCD’ coded transfers into consumer accounts is not commercially reasonable. . . . Moreover, [plaintiff] has adequately alleged that [the credit union] did not act in a commercially reasonable manner in allowing John Doe to fraudulently withdraw money over a month in-person.” Id. at 17.

This case, like L&R’s recent ACH matter, is an important illustration of how effective application of the NACHA Rules can be critical in resolving such cases.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

In Jetcrete, the parties entered into an agreement for the purchase of trucks, with plaintiff seeking to buy $518,124 of trucks from defendant dealer. Like a typical email scheme, the dealer sent wire instructions to the buyer, the dealer’s email was then hacked, and new wire instructions were sent by the cybercriminal to the buyer.

The plaintiff argued that the seller “was in the best position to avoid the loss by employing reasonable security measures to prevent the hack of [its] email[.]” The seller contended “it took reasonable security steps by hiring an IT consultant[,] installing Symantec virus scanner software on its system, and hosting its email server at Intermedia,” and that plaintiff “was in the best position to avoid the loss by simply calling [it] to verify the wiring instructions.” Id. at *8-9.

In resolving the dispute, the court adopted plaintiff’s argument that because the contract involved the sale of goods resolution should be governed by the Uniform Commercial Code, and looked by analogy to UCC § 3-404, which provides in part:

(a) If an impostor . . . induces the issuer of an instrument to issue the instrument to the impostor, . . . by impersonating the payee of the instrument or a person authorized to act for the payee, an endorsement of the instrument by any person in the name of the payee is effective as the endorsement of the payee in favor of a person who, in good faith, pays the instrument or takes it for value or for collection.

. . . .

(d). With respect to an instrument to which subsection (a) . . . applies, if a person paying the instrument or taking it for value or for collection fails to exercise ordinary care in paying or taking the instrument and that failure substantially contributes to loss resulting from payment of the instrument, the person bearing the loss may recover from the person failing to exercise ordinary care to the extent the failure to exercise ordinary care contributed to the loss.

UCC § 3-404 (emphasis added).

While UCC Articles 3 and 4 governing negotiable instruments provide a comparative negligence loss-allocation regime, UCC Article 4A governing electronic funds transfers does not, but rather a strict liability regime. See, e.g., Peter E. Shapiro, P.A. v. Wells Fargo Bank, N.A., 795 Fed. Appx. 741, 744, n.4 (11^th Cir. 2019) (quoting UCC § 4A-207, cmt. 2 and contrasting the Articles 3 and 4 approach, citing Salvatore Scanio & Robert W. Ludwig, Contracting Out of the Uniform Commercial Code: Reducing Bank Liability by Shortening the One-Year Notice Period for Reporting Check Fraud, 33:11 Banking & Fin. Servs. Policy Report 15, 17 n.8 (Nov. 2014)). UCC Article 4A was inapplicable because it applies to the parties to funds transfers; the email hacked business which did not receive the funds was never a party to a funds transfer.

The Jetcrete court concluded: “The hack of [the seller’s] email account created the scenario for the loss. But [plaintiff] was in the best position to prevent the loss by taking the reasonable precaution of verifying the wiring instructions by phone. Thus, even under an analysis based on [UCC § 3-404, plaintiff] should suffer the loss.” Jetcrete, at *12.

Even though the UCC did not apply directly to this cybertheft dispute, the court’s application of its loss allocation principles demonstrates the UCC’s continued importance in resolving commercial payment disputes involving fraud.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

The committee is interested in receiving input from business and consumer groups, governmental agencies, academics, and others concerning all articles of the UCC (except Article 6).  For example, should Article 4 be amended to account for remote deposit capture and other advances due to use of check images? Should the UCC provide rules for electronic payments that do not involve “items” or “banks?”  Similarly, should Article 4A address funds transfers other than through banks? Do the loss-allocation rules of Article 4A adequately address the risks of fund transfers under “smart contracts?”

The committee has published a questionnaire, available here, with responses sought by June 28, 2019.