In Jetcrete, the parties entered into an agreement for the purchase of trucks, with plaintiff seeking to buy $518,124 of trucks from defendant dealer. Like a typical email scheme, the dealer sent wire instructions to the buyer, the dealer’s email was then hacked, and new wire instructions were sent by the cybercriminal to the buyer.

The plaintiff argued that the seller “was in the best position to avoid the loss by employing reasonable security measures to prevent the hack of [its] email[.]” The seller contended “it took reasonable security steps by hiring an IT consultant[,] installing Symantec virus scanner software on its system, and hosting its email server at Intermedia,” and that plaintiff “was in the best position to avoid the loss by simply calling [it] to verify the wiring instructions.” Id. at *8-9.

In resolving the dispute, the court adopted plaintiff’s argument that because the contract involved the sale of goods resolution should be governed by the Uniform Commercial Code, and looked by analogy to UCC § 3-404, which provides in part:

(a) If an impostor . . . induces the issuer of an instrument to issue the instrument to the impostor, . . . by impersonating the payee of the instrument or a person authorized to act for the payee, an endorsement of the instrument by any person in the name of the payee is effective as the endorsement of the payee in favor of a person who, in good faith, pays the instrument or takes it for value or for collection.

. . . .

(d). With respect to an instrument to which subsection (a) . . . applies, if a person paying the instrument or taking it for value or for collection fails to exercise ordinary care in paying or taking the instrument and that failure substantially contributes to loss resulting from payment of the instrument, the person bearing the loss may recover from the person failing to exercise ordinary care to the extent the failure to exercise ordinary care contributed to the loss.

UCC § 3-404 (emphasis added).

While UCC Articles 3 and 4 governing negotiable instruments provide a comparative negligence loss-allocation regime, UCC Article 4A governing electronic funds transfers does not, but rather a strict liability regime. See, e.g., Peter E. Shapiro, P.A. v. Wells Fargo Bank, N.A., 795 Fed. Appx. 741, 744, n.4 (11^th Cir. 2019) (quoting UCC § 4A-207, cmt. 2 and contrasting the Articles 3 and 4 approach, citing Salvatore Scanio & Robert W. Ludwig, Contracting Out of the Uniform Commercial Code: Reducing Bank Liability by Shortening the One-Year Notice Period for Reporting Check Fraud, 33:11 Banking & Fin. Servs. Policy Report 15, 17 n.8 (Nov. 2014)). UCC Article 4A was inapplicable because it applies to the parties to funds transfers; the email hacked business which did not receive the funds was never a party to a funds transfer.

The Jetcrete court concluded: “The hack of [the seller’s] email account created the scenario for the loss. But [plaintiff] was in the best position to prevent the loss by taking the reasonable precaution of verifying the wiring instructions by phone. Thus, even under an analysis based on [UCC § 3-404, plaintiff] should suffer the loss.” Jetcrete, at *12.

Even though the UCC did not apply directly to this cybertheft dispute, the court’s application of its loss allocation principles demonstrates the UCC’s continued importance in resolving commercial payment disputes involving fraud.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Unless a customer objects to a fraudulent funds transfer within one year, its claims against the bank are subject to UCC Article 4A’s one-year statute of repose. See UCC § 4A-505 cmt.  UCC § 4A-505 provides:

If a receiving bank has received payment from its customer with respect to a payment order issued in the name of the customer as sender and accepted by the bank, and the customer received notification reasonably identifying the order, the customer is precluded from asserting that the bank is not entitled to retain the payment unless the customer notifies the bank of the customer’s objection to the payment within one year after the notification was received by the customer.

As a statute of repose, section 4A-505 does not provide an “affirmative defense . . . often subject to tolling principles,” but “extinguishes a plaintiff’s cause of action after the passage of a fixed period of time,” here, one year. Ma v. Merrill Lynch, Pierce, Fenner & Smith, Inc., 597 F.3d 84, 88 n.4 (2d Cir. 2010).

In Cardino, the bank attempted to cut down Article 4A’s one-year notice period to 60 days. Relying on Regatos v. N. Fork Bank, 838 N.E.2d 629 (N.Y. 2005), the court reasoned that because “Banks are liable under article 4-A of the UCC for improper funds transfers . . . and UCC [§ 4A-204(b)] provides ‘the obligation of a receiving bank to refund payment . . . may not otherwise be varied by agreement,’ . . . shortening the one-year period effectively would vary the bank’s obligation to refund payment[.]” Cardino, at *7. Therefore, the bank could not shorten the one-year period in any way. Id. at *8.

In contrast, courts generally permit the one-year notice rule in UCC Article 4 covering unauthorized checks and other items, UCC § 4-406(f), to be cut down by contract to as little as 14 days in some cases. See Salvatore Scanio & Robert W. Ludwig, Contracting Out of the Uniform Commercial Code: Reducing Bank Liability by Shortening the One-Year Notice Period for Reporting Check Fraud, 33 Banking & Fin. Servs. Policy Report 15 (Nov. 2014).

This case is an important reminder for customers and banks alike to consider whether particular cut-down provisions in bank-customer agreements are enforceable in the event of a dispute.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Whitaker, a Georgia physician, maintained an account with Wedbush, a futures commission merchant. Whitaker’s email account was hacked, and a cybercriminal sent fraudulent emails to Wedbush, directing four wire transfers overseas totaling $374,960.  Defending the suit, Wedbush, claimed it was not a “bank” because it was not “engaged in the business of banking,” as defined in UCC § 4A-105(a)(2), but merely acted as plaintiff’s agent in forwarding wire instructions to its bank, BMO Harris, for processing.  The Illinois high court, reversing the courts below, recognized that non-bank financial institutions like brokerage firms, mutual funds, and insurance companies have consistently been held by the courts to be a “bank” under UCC Articles 3, 4, and 4A. Id. at *17.  The court concluded Wedbush was a “bank” for purposes of Article 4A because it provided financial services, including brokerage and trading services, and “regularly assisted customers in processing funds transfers,” id. at *18, and thus subject to Article 4A’s strict liability regime for unauthorized funds transfers.

This case is an important reminder that non-bank financial firms, whether brokerages, mutual funds, or insurers that assist customers in processing funds transfers can be held to the same legal requirements as chartered banks under UCC Article 4A, and thus should have commercially reasonable security policies and procedures in place.  It further reminds that non-bank entities providing such customer assistance may share in the risk of loss under Article 4A’s loss-allocation rules.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

The law firm filed a pro se claim against Citibank under the Computer Fraud and Abuse Act (“CFAA”), requiring a showing that Citibank aided and abetted the hacker by “knowingly and with intent to defraud, access[ing] a computer without authorization, . . . and by means of such conduct further[ing] the intended fraud….” 18 U.S.C. § 1030(a)(4).  The firm alleged the bank’s maintenance of the hacker’s account, allowing the deposit of stolen funds and permitting their withdrawal, constituted the requisite assistance. The district court rejected the allegations of Citibank involvement as insufficient “even under a willful-blindness theory,” noting the plaintiff did not allege “facts that indicate that the bank ‘closed its eyes’ to the hacker’s obvious crime” nor did it “allege any unusual activity that might have raised the bank’s suspicion or any vetting irregularities,” and dismissed the claim without prejudice.  2020 U.S. Dist. LEXIS 71713, at 10.

While this claim under the CFAA is novel, it is also serves to show that banks can be subject to aiding and abetting liability when properly plead.  L&R has successfully brought aiding and abetting claims, including in a major, serial loan fraud case, representing bank no. 2 against bank no. 1, where bank no. 1 discovered the fraud, forcing the fraudster to commit the same fraud against bank no. 2 in order to be repaid, with bank no. 1 later paying a substantial settlement.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Previously, the court dismissed all non-UCC Article 4A counts, including breach of contract and violation of federal banking statutes.  Federal Ins. Co. v. Benchmark Bank, 2018 U.S. Dist. LEXIS 11152 (S.D. Ohio Jan. 24, 2018).  Addressing the contract claim, the court found the account holders were not parties to any relevant electronic banking agreement with the bank; rather, the agreements were between their related entity and the bank.  Id. at *13-15.  Apparently not raised in that earlier decision was the settled rule that in the absence of an applicable agreement identifying an agreed security procedure, the bank would bear strict liability for any unauthorized payments.  See UCC §§ 4A-202(b), 4A-204(a).

Now on summary judgment, the court concluded the bank’s security procedures were commercially reasonable as a matter of law under UCC § 4A-202(b), though it did not use common multifactor authentication (i.e., the use of two of: something the user knows, something the user has, and something the user is).  2020 U.S. Dist. LEXIS 23315, at *32.  The court held nonetheless that the bank’s use of “layered security by utilizing unique usernames and passwords, security challenge questions triggered by a risk algorithm, account lockout after three unsuccessful login attempts, IP blacklisting, and dual authorization” satisfied banking agency guidelines, relying primarily on dual authorization.  Id. at *25-29.

In considering Article 4A’s good faith requirement, the court initially indicated the bank “acted according to the reasonable expectations of the parties,” where the customer understood it was “not checking whether a receiving entity had a relationship to or prior history” with the customer, “whether a recipient’s name was of Eastern European origin, or where an originating IP address was located,” because the ACH agreement provided the “purpose of the security procedures in place was ‘for verification of authenticity and not to detect an error in the transmission or content of an Entry.’”  Id. at *34-35.  The court nowhere took into account customary industry practices in considering whether the bank should have applied fraud detection to the transactions, including if the customer previously sent transfers to such recipients.  The court concluded, however, there were genuine issues of material fact on whether the bank accepted the transfers in good faith and in compliance the ACH agreement and customer instructions, noting numerous transfers exceeded the agreement’s $50,000 limit per ACH transfer, and a dispute over whether the customer’s employee had authority to conduct transactions on certain accounts.  Id. at *36-40.

In a remarkable coda, the court upheld the bank’s setoff defense for attorney’s fees based on an indemnification provision in the customer agreement.  The court concluded that indemnification was not inconsistent with UCC Article 4A, allowing the bank to set off its attorneys’ fees and costs against a plaintiff’s damages claims, 2020 U.S. Dist. LEXIS 23315, at *46-49, misciting Choice Escrow and Land Title, LLC v. BankcorpSouth Bank, 754 F.3d 611, 625 (8^th Cir. 2014), where the bank was the prevailing party.  In contrast, Benchmark Bank sought to invoke the provision even if it were found to be the responsible, non-prevailing party.  The court’s holding adopting that notion is inconsistent with the objectives of UCC Article 4A, if not the contractual indemnification language irtself, which the court did not construe.  Apparently no motion for reconsideration was filed, and shortly after the decision issued, the case settled.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

Cybercriminals are exploiting the pandemic in countless ways, from preying on human vulnerability to taking advantage of the increased use of online banking and electronic payments. The scams include credential phishing, spam email campaigns, malware, and business email compromise (BEC).

According to the FBI’s Alert No. I-040120-PSA, Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments (Apr. 1, 2020), its Internet Crime Complaint Center received over 1,200 complaints as of March 30, 2020.  The FBI Alert warns that “during this pandemic, BEC fraudsters have impersonated vendors and asked for payment outside the normal course of business due to COVID-19.”  As defined by the FBI’s Internet Crime Report (2019), BEC “is a sophisticated scam targeting both businesses and individuals performing a transfer of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” In 2019, there were 24,000 complaints of BEC scams, with a total loss of $1.7 billion.

On April 6, 2020, the FBI issued a press release, FBI Anticipates Rise in Business Email Compromise Schemes Related to the COVID-19 Pandemic, in which it detailed recent examples of BEC attacks:

• A financial institution received an email allegedly from the CEO of a company, who had previously scheduled a transfer of $1 million, requesting that the transfer date be moved up and the recipient account be changed “due to the Coronavirus outbreak and quarantine processes and precautions.” The email address used by the fraudsters was almost identical to the CEO’s actual email address with only one letter changed.
• A bank customer was emailed by someone claiming to be one of the customer’s clients in China. The client requested that all invoice payments be changed to a different bank because their regular bank accounts were inaccessible due to “Corona Virus audits.” The victim sent several wires to the new bank account for a significant loss before discovering the fraud.

Also on April 6, 2020, the FBI issued a further warning, Money Mule Schemes Exploiting the COVID-19 Pandemic.  The FBI anticipates a rise in work-at-home schemes to recruit money mules to wittingly or unwittingly facilitate the laundering of fraudulent funds transfers.

On April 13, 2020, the FBI issued another release, Advance Fee and BEC Schemes Related to Procurement of PPE and Other Supplies During COVID-19 Pandemic.  The FBI’s warning reports on evolving schemes being utilized to exploit the coronavirus pandemic.

The FBI is often the first place to turn for assistance when a business is the of a cyberattack that results in fraudulent wire transfers or ACHs. If contacted within 48 hours of the theft and a loss threshold is met, the FBI may be able to identify whether any of the funds may be recovered.

The next option would be potentially responsible third-parties.  L&R recently presented a paper at an American Bar Association Conference, titled Technology and Salvage: Using Social Media in Recovery and Allocating Cybercrime Funds Transfers to Third Parties (Jan. 31, 2020), that discusses the latest trends in cybercrime involving fraudulent transfers and how losses are allocated between businesses and third-parties, particularly banks.

Generally, the focus is on the beneficiary’s bank in the business email compromise scenario and on the receiving bank in the malware/account takeover situation.

As detailed in L&R’s recent paper, the beneficiary’s bank (i.e., the bank of the beneficiary of the funds transfer where the funds are ultimately transferred) has potential liability exposure for fraudulent funds transfers arising in the business email compromise scenario under any of the following:  (1) the bank “knows” that the name and account number on the wire transfer order refer to different persons; (2) improper bank conduct took place before the funds transfer, such as at account opening; (3) improper bank conduct took place after the wire transfer; or (4) where the bank accepted funds when it knew or should have known that the funds were fraudulently obtained.

In the malware/account takeover scenario, the receiving bank (i.e., generally the customer’s bank from where the transfer originated) has liability exposure for fraudulent funds transfers, unless the bank proves: (1) the bank and customer agreed that the authenticity of a payment order would be verified through a “security procedure;” (2) the security procedure agreed upon is “commercially reasonable;” (3) the bank processed the payment order in “compliance” with the security procedure; (4) the bank processed the order in compliance with any written agreement or instruction of the customer; and (5) the bank accepted the payment order in “good faith.”

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

The conference theme was, “A Whole New World: The Impact of Technology and Cybercrime on Fidelity Policies.”  They were joined by Joseph S. Szary of Great American Insurance Group.  Their presentation addressed the latest trends in cybercrime involving fraudulent funds transfers and how losses are allocated between insureds and third-parties, particularly banks. They also discussed how social media may be used effectively in locating businesses and individuals, their income and assets, and covered applicable regulatory guidelines. Their discussion included the recent opinion by the 11^th Circuit Court of Appeals, Peter E. Shapiro, P.A. v. Wells Fargo Bank, N.A., 2019 U.S. App. LEXIS 35604 (11^th Cir. Nov. 27, 2019).

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605 or Robert Ludwig at rludwig@ludwigrobinson.com or 202-289-7603.

The committee is interested in receiving input from business and consumer groups, governmental agencies, academics, and others concerning all articles of the UCC (except Article 6).  For example, should Article 4 be amended to account for remote deposit capture and other advances due to use of check images? Should the UCC provide rules for electronic payments that do not involve “items” or “banks?”  Similarly, should Article 4A address funds transfers other than through banks? Do the loss-allocation rules of Article 4A adequately address the risks of fund transfers under “smart contracts?”

The committee has published a questionnaire, available here, with responses sought by June 28, 2019.

Sal Scanio’s recent article, Interbank Liability for Fraudulent Transfers via SWIFT: Banco del Austro, S.A. v. Wells Fargo Bank, N.A., 36 BANKING & FIN. SERVICES POL’Y REP. 8 (DEC. 2017), analyzes one such case of fraudulent transfers via SWIFT to illustrate the framework for allocating liability between banks.  In Banco Del Austro, S.A. v. Wells Fargo Bank, N.A., No. 1:16-CV-00628 (S.D.N.Y. filed Jan. 20, 2016), an Ecuadorian bank’s computer system was infiltrated by cybercriminals who were able to steal the login credentials of a bank employee, logon to the bank’s SWIFT terminal, and cause at least 13 unauthorized transfers via SWIFT by re-issuing cancelled or rejected transactions that remained in the bank’s SWIFT outbox and altering the amounts, beneficiary, beneficiary bank, and destination.  Between January 12 and January 21, 2015, a dozen SWIFT messages were sent from Banco Del Austro to its correspondent bank in New York, Wells Fargo Bank, N.A. that enabled fraudulent transfers totaling $12,172,762.  Banco Del Austro alleged that these transfers were unusual, suspect, or anomalous because they were inconsistent with the bank’s normal activity in its correspondent account at Wells Fargo. Banco Del Austro brought suit against Wells Fargo, asserting causes of action for violations of Uniform Commercial Code (UCC) Article 4A and common law claims of negligence and breach of contract.  The article discusses the development of this litigation and analyzes the legal theories of liability as applied to this case of SWIFT cybercrime.

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605.