Categories
Financial Institutions and Banking

Federal Court: Financial Institution Liable for ACH Fraud Losses

In a recent case — Studco Building Systems US, LLC v. 1st Advantage Federal Credit Union — the U.S. District Court for the Eastern District of Virginia held a credit union liable for more than $500,000 in fraudulent ACH payments deposited into a member’s account and quickly withdrawn. The payments were the result of a business email compromise scam. There was little or no evidence that the credit union had actual knowledge of the scam. But the court found that such knowledge was imputed to the credit union based on real-time alerts from its anti-money laundering system and various red flags indicating that the account was being used for fraudulent purposes.

Compromised email scam

The plaintiff in Studco was a manufacturer of commercial metal building products. A supplier informed the plaintiff that it would be sending a change in banking instructions. However, a third party, which had gained access to the plaintiff’s email system, prevented the plaintiff from receiving the legitimate email from the supplier with the new banking instructions. Instead, the third party sent the plaintiff a spoofed email, purportedly from the supplier, instructing it to direct future payments to a personal account at the defendant credit union. Neither the plaintiff nor its supplier had accounts at the credit union.

Over the next few weeks, the plaintiff made four ACH deposits — totaling $558,869 — that named its supplier as beneficiary but listed the account number for the personal account created by the scammers. The individual owner of that account quickly dispersed all the funds. Although the credit union declined to make attempted international wire transfers from the account — based on Office of Foreign Assets Control alerts — it didn’t otherwise stop activity into or out of the account.

The credit union’s computer system automatically generates warnings for ACH transactions when, as in this case, the identified payee doesn’t exactly match the name of the receiving account holder. However, the system generates “hundreds to thousands” of these warnings per day, the majority of which aren’t significant, so the credit union’s personnel doesn’t actively monitor them.

Court decision

The court said, under the Uniform Commercial Code (UCC) as adopted by Virginia, the plaintiff had the right to recover the fraudulent ACH deposits received by the credit union if it showed that the credit union “‘[knew] that the name and [account] number’ of the incoming ACHs from [the plaintiff] ‘identif[ied] different persons.’” According to the UCC, “know” means “actual knowledge,” defined as follows:

Actual knowledge of information received by the organization is effective for a particular transaction from the time it is brought to the attention of the individual conducting that transaction and, in any event, from the time it would have been brought to the individual’s attention if the organization had exercised due diligence. [Emphasis added]

The UCC further provides that an organization exercises due diligence if it “maintains reasonable routines for communicating significant information to the person conducting the transaction and there is reasonable compliance with the routines.”

In Studco, the court held that the credit union would have discovered the mismatch between the intended payee and the recipient if it had exercised due diligence. Evidence at trial showed that the credit union failed to do so. Among other things:

  • The credit union allowed the recipient to open the account even though it triggered an “ID verification warning,” stating that the system was unable to verify the address provided.
  • The credit union failed to establish a reasonable routine for monitoring suspicious activity alerts. It wasn’t reasonable to ignore those alerts because of their sheer volume. The credit union could have implemented a system to “escalate pertinent alerts of high-value transactions.”
  • It was unreasonable for the credit union to allow the deposits into the personal account, which was a new account that had a small starting balance followed by multiple high-value transactions.

The court essentially applied a “knew or should have known” standard that’s a departure from the “actual knowledge” standard used by many courts. (See “What other courts have said” on page X.) As the court explained, the credit union couldn’t “ignore their own systems to prevent fraud in order to claim that they did not have actual knowledge of said fraud.”

Stay tuned

It remains to be seen whether the Studco case is an aberration, or whether it heralds a shift in how courts view financial institutions’ responsibility to monitor ACH transactions for potential fraud. The credit union has appealed the decision to the Fourth U.S. Circuit Court of Appeals.

Sidebar: What other courts have said

Before Studco (see main article), most courts have focused on a bank’s state of knowledge at the time an ACH payment is credited to the recipient’s account. They point to language in the Uniform Commercial Code regarding misdescription of the beneficiary: “If the beneficiary’s bank does not know that the name and number refer to different persons, it may rely on the number as the proper identification of the beneficiary of the order. The beneficiary’s bank need not determine whether the name and number refer to the same person.” As the comments to this provision explain, “It is possible for the beneficiary’s bank to determine whether the name and number refer to the same person, but if a duty to make that determination is imposed on the beneficiary’s bank the benefits of automated payment are lost.”

In Shapiro v. Wells Fargo Bank, a case with similar facts to Studco, the 11th U.S. Circuit Court of Appeals found that it wasn’t unreasonable for Wells Fargo to allow its automated payment system to ignore a potential name mismatch and rely on the number as the proper identification.

© 2024