Introduction
The most pervasive form of cybercrime involving fraudulent funds transfers is business email compromise (“BEC”). As defined by the FBI’s Internet Crime Report, “BEC is a scam targeting businesses or individuals working with suppliers and/or businesses regularly performing wire transfer payments. These sophisticated scams are carried out by fraudsters by compromising email accounts . . . through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds.” In 2022, there were 21,832 incidents of BEC with adjusted losses of over $2.7 billion. The FBI recently labeled BEC as “[t]he $50 Billion Scam,” with 277,918 domestic and international incidents of BEC and an exposed dollar loss of over $50 billion for the period between October 2013 and December 2022.
In the typical BEC scheme, a business or individual is tricked into instructing its bank to issue an electronic funds transfer, such as a wire transfer or Automated Clearing House (“ACH”) transfer, to a bank account that does not belong to the intended recipient but is instead controlled by cyberthieves. In view of the significant amount of BEC cybercrime, there has been an increase in related litigation as BEC victims attempt to recover their losses, particularly from banks. In BEC cases, the funds transfer is made to the account number designated in the payment order, but the named recipient does not match the name on the account controlled by the cyberthieves. In other words, while the account number matches, the account names do not. Under the U.C.C.’s safe harbor that allows banks to rely on the account number, banks generally have been shielded from liability in cases involving a discrepancy between the name on the funds transfer and the name on the account. In one notable case, however, Studco Building System U.S., LLC v. 1st Advantage Federal Credit Union, a federal court in Virginia found a bank liable in these circumstances.
Liability of the Beneficiary’s Bank for Misdescription of Beneficiary
Under U.C.C. Article 4A, a “funds transfer” is the series of transactions which result in payment to the beneficiary. A “payment order” is the instruction to the receiving bank to pay a fixed or determinable amount of money. A “sender” is the person or entity making the payment order or instruction to pay, with the “originator” being the sender of the first payment order in a funds transfer. The “beneficiary” is the person to be paid under the payment order. As for banks, a “receiving bank” is the bank receiving the payment order, and the “beneficiary’s bank” is the bank identified in the payment order to credit the beneficiary’s account or otherwise make payment to the beneficiary.
The liability of a beneficiary’s bank is generally limited to defined circumstances, for example, under U.C.C. section 4A-207, titled “Misdescription of Beneficiary,” where the bank “knows” that the name and account number on the payment order refer to different persons. Unless the beneficiary’s bank “knows” that there is a mismatch between the name and account number, it may rely on the account number, with no obligation to determine whether the name and account number refer to different persons. This “safe harbor” is set forth in U.C.C. section 4A-207(b), which addresses the misdescription of beneficiary scenario where a funds transfer “identifies the beneficiary both by name and by an identifying or bank account number and the name and number identify different persons.” If the “beneficiary’s bank does not know that the name and number refer to different persons,” it may rely solely on the account number to process the funds transfer. Thus, the beneficiary’s bank is under no obligation to “determine whether the name and number refer to the same person.” However, if the beneficiary’s bank “knows that the name and number identify different persons,” then “no person has rights as beneficiary” (other than a person actually paid who was entitled to payment from the originator), and where no person has rights as beneficiary, “acceptance of the order cannot occur.”
Under U.C.C. section 4A-207(c), if the beneficiary’s bank pays the person identified by number as permitted by the safe harbor, the originator is obliged to pay its payment order if the originator is a bank. If the originator is not a bank and proves that the person identified by number was not entitled to receive payment from the originator, the originator is not obliged to pay its payment order “unless the originator's bank proves that the originator, before acceptance of the originator's order, had notice that payment of a payment order issued by the originator might be made by the beneficiary's bank on the basis of an identifying or bank account number even if it identifies a person different from the named beneficiary.”
In terms of remedies, U.C.C. section 4A-207(d) provides:
(d) In a case governed by subsection (b)(1), if the beneficiary's bank rightfully pays the person identified by number and that person was not entitled to receive payment from the originator, the amount paid may be recovered from that person to the extent allowed by the law governing mistake and restitution as follows:
- If the originator is obliged to pay its payment order as stated in subsection (c), the originator has the right to recover.
- If the originator is not a bank and is not obliged to pay its payment order, the originator's bank has the right to recover.
The critical issue in misdescription of beneficiary cases under section 4A-207 is whether the beneficiary’s bank “knows” of the name and account number discrepancy. The Official Comment to section 4A-207 explains that “Subsection (b) allows banks to utilize automated processing by allowing banks to act on the basis of the number without regard to the name if the bank does not know that the name and number refer to different persons.”
In terms of definitions, “[k]nowledge” is defined as “actual knowledge. ‘Know’ has a corresponding meaning.” “Knowledge” is determined at the “time of payment,” which is defined as “when and to the extent (i) the beneficiary is notified of the right to withdraw the credit, (ii) the bank lawfully applies the credit to a debt of the beneficiary, or (iii) funds with respect to the order are otherwise made available to the beneficiary by the bank.”
Significantly, in determining whether an “organization,” such as a bank, “has knowledge of information received by the organization,” the U.C.C.’s imputation rule provides as follows:
Notice, knowledge, or a notice or notification received by an organization is effective for a particular transaction from the time it is brought to the attention of the individual conducting that transaction and, in any event, from the time it would have been brought to the individual's attention if the organization had exercised due diligence. An organization exercises due diligence if it maintains reasonable routines for communicating significant information to the person conducting the transaction and there is reasonable compliance with the routines. Due diligence does not require an individual acting for the organization to communicate information unless the communication is part of the individual's regular duties or the individual has reason to know of the transaction and that the transaction would be materially affected by the information.
In applying these rules, recent court decisions have generally continued the trend of rejecting claims against a beneficiary’s bank under the safe harbor of U.C.C. section 4A-207(b)(1) for lack of actual knowledge of any discrepancy between account name and number. A small number of recent court decisions, however, have held that the originator pled sufficient facts to show that the beneficiary’s bank had actual knowledge of the account name and number mismatch.
Liability Found for the Beneficiary’s Bank Under U.C.C. Section 4A-207
In Studco Building System U.S., LLC v. 1st Advantage Federal Credit Union, the court found a beneficiary’s bank liable under U.C.C. section 4A-207 following a bench trial, entering judgment in the amount of four fraudulent ACH transfers totaling $558,868.71 plus attorney’s fees and costs. In Studco, the plaintiff’s email system was compromised, and the cybercriminals monitored the company’s email and learned that a vendor, Olympic Steel, had supplied new banking information for payments. The cybercriminals intercepted that legitimate email and sent a spoofed email purporting to come from Olympic Steel that substituted an account at 1st Advantage. That account was in the name of an individual, Lesa Taylor, who was unknowingly serving as a money mule for the cybercriminals. Because Studco was anticipating new banking information from Olympic Steel, it believed the banking information in the spoofed email to be correct, and over the course of five weeks it issued four commercial ACH transfers (coded “CCD”) totaling $558,868.71 to Olympic Steel at the 1st Advantage account number, which was actually a personal account in the name of Lesa Taylor. Taylor had been a member and account holder at 1st Advantage for many years and opened the new personal account for “real estate transactions,” as directed by the cybercriminals. That new account application involved several discrepancies, with an alert triggered for an address verification failure. Because of Taylor’s existing relationship, 1st Advantage allowed her to open the new account.
1st Advantage’s ACH system identified “hundreds to thousands” of warnings related to mismatched names on a daily basis, including the four ACH transfers in this case, but did not have any procedures for escalating or reviewing those warnings. In order to comply with its obligations under the Bank Secrecy Act, 1st Advantage used anti-money laundering software called Financial Crimes Risk Manager supplied by Fiserv, “a public company that develops financial transaction security products used by thousands of financial institutions.” 1st Advantage used the software’s preprogrammed rules to trigger alerts involving suspicious activity. Based on 1st Advantage’s description of the rules, multiple alerts should have been triggered, including for each of the ACH transfers and the large, rapid outflow of funds following each ACH transfer, but none did.
After citing relevant provisions of U.C.C. sections 4A-207 and 1-202(f), the court summarized the rules as follows:
[A] bank may accept a wire transfer relying solely on the number as the proper identification of the beneficiary of the order and it has no duty to determine whether there is a conflict unless the bank actually knows that the number and the name identify different accounts . . . .
Thus, if a bank does not know about a conflict between the name and number, then it has no duty to determine whether there is a conflict and it may rely on the number as the proper identification of the beneficiary of the order. However, if a beneficiary's bank knows about the conflict between the name and number and nevertheless paid processed [sic] the payment, then the bank could be in violation … .
Citing U.C.C. section 1-202(f), the U.C.C.’s organization knowledge imputation rule, the court stated:
While it is true that 1st Advantage had no duty to proactively discover a misdescription of the Account information, the evidence at trial illustrated that 1st Advantage did not maintain reasonable routines for communicating significant information to the person conducting the transaction. If 1st Advantage had exercised due diligence, the misdescription would have been discovered during the first ACH transfer.
In support, the court pointed to the following. First, the court found “[u]pon the opening of the Account, 1st Advantage had been notified of identification discrepancies.” Second, the court determined that “1st Advantage failed to establish a reasonable routine to monitor alerts that warned of suspicious activity regarding the Account.” In this regard, the court concluded: “Actual knowledge of the misdescription can be imputed on 1st Advantage because the transfers generated real-time warnings that the name of the intended beneficiary (Olympic Steel) did not match the name of the owner of the account receiving the ACH (Taylor),” with the transfers also coded as “CCD” for commercial transactions but credited to a personal account. More importantly, the court pointed to 1st Advantage’s admission that its system generated hundreds of thousands of alerts daily involving mismatched names, but it did not have any system in place to review those alerts. Therefore, “1st Advantage ignored all warnings generated by their systems designed and used for the purpose of detecting fraudulent or suspicious activity.” As a result, “1st Advantage cannot ignore their own systems to prevent fraud in order to claim that they did not have actual knowledge of said fraud.”
Accordingly, the court found that Studco had proven a misdescription of beneficiary in violation of U.C.C. section 4A-207:
It is clear from the evidence presented that 1st Advantage did not maintain any routines, let alone reasonable routines, for communicating significant information to the person conducting the transaction. If 1st Advantage implemented reasonable routines for communicating information, the identification discrepancy recognized at the opening of the Account, the numerous alerts generated by the ACH transfers describing the misdescription of the Account, and the fact that Olympic Steel could not open an Account at 1st Advantage would have alerted 1st Advantage to the misdescription and possible fraud upon the posting of the first ACH transfer.
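The signals the court relied on (a name mismatch between the payment order and the receiving account, a CCD-coded corporate credit landing in a personal account, an unresolved verification alert from account opening, and a large outflow shortly after each credit) are all detection logic that an ACH posting system can evaluate at the time the credit is presented. The following Python sketch is an added illustration of what a routine for surfacing those signals to a person might look like; it is not code from the court, 1st Advantage, or Fiserv’s Financial Crimes Risk Manager, and every field name, threshold and sample record in it is an assumption constructed for the example. The difference the court drew is the last function: a mismatch is held for a human before funds are made available, rather than written to an audit trail and posted anyway.

```python
"""Hypothetical ACH credit review routine (added illustration; field names,
thresholds and sample data are assumptions, not 1st Advantage's or Fiserv's)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Corporate suffixes ignored when comparing the beneficiary name on the
# payment order with the name on the receiving account.
_SUFFIXES = {"inc", "llc", "co", "corp", "corporation", "company", "ltd", "the"}


def normalize_name(name: str) -> set:
    """Lower-case, strip punctuation and drop corporate suffixes."""
    return {t for t in re.findall(r"[a-z0-9]+", name.lower()) if t not in _SUFFIXES}


def names_match(order_name: str, account_name: str) -> bool:
    """True only when every token of the shorter name appears in the longer one.

    The comparator is deliberately conservative: it will flag "J Smith" against
    "John Smith", because the point is to route doubt to a person, not to decide."""
    a, b = normalize_name(order_name), normalize_name(account_name)
    if not a or not b:
        return False
    short, long_ = (a, b) if len(a) <= len(b) else (b, a)
    return short <= long_


@dataclass(frozen=True)
class Account:
    number: str
    holder_name: str
    is_business: bool
    opening_verification_failed: bool  # e.g. an address-verification alert at opening


@dataclass(frozen=True)
class AchCredit:
    trace: str
    sec_code: str          # "CCD" = corporate credit, "PPD" = consumer credit
    receiver_name: str     # beneficiary name carried in the payment order
    account_number: str
    amount: float
    posted_at: datetime


def review_credit(credit, account, later_debits=(), window=timedelta(days=3), ratio=0.8):
    """Return the list of signals raised for one incoming credit.

    later_debits is a sequence of (datetime, amount) debits on the same account;
    an outflow of most of the credit within `window` is the pattern the court noted."""
    if credit.account_number != account.number:
        raise ValueError("credit routed to the wrong account record")
    flags = []
    if not names_match(credit.receiver_name, account.holder_name):
        flags.append("NAME_MISMATCH")
    if credit.sec_code == "CCD" and not account.is_business:
        flags.append("CCD_TO_CONSUMER_ACCOUNT")
    if account.opening_verification_failed:
        flags.append("OPENING_VERIFICATION_FAILED")
    outflow = sum(amt for when, amt in later_debits
                  if credit.posted_at <= when <= credit.posted_at + window)
    if outflow >= ratio * credit.amount:
        flags.append("RAPID_OUTFLOW")
    return flags


def disposition(flags):
    """Route the credit. A name mismatch holds the credit before funds are made
    available so that a person sees it; other signals post but open a case."""
    if "NAME_MISMATCH" in flags:
        return "HOLD_FOR_HUMAN_REVIEW"
    if flags:
        return "POST_AND_OPEN_CASE"
    return "AUTO_POST"


def run_sample():
    """Constructed sample modelled on the facts in the text; not real data."""
    t0 = datetime(2023, 1, 9, 9, 0)
    mule = Account("1001", "Lesa Taylor", is_business=False, opening_verification_failed=True)
    vendor = Account("2002", "Olympic Steel, Inc.", is_business=True, opening_verification_failed=False)
    credits = [
        AchCredit("A1", "CCD", "OLYMPIC STEEL", "1001", 150000.00, t0),      # mule account
        AchCredit("B1", "CCD", "OLYMPIC STEEL INC", "2002", 150000.00, t0),  # real vendor
    ]
    accounts = {a.number: a for a in (mule, vendor)}
    debits = {"1001": [(t0 + timedelta(days=1), 140000.00)], "2002": []}
    results = {}
    for c in credits:
        flags = review_credit(c, accounts[c.account_number], debits[c.account_number])
        results[c.trace] = (flags, disposition(flags))
    return results


if __name__ == "__main__":
    for trace, (flags, action) in run_sample().items():
        print(trace, action, flags)
```

Running the sample holds the credit to the mule account with all four flags and auto-posts the credit to the genuine vendor account. The name comparator errs toward false positives on purpose: the cost of a false positive is a short hold and a human look, while a mismatch that is logged and never routed to anyone is exactly the gap the court described.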
In contrast to the result reached in Studco, the Eleventh Circuit reached a different conclusion while applying the same rules in Peter E. Shapiro, P.A. v. Wells Fargo Bank, N.A. In Shapiro, the beneficiary’s bank’s automated “audit trail reflected that there was a ‘possible name mismatch in [credit] party,’” and “the wire was manually screened by an individual person for Office of Foreign Assets Control (“OFAC”) compliance purposes.” The court, however, noted that “no individual person . . . obtained actual knowledge of the possible name mismatch in Shapiro’s payment order.” The Eleventh Circuit concluded:
Considering the clear intention of the statute, which is to allow for the automated processing by banks of a large number of payment orders on a daily basis, while reducing both transaction costs and the potential for clerical error, we easily conclude that Wells Fargo maintained and complied with reasonable routines, and thus exercised due diligence, with respect to the processing of Shapiro’s payment order through its automated [system]. In processing the payment order Shapiro originated, it was not unreasonable for Wells Fargo to allow its automated payment system to ignore a potential name mismatch and “rely on the number as the proper identification of the beneficiary of the order.” [Wells Fargo] implemented and used an automated system that processed payment orders on the basis of a matching account number alone, ignoring potential name mismatches automatically reflected in the audit trail.
Furthermore, the Eleventh Circuit approved the beneficiary’s bank procedure, stating:
Even if Wells Fargo intentionally programmed the automated portions of its MTS system to ignore potential name mismatches . . . “it may rely on the number as the proper identification of the beneficiary of the order” unless and until an individual person conducting the transaction has actual knowledge of a name mismatch or would have had such knowledge had the organization exercised due diligence.
In a similar vein, in Madison Title Agency, LLC v. Bank of Am., N.A., a federal court in Georgia granted summary judgment to the beneficiary’s bank, finding that assertions that the bank’s wire system was “badly outdated” and that the bank knew of readily available technology to detect mismatches were insufficient to create a genuine issue of fact as to liability under U.C.C. section 4A-207. Moreover, the court cited Shapiro in holding, “[i]f a bank that actually implements an automated mismatch system is not liable for failing to act on an automatically identified mismatch, then by extension the Bank cannot be held liable for failing to implement an automated mismatch system altogether.”