Who is Liable in Cases of Wire Fraud? Costly Lawsuits Signal Increased Liability for Banks and Businesses

Key Takeaways

• The Electronic Fund Transfer Act of 1978 (EFTA) and Section 4A of the Uniform Commercial Code (“UCC”) have traditionally protected banks from instances of wire fraud.
• As cases of wire fraud increase in both volume and complexity, more consumers and legislators are beginning to claim legal justification to hold more banks and businesses accountable.
• Every business should adopt an end-to-end fraud prevention solution that encompass hardware, software, procedures, and personnel training.

‍

It was a nightmare scenario for one business leader who recently discovered that their liquid assets had been stolen in their entirety almost overnight. Over the course of only 48 hours, cyber criminals drained $1.6 million dollars from all four of the company’s PNC bank accounts through a combination of phishing, social engineering, account takeover, and wire fraud. 

The scammers had created a sham website imitating the online banking app for the company’s corporate bank. A company employee unwittingly entered their login credentials into the bogus website, delivering their password directly into the hands of the perpetrators. The fraudsters then logged in, impersonated the employee, and wired the total value of all corporate accounts from PNC to their own untraceable accounts.

Although this event took place more than a year ago, and despite the magnitude of the crime, the victims and the bank are still disputing liability in court. It raises the question, who is financially responsible for negligence in cases like this? Who had the power to disrupt the cybercriminals before they got away with massive fraud, and what steps should they have taken?

The answers to these questions should drive any business’ fraud prevention and risk mitigation strategy. We’ll examine the latest in legal precedent and how businesses can protect their clients and assets in the current liability landscape.
‍

Table of Contents:‍

• ‍Policy Governing Liability in Wire Fraud Cases‍
  • Electronic Fund Transfer Act‍
  • The Uniform Commercial Code‍
  • Emerging Policy‍
  • Landmark Lawsuits, Shifting Liability‍
• Policy-Aligned Fraud Prevention Strategy

Policy Governing Liability in Wire Fraud Cases

The law has historically protected banks from accountability in cases of wire fraud. These protections primarily come from the Electronic Fund Transfer Act of 1978 (EFTA) and Section 4A of the Uniform Commercial Code (“UCC”).

Electronic Fund Transfer Act

The EFTA does require banks to reimburse consumers for certain categories of “unauthorized” and “incorrect” transfers, as long as they notify their banks quickly, but most victims don’t discover the fraud until it’s too late. Fraudsters now exploit advances in instant payment technology to move money at lightning speed into untraceable accounts. After only a day or two, banks cannot freeze accounts or reverse the transfers, and victims can’t invoke the EFTA.

The EFTA originated in the 1970s, when financial institutions were the only ones who could execute wire transfers. While the EFTA does hold banks responsible for committing certain errors when they are in charge of a transfer, it doesn’t recognize them as the accountable party when the consumer, or someone impersonating them, is initiating the transfer.

With the proliferation of online banking tools and instant payment apps like Zelle and Venmo, consumers are increasingly able to move their own money. Similarly, in real estate transactions, attorneys and title companies may be moving money on a client’s behalf. But the EFTA still sees the consumer, or the person abusing their login credentials, as the responsible party, even if the transfer took place on the bank’s platform or involved the bank’s staff. 

The Uniform Commercial Code

The Uniform Commercial Code (“UCC”) also governs liability in wire fraud cases, this time in relation to contract law. According to the UCC, a Bank may be liable if it fails to adhere to wire instructions, but in cases of wire fraud, it is typically following the instructions to the letter—it has either received fraudulent instructions directly from an impersonator or received them from its own banking client who was given deceptive instructions. 

Banks do have a legal obligation to their customers, but that “duty of care” doesn’t extend to customers of other banks who unwittingly moved all their money to a scammer’s bank account.

Victims can’t hold the bank responsible for aiding and abetting wire fraud unless they can prove that the bank had “actual knowledge” of illicit activity. Since so many transactions are automated or facilitated by AI and other technology, banks can claim that they didn’t have “actual knowledge” and avoid liability.

These policies have left the financial burden of wire fraud squarely on the shoulders of victims. Businesses haven’t been able to count on their banks to reimburse or recover losses from wire fraud, so executives have faced the choice between adopting sophisticated fraud prevention tools or absorbing the risks and losses from cyber attacks.

Emerging Policy

The latest moves from lawmakers indicate that policies might be shifting, forcing banks to play a bigger part in disrupting wire fraud, or pay the price. Earlier this year, the Senate hosted a public hearing to gather testimony about protecting businesses and consumers from wire fraud. Congress has also acted quickly to propose new legislation that would regulate the use of artificial intelligence (AI) for impersonation. The increased oversight could eventually extend to banks, which can use AI and machine learning to flag suspicious transactions. 

Landmark Lawsuits, Shifting Liability

Judges have historically sided with banks in landmark lawsuits claiming negligence, but several new wire fraud cases indicate changing sentiment and potential new precedents in a digital-first era.

PNC bank is facing a suit for the $1.6 million stolen from a corporate client. The plaintiffs claim that PNC bank failed to comply with basic multi-factor authentication practices for approving the wire transfers. Multiple employees were supposed to have provided security tokens to approve such transactions. The victims also allege that when they reported the fraud, the bank’s employee wasn’t trained to freeze the account or reverse the transfer.

Another law firm just announced a suit against JP Morgan Chase for failing to raise red flags for a client who ultimately lost $16 million across 35 fraudulent wire transfers. The victim in this case had no history of transfers exceeding $100,000, yet the bank allowed back-to-back transfers of $500,000 without instituting a hold for suspicious activity. This case is in addition to the suit they’re already facing for an incredible $272 million stolen from one manufacturing client through privilege misuse and wire fraud. Only $100 million could be recovered.

The New York Attorney General has just thrown their hat in the ring with a negligence suit against Citibank. Both Citibank and JP Morgan have filed for dismissals. While the judge agreed to dismiss parts of the case against JP Morgan, they granted a jury trial based on a provision that requires banks to refund unauthorized payments.

Moreover, some scholars agree that there is a credible legal justification for reinterpreting the Electronic Funds Transfer Act (EFTA) so that banks are liable for wire fraud incidents that are currently ascribed only to consumers. The law requires reimbursements for “unauthorized and incorrect transfers,” and litigators could argue that accidentally sending funds to someone with false credentials is “unauthorized” or “incorrect.”

Nevertheless, banks continue to cite the EFTA and UCC in their defenses. For example, a judge granted a dismissal in a recent wire fraud case against HSBC, even though the bank failed to follow its own cyber security procedures and disregarded enough red flags to rival the inventory in Pamplona. The bank maintained that all the signs of suspicious activity never amounted to “actual knowledge” of fraud or grounds for liability.

Business leaders and consumer advocates are losing patience with these excuses and making their grievances known to their representatives in Congress. Even if the law doesn’t force banks to raise red flags, victims argue that banks at least have an ethical obligation to use the considerable technology at their disposal to protect their customers, and the law should regulate them. If banks can put temporary holds on credit cards for unexpected purchases at fast food joints, then surely they can suspend multiple million-dollar transfers pending authentication, or adopt a protective software like CertifID.

The Consumer Financial Protection Bureau would almost certainly face a lawsuit of their own from the banking lobby if they moved to increase banks’ liability, but they’re facing increasing pressure from a rapidly growing community of wire fraud victims to hold banks more accountable. 

Policy-Aligned Fraud Prevention Strategy

Unfortunately, the dramatic stories of millions gone missing overnight aren’t scenes from fictional heist movies, or even particularly unique occurrences. While lawmakers debate expanding liability for banks, fraudsters are exploiting the legal loopholes, claiming more and more victims who may never see their money back. Their exploits cost victims $12.5 billion in 2023 alone, according to the FBI’s annual internet crimes report.

In the current legal landscape, it’s in the best interest of banks, business owners, and consumers to prioritize fraud prevention. Regardless of where lawmakers land on liability, investing in cyber security delivers a high return on investment compared to costly, and potentially embarrassing, litigation. 

Both banks and business owners can take a four-pronged approach to fraud prevention to avoid the missteps that lead to lawsuits and losses. All four pillars of cybersecurity— (1) Hardware, (2) Software, (3) Procedure, and (4) People—play an important part in mitigating risks. When all stakeholders in a business transaction adhere to these practices, the risk of fraud decreases significantly. Adopt a recovery solution, including insurance, for the times when preventive measures aren’t enough. 

The greatest benefit of full-scale solutions like CertifID may be that they’re guided more by integrity than liability. By choosing an end-to-end solution, business leaders ensure that they have a partner to help protect them from fraud or recover funds if needed, even when lawmakers or banks let victims down.

‍