Unauthorized financial transaction fraud: Mitigating liability risks
As financial institutions beef up their internal security, electronic fraudsters increasingly shift their attention away from large-scale company hacks to accountholders themselves. In a typical scheme, the fraudster obtains the accountholder's login and other security credentials and, impersonating the accountholder, absconds with assets. The accountholder, who usually has no practical means of even identifying the perpetrator, often seeks to recover the losses from the financial institution through litigation. In this article, we analyze the legal landscape concerning financial institution liability for these unauthorized transfers and suggest how financial institutions can protect themselves against liability for third-party fraud and accountholder carelessness.
Unauthorized financial transaction fraud on the rise
Fraud attacks are on the rise. According to a 2019 LexisNexis study, fraud has doubled year over year. Cloud security company Wandera reports that a new phishing site launches every 20 seconds. COVID has only accelerated the trend, shifting even more transactions online and giving rise to COVID-themed cyberattacks, which have spiked to nearly one million per day.
Many fraud schemes involve unauthorized financial transactions. Through phishing, hacking, or other deceitful means, a fraudster gains access to the accountholder’s account credentials for a financial institution and effects a transfer of assets. Typically, the fraudster cannot be found, leaving the accountholder with a sizeable loss and no perpetrator to pursue. And often, the accountholder has a very sympathetic story.
Financial institution liability for unauthorized transactions
With nowhere else to turn, the accountholder sues the financial institution, as in the recent Illinois case of Whitaker v. Wedbush Securities. Futures commission merchant Wedbush Securities held funds for its customers James Whitaker and Pathology Institute. Whitaker's email account was infiltrated by a third-party hacker, who used it to send $374,960 in wire transfer requests to Wedbush. Wedbush sent confirmation emails for the wires, but because those confirmations went to the same compromised mailbox, the hacker simply intercepted them. Unwilling or unable to pursue the hacker, Whitaker sued Wedbush for allegedly failing to secure the account.
Or consider Gold v. Merrill Lynch Company. Plaintiff Mitchell Gold kept certain non-marital retirement funds in an account with Merrill Lynch. His wife was not an authorized accountholder but nevertheless withdrew more than $335,920. Rather than seek return of the funds from his wife, Gold sued Merrill Lynch for breach of contract and negligence.
How have courts resolved such claims?
As an initial matter, courts in such cases have often limited plaintiffs to a breach of contract claim and have dismissed tort claims. In Gold, for example, the court granted Merrill Lynch's motion to dismiss a negligence claim, reasoning that the economic loss doctrine precluded the plaintiff from recovering in tort for economic losses resulting from a breach of contract. A Delaware court reached a similar conclusion in Continental Finance Company v. TD Bank, when it dismissed negligence claims against TD Bank for allegedly allowing a third party to transfer funds out of Continental's account. This analysis, of course, assumes the existence of a contract between the institution and the victim.
When the unauthorized transfer involves a wire transfer, accountholders may also have a claim under state law UCC 4A, which provides a set of rules governing, among other things, liability for unauthorized wire transfers. Under the typical state UCC 4A provision, financial institutions that process wire transfers are presumptively liable for unauthorized wire transfers unless they can show two things: (1) the institution employed commercially reasonable methods of providing security against unauthorized payment orders and (2) the institution accepted the payment order in good faith and in compliance with the security procedure and any agreement with the accountholder. Note that this applies not just to banks but also, at least in many states, to other types of financial institutions that process wire transfers, such as futures commission merchants (Wedbush) and securities brokers (Gold).
Putting the above contexts together, financial institution liability for unauthorized transfers typically turns on whether the institution followed commercially reasonable security procedures set forth in the account agreement. For example, applying this framework, the court in Continental affirmed the dismissal of Continental's UCC 4A claim, noting that the parties had entered into an account agreement describing security features that Continental expressly agreed were commercially reasonable. Courts have also held, on the facts before them, that two-factor authentication is commercially reasonable as a matter of law. Note, however, that commercial reasonableness is judged against the customer's circumstances and the security procedures in general use among similarly situated institutions and customers, so the measures that satisfy it can shift as attacks evolve; a confirmation sent only to an email account the fraudster already controls, as in Whitaker, adds little protection in practice.
Mitigating risk of liability for unauthorized transfers
As can be gleaned from the above, there are several steps that financial institutions can take to proactively mitigate the risk of liability for unauthorized transfers.
First, institutions should implement and meticulously follow commercially reasonable security and authentication measures, including two-factor or multi-factor authentication. Institutions should also ensure that these measures are clearly memorialized and expressly agreed to be commercially reasonable in the account agreement. This will bolster the institution’s defenses to a breach of contract or 4A claim.
Second, accountholder agreements should expressly place responsibility on the accountholder to protect login credentials (such as a password and answers to security questions) and any devices used for authentication, and explain that security cannot be the sole responsibility of the institution. Unfortunately, hacks often result from accountholder negligence. Showing that the unauthorized transfers resulted from a breach of the account agreement by the accountholder, not by the institution, can be powerful evidence.
Third, institutions should prominently inform accountholders, including in the accountholder agreement, that they will bear any losses resulting from their failure to protect login credentials. The agreement can even explain several threat vectors used by phishers and other fraudsters and caution against these traps for the unwary.
While unauthorized transfer victims can make for sympathetic plaintiffs, financial institutions often have strong legal defenses against fraud they could not reasonably prevent. To learn more about these defenses, contact Matthew Miller, Michael Fluhr or your DLA Piper relationship lawyer.
The authors thank Mustafa Moiz for his extensive work on this article.