As wire fraud losses increase across the consumer sector, new lawsuits aim to hold more businesses and banks accountable.
Tyler Adams
6 min
Wire Fraud
Apr 19, 2024
It was a nightmare scenario for one business leader who recently discovered that their liquid assets had been stolen in their entirety almost overnight. Over the course of only 48 hours, cyber criminals drained $1.6 million from all four of the company’s PNC Bank accounts through a combination of phishing, social engineering, account takeover, and wire fraud.
The scammers had created a sham website imitating the online banking app for the company’s corporate bank. A company employee unwittingly entered their login credentials into the bogus website, delivering their password directly into the hands of the perpetrators. The fraudsters then logged in, impersonated the employee, and wired the total value of all corporate accounts from PNC to their own untraceable accounts.
Although this event took place more than a year ago, and despite the magnitude of the crime, the victims and the bank are still disputing liability in court. It raises the question: who is financially responsible for negligence in cases like this? Who had the power to disrupt the cybercriminals before they got away with massive fraud, and what steps should they have taken?
The answers to these questions should drive any business’ fraud prevention and risk mitigation strategy. We’ll examine the latest in legal precedent and how businesses can protect their clients and assets in the current liability landscape.
The law has historically protected banks from accountability in cases of wire fraud. These protections primarily come from the Electronic Fund Transfer Act of 1978 (EFTA) and Section 4A of the Uniform Commercial Code (“UCC”).
The EFTA does require banks to reimburse consumers for certain categories of “unauthorized” and “incorrect” transfers, as long as they notify their banks quickly, but most victims don’t discover the fraud until it’s too late. Fraudsters now exploit advances in instant payment technology to move money at lightning speed into untraceable accounts. After only a day or two, banks cannot freeze accounts or reverse the transfers, and victims can’t invoke the EFTA.
The EFTA originated in the 1970s, when financial institutions were the only ones who could execute wire transfers. While the EFTA does hold banks responsible for committing certain errors when they are in charge of a transfer, it doesn’t recognize them as the accountable party when the consumer, or someone impersonating them, is initiating the transfer.
With the proliferation of online banking tools and instant payment apps like Zelle and Venmo, consumers are increasingly able to move their own money. Similarly, in real estate transactions, attorneys and title companies may be moving money on a client’s behalf. But the EFTA still sees the consumer, or the person abusing their login credentials, as the responsible party, even if the transfer took place on the bank’s platform or involved the bank’s staff.
The Uniform Commercial Code (“UCC”) also governs liability in wire fraud cases, this time in relation to contract law. According to the UCC, a bank may be liable if it fails to adhere to wire instructions, but in cases of wire fraud, it is typically following the instructions to the letter: it has either received fraudulent instructions directly from an impersonator or received them from its own banking client who was given deceptive instructions.
Banks do have a legal obligation to their customers, but that “duty of care” doesn’t extend to customers of other banks who unwittingly moved all their money to a scammer’s bank account.
Victims can’t hold the bank responsible for aiding and abetting wire fraud unless they can prove that the bank had “actual knowledge” of illicit activity. Since so many transactions are automated or facilitated by AI and other technology, banks can claim that they didn’t have “actual knowledge” and avoid liability.
These policies have left the financial burden of wire fraud squarely on the shoulders of victims. Businesses haven’t been able to count on their banks to reimburse or recover losses from wire fraud, so executives have faced the choice between adopting sophisticated fraud prevention tools or absorbing the risks and losses from cyber attacks.
The latest moves from lawmakers indicate that policies might be shifting, forcing banks to play a bigger part in disrupting wire fraud, or pay the price. Earlier this year, the Senate hosted a public hearing to gather testimony about protecting businesses and consumers from wire fraud. Congress has also acted quickly to propose new legislation that would regulate the use of artificial intelligence (AI) for impersonation. The increased oversight could eventually extend to banks, which can use AI and machine learning to flag suspicious transactions.
Judges have historically sided with banks in landmark lawsuits claiming negligence, but several new wire fraud cases indicate changing sentiment and potential new precedents in a digital-first era.
PNC Bank is facing a suit for the $1.6 million stolen from a corporate client. The plaintiffs claim that PNC Bank failed to comply with basic multi-factor authentication practices for approving the wire transfers. Multiple employees were supposed to have provided security tokens to approve such transactions. The victims also allege that when they reported the fraud, the bank’s employee wasn’t trained to freeze the account or reverse the transfer.
Another law firm just announced a suit against JP Morgan Chase for failing to raise red flags for a client who ultimately lost $16 million across 35 fraudulent wire transfers. The victim in this case had no history of transfers exceeding $100,000, yet the bank allowed back-to-back transfers of $500,000 without instituting a hold for suspicious activity. This case is in addition to the suit they’re already facing for an incredible $272 million stolen from one manufacturing client through privilege misuse and wire fraud. Only $100 million could be recovered.
The New York Attorney General has just thrown their hat in the ring with a negligence suit against Citibank. Both Citibank and JP Morgan have filed for dismissals. While the judge agreed to dismiss parts of the case against JP Morgan, they granted a jury trial based on a provision that requires banks to refund unauthorized payments.
Moreover, some scholars agree that there is a credible legal justification for reinterpreting the Electronic Fund Transfer Act (EFTA) so that banks are liable for wire fraud incidents that are currently ascribed only to consumers. The law requires reimbursements for “unauthorized and incorrect transfers,” and litigators could argue that accidentally sending funds to someone with false credentials is “unauthorized” or “incorrect.”
Nevertheless, banks continue to cite the EFTA and UCC in their defenses. For example, a judge granted a dismissal in a recent wire fraud case against HSBC, even though the bank failed to follow its own cyber security procedures and disregarded enough red flags to rival the inventory in Pamplona. The bank maintained that all the signs of suspicious activity never amounted to “actual knowledge” of fraud or grounds for liability.
Business leaders and consumer advocates are losing patience with these excuses and making their grievances known to their representatives in Congress. Even if the law doesn’t force banks to raise red flags, victims argue that banks at least have an ethical obligation to use the considerable technology at their disposal to protect their customers, and the law should regulate them. If banks can put temporary holds on credit cards for unexpected purchases at fast food joints, then surely they can suspend multiple million-dollar transfers pending authentication, or adopt a protective software like CertifID.
The Consumer Financial Protection Bureau would almost certainly face a lawsuit of their own from the banking lobby if they moved to increase banks’ liability, but they’re facing increasing pressure from a rapidly growing community of wire fraud victims to hold banks more accountable.
Unfortunately, the dramatic stories of millions gone missing overnight aren’t scenes from fictional heist movies, or even particularly unique occurrences. While lawmakers debate expanding liability for banks, fraudsters are exploiting the legal loopholes, claiming more and more victims who may never see their money back. Their exploits cost victims $12.5 billion in 2023 alone, according to the FBI’s annual internet crimes report.
In the current legal landscape, it’s in the best interest of banks, business owners, and consumers to prioritize fraud prevention. Regardless of where lawmakers land on liability, investing in cyber security delivers a high return on investment compared to costly, and potentially embarrassing, litigation.
Both banks and business owners can take a four-pronged approach to fraud prevention to avoid the missteps that lead to lawsuits and losses. All four pillars of cybersecurity, (1) Hardware, (2) Software, (3) Procedure, and (4) People, play an important part in mitigating risks. When all stakeholders in a business transaction adhere to these practices, the risk of fraud decreases significantly. Adopt a recovery solution, including insurance, for the times when preventive measures aren’t enough.
The greatest benefit of full-scale solutions like CertifID may be that they’re guided more by integrity than liability. By choosing an end-to-end solution, business leaders ensure that they have a partner to help protect them from fraud or recover funds if needed, even when lawmakers or banks let victims down.
Co-founder & CEO
Tyler brings a decade of leadership experience developing and launching technology businesses. Before co-founding CertifID, Tyler led new product development at BCG Digital Ventures for Mercedes-Benz, First American Financial, Boston Scientific, and Aflac.